Breaking Down the CISSP

My Background

Before diving into how I prepared for and passed the CISSP exam, I want to give a bit of context about my professional background and why I decided to pursue this certification in the first place.

I’m a software engineer with a strong focus on cloud, security, and DevOps. Over the years, I’ve built and secured cloud platforms across industries like banking, fintech, medtech, and consulting, always aiming to align business needs with technical solutions.

I first earned the Google Cloud Professional Cloud Architect certification to sharpen my ability to design scalable and compliant cloud systems that meet real business requirements. Later, I pursued the OSCP to understand offensive security: I strongly believe that to defend a system effectively, you need to understand how attackers work. OSCP also sharpened my skills with low-level tools like nmap and netcat, which turned out to be just as useful in operations and troubleshooting.

CISSP was the next logical step - a way to formalize my knowledge across the broader spectrum of information security, from governance to architecture, and prepare for more strategic roles in the future.

My Timeline: I Didn't Rush

I started casually exploring CISSP content in summer 2024. I took handwritten notes, watched Pete Zerger's YouTube videos, and compiled his PDF slides into a single, searchable document. I also dabbled in the Official Study Guide (OSG), but found it hard to digest, so I took a break.

In January 2025, I came back with a new strategy. I picked up Pete Zerger’s CISSP: The Last Mile book and bought the LearnZapp question bank.

My strategy was to read a domain in CISSP: The Last Mile, then drill the corresponding domain questions on LearnZapp. Whenever I made mistakes or didn't understand something, I searched the OSG and sometimes complemented with ChatGPT, to be sure I covered and understood all the concepts.

To reinforce memory, I created Google Slides with summary tables (e.g. fire suppression types, access control models) and used post-its on my wall to memorize acronyms like DREAD.

For practice, I used LearnZapp on desktop and even built a Chrome extension to speed things up: keyboard shortcuts to select answers, submit, and navigate.

I also listened to CISSP domain audio reviews during commutes to stay immersed.

By late March, I felt ready. I planned to book for mid-April, but the only available exam slot was April 2, or wait until mid-May. I didn’t want to keep drilling endlessly, so I booked April 2. Worst case, I’d retake after 30 days.

On March 28, I bought access to QuantumExam (known for tougher, realistic questions).

The questions were much harder than LearnZapp. Of course, it's important to know the content, but recall isn’t enough. Questions and answers are ambiguous; there may be multiple apparently good answers (or none), and that’s where a “think like a manager” logic needs to be developed. I did 5–6 mock exams over the weekend, then took a full rest day before the real thing.

Exam day: April 2. It was intense, more ambiguous than even QuantumExam. The exam ended at 100 questions (minimum cut-off). Then the instructor handed me the result paper... Passed!! A huge relief and a proud moment!

The final step was submitting work experience, endorsements, and documents. After 33 days, I received official CISSP certification. 🎉

Negotiating CISSP

One of the most important aspects of passing the CISSP is mindset. You’re not just learning facts - you’re learning to think like a security leader. Two videos that really helped shape my approach were Kelly Handerhan’s Why You Will Pass the CISSP and Pete Zerger’s Think Like a Manager.

Mindset & Strategy

CISSP questions are tricky, often vague or with multiple seemingly correct answers. Here's the mental framework I used:

  • Identify which part of the CIA triad (Confidentiality, Integrity, Availability) the question targets.

  • Eliminate the obviously wrong or overly technical answers.

  • People come first: safety and ethics usually outweigh purely technical concerns.

  • Think like a manager, not an engineer. Focus on risk, policy, and business impact.

Study Tactics

Understanding > Memorizing. The CISSP Official Study Guide (OSG) can feel overwhelming because it covers a massive breadth of topics without much depth. Instead of memorizing blindly, I leaned on ChatGPT to clarify concepts and explore edge cases. If something didn’t click, I asked questions until it did. Curiosity and persistence helped more than learning by heart.

The content is vast and interdisciplinary:

  • Cybersecurity is more than IT: it includes physical security, policies, law, and human factors.

  • You’ll learn about things you never expected, like fire suppression systems and their use cases.

It’s not about knowing everything. It’s about developing the right mindset to choose the best answer in context.

My Biggest Takeaway

The biggest lesson I took from preparing for the CISSP is how central risk management is to modern security and to business in general.

CISSP gave me a new mental model: you don’t fix everything; you identify, assess, and communicate risk. When you see something that feels wrong from a security perspective, you don’t have to fight it alone or burn out trying to fix it immediately. Instead:

  1. Document the risk

  2. Propose mitigation (if feasible)

  3. Escalate and get formal risk acceptance from senior management

Once the risk is acknowledged and accepted at the right level, you’ve done your part ethically and professionally. It’s a powerful shift in mindset: rather than being the lone engineer pushing for change, you become a trusted advisor helping the business make informed decisions.


Written by

Thibaut Tauveron

👋 Hi, I’m a cloud engineer and cybersecurity enthusiast based in Zürich. I’ve worn many hats over the years—developer, DevOps consultant, SRE, cloud architect—and what ties it all together is a passion for building secure, scalable systems that just work. I write about cloud infrastructure, DevSecOps, and anything that helps teams move faster without breaking things. I believe in automation, simplicity, and sharing knowledge—whether through blog posts, open source, or mentoring.