My CISSP Journey: Study Approach, Exam Day, and Lessons Learned

I passed the CISSP in late 2025. It was one of the hardest exams I’ve ever sat, and one of the most rewarding. Here’s how I approached it, what exam day was actually like, and what I’d do differently if I could go back.

Why the CISSP?

I’d been working in information security for a while and wanted a certification that reflected a broad understanding of the field rather than a narrow technical specialism. The CISSP felt like the right fit — it covers everything from risk management to software development security, and it’s widely recognised across the industry.

I won’t pretend the career benefits weren’t a factor either. The CISSP opens doors, and I wanted to make sure I wasn’t being overlooked for roles simply because I didn’t have those four letters after my name.

My Study Approach

I studied for about four months, mostly in the evenings and on weekends. Here’s what worked for me:

The official study guide was my foundation. I read the ISC2 Official Study Guide cover to cover, taking notes as I went. It’s dense and not exactly a page-turner, but it’s thorough. I treated it as my primary source of truth.

Destination Certification MindMap videos were a game-changer. Rob Witcher’s YouTube series breaks each domain down visually, which really helped me see how concepts connected across domains. I’d watch a video after finishing a chapter to reinforce what I’d read.

Practice exams taught me how to think. I used Boson practice exams extensively. The questions are tough — arguably tougher than the real exam — but the detailed explanations for every answer (right and wrong) were invaluable. I wasn’t just memorising facts; I was learning how to reason through scenarios.

“How to Think Like a Manager” shifted my mindset. Luke Ahmed’s book was the single most useful resource for understanding the CISSP’s approach to questions. The exam doesn’t just test what you know — it tests how you’d make decisions as a security leader. This book helped me stop thinking like a technician and start thinking like a manager.

What I’d Do Differently

If I could go back, I’d spend less time on the domains I was already comfortable with and more time on the ones that felt unfamiliar. I over-studied some areas out of comfort and under-studied others because they felt dry.

I’d also start doing practice exams earlier. I left them until the last month, but I think I’d have benefited from using them throughout the study period to identify weak spots sooner.

Exam Day

I won’t go into specifics about the questions — and you should be sceptical of anyone who does — but I can share what the experience was like.

The CAT (Computerised Adaptive Testing) format is disorienting at first. You can’t go back to previous questions, and the difficulty adjusts based on your responses. I finished at around 125 questions and genuinely had no idea whether I’d passed or failed.

The provisional pass screen at the end was one of the best moments of my professional life. I sat in my car in the test centre car park for about ten minutes just processing it.

Advice for Others

  • Don’t rush it. Give yourself enough time to study properly. Four to six months is realistic for most people with professional experience.
  • Understand, don’t memorise. The exam tests comprehension and judgement, not recall. If you find yourself memorising port numbers, you’re probably focusing on the wrong things.
  • Join a community. The r/cissp subreddit was genuinely helpful. Reading about other people’s experiences made me feel less alone in the process.
  • Trust the process. There will be days when you feel like you know nothing. That’s normal. Keep going.

The CISSP isn’t the end of the journey — I’m already studying for the CCSP — but it’s a meaningful milestone, and I’m glad I did it.