I wanted to share an experience about the CISSP exam I'd recently taken, and I'd like to receive beneficial exam feedback. In short, I had failed. In the last 6 weeks, I had clocked over 216 hours of concentrated study. Here's what I had accomplished:
1) Read the entire CBK 4th edition cover to cover
2) Memorized all the questions and answers in the CBK (why the right are right and why the wrong are wrong)
3) Watched an entire CISSP video training series on Safaribooksonline… twice
4) Memorized all of the practice questions in the video series (why the right are right and why the wrong are wrong)
5) Read the Shon Harris book
6) Memorized the Shon Harris book "Quick Tips" portion of each domain
7) Memorized all the questions and answers in that book (why the right are right and why the wrong are wrong)
In effect, between these three resources, the facts, and I use that word specifically, were all in 100% alignment. In fact, in my last week, I basically reread all the material in skim fashion and learned nearly nothing new. In my mind, I was 110% confident and ready for the exam (I counted over 500+ test questions memorized from multiple sources!).
I'm going to be as literal as possible, and try my best not to exaggerate my anecdotal figures. Within the first 10 - 15 questions, I already knew there was no way I felt like I was going to pass if the question format kept going the way it was. It was as though the exam came from a completely different set of material. At the 150th question, I concluded that all that I'd studied was about 80% irrelevant. I'd say 70% or more of the questions were "What is the BEST…," "What is the MOST likely…," and "What is the MOST important…" In effect, all the FACTS I'd learned, studied, and committed to memory were completely useless with regard to passing the exam.
Erroneous terms which are not even in the CBK were used in questions. THIS IS UNFAIR TEST PRACTICE. The test felt nothing like what a CISSP exam is supposed to be. In fact, if I had luckily passed the exam, I'd feel slightly undignified in that there's an entire bank of CISSP information in my head that was never even used. I would have been shocked if I did pass, given the questions. I would have thought, "How did I pass this thing anyway? Sheer luck? My knowledge on CISSP was barely touched..."
This is the part that really killed me: fact-based questions. Cold hard facts that you read in the book, that I filled my notebook with, never appeared on the test. Questions that I should have gotten 100% right because the answers are binary (either is or isn't correct) were nowhere to be seen. The way I felt was that this test was not fact-based, it was subjective-opinion based. When I read questions that were almost fact based, there were answers I was expecting to see, and was ready to select. They oddly didn't appear, and I was sitting there with my arms crossed and head tilted to the side wondering, "What on earth are they expecting me to answer? The answer is 'X' and it's not on the list!!!"
THIS TEST IS DESIGNED TO FAIL YOU.
Even if I had the CBK to reference on the test, it would have done me no good. The questions and answers to the test were not reference worthy. The mark of a good test is that the questions have to have a correct answer that is attributable to official study material. PERIOD. Otherwise, you're just making things up, and the test is whether or not I can read someone's mind and see the world as they do. That's just wrong.
I don't know what to feel at this point. I felt so confident, and I was completely shot down, and down $700 with not a thing to show for it. I feel scammed. The sad thing is that I love IT and cyber security. I've been doing it in my career for over 15 years. Truthfully, when I started the CBK study, I'd say a solid 60-70% of the material in the book I already knew just from doing it as my job. There was no reason I should have failed this. This cert wasn't supposed to help me really improve my career as much as it was supposed to validate all that I'd already done.
This is not my first professional grade certification! I am TOGAF 9, PMP, and CompTIA Security+ certified. CISSP is the worst test I've ever taken in my life!
Frankly, I don't even know how to study for this test anymore. How does one study for questions like "BEST, MOST likely, MOST important thing to do…"? I want APPROVED material that contains the answer to EVERY possible question that test has for me. If I cannot trace back a test question to a direct answer in a book, then the question needs to be thrown out. Period. You're testing my knowledge on facts written in a book. ISC2 does not have the right to just take someone's money for a certification that is suggested to represent the knowledge found in their CBK and totally rick-roll you into a test with questions that have nothing to do with the CBK official test material. If you have ANY advice to give me, I'd be happy to take it. I still want this cert.
(If you are not a test taker post April 2018, then I don't think I want your opinions or words in this forum as it's probably irrelevant. I want help from someone who has passed it after this date, and the correct material I need to study for the exam. The ISC2 CISSP CBK, Shon Harris book, and the latest Sybex book, which I am reading now, are regurgitating all the information I already know, and KNOW FOR A FACT is not on the test.)
Plenty of great feedback in this thread for helping those who are trying to reach the goal. A couple of observations based on this and other threads prior to passing the CISSP myself.
1. Frustrated test takers seem to have a similar point of view: study guide test questions are not helpful and significant content is not tested. Are there any recommended guides out there which can assist and improve test takers' techniques with the (MOST, BEST, etc.) questions in relation to the CISSP material? These may not even be CISSP guides, but this would be my first recommendation to someone who is taking the test. Test-taking skills, just like being a polite human, need to be taught and practiced.
2. For those that truly do not have the in-depth experience they thought they had, is there an official path they should start with? If you search Google for passing the CISSP, you will receive a ton of different answers. As I stated in my earlier reply, I was able to pass the CISSP with Shon Harris 6th edition and ISC Study Guide 7th edition only because I was confident my experience level would speak to every domain. Note that simply working for 20 years in any field does not make someone more experienced (leaving it at that).
If these two questions can be answered with more certainty, I believe it will remove some noise, simply because the cost is significant to many, and honestly I do not understand why there is not at least 1 retry attempt without cost. Again, I may be off base here based on my recommended study search, as I only used 2 self-study resources and experience, so please share your thoughts.
I passed my CISSP exam back around the end of June. I've also held the Security+ certification. From my experience both exams are very different. There is a reason even CompTIA itself positions CISSP as an "expert" level certification and Security+ only has "Intermediate" on the IT certification road map: the depth and breadth of the knowledge domains they cover are different.
Was the exam difficult? Definitely! But personally I feel it's the right exam for CISSP. It's not just about memorizing the terminology or content, it's also about understanding and being able to apply the knowledge to different situations and a threat landscape that's constantly changing. So picking the best choice as the answer for the question is very fitting, and realistic. Can't have one shoe fit them all. As CISSPs, we are supposed to know the terminology and content. What's an IPS? What's a web proxy? What's change management? What's a WAF? That's not the objective of the exam. In real life, a customer/audience/manager would ask you: What is the BEST way to protect the environment? What is the MOST important item to work on this quarter/fiscal year? If we do not have these technologies, what will MOST likely happen? Can't tell them: sorry, it's not in the CBK~
The study method that works for me is to ask/learn from others: Without much programming background, I asked my colleague who is a developer about SSDLC and that helped me understand the chapter; With no prior knowledge in audit, I sat through one and asked the auditor questions regarding the process; I attended cybersecurity conferences and meetings to reinforce knowledge areas that I'm not familiar with. I took the opportunity to ask speakers additional questions to help me understand the concepts. All I can say is work experience helps, and there is a reason people form study groups. I read only one book, and watched the training modules on Pluralsight. But the experience and ideas I learned from my colleagues contributed more to my passing the exam.
Hope you find the study method that works for you.
The CISSP exam is no joke! I passed the legacy version in 2015. I studied like crazy for months. I credit my passing the exam not just to studying hard but also to my experience working in the industry.
Also, the thing which helped me the most in passing this exam was PERSPECTIVE - the questions must be answered from the perspective of a CISSP answering the questions using the knowledge from the CBK.
I hope you will take the exam again (and soon).