I wanted to share an experience about the CISSP exam I’d recently taken, and I'd like to receive exam beneficial feedback. In short, I had failed. In the last 6 weeks, I had clocked over 216 hours of concentrated study. Here’s what I had accomplished:
1) Read the entire CBK 4th edition cover to cover
2) Memorized all the questions and answers in the CBK (why the right are right and why the wrong are wrong)
3) Watched an entire CISSP video training series on Safaribooksonline… twice
4) Memorized all of the practice questions in the video series (why the right are right and why the wrong are wrong)
5) Read the Shon Harris book
6) Memorized the Shon Harris book “Quick Tips” portion of each domain
7) Memorized all the questions and answers in that book (why the right are right and why the wrong are wrong)
In effect, between these three resources, the facts, and I use that word specifically, were all in 100% alignment. In fact, in my last week, I basically reread all the material in skim fashion and learned nearly nothing new. In my mind, I was 110% confident and ready for the exam (I counted over 500+ test questions memorized from multiple sources!).
The exam.
I’m going to be as literal as possible, and try my best not to exaggerate my anecdotal figures. Within the first 10 - 15 questions, I already knew there was no way I felt like I was going to pass if the question format kept going the way it was. It was as though the exam came from a completely different set of material. At the 150th question, I concluded that all that I’d studied was about 80% irrelevant. I’d say 70% or more of the questions were “What is the BEST…,” “What is the MOST likely…,” and “What is the MOST important…” In effect, all the FACTS I’d learned, studied, and committed to memory were completely useless with regard to passing the exam.
Erroneous terms which are not even in the CBK were used in questions. THIS IS UNFAIR TEST PRACTICE. The test felt nothing like what a CISSP exam is supposed to be. In fact, if I had luckily passed the exam, I’d feel slightly undignified in that there's an entire bank of CISSP information in my head that was never even used. I would have been shocked if I did pass, given the questions. I would have thought, "How did I pass this thing anyway? Sheer luck? My knowledge on CISSP was barely touched..."
This is the part that really killed me: fact-based questions. Cold hard facts that you read in the book, that I filled my notebook with, never appeared on the test. Questions that I should have gotten 100% right because the answers are binary (either is or isn’t correct) were nowhere to be seen. The way I felt was that this test was not fact-based, it was subjective-opinion-based. When I read questions that were almost fact-based, there were answers I was expecting to see, and was ready to select. They oddly didn't appear, and I was sitting there with my arms crossed and head tilted to the side wondering, "What on earth are they expecting me to answer? The answer is 'X' and it's not on the list!!!"
THIS TEST IS DESIGNED TO FAIL YOU.
Even if I had the CBK to reference on the test, it would have done me no good. The questions and answers to the test were not reference worthy. The mark of a good test is that the questions have to have a correct answer that is attributable to official study material. PERIOD. Otherwise, you're just making things up, and the test is whether or not I can read someone's mind and see the world as they do. That's just wrong.
I don’t know what to feel at this point. I felt so confident, and I was completely shot down, and down $700 with not a thing to show for it. I feel scammed. The sad thing is that I love IT and cyber security. I’ve been doing it in my career for over 15 years. Truthfully, when I started the CBK study, I’d say a solid 60-70% of the material in the book I already knew just from doing it as my job. There was no reason I should have failed this. This cert wasn’t supposed to help me really improve my career as much as it was supposed to validate all that I’d already done.
This is not my first professional grade certification! I am TOGAF 9, PMP, and CompTIA Security+ certified. CISSP is the worst test I've ever taken in my life!
Frankly, I don’t even know how to study for this test anymore. How does one study for questions like “BEST, MOST likely, MOST important thing to do…”? I want APPROVED material that contains the answer to EVERY possible question that test has for me. If I cannot trace back a test question to a direct answer in a book, then the question needs to be thrown out. Period. You're testing my knowledge on facts written in a book. ISC2 does not have the right to just take someone's money for a certification that is suggested to represent the knowledge found in their CBK and totally rick-roll you into a test with questions that have nothing to do with the CBK official test material. If you have ANY advice to give me, I’d be happy to take it. I still want this cert.
