Preparation
I started preparing in January and took the exam in mid-March. So it took me about two months in total, with a few interruptions. I spent about an hour a day during the week and two hours at weekends. Some weeks I did nothing at all – but I didn’t let that stress me out.
My technical background allowed me to repeat familiar content instead of starting from scratch. Nevertheless, the exam was no walk in the park. It was crucial that I identified my weaknesses early on and worked on them systematically. I focussed on continuity rather than perfectionism – it was okay to skip a chapter from time to time.
Learning resources – what really helped
Destination Certification book
My main tool. Clear, well-structured, easy to read. Some simplifications (e.g., on digital signatures) are questionable, but overall a very good book. The balance between depth and comprehensibility is just right.
Destination Certification video course
Almost identical in content to the book, but helpful for structuring learning time. The book is sufficient for the budget-conscious. I like to use the videos as ‘light fare’ after work.
Destination Certification App
Free and useful for travelling. Not a substitute for other resources, but good for revision in between.
Official Study Guide
Dry, but strong in terms of content. I used it selectively for topics where I had weaknesses – e.g. legal framework conditions. If you persevere with it, you will be rewarded with depth of detail.
Official Practice Tests
Excellent for consolidating understanding. Not only the right answers, but also the wrong ones are explained. Very valuable for fine-tuning, especially in the final phase.
LearnZapp
Basically the official questions in app form – but saves a lot of time. Very efficient for $10 a month. I averaged 85%. My favourite tool for the last two weeks.
Tip: I did some of the tests in the bathtub. Sounds banal, but learning in a relaxed atmosphere works better.
Strategy
The key recommendation: ‘Think like a manager’ – not like a technician. This change of perspective was crucial. Thanks to my GRC experience, this was easy for me. I asked myself with every question: What makes strategic sense? What is politically viable? What can be documented?
My weaknesses lay in the area of memorisation – such as process steps in the right order. Mnemonic devices and acronyms helped me here, e.g. for the Cyber Kill Chain:
Really (Reconnaissance)
Wicked (Weaponization)
Dudes (Delivery)
Exploit (Exploitation)
Innocent (Installation)
Computers (Command & Control)
Arrogantly (Actions on Objectives)
I also built my own memory aids for other processes. The aim was always to understand the context – not just to memorise facts.
What didn’t work
Destination Certification Workbook
I printed out the entire workbook – a packet of paper and toner. After the first chapter, I abandoned it. Without an accompanying course, it lacked context. For me, it was inefficient.
Printed Q&A questions
I started with the official paper questions. Looking back, it was a waste of time. LearnZapp was faster, more convenient and more motivating. Digital tools are clearly superior here.
The day of the exam
I was calm and prepared. Nevertheless, a few notes on the Frankfurt test centre:
- Parking: Hardly possible above ground. Better to park in the hotel car park next door.
- Catering: No drinks or snacks. Drink enough beforehand.
- Procedure: Friendly but strict. ID and procedures take time – allow for a buffer.
The exam environment was pleasantly quiet, the lighting and technology were fine. No reason to be nervous.
The exam itself
I was expecting worse. The reminders from Destination Certification (‘read four times’, ‘block answers’) were exaggerated for me. If you stay calm and know the type of question, you’ll do fine.
It took me just under two hours. Some of the questions were tricky, but never incomprehensible or unfair. I found the CCDP exam eight years ago much more difficult.
It was crucial to understand the why behind the answers – and to always take the perspective of the responsible manager.
Conclusion – For whom is CISSP worthwhile?
If you already have technical understanding and GRC experience, the CISSP is not an insurmountable hurdle. It’s not about specialist knowledge, but about judgement and prioritisation.
My recommendations:
- Think like a decision-maker: technology plays a role – but from the perspective of responsibility and risk.
- Internalise the principles: Understand processes, not just their order.
- Stay pragmatic: You don’t need to know everything, but recognise what is relevant.
- Focus on structure: Processes, guidelines and formal procedures are often the right answer.
- Get to know the CISSP style: Questions have their own logic – practice specifically towards this.
My conclusion: The exam has its reputation, but those who learn in a structured and reflective way can pass it well.