r/cissp 3d ago

Just answer the question

50 Upvotes

This is not meant towards anyone specifically, and it’s quite common. I am also seeing it more and more lately. Hopefully this helps some of you.

When studying and ESPECIALLY on the real exam, just answer what the question is asking.

If the question wants First, it’s looking for the first phase of a flow.

If it’s asking NEXT, it is putting you inside of a flow, figure out where you are and pick the answer that is the next step.

Neither of the two just mentioned may be what’s BEST for security. Again the BEST solution isn’t always the best answer.

If a question is asking for the BEST, this is where we pick the answer that best ANSWERS THE QUESTION; it could be technical, could be administrative, which is why…

Just answer the question.

Edit: for “best”, even with these you want to pick the best answer that answers the question. There may be “better” technological solutions, but more security isn’t always best. If a question wants the best cost-saving solution, we may not want to pick the most expensive option even if it’s technically “better”. Hope this makes sense.

Edit 2: For this exam, you're stepping into ISC2's perfect little world and the way you typically do things could very well differ from what they expect. Just learn and answer as expected for the exam and then forget it and get back to real life. Trying to argue otherwise is a no-win battle...100% of the time.


r/cissp May 14 '25

Study Material CISSP Study Results 20250514 Study Materials

38 Upvotes

The companion email for these resources is here:

https://www.reddit.com/r/cissp/comments/1kmc9jv/cissp_study_results_20250514/


r/cissp 5h ago

Success Story Passed the CISSP exam yesterday - completed in 147 questions on first attempt with 4 years of cybersecurity experience!

17 Upvotes

Just passed the CISSP exam after answering all 147 questions — what a journey! For anyone preparing, I wanted to share the resources that truly made a difference for me:

1. Minoj Sharma's 100 Days CISSP Success Toolkit – A structured and motivational guide that kept me on track.

2. ROB's Destination CISSP: A Concise Guide (2nd Edition) + YouTube Mindmaps – Helped me visualize and retain key concepts effectively.

3. Minoj Sharma's Udemy Scenario-Based Question Bank – Great for practicing real-world scenarios and sharpening decision-making.

4. Jason Dion's 600 CISSP Questions – Excellent for building confidence and testing knowledge across all domains.

My advice: stay consistent, stay focused, and trust the process. If you're preparing for CISSP, I hope this helps you on your path. You’ve got this! Also, thanks to the community for the updates and passing stories on this platform. Good advice on answering strategy: “You can do it too! (CISSP in 2 Months, First Attempt, Stopped at 100 Questions)” on r/cissp


r/cissp 5h ago

Success Story Passing CISSP in 3 weeks

13 Upvotes

I recently passed the CISSP exam, finishing in 100 questions within about two hours.

For preparation, I didn’t go through the CBK cover-to-cover. Instead, I leaned on my background across tech: development, DevOps, engineering, pentesting, and now GRC along with the CRISC certification I’d recently completed.

My approach was simple:

• Week 1: Refresh core technical fundamentals using Peter Zerger, with targeted deeper reading in areas of the CBK that needed extra attention.

• Following weeks: Focus on developing the “CISSP mindset”: thinking like a manager. I treated practice questions as critical analysis exercises, weighing options based on both technical fundamentals and risk management perspectives.

For practice, I used the LearnZapp and Wiley Q&A databases extensively, paying close attention to why answers were wrong as much as why they were right. My scores started around 50%, but by the third week things began to click. Listening to Andrew Ramdayal, Luke Ahmed and Prabh Nair really helped me grasp the managerial mindset, and the official study guide audiobook by Mike Chapple reinforced key concepts.

In the end, I found the exam itself much easier than the late-night prep. If you’re currently studying, my biggest tip would be this: focus on seeing every concept through a managerial lens. Perspectives like what’s deprecated, what’s faster, what’s scalable, what’s most cost-efficient, etc. will make all the difference. More importantly, on exam day, read the question. Read the options. Read the question again. Pay attention to directive words, and scribble ✍️ things down if it helps your reasoning.


r/cissp 15h ago

Passed CISSP at Q100 – My Secret Weapon: Rocky Soundtrack 🥊

43 Upvotes

Hey guys, today I had to face the CISSP beast and I passed the exam on question number 100. I used most of the study material recommendations listed here, but honestly, I think the key to success is motivation and perseverance.

I just wanted to share that the formula for me is to stay motivated during the drive to the exam center by listening to music from the movie Rocky: "Burning Heart," "Eye of the Tiger," "No Easy Way Out." Every time I've taken a certification exam, that's my motivational music... Find your motivation to face the challenge!

QE: they are indeed challenging tests and they make you train your brain for the real exam scenario!

A month ago I passed the CISM and now I've achieved the CISSP, so I'm going to take a break to enjoy the triumph... This group really helps a lot...

Greetings and VIVA CHILE!!! 🇨🇱🤘


r/cissp 13h ago

Success Story Passed @150 with 10 mins left

25 Upvotes

I just passed the CISSP exam today after answering 150 questions. After the 100th question, I honestly thought I was going to fail because the exam didn’t stop. However, I was able to push through and keep a steady pace, answering each question in about a minute to make sure I finished. I was relieved to see that many of the questions were directly related to the Dest Mind Map and QE – those were a huge help! The questions were more technical than scenario-based, which was a bit surprising.

I knew that my weakest area was Network Security, especially when it came to understanding the basic concepts and models. I struggled a bit with those at first, but I found that PowerCert Animated Videos on YouTube really helped me grasp the concepts. Their clear, easy-to-understand animations made a big difference. Highly recommend checking them out:

https://youtube.com/@powercertanimatedvideos?si=ulnrQ93qECedhezt

Previous Certification: I also passed the CSSLP last year, so this is my second major certification in the cybersecurity space.

Study Strategy:

My approach to studying for CISSP started with trying out some of the sample questions in QE. This helped me understand the types of questions I’d face and gave me a sense of how to approach my studies. After that, I turned to the Destination Mind Map to get a high-level overview of the domains and key concepts. Finally, I tackled the official study guide to dive deeper into the material and solidify my understanding.

The key to my success was revision. I made sure to go over the material at least three times to solidify my understanding and reinforce the concepts.

Cybersecurity Experience:

With 5 years of experience as a cybersecurity consultant, I've had the opportunity to work on a variety of projects that really helped me understand the concepts I was tested on. It’s been a challenging journey, but definitely worth it.


r/cissp 4h ago

Passed QE twice 8xx, failed Sybex 2x125 qs practice exam.

3 Upvotes

Passed QE twice 8xx, failed Sybex 2x125 qs practice exam (only 50% correct). Am I cooked? Would you book the exam if you were me lol.


r/cissp 1d ago

Passed CISSP at 100

54 Upvotes

OMG. What was this experience?

6 months of prep, OSG read cover to cover, official practice exams all done at 80+%. Felt like I had an LLM in my brain; I could just tell you anything that was covered inside the OSG from the top of my mind, without a doubt and with full understanding of any related topics.

4+ years of related work experience in the industry (mostly offsec/blue team/techie but with full understanding and experience in grc)

The exam? RENDERED ME USELESS. I felt like a little kid, scared, wanting my mommy to hold my hand. I seriously wanted to stand up and leave at about question 70. I was sure I failed.

Questions were so ABSTRACT.

DON'T GIVE UP, SLEEP WELL, MANAGE YOUR TIME, DEDUCE DEDUCE DEDUCE.


r/cissp 21h ago

OSG PT: Why answer D over A?

7 Upvotes

The solution mentions that retaining multiple copies “allows you to still have access in case the tape is stolen/lost”, but that it “won’t increase the security of the media”

I don’t see “security of the media” being mentioned in the question, hence considered it to be about security of the information that is on the media (in which case I assume Availability to be as important as Confidentiality)

Does someone see how I could have spotted this pitfall? Many thanks 🙏


r/cissp 20h ago

Newb

0 Upvotes

Hi, I’m new to cybersecurity and my teacher gave my class this ebook to help us go through the course. Do any of you know what the physical book for this is? I just want to confirm, since the covers of the few suggestions I got look different. For example, I got suggested this one https://www.amazon.com/Certified-Information-Security-Professional-Official/dp/1394254695, this https://www.amazon.com/Certified-Information-Security-Professional-Official/dp/1119042712#immersive-view_1757340692343 and this https://www.amazon.com/Official-ISC-CISSP-CBK-Reference/dp/1119789990


r/cissp 2d ago

Passed the CISSP today — First attempt!

120 Upvotes

I want to share my study journey in case it helps someone else:

Study Timeline

  • Total Prep Time: 1 to 1.5 months
  • Daily Study: 1–3 hours on weekdays
  • Weekend Study: 2–6 hours

My Study Method (per Domain)

  1. Watched the full Destination Certification domain videos.
  2. Studied the same domain from the Destination Cert book.
  3. Practiced all the Destination App questions (initially scoring only 50–70%).
  4. Watched Kelly Handerhan’s Cybrary videos for the same domain.
  5. Revisited my wrong answers until I consistently hit 70–80%.

I repeated this structure for all 8 domains — nothing more, nothing less.

After Completing All Domains

  1. Took the QE CAT practice exams: scored 3xx, 6xx, 8xx, 9xx, 9xx, 9xx, 1xxx.
  2. Two days before the exam: watched the 8-hour Cram video.
  3. The day before: only the 15-minute Kelly Handerhan summary video.

Mistakes I Strongly Recommend Avoiding

  1. Sleep prep: Train yourself to wake up early (exam was at 9 AM).
  2. Rest well: I barely slept from stress (woke up 5+ times). Don’t do this!
  3. Fight till the end -- Fight till the end -- Fight till the end -- Fight till the end: Don’t give up on the last question. I passed literally at the last question. My brain felt like it was burning, but the “Congratulations” made it all worth it.
  4. Mindset matters: I walked into the exam as if I already passed — and celebrated after.

Important Note

1- CISSP is not only about managerial concepts — you need both technical and managerial knowledge to pass. Be ready to switch your mindset between hands-on technical understanding and high-level risk/governance thinking. That balance is key.

2- Don’t rely only on AI for answers and clarifications; sometimes (and quite often) the responses aren’t fully accurate.

🙏 Huge thanks to God, to my family for believing in me, and to myself for not giving up.
And to this subreddit — whether you passed or failed, your posts kept me motivated. You all fueled my journey.

Time to celebrate 🎉🥳


r/cissp 1d ago

CISSP

14 Upvotes

I just signed up for QE and got my Dest Cert book.

I await your recommendations and guidance. Thank you, CISSP community.


r/cissp 2d ago

Can anyone explain the first sentence to me?

11 Upvotes

r/cissp 2d ago

Looking for advice on improvement

15 Upvotes

It's quite disappointing, but I didn't succeed in my attempt. I ran out of time after completing around 134 questions. I faced some tough questions, especially between 92 and 98. These questions included 2-3 tables that required calculating ALE and safeguards for threats 1-2-3. I'm not sure if that's common, but I felt like I wasted a lot of time on them. I studied for a solid four months and have eight years of experience in IT, focusing on networking and working as a security engineer. So, it's surprising that I performed poorly in security operations.

Does anyone have advice on how they improved for their second attempt? What questions did you practice a lot? I know nothing can replace the actual exam experience. I reviewed the Destination Certification book 2-3 times and went through Pete's Last Mile and LearnZapp. I'm curious about other resources that helped other people and could help me improve my timing and performance, thanks again.
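The post above mentions exam questions built around tables of ALE figures and candidate safeguards for several threats. As an added example (not from the original post or from ISC2; every threat and safeguard figure below is constructed for illustration), here is the standard CISSP quantitative risk arithmetic worked through in Python: SLE = AV × EF, ALE = SLE × ARO, and safeguard value = ALE before − ALE after − annual cost of the safeguard (ACS). It goes one step beyond a single calculation by ranking the candidate safeguards for each threat and flagging the case where none is worth buying, because a negative value means accepting the risk is cheaper than the control.

```python
"""ALE and safeguard cost/benefit across several threats.

Added example, not from the original post or from ISC2. The threat and
safeguard figures below are constructed for illustration. Formulas are the
standard CISSP quantitative risk ones:
    SLE = AV * EF                  (single loss expectancy)
    ALE = SLE * ARO                (annualized loss expectancy)
    safeguard value = ALE_before - ALE_after - ACS
where ACS is the annual cost of the safeguard.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF, fraction of AV lost per occurrence (0..1)
    aro: float              # ARO, expected occurrences per year


@dataclass(frozen=True)
class Safeguard:
    name: str
    threat: str         # name of the threat this control addresses
    annual_cost: float  # ACS
    new_ef: float       # EF once the control is in place
    new_aro: float      # ARO once the control is in place


def sle(av: float, ef: float) -> float:
    """Single loss expectancy: value lost in one occurrence."""
    return av * ef


def ale(av: float, ef: float, aro: float) -> float:
    """Annualized loss expectancy: expected loss per year."""
    return sle(av, ef) * aro


def safeguard_value(t: Threat, s: Safeguard) -> float:
    """(ALE before) - (ALE after) - ACS. Negative means the control costs
    more per year than the risk it removes."""
    before = ale(t.asset_value, t.exposure_factor, t.aro)
    after = ale(t.asset_value, s.new_ef, s.new_aro)
    return before - after - s.annual_cost


def best_safeguards(threats: List[Threat], safeguards: List[Safeguard]
                    ) -> Dict[str, Tuple[Optional[str], float]]:
    """Per threat, the highest-value safeguard and its annual value.
    The safeguard name is None when no candidate has a positive value,
    i.e. accepting the risk is the cheaper option."""
    result: Dict[str, Tuple[Optional[str], float]] = {}
    for t in threats:
        scored = [(safeguard_value(t, s), s.name)
                  for s in safeguards if s.threat == t.name]
        if not scored:
            result[t.name] = (None, 0.0)
            continue
        value, name = max(scored)  # highest value wins; ties broken by name
        result[t.name] = (name if value > 0 else None, value)
    return result


# Constructed exam-style tables (not real data).
THREATS = [
    Threat("T1 ransomware on file server", 500_000, 0.40, 0.5),
    Threat("T2 data-center flood", 2_000_000, 0.25, 0.05),
    Threat("T3 laptop theft", 50_000, 1.00, 2.0),
]

SAFEGUARDS = [
    Safeguard("Offline backups", "T1 ransomware on file server", 20_000, 0.10, 0.5),
    Safeguard("EDR rollout", "T1 ransomware on file server", 60_000, 0.40, 0.1),
    Safeguard("Relocate data center", "T2 data-center flood", 150_000, 0.25, 0.005),
    Safeguard("Full-disk encryption", "T3 laptop theft", 5_000, 0.05, 2.0),
]


if __name__ == "__main__":
    for t in THREATS:
        print(f"{t.name}: SLE={sle(t.asset_value, t.exposure_factor):,.0f} "
              f"ALE={ale(t.asset_value, t.exposure_factor, t.aro):,.0f}")
    for threat, (choice, value) in best_safeguards(THREATS, SAFEGUARDS).items():
        print(f"{threat}: {choice or 'accept the risk'} (value {value:,.0f}/yr)")
```

With these constructed figures, offline backups beat the EDR rollout for T1 (55,000 vs 20,000 per year), relocating the data center for T2 has a value of −127,500 so the risk is accepted, and full-disk encryption for T3 is worth 90,000 per year. On the exam the same arithmetic is done by hand, so the thing to practise is keeping the three quantities (ALE before, ALE after, ACS) straight per threat rather than the multiplication itself.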


r/cissp 2d ago

Authentication protocols

4 Upvotes

I’ve noticed some QE questions are phrased in ways that mix networking and cryptography, and it makes me realize I’m still not fully strong in certain concepts. The tricky part is I can’t even pinpoint exactly where the confusion lies — it feels like I know it, but I don’t know it. Has anyone else felt the same?

Also, when we talk about authentication protocols, does that always mean network authentication or can it refer to other types as well?

I can’t believe my exam is just a few days away. At this point, the anxiety has turned into laughter 😅


r/cissp 3d ago

Passed CISSP at 100Q - First Attempt!!

53 Upvotes

Happy to announce that yesterday I passed the CISSP exam at 100 Questions at my first attempt. This sub really inspired me since I joined. The stories posted here both successful and unsuccessful ones got me adequately prepared.

I joined the 2025 FRSecure Mentor Program in April 2025 and watched Pete's CISSP CRAM Series on YouTube, as well as Destination Certification Mind Maps, for preparation. The mentorship program was gold as the team would provide real-world scenarios on how to apply the knowledge, and this was vital in those quirky exam questions. The mentorship program used the OSG which I had a copy as well.

The YouTube videos from Pete's CISSP CRAM series really focused on the most important topics, as the OSG is a massive book that can seem overwhelming.
The Mind Maps Videos from Destination Certification with Bob's easy learning techniques were really helpful as well.

I would say real-world experience is key. I have been a SysAdmin since 2014 and became IT Manager and Security Manager from 2018 so I could relate to a lot of information. I have also led ISMS initiatives, which is really CISSP simplified.

Finally, I would like to thank God for making it possible. Honestly, it is not an obvious pass. ISC2 makes it treacherous.


r/cissp 3d ago

Success Story Passed at 101 Q today

27 Upvotes

I’ve been a long-time lurker on this sub, and I want to thank this community for all the resources and success stories that helped me along the way. I have 10 years of experience in Government IT. I first took the test two years ago with the "peace of mind" voucher and unfortunately failed both attempts, largely due to not dedicating enough study time. My biggest struggle was shifting my mindset away from a hands-on, technical approach. I was used to fixing things, but I needed to adopt the "CISSP Management Mindset."

After those attempts, I continued to study off and on until this past April. At that point, I hunkered down and studied the entire Official Study Guide (9th Edition), completing the practice questions after each chapter. I also made physical flashcards for concepts or algorithms that I had a hard time memorizing. I even took a full week off from work just to focus on grasping the material.

About a month before my exam, I read Destination CISSP (1st Edition) from cover to cover along with the mind map videos. This book was a huge help in visualizing concepts and understanding them on a deeper level. Its concise nature was perfect for my final month of studying.

For practice questions, I used Quantum Exams, which really improved my reading comprehension and helped me identify the keywords that reveal what the question is truly asking. I also used the Pocket Prep and Learnzapp apps to drill down on the domains where I was weakest.

Pete Zerger's Exam Cram, Last Mile, and “How to Answer Difficult Questions” were essential resources as well, especially for the final hour.

Best of luck to everyone in the community who is still studying. Don’t give up!


r/cissp 3d ago

Clarification please Spoiler

8 Upvotes

Could someone help me understand why risk analysis is not right here? How do I determine when risk analysis is required or not?


r/cissp 3d ago

General Study Questions Is it PDCERL or DRMRRRL for incident response?

4 Upvotes

Does the CISSP want the incident response steps to be:

Preparation, Detection & Analysis, Containment, Eradication, Recovery, Lessons Learned

Or

Detect, Respond, Mitigate, Report, Remediate, Recover, Lessons Learned

I see multiple places teaching different steps. What is the CISSP aligned steps? This plays a major factor in answering questions based on which steps you follow.


r/cissp 3d ago

Success Story

11 Upvotes

Hey everyone,

Been a lurker on here, never posted. I wanted to share my experience.

I took the SANS CISSP prep course and the associated certification, GISP, back in July 2025 and passed. I wanted to take CISSP shortly after, but life got in the way. Just took the exam today and passed.

132 questions with 1 hour remaining. There were a couple of points during the test I doubted myself as others have pointed out.

The SANS course was sponsored by my employer. If I did not have this option, I would have not chosen this route due to the cost. There are paper quizzes at the end of each domain but nothing interactive or web based. In my preparation for CISSP, I did not refer back to the SANS material.

I instead used:

Pete Zerger's YouTube Videos - Exam Cram and 100 important topics

50 CISSP Practice Questions. Master the CISSP Mindset by Technical Institute of America

And I paid for one month of LearnZapp. My practice tests scores were fairly low, don't use this as a gauge on how you're doing. Instead, use it to identify your weak areas.

I have industry experience as a security architect and managing PSIRT.

Best of luck to everyone who is actively preparing, you can do this!


r/cissp 3d ago

Why isn’t "block the sender" the correct first step in this phishing incident response question? Spoiler

2 Upvotes

I am studying for CISSP, and preparing from QE. I initially chose "block the sender's email address", thinking it was the best immediate action to stop the spread. But the correct answer was "analyze the email to identify its origin."

The explanation says that blocking the sender is a reactive measure, and that we should first analyze the email to better understand the threat. But here's my confusion:

If the phishing email has already been sent and the incident is underway, isn’t it appropriate to take reactive steps at that point? Shouldn’t stopping the attack’s spread take priority before diving into analysis?

Would love to hear how others interpret this
(from chatgpt)


r/cissp 3d ago

I need someone to justify this answer in CISSP

1 Upvotes

So one of the questions in a YouTube video says:

Which of the following security assessment methods is most effective in finding unknown vulnerabilities that are not disclosed?

a) penetration test

b) code review

The video answer was penetration test, but I know that pentesters do the test using known tools and known vulnerabilities unless they are really good and explore weaknesses that are not yet exposed. On the other hand, code review tests the source code to seek weaknesses in how it is programmed, so most likely it will find weaknesses that are not disclosed. In fact most vulnerabilities are discovered this way, which makes it a better answer.

Please help me if I’m wrong.


r/cissp 4d ago

Study Material Questions Why is the answer D?

104 Upvotes

Hey everyone, thanks in advance for the help!

For this question I selected C - 2FA. The video I'm watching said the most effective one to be done first is D, develop a strict password policy. The way I read this was that I'm solving for unauthorized access first. The question also doesn't state that there isn't a policy in place already; if there were, people could still ignore it. 2FA to me seems to make the most sense to implement first, which would stop the unauthorized access. Then do a policy and then training.


r/cissp 3d ago

I really question the accuracy of QE practice mode

0 Upvotes

I understand that the developer of QE is here, and generally speaking the product is fine, but too many of the questions are not answerable. I've already posted a few, but aside from presenting me with subjects that I note to study further, too many questions are just worded so poorly they only serve to frustrate, confuse and de-motivate. Yet another example (edited for brevity):

A security practitioner just received notification from his IR team that unauthorized access to a system has been confirmed. The compromised account has been revoked and system isolated. What is the next step?

a) examine root cause to prevent future compromise

b) report situation to senior management

c) begin restoration of affected system

d) begin mitigation to contain the incident

Per QE, the correct answer is C.

1) The question says the system was compromised. Ignoring the order of IR, it does not say anything about data disruption. What's to restore?

2) Why would anyone begin restoration before they know the root cause has been resolved? You're just going to get compromised again.

Detection - done

Response - done

Mitigation - NOT YET DONE -- "Analyzing the incident, which includes understanding its cause. This understanding can then help clean the systems and implement security measures to protect against future incidents" (INFOSEC).

Reporting - TBD

RECOVERY - TBD


We can easily eliminate B. The use of the word "mitigate" in D was a poor choice, but this can be eliminated because, by context, it appears (and again, making a leap) that D means "Response". C makes no sense at this stage and is not the proper order. A is the next step and the only viable (and correct managerial) decision.

After that rant, I'm happy to issue a mea culpa if I missed something. I routinely hit 80-90% in other study materials, but have not broken 55% in QE (and am currently at 45%).


r/cissp 4d ago

Success Story Passed Today!

47 Upvotes

Materials Used: Only used Destination Certification materials (Masterclass, Book, App, Mind Map videos).

Experience: Have 8 years of IT experience, none solely security focused

Time Investment: Started studying May 27th, and rarely ever took a day off. Probably averaged about 1 hour per day while working full-time.

Overall thoughts -

One of the more difficult certs I have ever taken. Definitely didn’t feel as if I was performing well, but the test stopped after 100 questions nonetheless. I can’t really offer anything here that hasn’t been broken down more succinctly by others.

You need a comfortable working knowledge of all domains and to be able to find the right perspective relative to the question. Sometimes this was “Think like a CEO”, but there were a few items that I felt needed a perspective that was a bit more focused than that. I say that to say: don’t think that taking the 10,000-foot view on EVERY question is the proper method, but it is for the majority.

Godspeed everyone, you can do it, but you absolutely have to put in a good bit of effort!


r/cissp 4d ago

CISSP CERTIFICATION

0 Upvotes

What is the longest anyone has waited to hear back from ISC2 after submitting the application for certification?


r/cissp 4d ago

Need suggestions

3 Upvotes

It was my first non-CAT test on Quantum. Scored only 56. Feeling low. Please guide.