Lifelong learning - preparing for the CISSP

  • oliverluerssen7
  • Jul 10

In the professional world, we often talk about lifelong learning. That’s why people frequently ask about the next course, learning content, or certification that can help them move forward.

For me, the answer was to take on the Certified Information Systems Security Professional, or CISSP, from ISC2.

But that was my personal decision—everyone should first review the various providers and decide on the training content, certification, and format that suits them best.

From my point of view, an alternative would be the CISM from ISACA. In the end, it’s a personal choice.

For me, CISSP was the right mix of technical and management topics.

The scope of topics in CISSP includes:

  1. Security and Risk Management

    • Fundamental security principles

    • Compliance, legal, and regulatory issues

    • Security policies, standards, and guidelines

    • Risk analysis and management

    • Business Continuity & Disaster Recovery

    • Ethics (Code of Ethics – ISC²)

  2. Asset Security

    • Data classification

    • Ownership of information

    • Data protection and privacy laws

    • Protection mechanisms for information

  3. Security Architecture and Engineering

    • Security models and concepts

    • Secure design principles

    • Security architectures (e.g., Trusted Computing Base)

    • Basics of cryptography

    • Vulnerabilities in system components (hardware, software, cloud)

  4. Communication and Network Security

    • Network architectures (OSI, TCP/IP, etc.)

    • Secure network components

    • Firewalls, VPNs, IDS/IPS

    • Network attacks and countermeasures

  5. Identity and Access Management (IAM)

    • Authentication methods

    • Access control models (e.g., RBAC, ABAC)

    • Identity lifecycle management

    • Single sign-on, federation, MFA

  6. Security Assessment and Testing

    • Security assessments (e.g., penetration testing, vulnerability scans)

    • Security metrics

    • Continuous monitoring

    • Log reviews and audits

  7. Security Operations

    • Security incidents and incident response

    • Business continuity/disaster recovery in practice

    • Forensics

    • Logging, monitoring, SIEM

    • Physical security

  8. Software Development Security

    • Secure Software Development Lifecycle (SDLC)

    • Threats and vulnerabilities in software

    • Security controls in development processes

    • DevSecOps, code analysis


This covers a broad range of information security. A deep dive into each topic isn’t the goal here, but everyone has the opportunity to explore their "favorite topic" in more depth afterward.

Once I reached this point, I asked myself: which book do I need? Of course, there are endless recommendations online. So I started with the (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide, and I recommend ordering the Practice Test Book with it. Both books are available as a bundle.

Why the Practice Test Book right away?

It’s helpful to start with practice questions on each chapter or topic at the exam level—it helps measure your learning success. If too many answers are incorrect, you should go over that area again. It’s worth noting: this is not about rote memorization but understanding. The exam questions won’t be repeated word-for-word—unfortunately. 😉

Before you begin studying, I recommend thinking about how you’ll document your learning and take notes. It’s essential and saves time and stress.

In school, we took notes during lessons and then studied from them.

Many scientific studies say that handwritten notes are particularly good at supporting learning. I can confirm this—everyone must find their own method and workflow. Try different things—it’s worth it.

I tried many concepts: handwriting on the iPad, digital notes in Notion, and finally MindMaps, which is where I ended up.

But every new concept means a fresh start, a different structure, and a new workflow. So it’s best to think about it from the beginning and stick to one path—it saves time and effort.

I built my MindMaps so that the chapter is in the middle and the individual topics branch out like arms. By the end, I had 8 MindMaps.

I added more details and information as branches, meaning I could elaborate further in the notes. The MindMaps I created can also be reused for further study after certification.

Many MindMap tools have a helpful feature: you can tag individual notes or sections.

In my notes, I wrote down questions or unclear points that needed more research. That way, I didn’t have to interrupt my study flow for research. I could do that research in a separate session.

I used tags to mark important topics, open questions, or areas that needed deeper elaboration. This gave me the opportunity to refine topics later using additional resources—like the internet, forums, or books.

It’s often helpful to refer back to external sources after your initial study and clarify confusing areas.

Here’s a snippet of one of my MindMaps:
By collapsing branches, I could quiz myself, and then expand them again to check my answers.

Doing this regularly increased my retention and recall, which is very helpful for the exam.

Now there’s just one final question:

Should notes be written in German or English? This decision can greatly influence your learning success.

Writing in English helps you express yourself in the language of the exam. It avoids misunderstandings and builds confidence in phrasing.

German can support deeper understanding but comes with the risk of drifting away from the exam’s requirements.

English forces you to be precise and focused in your learning.

I chose to take notes in English to prepare optimally for the exam while improving my language skills at the same time. That’s a double benefit!


To anyone preparing for the CISSP exam, I’m wishing you the best of luck!

Responsible for content:

Oliver Lürssen