I agree with j_M007,
Having sat the exam and passed, I can say it certainly was NOT what I expected. But the best advice I can give is this:
The exam isn't testing whether or not you read the material. The exam is testing whether or not you understand the material well enough that when presented with a scenario, if you are the person who is in charge of a security department, you can answer "what is the best way to solve this?" The fundamentals of the material are what you draw upon as knowledge to weigh each of the answers. It would be rare in life that a study book, like Sybex or Shon Harris would be used as a reference for a real world experience decision. (Can you imagine breaking out the ISC2 green book during a board meeting to look something up?) Instead, these should be informational values that you use to weigh all of your options.
I know, this seems lofty as advice, especially when looking from a perspective of what to do next. Here is an example:
Let's say we are talking about cars, and you are taking an exam to manage a race shop.
Should you know fuel octanes, burn rates, piston throw distances, specs for materials, etc? Sure. But knowing that information is just a way to make informed decisions on the BEST way to solve problems that are likely to arise in your career. Knowing both WHAT and WHY you know these things, how they fit together and how that information is used to solve the overall problem is the key here.
I hope that helps.
Spot on, Kevin. Book learning may get you through the door. Real-world experience is what will help you the most. Slowing down and thinking the question through.
Passed this week.
I found a site which has around 250 questions that prep you for the exam and far more difficult than the exam questions, and they really helped me to think like a manager. There are also some good core concept videos.
The site owner is also a CISSP in good standing, and was very responsive on queries. Really helped me.
Message me if you want details.
Yes, I only took it 4 months ago, and the way the questions are written is utterly confusing, if not garble.
To make matters worse, if the question is straightforward, then the answers are complete garble just as well.
I made a post on an unofficial forum about 4 months ago on the same subject and I was surprised to find folk defending the lousy exam format and boorish design of it.
I just graduated from university and spent a total of 2 months prepping for the exam, and I used the official Sybex text and the last two practice exams. Because my focus was in cybersecurity, I had the luxury of reading the Sybex text three times.
I think the important thing to highlight for all would be that the practice exams and Sybex text questions are only meant to be used as practice and not meant as a one-to-one mapping for the real deal as far as exam format goes.
Believe me, I was just as upset to find that the real exam was nearly 98% multiple-choice while the practice exams had other question types.
The conclusion that I came to as to why they made the exam so horrid is that they didn't want people remembering what the exam held---meaning, they didn't want people giving away questions/answers on sites like this.
It's a logical provision, but it isn't the best, IMO. I don't think it's fair for experts who have no knowledge of test design and reading comprehension among a wide audience of test-takers of varying levels to devise an exam that would only make sense to the people who made it.
The argument then becomes that if they made the exam to be a replica of the practice exams, that everyone would pass and therefore diminish the value of the exam/certification.
My argument is that they can keep their lousy formulated question/answer format, but simply change the question types so that it isn't straight MC and self-doubt throughout the entirety of the exam. Have a heart—we're human too. We have limits to how much we can receive the same thing.
I won't say the exam didn't throw me a freebie, 'cause I did get one, but that was one out of 80-something questions that were pure hell.
The exam makers seem like sadistic egoists who solely enjoy the suffering of those to come simply because their previous generation did the same to them.
Break the cycle and reap the benefit of a legacy worth being recognized for.
Simply making the exam as confusing as possible because the LANGUAGE lets you do so doesn't mean your exam is difficult, it means you're cheating by making the properties of the exam difficult. There's a difference.
The first thing I would recommend to the board or whoever manages the exams' development would be to hire people who actually know how to write an exam. I'm tired of seeing people constantly complain about something that obviously cheapens the legitimacy of an unruly expensive exam. 😠
Exam questions are written by current CISSPs. After you pass, you can apply to participate in the question development process, just like the rest of us. (ISC)² does follow a rigorous process that "grades the test itself" and retires questions that are not predictive of success.
The exam is designed to ensure that this statement applies to you:
The CISSP is ideal for experienced security practitioners, managers and executives interested in proving their knowledge across a wide array of security practices and principles, including those in the following positions.... [reference]
Over 130,000 CISSPs have taken and passed the exam. I am one of them. Personally, I found the exam quite easy and passed in well under half the allotted time. I credit this to the fact that I greatly exceeded the experience requirement (both in longevity and breadth) at the time I sat for the exam.