I wanted to share an experience about the CISSP exam I’d recently taken, and I'd like to receive exam beneficial feedback. In short, I had failed. In the last 6 weeks, I had clocked over 216 hours of concentrated study. Here’s what I had accomplished:
1) Read the entire CBK 4th edition cover to cover
2) Memorized all the questions and answers in the CBK (why the right are right and why the wrong are wrong)
2) Watched an entire CISSP video training series on Safaribooksonline… twice
3) Memorized all of the practice questions in the video series (why the right are right and why the wrong are wrong)
4) Read the Shon Harris book
5) Memorized the Shon Harris book “Quick Tips” portion of each domain
6) Memorized all the questions and answers in that book (why the right are right and why the wrong are wrong)
In effect, between these three resources, the facts, and I use that word specifically, were all in 100% alignment. In fact, in my last week, I basically reread through all the material in skim fashion and learned nearly nothing new. In my mind, I was 110% confident and ready for the exam ( counted over 500+ test questions memorized from multiple sources!).
I’m going to be as literal as possible, and try my best not to exaggerate my anecdotal figures. Within the first 10 - 15 questions, I already knew there was no way I felt like I was going to pass if the question format kept going the way it was. It was as if though the exam came from a completely different set of material. At the 150th question, I concluded that all that I’d studied was about 80% irrelevant. I’d say 70% or more of the questions were “What is the BEST…,” “What is the MOST likely…,” and “What is the MOST important…” In effect, all the FACTS I’d learned, studied, and committed to memory were completely useless with regard to passing the exam.
Erroneous terms which are not even in the CBK were used in questions. THIS IS UNFAIR TEST PRACTICE. The test felt nothing like what a CISSP exam is supposed to be. In fact, If I had luckily passed the exam, I’d feel slightly undignified in that there's an entire bank of CISSP information in my head that was never even used. I would have been shocked if I did pass, given the questions. I would have thought, "How did I pass this thing anyway? Sheer luck? My knowledge on CISSP was barely touched..."
This is the part that really killed me; fact-based questions. Cold hard facts that you read in the book that I filled my notebook with never appeared on the test. Questions that I should have gotten 100% right because the answers are binary (either is or isn’t correct) were no where to be seen. The way I felt was that this test was not fact-based, it was subjective-opinion based. When I read questions that were almost fact based, there were answers I was expecting to see, and was ready to select. They oddly didn't appear, and I was sitting there with my arms crossed and head tilted to the side wondering, "What on earth are they expecting me to answer? The answer is "X" and it's not on the list!!!"
THIS TEST IS DESIGNED TO FAIL YOU.
Even if I had the CBK to reference on the test, it would have done me no good. The questions and answers to the test were not reference worthy. The mark of a good test is that the questions have to have a correct answer that is attributable to official study material. PERIOD. Otherwise, you're just making things up, and the test is whether or not I can read someone's mind and see the world as they do. That's just wrong.
I don’t know what to feel at this point. I felt so confident, and I was completely shot down, and down $700 with not a thing to show for it. I feel scammed. The sad thing, is that I love IT and cyber security. I’ve been doing it in my career over 15 years. Truthfully, when I started the CBK study, I’d say a solid 60-70% of the material in the book I already knew just from doing it as my job. There was no reason I should have failed this. This cert wasn’t supposed to help me really improve my career as much as it was supposed to validate all that I’d already done.
This is not my first professional grade certification! I am TOGAF 9, PMP, and CompTIA Security + certified. CISSP is the worst test I've ever taken in my life!
Frankly, I don’t even know how to study for this test anymore. How does one study for questions like “BEST, MOST likely, MOST important thing to do…” I want APPROVED material that contains the answer to EVERY possible question that test has for me. If i cannot trace back a test question to a direct answer in a book, then the question needs to be thrown out. Period. You're testing my knowledge on facts written in a book. ISC2 does not have the right to just take someone's money for a certification that is suggested to represent the knowledge found in their CBK and totally rick-roll you into a test with questions that have nothing to do with the CBK official test material. If you have ANY advice to give me, I’d be happy to take it. I still want this cert.
(If you are not a test taker post April 2018, then I don't think I want your opinions or words in this forum as it's probably irrelevant. I want help from someone who has passed it after this date, and the correct material I need to study for the exam. The ISC2 CISSP CBK, Shon Harris book, and the latest Sybex book, which I am reading now, is regurgitating all the information I already know, and KNOW FOR A FACT is not on the test.)
If official books, official prep questions, and boot camps are no good, what options do I have? I failed on my first attempt and continue to use what resources are available. However, I still feel lost as to how I can prepare for the test. I am in search of good advice.
My advice for anyone is rather than trying to study a particular domain, experience it. I think that is the key to the CISSP - it's not supposed to be a test-prep type of test (sure, a cottage industry has popped up to sell you just that). It is supposed to measure experience. If you have never done a business impact analysis, for example, you can study the definition of one, but until you have actually gone through the process of evaluating dozens of scenarios and their impact on an inventory or service, you'll probably not have the ability to know-out an exam question. Whatever domain you are weak in, try to get some experience (work, volunteer, etc.) in that area.
