Showing results for 
Show  only  | Search instead for 
Did you mean: 
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Newcomer II

CISSP Failed Exam 11/2018 ***Passed. 12/2018***

I wanted to share an experience about the CISSP exam I’d recently taken, and I'd like to receive exam beneficial feedback. In short, I had failed. In the last 6 weeks, I had clocked over 216 hours of concentrated study. Here’s what I had accomplished:


1) Read the entire CBK 4th edition cover to cover


2) Memorized all the questions and answers in the CBK (why the right are right and why the wrong are wrong)


2) Watched an entire CISSP video training series on Safaribooksonline… twice


3) Memorized all of the practice questions in the video series (why the right are right and why the wrong are wrong)


4) Read the Shon Harris book


5) Memorized the Shon Harris book “Quick Tips” portion of each domain


6) Memorized all the questions and answers in that book (why the right are right and why the wrong are wrong)


In effect, between these three resources, the facts, and I use that word specifically, were all in 100% alignment. In fact, in my last week, I basically reread through all the material in skim fashion and learned nearly nothing new. In my mind, I was 110% confident and ready for the exam ( counted over 500+ test questions memorized from multiple sources!). 


The exam.


I’m going to be as literal as possible, and try my best not to exaggerate my anecdotal figures. Within the first 10 - 15 questions, I already knew there was no way I felt like I was going to pass if the question format kept going the way it was. It was as if though the exam came from a completely different set of material. At the 150th question, I concluded that all that I’d studied was about 80% irrelevant. I’d say 70% or more of the questions were “What is the BEST…,” “What is the MOST likely…,” and “What is the MOST important…” In effect, all the FACTS I’d learned, studied, and committed to memory were completely useless with regard to passing the exam.  


Erroneous terms which are not even in the CBK were used in questions. THIS IS UNFAIR TEST PRACTICE. The test felt nothing like what a CISSP exam is supposed to be. In fact, If I had luckily passed the exam, I’d feel slightly undignified in that there's an entire bank of CISSP information in my head that was never even used. I would have been shocked if I did pass, given the questions. I would have thought, "How did I pass this thing anyway? Sheer luck? My knowledge on CISSP was barely touched..."


This is the part that really killed me; fact-based questions. Cold hard facts that you read in the book that I filled my notebook with never appeared on the test. Questions that I should have gotten 100% right because the answers are binary (either is or isn’t correct) were no where to be seen. The way I felt was that this test was not fact-based, it was subjective-opinion based. When I read questions that were almost fact based, there were answers I was expecting to see, and was ready to select. They oddly didn't appear, and I was sitting there with my arms crossed and head tilted to the side wondering, "What on earth are they expecting me to answer? The answer is "X" and it's not on the list!!!"




Even if I had the CBK to reference on the test, it would have done me no good. The questions and answers to the test were not reference worthy. The mark of a good test is that the questions have to have a correct answer that is attributable to official study material. PERIOD. Otherwise, you're just making things up, and the test is whether or not I can read someone's mind and see the world as they do. That's just wrong.  


I don’t know what to feel at this point. I felt so confident, and I was completely shot down, and down $700 with not a thing to show for it. I feel scammed. The sad thing, is that I love IT and cyber security. I’ve been doing it in my career over 15 years. Truthfully, when I started the CBK study, I’d say a solid 60-70% of the material in the book I already knew just from doing it as my job. There was no reason I should have failed this. This cert wasn’t supposed to help me really improve my career as much as it was supposed to validate all that I’d already done.


This is not my first professional grade certification! I am TOGAF 9, PMP, and CompTIA Security + certified. CISSP is the worst test I've ever taken in my life!


Frankly, I don’t even know how to study for this test anymore. How does one study for questions like “BEST, MOST likely, MOST important thing to do…” I want APPROVED material that contains the answer to EVERY possible question that test has for me. If i cannot trace back a test question to a direct answer in a book, then the question needs to be thrown out. Period. You're testing my knowledge on facts written in a book. ISC2 does not have the right to just take someone's money for a certification that is suggested to represent the knowledge found in their CBK and totally rick-roll you into a test with questions that have nothing to do with the CBK official test material. If you have ANY advice to give me, I’d be happy to take it. I still want this cert.