(If you are not a test taker post April 2018, then I don't think I want your opinions or words in this forum as it's probably irrelevant. I want help from someone who has passed it after this date, and the correct material I need to study for the exam. The ISC2 CISSP CBK, Shon Harris book, and the latest Sybex book, which I am reading now, are regurgitating all the information I already know, and KNOW FOR A FACT is not on the test.)
Hey there,
I know your frustration. This test is not designed to test your technical knowledge. There is no practice test that will help you with what you will take. Take your engineer or technical hat off. Throw it completely out the window. It will not help. Think like a manager. A manager does not know the technical. They care about the business and risk. Basic concepts. DO NOT READ MORE THAN ONE BOOK. Why? All the books contain the same material but talk about it in a different way. So why read more? Always eliminate two answers. Always. You will see questions that have nothing related to the terms in the book. Think sensibly. Grammatical mistakes will be everywhere. Who cares. Understand what they are asking. This is a psychological exam. All the answers will look the same. Take the question for what it is asking. You understand if you are an engineer because you are in a different mindset. This is normal. Think like a manager; think like a lawyer.
I have to say that while there was very little correlation between information available in books and the exam (for me it was an old style, 5.5 hr experience), it was still well worth it.
The prerequisites are referring to years of practical experience in multiple domains, which I had. Most of the questions were answered strictly by relying on experience and logic.
Even with 20 years of experience in the field, I've spent about 6 months studying the materials and, when encountering something that I felt deserved more attention, looking for external resources for deep dives into the subjects.
I cannot agree more with your post and sentiments. I have lodged a complaint having had the exact same experience. I have spent hundreds of hours, and practised thousands of questions, and I would say 80% of what I learnt is not on the exam. I work in cyber and have 25 years of experience in high level IT. I used the official ISC2 study guide and practice questions, videos, 11th Hour study guide, CISSP For Dummies and the Shon Harris book, but all useless as the questions bore no resemblance to what is published.
Like you I may sound bitter, but I'm just annoyed and feel the exam is very unfair and bears no resemblance to what is published and what I studied. Not even a hint of a leading question, vague reference and replacement words, ambiguous and simply awful.
I won't be wasting my time or money again. I will go with another qualification body.
@Dr_C_Lace wrote:I wanted to share an experience about the CISSP exam I’d recently taken, and I'd like to receive exam beneficial feedback. In short, I had failed. In the last 6 weeks, I had clocked over 216 hours of concentrated study.
You've already had a lot of feedback. I'd just add, simply, that in my experience when I took the test (granted in 2004, but I've kept abreast of its evolution), I felt it was designed to evaluate three things - in order of priority:
I think the issue is many certifications are designed in the reverse. If you spend a couple of hours memorizing some facts, you can get yourself certified as anything from an SEO expert to a robotics integrator. Welcome to the gig economy. The CISSP, ideally, is a bit different. As others have said, you have to think like a manager. You don't need to know the specific checklist of how to secure an OS, but you need to know that there is a checklist and how to construct a process that ensures the checklist is followed.
As of 12/21/2018, there are 131,000+ CISSPs that have all passed the exam, so there is definite proof that passing is possible.
I concur with @JoePete that something seems to be missing and it is probably not the book-knowledge. After all, the studies you report are comparable to those described by most posters, both those who have passed and those who have failed.
Since you claim experience, that leaves "think like a manager". By this, we do not mean somebody who supervises people; we are referring to mid- to upper-management -- those responsible for setting strategic direction and making million-dollar risk decisions.
If you are looking for a "study and pass" cert, you might check out Security+. The studying you did for CISSP will give you a huge head-start on that cert.
