I recently sat for the Certified Information Systems Security Professional (CISSP) exam. After 15 years in the industry full-time, and the last 6+ years in a dedicated security role, I figured I might as well take it. As with most industry certification exams, I can’t share specific details about the exam due to the non-disclosure agreement, but I can share some high-level thoughts and my own personal experience for others seeking this well-respected credential.
Note: The CISSP exam changes in length in April 2024, with the minimum and maximum exam question length decreasing by 25 questions and the maximum exam time decreasing by one (1) hour. These changes don’t substantively change my thoughts, but you will want to make adjustments for recommendations based on those criteria, e.g. when to take a break, and confirm details like the breakdown of operational vs unscored items during the minimum exam question length on ISC2’s site.
(Citation note: Facts and information on this page come from the ISC2 official website for CISSP, specifically their exam outline and exam technology pages. Given the amount of content repeatedly referenced from these two sources, you won’t see inline links beyond the first cite.)
The exam is hard…by design
In my opinion, there are a number of elements that, by design, make the CISSP exam hard. None of this should be surprising if you’ve read ISC2’s exam outline and exam technology description, but it does become apparent once you’ve sat for the exam.
Computerized Adaptive Testing (CAT)
You’re expected to get questions wrong on the exam.
The exam engine intentionally picks questions that, based on your prior questions and responses (i.e. how well you are performing relative to the difficulty of the questions), you are expected to only answer correctly 50% of the time. Future questions will adjust in difficulty to maintain that 50/50 split. This is why ISC2 recommends that you not focus on the difficulty of a question to gauge whether you’re passing or failing. The exam engine is attempting to assess, at a high level (95%) of confidence, your knowledge; part of that process involves serving up questions that many candidates fail to answer correctly.
You can’t revisit previous questions. Put on your blinders, answer, and move on.
Because of the CAT format, you can’t go back and change your answer on a previous question. There’s no point in second-guessing yourself after you hit the button to go to the next question. Take your time on the question at hand, lean on your knowledge and experience, use good test-taking practices (e.g. eliminate obviously-wrong answers, compare the content of answers to differentiate them), and then answer and move on.
Competency in your weakest domain is the fastest way to finish the exam.
What’s the easiest, fastest way to pass the exam? Demonstrating competency in all eight domains in 125 questions. How do you do that? Make sure you’re demonstrating competency in your weakest domain.
As the CAT page explains: “Candidates who pass the exam at 125 items have mastered enough concepts throughout all domains to prove proficiency. […] Candidates who exceed 125 items could be proficient in some domains, however, the presentation of additional items allows the candidate the opportunity to continue to prove proficiency in other domains so that they may achieve the minimal passing score.”
This is all to say: if your weakest domain meets the 95% confidence interval for the passing standard (more on this next), chances are you’re also passing in your stronger domains. Do that in the first 125 questions, and the exam will end in a pass.
Spend some time in exam prep identifying your weaker domains. You may need to run through some practice exams or flashcards that break down your results by domain to help, or you can self-assess using resources like the official study guide, which break down content by domain.
Understand the pass/fail rules.
The CAT page explains in a lengthy section how pass/fail is assessed. Your primary goal is to demonstrate competency in 75 operational questions — this is the confidence rule. As long as you hit the 95% confidence interval by question 125, the exam will end in a pass. Conversely, if you are well below proficiency in the first 75 operational questions, the exam will cut you off right then and there with a fail.
Your secondary goal, if you don’t get a pass after question 125, is to answer every question correctly from there on out to reach that 95% confidence interval. You won’t see any unscored questions that are freebies, so every remaining question counts for real. More importantly, you want to hit that confidence interval as quickly as possible to end the exam — before you reach 175 questions or run out of time.
If you can’t pass on the confidence interval rule and hit the end of the exam, your first 50 operational questions are thrown out under the maximum length rule. That’s because the exam engine only looks at the last 75 operational questions when scoring under this rule. (The first 125 questions are 50 unscored, 75 operational; questions 126 to 175 are all operational.) If your performance improves over the 175 questions, that can be enough to get you over the finish line. But if you struggle towards the end, you could find yourself moving below the passing standard.
If you run out of time, only the last 75 operational questions are scored. The worst thing you can do if the clock is ticking is to rush through the remaining questions and randomly pick answers. As with the maximum length rule, you’re working with a sliding window of 75 operational questions, so you’re better off focusing on educated guesses (quality) versus taking wild swings at more questions (quantity).