Thanks for the advice. If you read my original post, though, I actually already said I had a CompTIA Security +. I also said in later posts that I retook the exam and passed. I also gave some quick tips on how to actually pass. I also stated that the exam had to be taken, failed, and then evaluated. I mentioned failing the exam once as being part of the exam process; only because there is no material that exists that prepares you for this test; at least that I know of. It is a bit of an underhanded exam, that opinion of it has not changed; justify it how you will.
Anyway, it matters no more. I have the certification, and I am using it to its fullest extent. I am currently working on a disaster recovery plan, an encryption architecture approach, and an architecture approach to extending our existing architecture to the cloud; all of which are CISSP related activity. So, whatever; things we have to do and the price we have to pay just to be trusted to do work we already know how to do.
You should edit your original post with an update in big letters stating that you eventually passed otherwise you will continue to get advice from people in the future. No one will skim through the pages to find out that you actually passed. Unless you like receiving these type of "advice" posts then sure 🙂
First of all, congrats on clearing the exam, @Dr_C_Lace; as @Spoon2k said, it would be really helpful if you updated your original post to add that you passed at your next attempt, else others who just see the first few posts in the thread are likely to abandon their quest.
@Flyslinger2, I can relate to part of what you went through. Prior to the CISSP, I had taken certifications like the CompTIA Security+, MSCE: Security, CCNA: Security, and ITIL Foundation, wherein my usual strategy would be to prepare with reading materials, videos, and simulators / emulators if applicable --- for some months before an exam --- and then try some practice questions shortly before the exam.
It always worked for me until I tried the CISSP --- and flunking it was definitely a blow.
Anyways, I concluded that a lack of experience might have been responsible --- even though my earlier posts did involve elements of IT Security, they weren't dedicated to it. Unfortunately, garnering the needed experience wasn't a immediate option as I'd resigned shortly before the exam, so there wasn't much else to do but turn to practice questions.
When I retook --- & cleared --- the exam, only a fraction of the questions I encountered matched those practiced with, so it's clear that one can't bank on practice questions alone. Experience has a major part to play in this...
Just wanted you to know I failed the exam two days ago. I failed miserably!!!!
My background: I've been working in this industry close to 40 years. I'm a former ArpaNet Engineer.
If you don't know what the ArpaNet is/was or who my former employer was (BBN, Bolt Beranek and Newman) You shouldn't be in this industry. I'm a former Lead from Bay Networks (Nortel Networks) IP Services and Security Group. My Title today is Computer Scientist. And Yes I failed!
I studied on my own, went to the Boot Camp (56 hours last week), I read the 11th Hour cover to cover, did the ISC2 Official Practice Test, and YES, I FAILED! Oh by the way we even found mistakes in the class material.
The Test stopped at 101 questions, it mostly asked, “What is the BEST…,” “What is the MOST likely…,” and “What is the MOST important…”, the format of those questions never saw any of the practice questions we did in class. I was told "the more technical you are the less likely you are to pass this test on the first try" (or second try). The paper that was printed out at the end of the exam was NOT Domain specific on the improvements I needed to work on. I'm going to be 62 this year and the only reason why I'm doing this is because my company asked. I hold numerous certs in other IT area's in fact too many to list last one being Security+.
I should have the right to see the questions and answers to the test that I submitted to, not only to mention the throw away questions that were inserted in the test. This is a GAFF! What was taught in Class was mostly a Technical review and basically nothing to do with the actual test. Yes, I'm not happy I failed.
My former Manager is a Physicist by trade. New nothing about IT and still claims to know nothing about IT but passed this exam. Go figure!
I'm tired, going back to the drawing board, regrouping, taking another worthless class, has anybody found anything I could study that was even close to being on the test?
Have a, What is the BEST…,” “What is the MOST likely…,” and “What is the MOST important…Day!
Sorry to hear about the exam result. I myself have seen many folks with little experience have passed the exam and experienced couldn't, i myself can't really understand the logic behind this. But what I have seen is that answering the questions in the exam is kind of a trick, i.e. read the questions very carefully and see what they are emphasizing on.
I myself used to think completely technically but often found that I got carried away with quick thinking. Any practice exam/dumps will not match with actual exam questions. The practice questions help you in time management and refreshing domain knowledge.
If you spend sometime and rethink about how questions were framed and how did you choose the answer then it will help you in identifying the 1 or 2 mistakes that you made in selecting the most accurate response.
Take a break and then start preparing. I did CISSP in January, 2014 when they had made changes to the format of the questions, during the exam I thought I may not pass it because the questions were nothing like the cure dumps that I had practiced, till I got the printout stating that I passed I was not at all sure to make it.
I wish you good luck and hope that you will pass in the next attempt.