I wanted to share an experience about the CISSP exam I’d recently taken, and I'd like to receive exam beneficial feedback. In short, I had failed. In the last 6 weeks, I had clocked over 216 hours of concentrated study. Here’s what I had accomplished:
1) Read the entire CBK 4th edition cover to cover
2) Memorized all the questions and answers in the CBK (why the right are right and why the wrong are wrong)
2) Watched an entire CISSP video training series on Safaribooksonline… twice
3) Memorized all of the practice questions in the video series (why the right are right and why the wrong are wrong)
4) Read the Shon Harris book
5) Memorized the Shon Harris book “Quick Tips” portion of each domain
6) Memorized all the questions and answers in that book (why the right are right and why the wrong are wrong)
In effect, between these three resources, the facts, and I use that word specifically, were all in 100% alignment. In fact, in my last week, I basically reread through all the material in skim fashion and learned nearly nothing new. In my mind, I was 110% confident and ready for the exam ( counted over 500+ test questions memorized from multiple sources!).
I’m going to be as literal as possible, and try my best not to exaggerate my anecdotal figures. Within the first 10 - 15 questions, I already knew there was no way I felt like I was going to pass if the question format kept going the way it was. It was as if though the exam came from a completely different set of material. At the 150th question, I concluded that all that I’d studied was about 80% irrelevant. I’d say 70% or more of the questions were “What is the BEST…,” “What is the MOST likely…,” and “What is the MOST important…” In effect, all the FACTS I’d learned, studied, and committed to memory were completely useless with regard to passing the exam.
Erroneous terms which are not even in the CBK were used in questions. THIS IS UNFAIR TEST PRACTICE. The test felt nothing like what a CISSP exam is supposed to be. In fact, If I had luckily passed the exam, I’d feel slightly undignified in that there's an entire bank of CISSP information in my head that was never even used. I would have been shocked if I did pass, given the questions. I would have thought, "How did I pass this thing anyway? Sheer luck? My knowledge on CISSP was barely touched..."
This is the part that really killed me; fact-based questions. Cold hard facts that you read in the book that I filled my notebook with never appeared on the test. Questions that I should have gotten 100% right because the answers are binary (either is or isn’t correct) were no where to be seen. The way I felt was that this test was not fact-based, it was subjective-opinion based. When I read questions that were almost fact based, there were answers I was expecting to see, and was ready to select. They oddly didn't appear, and I was sitting there with my arms crossed and head tilted to the side wondering, "What on earth are they expecting me to answer? The answer is "X" and it's not on the list!!!"
THIS TEST IS DESIGNED TO FAIL YOU.
Even if I had the CBK to reference on the test, it would have done me no good. The questions and answers to the test were not reference worthy. The mark of a good test is that the questions have to have a correct answer that is attributable to official study material. PERIOD. Otherwise, you're just making things up, and the test is whether or not I can read someone's mind and see the world as they do. That's just wrong.
I don’t know what to feel at this point. I felt so confident, and I was completely shot down, and down $700 with not a thing to show for it. I feel scammed. The sad thing, is that I love IT and cyber security. I’ve been doing it in my career over 15 years. Truthfully, when I started the CBK study, I’d say a solid 60-70% of the material in the book I already knew just from doing it as my job. There was no reason I should have failed this. This cert wasn’t supposed to help me really improve my career as much as it was supposed to validate all that I’d already done.
This is not my first professional grade certification! I am TOGAF 9, PMP, and CompTIA Security + certified. CISSP is the worst test I've ever taken in my life!
Frankly, I don’t even know how to study for this test anymore. How does one study for questions like “BEST, MOST likely, MOST important thing to do…” I want APPROVED material that contains the answer to EVERY possible question that test has for me. If i cannot trace back a test question to a direct answer in a book, then the question needs to be thrown out. Period. You're testing my knowledge on facts written in a book. ISC2 does not have the right to just take someone's money for a certification that is suggested to represent the knowledge found in their CBK and totally rick-roll you into a test with questions that have nothing to do with the CBK official test material. If you have ANY advice to give me, I’d be happy to take it. I still want this cert.
(If you are not a test taker post April 2018, then I don't think I want your opinions or words in this forum as it's probably irrelevant. I want help from someone who has passed it after this date, and the correct material I need to study for the exam. The ISC2 CISSP CBK, Shon Harris book, and the latest Sybex book, which I am reading now, is regurgitating all the information I already know, and KNOW FOR A FACT is not on the test.)