Unscored questions
40 percent of your first 125 questions won’t count. Don’t try to judge how well or poorly you’re doing for the first 125 questions.
The minimum exam length (prior to April 2024) is 125 questions, which includes 50 “pre-test” or “unscored” questions, and 75 operational questions. These unscored questions aren’t flagged or marked in any way, and are evaluated for use in a future version of the exam. That means you are going to see a lot of questions in the first part of the exam that don’t affect the outcome. Trying to ferret out these unscored questions isn’t worth your time. Treat all 125 questions as operational, but don’t get worked up if you see a question that seems wonky — it may well be unscored, so take a best guess and move on.
Every question after question 125 is a real, scored question.
Questions 126 through the end of the exam (up to question 175) are all operational questions. They are real; they are scored; they are all important to either hitting that 95% confidence interval or banking correct answers for the sliding window of 75 operational questions (which comes into play if you hit the exam maximums for questions or time). Remind yourself if you hit question 126: it’s time to put your head down and really get to work.
Breadth of content in exam domains
ISC2 explains the CISSP certification like this:
CISSP validates an information security professional’s deep technical and managerial knowledge and experience to effectively design, engineer, and manage the overall security posture of an organization.
“CISSP Certification Exam Outline Summary,” https://www.isc2.org/certifications/cissp/cissp-certification-exam-outline.
You have to demonstrate competency as an architect, engineer, and manager to obtain this certification. Simply working in a security operations center (SOC) or just being a product or project manager won’t give you the inherent domain knowledge to succeed on the exam. (That being said, you only need to demonstrate work experience in two of the eight CISSP domains to become a CISSP.)
Use the ISC2 CISSP official exam materials to understand how your work experience maps to the exam, and identify your strongest and weakest domain areas.
For me, I cover all of the domains in my work on a regular basis. When reading through the official study guide, I found that 80 to 90 percent of the content was already familiar to me. In some cases — as an example, the Bell-LaPadula and Biba models — I was familiar with the concepts but not the names. This meant that I could spend more time studying on a smaller percentage of the exam content, and lean on my work experience to cover me in areas like symmetric and asymmetric cryptography, Kerberos, and single sign-on technologies.
The exam values certain types of responses over others. Always focus on the context of the question.
If you look at third-party exam prep materials, many of them will remind you to wear certain “hats” or prioritize certain things when answering a question:
- The ISC2 Code of Ethics
- Human and life safety
- Managerial solutions vs. technical solutions
- Preventative actions vs. reactive actions
This comes into play particularly with questions that use modifiers like BEST, MOST, LEAST, etc. You may be offered an array of answers for a question: technical and non-technical; people-focused and technology-focused; policies and procedures. A huge part of the CISSP exam is reading comprehension and understanding the perspective of the question. If the question is framed in a life-safety context, you need to read the answers in that context, which means discounting answers that prioritize equipment or assets over people. Or, if the question is specifically seeking out a technical implementation, it’s unlikely the correct answer is one that implements a policy.
You should expect straightforward technical questions on the exam.
While the “think like a manager” mantra is frequently touted on various exam prep materials, it’s important to remember that the exam domains also cover technical knowledge. That means you need to be prepared to answer straightforward technical questions. For example, domain 3.6 covers cryptographic solutions. Do you understand the difference between symmetric and asymmetric encryption methods? What makes elliptic curve unique? Can you describe how public key infrastructure works and why it’s prevalent today? When would you use a digital signature? What are some common hashing algorithms, and which ones are deprecated because they’re no longer secure?
Test length
Getting to question 125 takes a while. If you get to question 126, take a break.
The minimum test length (prior to April 2024) is 125 questions. That’s the earliest you can get a pass/fail. It’s also the last point where you’ll see unscored questions. Chances are, if you’ve spent 45 to 60 seconds per question, you’re likely near or at the two-hour mark. That’s a long time to be sitting and staring at a screen.
Pause at question 126. Stretch your legs, use the restroom, take some deep breaths, relieve the eye strain.
Why take a break here? Every question going forward is scored. You want to terminate the exam (with a pass) as quickly as possible, and that means answering every question correctly to hit the 95% confidence interval. Use this as an opportunity to refocus. You do not want to go the full 175 questions or 4 hours if you don’t have to.
Scheduling can be hard
Sign up immediately as an ISC2 associate so you can view available exam dates.