(If you are not a test taker post April 2018, then I don't think I want your opinions or words in this forum as it's probably irrelevant. I want help from someone who has passed it after this date, and the correct material I need to study for the exam. The ISC2 CISSP CBK, Shon Harris book, and the latest Sybex book, which I am reading now, is regurgitating all the information I already know, and KNOW FOR A FACT is not on the test.)

101 Replies
Newcomer III

How was your results by modules? What is the total count of modules with 'Below' result? If the result for most of modules was at least 'Near' or even better 'Above' it is good result already. Maybe some description from this topic can be helpful for you I also failed my CISSP CAT exam on the first attempt, but result is acceptable for me and I am working on filling my gaps. I also read books and watched tutorials, but do not forget to put this knowledge into the real life situations. Practice + CBK (and other sources) + improved practice is the best teacher on your way to CISSP.

Newcomer II

Thanks for the response and encouraging words. I got 4 Below proficient, 3 Near proficient, and 1 Highly proficient. To be honest, I know my response sounded like I am being a sore loser, but that isn't the case. I'm just furious. I can take failure. I actually failed my PMP exam the first time. I was arrogant and took the exam after I finished my MS in IT Project Management. I actually almost passed. However, their questions were so PMBOK related (rightfully so), that I wasn't able to pass. I failed, and I deserved it. I learned, and I retook it months later and blew it out of the water. No problem. I wasn't going to make the same mistake twice. This time, I actually studied the test material, as stated in my OP. I was expecting to pass the same way I passed on my previous exams. I study the facts, and I pass with flying colors. That's how this is supposed to work. Whether or not the questions are scenario based is irrelevant. If you know the facts, you can apply facts to the scenarios, and the answers should be SCREAMING at you, "PICK ME! I'M RIGHT!" The words of test are actively trying to deceive you.


For this failure of a test, I am suddenly thrown curveballs, one after another, where the test doesn't even cover the approved material, but instead asks all sorts of questions that have nothing to do with CISSP as a practice. Given how bad the test was, I would have actually felt bad if I did pass, and certainly sorry for the next person that had to take it. I would have to literally "wish them the best of luck" because they would absolutely need it.

Newcomer II

I am certain many agree with you as I do. I recently passed the CISSP using 2 study guides in the last 5 years(Shon Harris and 2014 edition ISC Official Study Guide). Upon completing the test, I had a similar feeling where I could not confidently say I passed due to having to choose between the "best" answers. I took a couple years off after reading thru Shon Harris twice because honestly I felt the load of information you were to memorize did not make you a better security practitioner. After switching jobs and working for a corp that heavily focused on Information Protection, I picked up the ISC Official Study Guide where the level of material felt more appropriate in my opinion. My approach was very similar to you in that I could no longer take any test questions because I understood each question and answer(right or wrong). After the first 25 questions, I realized the question format was no where similar to any of the study materials. I threw out my approach of attempting to answer questions without analyzing each and every answer more than once. Fortunately for me, I have quite a bit of experience in the domains which probably saved me. I have never been a great test taker and this was absolutely the most difficult for me. Hope others chime in with feedback on approaching the test.

Viewer III

I could not agree with you more in regards to this is the worst way to test someone knowledge I have ever seen. I have now taken this exam twice May 2018 (failed) and November 2018 (failed, but greatly improved compared to my first failure). What is the BEST and what is the MOST Likely with horribly cryptic multiple choice answers was very hard to decipher. If anyone figures out the best way to study for this exam please let me know. Otherwise don't waste your time with any of the study guides out there. ISC2 is just looking to take your money for their book as well, as what it tells you to study for will not be seen in the exam!
Viewer II



You failed twice, once in May and in November.


Was your May exam the older style and November the new style?



