How I Prepared for the CISSP

A full account of the preparation journey: from the first training course to exam day, with the tools, mindset shifts, and strategies that actually made the difference.

Operating principle throughout: understand the why, not just the what. CISSP does not reward memory. It rewards judgment.

Starting with Structure: The Training Foundation

My CISSP journey began in May with a six-week course from InfosecTrain, covering all eight domains. I want to be honest about what a training course does and does not do. It gives you a map. It introduces the terrain. It does not give you depth — and depth is what CISSP actually tests.

After the course, I moved straight into the Official (ISC)² CISSP CBK Study Guide and read it cover to cover, taking handwritten notes throughout. This was around July. The handwriting was deliberate. It slows you down. It forces you to process rather than scan. If you are highlighting and moving on, you are not studying — you are performing the act of studying.

Taking the CC First — And Why That Was the Right Decision

Before sitting for CISSP, I wrote the CC exam in August. The Certified in Cybersecurity is also a CAT adaptive exam, and that was exactly the reason I took it.

If you have never sat a CAT adaptive exam before, the format itself can be disorienting. Questions shift in difficulty based on your responses. The exam does not behave like a fixed paper. If you walk into CISSP without having experienced that format, you are managing two unknowns at once — the content and the experience.

The CC removed the second unknown. It also served as an honest self-check: had I actually understood enough to pass something, or was I just familiar with the material? I cleared it. That told me I had a foundation to build on.

The Second Pass — Domain Mapping and Real Depth

After clearing CC, I went back to the CBK for a second full read. This time I approached it differently.

The CBK is organised by chapters, not by CISSP domains. Domains are split across multiple chapters. So I did the mapping manually — I identified which portions of the book belonged to Domain 1, which to Domain 2, and so on, and then read only those portions in sequence for each domain. This meant I completed domains properly rather than accumulating a scattered mix of topics.

After finishing each domain, I went straight to the Sybex domain-wise questions. This sequencing matters. You complete a domain while it is fresh, test yourself immediately, and find out exactly where your understanding is solid and where it is not. If you wait, the material fades and the feedback loop breaks.

I completed this iteration once, then read the CBK again. Two full passes.

Writing the Blog as Revision

Around this time I started writing a cybersecurity blog, summarising what I had studied in my own words. What I did not expect was how powerful this would become as a study tool.

When you have to explain something clearly enough for someone else to understand, you very quickly discover the difference between what you actually know and what you only think you know. Gaps that felt invisible while reading become obvious the moment you try to write. The blog became one of my most effective revision methods — not because I planned it that way, but because teaching forces clarity.

Pocket Prep and the Knowledge Consolidation Phase

After two CBK passes I added Pocket Prep — a mobile app with around 800 questions. It is not exam-level difficulty, and I would not rely on it alone. But at this stage, after weeks of heavy reading, you have a large amount of information in your head that has not fully settled. Pocket Prep helps consolidate it. You start recognising terms and concepts in context, and things that felt abstract start to stick.

The CISM Pivot — An Unexpected Advantage

I had originally planned to sit for CISSP in November. Personal circumstances meant that did not happen. Rather than let months of preparation go stale, I made a decision: I would sit for CISM.

With about 15 additional days of focused preparation, I cleared CISM. What I did not fully anticipate was how much this would benefit my CISSP preparation. CISM goes deep into governance, risk management, and incident management — areas that map directly onto CISSP Domains 1, 2, and parts of Domain 3. By the time I returned to CISSP, those areas were not just covered — they were reinforced.

If your timeline allows it, and especially if governance and risk are not your strongest areas, CISM as a stepping stone is worth serious consideration.

Discovering Pete Zerger and CISSP Last Mile

My exam was now scheduled for March. From January onward, the strategy shifted — less new content, more consolidation and practice.

This is when I discovered Pete Zerger's material. His YouTube videos are genuinely useful, but the real find was his book, CISSP Last Mile. At around 500 pages, it is an efficient, well-structured summary of every major concept across all eight domains. For the price he charges, the value is almost unreasonably good. I would strongly recommend it for anyone in the final two months of preparation.

After reading Last Mile, I created a final set of handwritten summary notes — around 50 pages — which became my primary revision reference in the last few weeks.

The Practice Exam Tools — What Each One Actually Does

For practice exams I used Boson, Quantum, and CertPreps. They are not interchangeable, and it is worth understanding what each one is actually good for.

Boson is solid for concept reinforcement. The explanations are detailed and help you understand why an answer is correct, not just that it is. The difficulty is not quite at exam level, but it builds foundations well.

Quantum is the closest to the actual exam in terms of language and question style. It also has a CAT adaptive simulation mode, which is genuinely valuable for getting used to the format. Some of my Quantum tests ended at 100 questions, some at 125, some at 150 — which is exactly how the real exam behaves.

CertPreps is underrated and often overlooked. The questions are deliberately confusing. The language is tricky. That is not a flaw — it is the point. Sitting with CertPreps trains you to slow down, read carefully, and resist the instinct to jump to an answer. That is precisely the skill the CISSP exam demands.

Resource Stack Summary

Each entry lists the resource, its priority, what it is best used for, and what to know about it.

Foundation

InfosecTrain course (6-week, all 8 domains)
  Priority: Must have
  Best used for: Getting the map
  What to know: Start here. Gives breadth, not depth. Not enough alone — pair with CBK immediately after.

CBK Official Study Guide ((ISC)² official book)
  Priority: Must have
  Best used for: Core knowledge base
  What to know: Read it twice minimum. Map chapters to domains manually on your second pass. Handwrite notes as you go.

CC exam (Certified in Cybersecurity)
  Priority: Must have
  Best used for: CAT format dry run
  What to know: Also a CAT adaptive exam. Take it before CISSP to get comfortable with the format and validate your foundation.

Practice — Domain Validation

Sybex questions (domain-wise format)
  Priority: Must have
  Best used for: Post-domain testing
  What to know: Attempt immediately after completing each domain. Closes the feedback loop while material is fresh.

Pocket Prep (~800 questions, mobile app)
  Priority: Strongly recommended
  Best used for: Concept consolidation
  What to know: Not exam-level difficulty. Best used after 2 CBK passes to settle terminology and reinforce what you have read.

Final Stretch — Revision

CISSP Last Mile (Pete Zerger — ~500 pages)
  Priority: Must have
  Best used for: Final synthesis
  What to know: Best single resource for the last 6–8 weeks. Covers all 8 domains efficiently. Highlight as you read — you will return to those sections in the final 10 days. Also watch Pete Zerger's YouTube videos.

Quantum (CAT adaptive mode available)
  Priority: Must have
  Best used for: Exam simulation
  What to know: Closest to actual exam language. Use the CAT mode — tests may end at 100, 125, or 150, just like the real exam. Best for timing calibration.

CertPreps (deliberately tricky language)
  Priority: Strongly recommended
  Best used for: Language conditioning
  What to know: Underrated. Questions are confusing by design — forces you to slow down and read carefully. Scores of 75–80% here are a good sign.

Boson
  Priority: Strongly recommended
  Best used for: Concept reinforcement
  What to know: Not quite exam-level difficulty but excellent detailed explanations. Good for understanding why an answer is correct, not just that it is.

Optional / Situational

CISM exam (ISACA certification)
  Priority: Take if relevant
  Best used for: Governance depth
  What to know: If your timeline slips, sit for CISM instead of going stale. Deep overlap with CISSP Domains 1, 2, and parts of 3. Roughly 15 extra prep days needed.

Trainer mock questions (InfosecTrain / Kamlesh Singh)
  Priority: Take if available
  Best used for: Extra practice variety
  What to know: Use in the final 10 days to mix with other platforms. Adds variety and may surface blind spots.

Mind maps (Pete Zerger's + self-created)
  Priority: Take if you are visual
  Best used for: Lifecycle memorisation
  What to know: Especially useful for forensics, incident response, data lifecycle, and access control models. Draw your own — the act of creating them matters more than the end result.

Blog writing / teaching (any platform)
  Priority: Hidden gem
  Best used for: Deep revision
  What to know: Explaining a domain in writing forces you to find every gap in your understanding. One of the most effective revision methods — even if no one reads it.

What "Think Like a Manager" Actually Means

You will hear this phrase constantly throughout CISSP preparation. Think like a manager, not a technician. But very few people explain what it actually means in practice.

Let me give you a concrete example. Consider fire suppression in a data centre. You could memorise the difference between wet pipe, dry pipe, deluge, and pre-action systems. But memorising definitions is not going to help you answer a scenario question. What will help is thinking like the person responsible for that data centre.

You have two things to protect: expensive electronic equipment and human lives. Water destroys electronics. You cannot have it running freely unless absolutely necessary. But you also cannot compromise on human safety. So what do you actually do?

You want the fastest possible detection — which means aspirating smoke detectors, because they can sense incipient smoke before a fire fully develops. You want a system that does not release water unless it has to. You want multiple conditions to be met before water is released. That is exactly what a pre-action system does. The name tells you: there is a required action before the water action. Once you understand why it exists, you will never confuse it with deluge or dry pipe again. The correct answer becomes the only sensible answer.

This is the thinking pattern the exam rewards.

Language Is Everything

One of the subtler but more important things to internalise is sensitivity to English. CISSP questions are precision instruments. A single word changes the answer.

For example, if a question uses the word veracity or accuracy, it is pointing to integrity — not availability, not confidentiality. If a question asks what mechanism creates accountability, the answer is auditing and logging — not accountability itself. Auditing leads to accountability. If a question says an incident has been detected and reported, it has not been confirmed. You do not jump to containment before confirmation. A manager verifies before acting.

Read every single word. Do not infer what the question is probably asking. Let the question tell you exactly what it is asking.

Lifecycles and Step Cycles — The Backbone of CISSP Questions

This is one of the most important things I can pass on: lifecycle sequences are not optional revision items. They are the structure around which a large proportion of CISSP questions are built.

The exam will rarely ask you to define a lifecycle. It will place you inside a scenario, tell you what has already happened, and ask what comes next — or what was done incorrectly, or what is missing. To answer that, the sequence needs to be automatic.

The incident response lifecycle is a good example. Pete Zerger — and full credit to him — teaches it using the mnemonic DRMRRRL, which he calls Drum Roll:

Detect → Respond → Mitigate → Report → Remediate → Restore → Lessons Learned

A question might say: an organisation has contained the incident and updated senior management. What should they do next? If DRMRRRL is a living map in your head rather than a memorised string, you immediately locate yourself: Mitigate is containment, Report is informing management, so the next step is Remediate. From there you evaluate which answer option represents remediation. The mnemonic does not give you the answer — it tells you where you are in the process.

The same principle applies to forensic evidence handling. The order of volatility — CPU registers, RAM, running processes, network connections, disk, external storage, backups — must be internalised, not just recognised. If forensics becomes unavoidable and this ends up in a court of law, you are the responsible person. You need to know the sequence, not just know that a sequence exists.

The data lifecycle — Classify, Store, Use, Share, Archive, Destroy — underpins questions around data ownership, custodianship, and handling policy. The information security policy lifecycle — creation, approval, implementation, awareness, enforcement, review, retirement — sits behind asset management questions. These are not minor topics. They recur throughout the exam in different scenarios.

Memory Anchors, Not Memorisation

For information flow models, I did not memorise a comparison table. I used a single anchor and derived everything else from it.

For Bell-LaPadula, my anchor was: allows read down. From that one fact I immediately knew — no read up, no write down. It is a confidentiality model. Information cannot flow from a higher classification level to a lower one. If a question asks which model prevents information flowing from higher to lower, the answer is Bell-LaPadula and I arrived there in seconds.

Biba is the opposite: integrity model, no write up. Clark-Wilson is integrity enforced through transactions and separation of duties. Brewer-Nash — the Chinese Wall model — prevents conflict of interest by blocking access to competitor data once you have accessed one client's information.

One anchor per model. Derive the rest. That is a memory cue, not memorisation.

The same approach works for cryptography. Do not memorise algorithms in isolation. Know why each one exists. Which algorithm handles key exchange over an unsecured public network? Diffie-Hellman — because it allows two parties to establish a shared secret without ever transmitting it. Why is ECC preferred for mobile and IoT? Smaller key sizes with equivalent strength means less processing overhead. When do you use your private key versus your public key? Private for digital signatures, proving it came from you. Public for encryption, ensuring only the intended recipient can read it.
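The "know why it exists" point is easiest to see when the arithmetic is in front of you. The following is an added example, not code from the original post: the first part runs a Diffie-Hellman exchange for both sides and logs every value that crosses the wire, so you can see the shared secret is never one of them; the second part uses a textbook RSA key pair to show which key does what (private signs, public verifies; public encrypts, private decrypts). All numbers are small constructed values chosen so the steps can be traced by hand; they provide no security and are not what real deployments use.

```python
"""Why the algorithm exists, shown with the arithmetic.

Added example, not from the original post. All numbers are small
constructed textbook values so the steps can be traced by hand; they offer
no security and are not what real deployments use.

Part 1: Diffie-Hellman. Two parties agree a secret while only public
        values cross the wire.
Part 2: key roles with a toy, unpadded RSA pair. Private key signs,
        public key verifies. Public key encrypts, private key decrypts.
"""
import secrets
from hashlib import sha256

# ---- Part 1: Diffie-Hellman ---------------------------------------------
DH_P = 23   # constructed toy prime
DH_G = 5    # a generator modulo 23


def dh_keypair(p: int = DH_P, g: int = DH_G) -> tuple[int, int]:
    """Private exponent x (kept secret), public value g^x mod p (sent)."""
    x = secrets.randbelow(p - 2) + 1          # 1 <= x <= p-2
    return x, pow(g, x, p)


def dh_shared(private: int, peer_public: int, p: int = DH_P) -> int:
    """Shared secret = (peer's public value)^(own private exponent) mod p."""
    return pow(peer_public, private, p)


def dh_exchange(p: int = DH_P, g: int = DH_G) -> tuple[int, int, list]:
    """Run both sides. Returns Alice's secret, Bob's secret, and a log of
    every value that crossed the wire; the secret itself is never sent."""
    a, alice_public = dh_keypair(p, g)
    b, bob_public = dh_keypair(p, g)
    wire = [("alice->bob", alice_public), ("bob->alice", bob_public)]
    return dh_shared(a, bob_public, p), dh_shared(b, alice_public, p), wire


# ---- Part 2: which key does what -----------------------------------------
# Constructed textbook pair: p=61, q=53, n=3233, e=17, d=2753 (17*2753 = 1 mod 3120).
RSA_N = 3233
RSA_PUBLIC = (RSA_N, 17)      # shared with everyone
RSA_PRIVATE = (RSA_N, 2753)   # held by the owner only


def rsa_apply(key: tuple[int, int], value: int) -> int:
    """Modular exponentiation with either half of the pair."""
    n, exponent = key
    return pow(value, exponent, n)


def digest(message: bytes) -> int:
    """Reduce a SHA-256 hash into the toy modulus so it can be signed."""
    return int.from_bytes(sha256(message).digest(), "big") % RSA_N


def sign(message: bytes) -> int:
    """PRIVATE key: only its holder can produce this, which is what proves origin."""
    return rsa_apply(RSA_PRIVATE, digest(message))


def verify(message: bytes, signature: int) -> bool:
    """PUBLIC key: anyone can check the signature against the message."""
    return rsa_apply(RSA_PUBLIC, signature) == digest(message)


def encrypt_for_owner(plaintext: int) -> int:
    """PUBLIC key: anyone can encrypt, but only the private-key holder can read."""
    return rsa_apply(RSA_PUBLIC, plaintext % RSA_N)


def decrypt(ciphertext: int) -> int:
    """PRIVATE key: recovers what was encrypted to the owner's public key."""
    return rsa_apply(RSA_PRIVATE, ciphertext)


if __name__ == "__main__":
    k_alice, k_bob, wire = dh_exchange()
    print("on the wire:", wire, "| both sides derive the same secret:", k_alice == k_bob)
    sig = sign(b"approve change 42")
    print("signature verifies with the public key:", verify(b"approve change 42", sig))
    print("encrypt with public, decrypt with private:", decrypt(encrypt_for_owner(1234)))
```

The point to take from running it is the one the paragraph makes: in the Diffie-Hellman half, both parties end up holding the same number although only the two public values appeared on the wire; in the RSA half, a signature made with the private key checks out with the public key and fails the moment a single bit of it is changed, while anything encrypted to the public key only comes back with the private key.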

If you understand the purpose, scenario questions answer themselves.