When I felt ready to schedule my exam, my jaw dropped. The nearest Pearson VUE testing centers had three options: in five days; in eight days; and in one month. The following several months had no availability. (For context, I scheduled at the end of January 2024 and sat for the exam at the beginning of March. The exam format and content changes in April 2024, which may have affected exam availability.)
I was only able to look up available exam dates once I had registered as an ISC2 associate. There’s no downside to signing up on ISC2’s site, as you’re not committing to a date, and you’ll need to register anyway if you want to take any ISC2 exam or obtain a credential.
Pick an exam date and commit to it — once you’ve done some initial exam prep.
You can reschedule or cancel an exam, but it will cost you, and as I mentioned in the previous section, availability can be limited. And if you have to travel to a testing center, you have other associated costs on top of the exam and reschedule/cancel fees.
Having a scheduled exam date forces you to study and prep, even if that date is six or more months out. That can be a great motivator and give you a tangible goalpost to reach.
However, I would only schedule once you’ve done some initial exam prep — reading through resources like the official study guide, or going through at least one practice exam. The CISSP exam covers a lot of ground, and I would not recommend blindly committing to the exam fee without understanding where your current knowledge is, relative to the exam domains.
Studying can’t take the place of real-world experience
As I mentioned earlier, I’ve spent 15 years full-time in the industry. Throughout that entire time, security has been a portion of my job duties, and has been my full-time work for the past 6+ years. That means I’m well past the minimum qualification threshold for CISSP eligibility.
Real-world experience is a force multiplier for the exam.
If you scroll through the Internet, you’ll see people listing off resource after resource — flashcard apps, YouTube videos, e-books, practice exams. A popular social media site has post after post of exam candidates — pass and fail, to their credit — explaining how they prepped for the exam, along with their work background.
In my case? I used these over the course of two weeks:
As I read through the official study guide, I found myself already being familiar with 70 to 90 percent of the content. NIST SP 800-53 and NIST RMF? Check. The CIA triad? Check. BCP and DR? Check. Cryptography? Check. The flavors of 802.11? Check. Software development lifecycles? Check. And for all of this content, it’s not just about knowing the names and acronyms — it’s also about understanding the details underneath, and how they integrate into the bigger security puzzle.
That’s how I ended up booking an exam date one month out. After reading through the content covered in the eight exam domains, it was clear to me that I had the prior knowledge to pass, and just needed to do two things: 1) learn the remaining content that was unfamiliar to me, and 2) understand how the exam was designed and what it considered to be “correct” answers. Those two resources met my needs.
This is not just a technical exam
As mentioned earlier, this credential is focused on “deep technical and managerial knowledge” for the “overall security posture of an organization.” In other words, it’s not representative of an entry-level cyber security job. You can’t even apply to be a CISSP unless you have four (with waivers) or five years of “cumulative, full-time experience” in at least two of the exam domains. (ISC2 will let you sit for the exam without work experience; they just won’t let you claim the CISSP credential until you meet the work requirement.)
A huge element of the CISSP exam is reading comprehension.
The exam (and the credential) is not only about the ability to cite this technology term or this algorithm or this protocol. It’s about the application of technology in the broader framework of policies, laws, and conceptual architectures. Understanding the nuances of SAML is great, but how do you fit it into a broader IdAM strategy? What are the [legal] data privacy concerns if you implement SAML? Can you understand why your IAM team is pushing for funding to migrate applications from SAML to OIDC, and then articulate it in a manner that your CFO can understand? These questions go far beyond the technical realm, but they still require a fundamental understanding of the technology.
The CISSP credential is respected because it requires a significant amount of skill and knowledge to obtain. It’s a great goal for those working in the cyber security field, but keep in mind that it fills a specific spot in the field. Just as a great SOC analyst doesn’t need a CISSP to demonstrate competency in his job, a great senior director of IT security doesn’t need an AWS Certified Solutions Architect Professional credential to demonstrate competency in her job.
Parting thoughts
For anyone who’s preparing for the CISSP exam: I wish you the best of luck. It is not the kind of exam you can just walk into and ace; it requires a lot of hard work, whether through exam study or accumulation of knowledge from being in the industry. It’s a difficult credential to obtain, but if you do succeed, it’s a demonstration of both your technical and non-technical acumen. Display it proudly, but humbly; use it to the advancement of your career; and remember to give back to the technology field and help the next generation of cyber security practitioners.