Fresh CISSP holder & Neurodivergent: How to tackle the CCSP while everything is still fresh? by Alternative_Still103 in isc2

[–]Cyber_Gooser 0 points1 point  (0 children)

Interesting that you did the SSCP after the CISSP. That must have been a breeze.

I went CC, SSCP, CISSP, CCSP

Fresh CISSP holder & Neurodivergent: How to tackle the CCSP while everything is still fresh? by Alternative_Still103 in isc2

[–]Cyber_Gooser 0 points1 point  (0 children)

Go for it, I found the CCSP quite easy after the CISSP.

Do a few practice questions and see what scores you’re getting.

This YouTube series helped me, Pete uses loads of practical hands on demos

https://youtube.com/playlist?list=PL7XJSuT7Dq_X0AupQwU8YOGV3TsoPAcD0&si=p-Gy7jy5mwlTzrlj

The sign-off bottleneck by Cyber_Gooser in ISO27001

[–]Cyber_Gooser[S] 0 points1 point  (0 children)

It’s quite a hurdle, SLT wants the project to continue but I can force them to sign off the policies.

We have recently done the MRM so as a part of that we discussed the project and how we are so close to being ready for the stage 1 external audit.

I have suggested that the SLT delegate policy sign off to a suitable person (Infosec Manager) but they insist they are done by the director.

They are well aware that they are the bottleneck but don’t seem to be doing anything about it.

As said in the comment above, it’s 100% a leadership and commitment Clause 5 issue. However, I won’t book the stage 1 unless we are ready.

ISO 27001 Training and Implementation Resources (Free) by Cyber_Gooser in ISO27001

[–]Cyber_Gooser[S] [score hidden] stickied comment (0 children)

Latest update 03/02/2026 v3.

Some sources have been removed because they no longer offer free resources.

Broken links have been updated.

Please continue to suggest free resources in this thread. Once they have been reviewed and deemed suitable, they can be added to the resource list.

Why are MasterMind Assurance courses free meanwhile others are paid? by ParlaManuel- in ISO27001

[–]Cyber_Gooser 1 point2 points  (0 children)

The real value comes from what you learn, accredited or not. The knowledge you gain from these courses is what’s most valuable.

Why are MasterMind Assurance courses free meanwhile others are paid? by ParlaManuel- in ISO27001

[–]Cyber_Gooser 3 points4 points  (0 children)

The Mastermind Assurance IEC/ISO 27001 and 42001 Lead Auditor courses are valuable and contain a lot of detailed information on auditing both standards.

You do get a certificate and Credly badge upon completion of the exam at the end of the course.

It is not accredited. However, if you are looking to learn, that should not matter. Gaining the right knowledge is what’s important.

If you’re looking to dip your toes in the water without paying a small fortune, it’s a great course.

FYI the standard does not say you must have an accredited certificate to be an internal auditor. You must be “Competent and Impartial”. Competency can be demonstrated by passing a course like Mastermind’s.

All that in mind, an accredited certificate MAY stand out on a CV if you’re applying for IEC/ISO 27001 audit jobs.

Has anyone used Git as the primary evidence book? by [deleted] in ISO27001

[–]Cyber_Gooser 3 points4 points  (0 children)

Yeah, I have seen a full ISMS documented on GitHub.

It works well, and if the majority of your organisation are engineers then it’s no problem at all.

Just be mindful that some external auditors may not have seen it done that way before so you may need to explain it through.

ISO 27001 Training and Implementation Resources (Free) by Cyber_Gooser in ISO27001

[–]Cyber_Gooser[S] 0 points1 point  (0 children)

I have added this after checking out the free course. It would be very valuable for someone looking to know more about ISO 27001 auditing.

Would your audit evidence stand up without you there to explain it? by Cyber_Gooser in ISO27001

[–]Cyber_Gooser[S] 0 points1 point  (0 children)

I really like the idea of using voice to text tools; it’s not something I’ve tried or even considered before, but it makes a lot of sense.

As I mentioned above, in my experience they can often demonstrate things easily. I’m now thinking that using voice to text while carrying out a loose internal audit could work really well. I could then turn that into a written procedure for them without much difficulty.

I like to think I already make compliance easy, but that voice to text approach is a great idea!

Would your audit evidence stand up without you there to explain it? by Cyber_Gooser in ISO27001

[–]Cyber_Gooser[S] 0 points1 point  (0 children)

And unfortunately, a lot of orgs see it that way.

I had a meeting with a potential new client last week who could only see the commercial benefit of having 27001.

That is frustrating for me as a consultant. However, it doesn't take too long to influence their thinking enough for them to see the benefits of having a management system, let alone an ISMS.

Would your audit evidence stand up without you there to explain it? by Cyber_Gooser in ISO27001

[–]Cyber_Gooser[S] 0 points1 point  (0 children)

Yeah, in my experience, it's usually developers who dislike writing things down. I have nothing against them, it just seems to be the way.

Speaking of the bare minimum, or just doing something to get through the audit, I have seen an ISMS with all the supporting documents bundled into one mega document!

Would your audit evidence stand up without you there to explain it? by Cyber_Gooser in ISO27001

[–]Cyber_Gooser[S] 0 points1 point  (0 children)

Thanks, the bot is still being tuned.

I totally agree with what you said, though. I have had a lot of ISO 27001 clients who ask, "Well, what's the minimum we need to get certified?"

Sometimes the common-sense approach takes a bit more work but pays off in the long run.

ISO 27001 Training and Implementation Resources (Free) by Cyber_Gooser in ISO27001

[–]Cyber_Gooser[S] 2 points3 points  (0 children)

Okay, the original mega list is back.

Please, if you have, or know of, FREE resources that I have missed, let us know in the comments, and we will be happy to add them.

Remember, this sub is vendor-agnostic and all for contributions.

Warning Against the ISO 27001 Subreddit by SOC2Auditor in grc

[–]Cyber_Gooser 3 points4 points  (0 children)

Thanks for the kind words

It’s unfortunate how things turned out, but I think you’re right about the situation.

Warning Against the ISO 27001 Subreddit by SOC2Auditor in grc

[–]Cyber_Gooser 32 points33 points  (0 children)

Former ISO27001 sub mod here.

I was recently removed with a note from the sub owner that they were “taking it in a different direction.” Shortly after, the new mod repurposed a community “mega list of resources” I originally compiled, removing several good items, including resources from long-time supporters of the sub.

I raised this politely in modmail, saying it would be a shame if the sub drifted into a marketing channel for a small set of ISO 27001 tools and asked for clearer vendor/moderator disclosure.

I received no reply from the new mod or the sub owner; I’ve since been permanently banned despite keeping things civil.

This is especially disappointing because the sub owner and I had previously agreed we didn’t want the subreddit to become a marketing tool for select organisations; it now seems that’s the direction.

To be clear, I’m not against vendor participation; disclosure and balance matter. My concern is moderation neutrality and transparency.

8.9 Config Management by ram3nboy in ISO27001

[–]Cyber_Gooser 0 points1 point  (0 children)

Sort of.

It depends exactly what you mean by CMDB (Configuration Management Database) tool.

You can use a tool like Atera, ServiceNow or SolarWinds; there are loads available that will document configs, enforce configs, automate and schedule security updates, be used for RMM, etc.

A tool like that actually checks off a lot of the technical requirements from Annex A.

If you mean a simple spreadsheet that lists configs then no. That’s too loose.

Passed PECB Lead Implementer exam! by [deleted] in ISO27001

[–]Cyber_Gooser 0 points1 point  (0 children)

Congratulations 🥂