Congratulations! Not for passing the exam, which is a great achievement, but for sticking with it. Since you have successfully completed it, the following comments are not necessarily of value to you, but hopefully other candidates may find something useful in them.
As others have noted, the CISSP is not for the technician or engineer - although many of them have earned it - it is for the leadership that makes the risk-based business decisions about how and when to apply certain aspects of security. In management the right answer is often elusive, and the wrong answer may be costly. Although we can learn from our own mistakes, and those made by others, the right answer may not be found in any textbook or practice question. A person who is able to process a number of variables, and decide what is "best," or offers the "most" security in a given situation, is not necessarily going to arrive at a binary answer - it is often a judgement call.
It's too bad that "wearing the CEO hat" wasn't emphasized in your preparation. Ben Malisow, an (ISC)2 instructor and industry thought leader, reminds his students not to "buy a $10 lock for a $5 bike." The $10 lock might be the most secure, but is it the "best" choice to protect the $5 asset? The security guy might want the $10 lock, but the owner of the bike (the CEO) might not see the value in it.
It's a bit harsh, and severely limits the candidate pool for this certification, but I believe that the experience requirements are insufficient. Instead of 5 years in at least two of the domains, I believe a candidate should have considerable experience in all of the domains. I have approximately 40 years of overall experience, including my military service and career in law enforcement, with additional experience as a coder, network engineer, firewall engineer, as well as project management, Agile, ITIL, and CMMI, so taking the test was fast and easy, although it was the most difficult I'd taken at that point in time.
Prior to that, the PMP was the most difficult exam. For me, the Lean Six Sigma Blackbelt (after I'd earned my CISSP) was a challenge, as I am not strong in math, and my formal education stopped when I left home as a teenager. However, I only sat for the certification exams after many years of proficiency in all of the above areas. I only sat for the CISSP in March of 2017, after decades of experience. Likewise, I've been neck-deep in cloud security for about 8 years, but just took the CCSP exam in October, the endorsement is still ongoing, so I can't claim the certification yet. Again, the CCSP test was easy, because the questions are similar to ones that I'm called upon to answer every day.
For anyone thinking of taking, or retaking, the test, if you don't have the experience to give you 100% confidence to answer a sufficient number of questions correctly, you might want hold off and spend some more time working in the field.
I failed my first attempt as well. During my first attempt in Nov of 2017 I can tell you for certain that I did not have a complete understanding of CIA and how it applied across the CBK's. I studied for a year and eventually started to understand how CIA was interwoven in all aspects of information tech security. From the technical aspects of cryptography to artful use in project management, the exam and the interwoven concepts of CIA cover a very broad spectrum of concepts and implementation techniques.
On my second attempt in Oct of 2018, I passed the exam and I believe having a deep understanding of CIA is what did it for me. I felt I understood the convoluted questions significantly more on the second attempt, even though their obscurity of the point made the questions just as difficult to understand.
I am glad to hear you passed. I failed my first attempt on December 18th. After the exam I read your post and was screaming inside "I feel exatly the same way". Frustrated and feeling tricked. My study efforts at this point are very simular to yours. Since you have now passed the exam, will you please provide me with some additional insight. I am confused as to which resources to use and how.
For study and preparation, kindly consider a reply I posted in the thread Mentor Needed.
There's nothing more frustrating than failing an exam. I prepared for about 4.5 months taking a very rigorous class that was pretty expensive. I managed to pass on the first attempt, but it definitely felt like the actual test was nowhere near the test questions I received or studied. I even took a CAT style exam in my preparation process as part of this course and the questions actually asked were worded very differently. In an effort to trip up candidates and make sure that their question pool is protected, I felt they masked their question pool by changing the language of the test. I found it really difficult and was asked all 150 questions, after which I was certain I failed. I scored proficient in all the domains in a simulated exam prior to taking the real thing and it was like walking in and taking a different certification exam altogether.
Don't give up, and know that what you've studied is part of the test. But you have to have extremely high reading comprehension in the language you take the test in. There is a specific way to approach the exam questions other than just reading them and answering based off the answers given. I won't say more than that- review how you approached the questions and refine your next attempt based off that.
Congratulations on passing the exam and thank you for sharing your frustrations.