@EmmaJakeJames wrote: I cannot agree more with your post and sentiments. I have lodged a complaint having had the exact same experience. I have spent hundreds of hours, and practised thousands of questions, and I would say 80% of what I learnt is not on the exam. I work in cyber and have 25 years of experience in high level IT. I used the official ISC2 study guide and practice questions, videos, 11th Hour study guide, CISSP For Dummies and the Shon Harris book, but all useless as the questions bore no resemblance to what is published.
Like you I may sound bitter, but I'm just annoyed and feel the exam is very unfair and bears no resemblance to what is published and what I studied. Not even a hint of a leading question, vague reference and replacement words, ambiguous and simply awful.
I won't be wasting my time or money again. I will go with another qualification body.
I have been in IT since '83. I have owned several successful IT consulting companies. Designed and built solutions for DoD and helped two large Federal agencies transition from User ID and Password to PIV cards. I had only pursued the Security+ exam, as a universally recognized cert, in my entire career. I blew that test away. My current role required the CISSP cert. Fine, I can nail that too! LOL I took a boot camp course, read all the books, and crunched thousands of questions, many with the instructor after class was officially over, for another 1.5 to 2 hours a night for 6 days. I didn't do badly on the test, but I didn't pass. I audited the course again, requested a different instructor, and I added Kelly Handerhan's video series found at Cybrary.IT. The second instructor never reviewed one question with the class the whole 6 days. That made me think. I realized that no question on the exam REMOTELY read/performed/seemed like any question I had encountered during my preparation.
It's. Not. About. Questions.
I know a few on here will argue with me that practice questions are a good resource. That's fine. We will agree to disagree. I think that if you are trying to get the questions answered correctly, you are thinking more about the question than you are the material. On my second review of the material, I never practiced one question. On my next test attempt, I was finished in under 2 hours at 100 questions.
In real life, when a crisis arises and you are in that authority role, someone will run up to you and exclaim that the building is on fire! Because of adrenaline, fear, exhaustion, and misfiring synapses this person may not use the most grammatically correct wording. You have to sort through the emotions, physical issues and the crisis to make a decision, act on it and escalate it to upper management. This is CISSP to me. This is why their questions are not grammatically correct. They want to see how you can sort through the NOISE and get to the crux of the issue, determine a plan and execute.
Maybe this will help you. Maybe it won't. I wish you the best either way.
@EmmaJakeJames wrote:
If you can tell me where it says in the ISC2 promotional material that you need to not bother reading the expensive content, not really bother attending the expensive courses they have charged me a lot of money for & I have invested hundreds of hours studying this & many other books I purchased.
It does seem as of late there are more complaints about the exam and its quality - but then again, for a long time, there wasn't much of a forum like this. Bear in mind that a certain number of questions on each exam are experimental - confusing or "wrong" questions may end up there, but you're not being graded on them.
I don't see (ISC)2 as forcing or even cajoling people into spending a lot of money on study materials. That said, there is a lot of money in the test and test-prep industry today - just like there is a lot of money in the security industry. However, quality is a different story in both regards, and for that reason, probably like a lot of folks here, I've developed a selective blindness toward marketing material. My study experience - granted it was 15 years ago - was I'd sit down with the (ISC)2 Official Study Guide - it probably cost me $75 - and sip a Newcastle Nut Brown Ale. Some nights it would be two Newcastles, but that would be my cut-off. I didn't want to be reading (or drinking) too much in any one night. I probably ended up spending as much on beer as I did on the book, but neither was a sizable investment in time or money. What the guide affirmed was that my experience and intuition developed over the preceding 10-15 years wasn't too far off. I do vividly recall having to learn machine-state models (Bell-LaPadula, Biba) - that may have been a three Newcastle night.
I'll also say that my preceding work experience had been pretty broad - networking, databases, programming, systems - but it also included non-tech sectors. I think the typical tech employee, certainly at the time but still today, works much more in a silo. If it hadn't been for that broad experience, the exam would have been more daunting. My advice is less study, more experience in the domains you may be unfamiliar with. Build a database application, take part in a risk analysis, write a policy, etc.