Viewer II

I studied like you but did the legacy exam..

The exam was nothing like what I expected and just difficult. Nothing looked familiar and the questions were so strange and unusual, I couldn't recall any of them after the exam.

Be optimistic with your next attempt and believe you will pass. Good luck!
Newcomer III

I'm sorry to hear that but I do think CISSP is valuable to the industry. I've been in the IT industry for 20+ years and passed the exam this June by following the CISSP Certification Exam Outline and studying Official (ISC)² CISSP Study Guide (Sybex 7th), materials from the suggested references and NIST SP 800 guidelines. Besides that, I read and study comprehensively.

Business in nature is dynamic with a variety of risks. We find no formula just like one in Math that guarantees any enterprise to succeed in doing business. IMHO, I consider the exam emphasizes not only on facts but also how to apply concepts, knowledge, principles, good practices, standards, and experience to solve business problems. The CBK is a good foundation to start with; there are, however, lots of materials to learn. It would be helpful to read the suggested references enlisted in the official materials and from the ISC2. I would also suggest you do more practice questions to validate your knowledge.

Last but not least, as CISSP is a management test based on solid technical understanding, pls think in depth about the security function/role in business, corporate governance, risk management, compliance, personnel and outsourcing processes and management systems.

I hope this helps. Keep going and good luck!

Best regards,
Newcomer II



My case was different, I read the Sybex book, CISSP for Dummies, 11th hours for CISSP and All-In-One CISSP twice on each one of them.


Question & Answers Sybex app on the phone about 50 questions daily and try to understand why the questions is like that and also the answer. I didn't memorize, you must understand the why of this question & it answer.


You have mentioned that you memorized the content of the book which from my point of view is not recommendable, the recomendation is to understand the concept of each topic, yes I know, for encryption or OSI layers, and others topics you must memorize the concept, however, you also must to now situation and applicability of these topics, and CISSP exam is oriented toward manageral capability for implementing this topics on the real life. i.e. Questions and answers are focused on managerial point of view, rather than technical point of view.


But, the questions & answers are builded based on real scenarios where a managers must demonstrate their abilities to solve these problems.


When I did my CISSP exam, I have passed at the first attempt and also when I finished the exam, I had 1 hour and 10 minutes to review it but I didn't do it.




Community Champion

I passed the Thursday night (last week in March of '18)  before the change over. Very recent but not the newest material.  I really don't think that the small change in the material is a factor.  


I had read enough blogs to quickly surmise the same that you experienced.  The practice exams NEVER come close to what you will experience in the real exam.  My logic was to NOT do any practice exams. None.  I would very slowly and methodically read the material and then formulate real world situations where I would have to make a decision as a manager to task technical resources under me and then translate that situation to the CXO level above me.  There are many other very smart people in this blog that recommend practice exams like Boson.  


I watched the Cybrary.IT series from Kelly Handerhan for CISSP.   Again, I watched it first time to get a feel for the entire content of what she was presenting. Second viewing my finger was on the pause button a lot to do the same as in my reading-formulate scenarios, blah blah blah.


Those words you picked up on are key-Most, likely, etc. because it's not about facts. It's about applying sound practice to situations at that moment.  Other keywords are those that are absolutes-"All" is a perfect example.  There is NOTHING absolute in the CISSP world.  One question I had 3 of the answers had the word All in it. I choose the 4th and moved on. Never even read the question. And yes, I read the "answers" before I read the question. And while we are on the topic of words a lot of the questions are written poorly by design.  My opinion is they are trying to emulate a situation where a staff member comes to you in a panic about some disaster (think a data spill from one classification level to another to frame it up) and is trying to communicate the issue to you while their heart rate and BP are all off the charts.  You have to wade through the "noise" of bad language to get to the meat of the situation.

What I did may work for you and may not. It's just one example of many study plans that I have seen that have had good results.  


Don't give up. Don't berate yourself.  You have "Dr" as part of your name. If you have a doctorate then you know how to analyze and make corrections based on the results of that analysis. You can do this.