First off, don't be afraid of those posts of people saying they failed, the exam is not that difficult! However, you do need to look at many resources to learn the concepts in-depth. There were a few questions on the exam that left me stuck (most likely part of the 25 experimental questions they add which don't count toward your score) but many of the questions seemed easier than the post-assessment questions. I had no previous IT experience so if I can do it so can you!

Guide + Resources

1. Know A+ core 1 and Sec+ content. Watch Professor Messer on Youtube, specifically the network and security portion of the A+ objectives. This will give you foundational knowledge for this exam. If I did not have A+ knowledge it would have been VERY difficult to pass this exam. Look at Messers Sec+ videos to learn security topics more in-depth. Study and memorize the OSI model and TCP/IP as this will very likely be on the test.

2. Become a candidate here and get the free voucher + training. Use ISC2 Self-Paced Training. Do the pre-assessment, complete the self-paced training, and post-assessment. Write down all the topics you need to brush up on. Go back and brush up on them with the self-paced training. Retake the post-assessment until you're understanding a majority of the concepts. Take handwritten notes! It helps with memory.

3. Watch Mike Chapple on Linkedin. His course was a great overview of everything you need to know. Here are some notes I found for his course as well.

4. Get Thor Pedersen's Udemy course, skim through what you already know, and focus on learning your weak points in detail. I didn't finish his course because it is pretty long, but I highly recommend his course for learning topics in depth. Take his practice exams as well until you're understanding most of the concepts. Write down your weak points and target those by watching his videos again.

5. Get the Paulo Carrieria and Andree Miranda Udemy practice exams. Repeat the process. Find your weak points and target those in your studying. By this point, you should have learned plenty of additional concepts that are not in the self-paced training and fixed your weak points. These questions were the most accurate to what you'll see on the exam!

6. Watch Prabh Nair and Cloud Guru Amit's Youtube playlists. They have good questions and Prabh gives great explanations of concepts. Also, watch this CC summary video to know what topics to expect on the exam. Write these down and know them because almost everything he mentioned I had encountered on the exam.

7. Study this mindmap and memorize the exam outline domains. Be able to explain the concepts in depth like a teacher. You can type up chapter/concept summaries to test your knowledge and memory. I did this to remember the parts of the IR, BCP, DRP, and the OSI model.

8. Use these flashcards provided by ISC2. Know how to define the vocabulary in your own words. Make your own flashcards as well for your weak points.

9. Before the exam read over the ISC2 e-textbook. Seriously, the last-minute skim through the text saved me on a couple of specific questions.

10. I also recommend retaking the exams after studying the concepts in depth. I was first scoring ~80%-85%, and after studying weak points I was scoring 90%+. If you're reaching max improvement in your understanding of concepts you are ready to take the exam.

Know These Essential Topics:

- ISC2 Code of Ethics 4 Canons

- CIA triad, IAAA, privacy, non-repudiation, and what attacks/controls are associated with each.

- Know authentication types and what is associated with them. 1- Something you know, 2- Something you have, 3- Something you are. Know MFA and what authentication methods count as MFA (should be two or more distinct types of authentication)

- Governance: Regulations, Standards, Policies, Procedures, Guidelines. Know what is mandatory and not. Know who creates what. Know PII, PHI, HIPAA, PCI-DSS, and GDPR.

- Know ciphertext & plaintext, hashing, digital signatures, symmetric/asymmetric encryption, and public/private keys.

- All types of cyberattacks (watch professor messer sec+ videos for this). Know which part(s) of the CIA triad is compromised in the attacks. Know social engineering (phishing, spear phishing, whaling, smishing, vishing).

- Defense in Depth, Segregation of Duties, Least Privilege

- Access Controls (DAC, MAC, RBAC, ABAC) and their advantages/disadvantages

- Administrative, Technical, and especially your Physical controls.

- Preventative, Corrective, Detective, Detterent, Recovery, and Compensating control types

- Network Devices (Router, Switch, Firewall, IPS/IDS, NIDS/HIDS, SIEM/SOAR, CASB, VLAN, VPN, DMZ, NAC, Client, Server, etc.). Know IPV4 vs IPV6. Know to segment and isolate vulnerable IoT devices and what is microsegmentation.

- Memorize OSI Model, how many layers, and what protocols/devices are in each layer. Know what data is called in different layers (bits, frames, packets, segments). Know TCP/IP as well.

- IR (especially the steps), BCP, DRP what their purpose is, and what is in each of these. Know risk identification, assessment, and treatment (avoid, mitigate, transfer, accept).

- Hardening and Configuration Management, Patch Management, Change Management, and components in each.

- AUP, Password Policy, BYOD

- Data Lifecycle and Destruction methods. Know classification vs labeling. Data retention.

- Cloud models (IAAS, PAAS, SAAS), Cloud characteristics. Know what is a Public, Private, Hybrid, and Community cloud. Know what is an MSP. Know MOU/MOA and SLA.

- Hot, Warm, Cold, Sites. Data backup types (full, differential incremental), and how to create redundancy.

- Know the difference between environmental, natural, and manmade.

Hope this helped you out and good luck!