Viewer II

CISSP Dilution

Dear ISC2,


I hope you're well aware of the pass rate for the new CAT format. It has sky-rocketed. Comparing the reddit/facebook/techexamforums posts, it's clearly apparent that more people are passing, daily, with minimal effort. What used to take 3 months of hard work studying the entire CBK from head to toe, along with thorough, comprehensive practice testing, to attain this elite certification, others have been spending just a few weeks on to pass the CISSP exam. I studied for the CISSP religiously, every day for 3 months, to pass this exam. I worked hard for this, so it pains me to see others, with minimal effort, pass the same exam, at a higher frequency since the format changed to CAT.


And to no surprise, the word is getting out: everyone who has been studying for this is being told to go ahead and jump on it without wasting more time, before ISC2 realizes that they may just have made this exam significantly easier. The ease of attaining this cert now isn't fair to all those who studied laboriously to attain it.



Pre-CAT, Certified Information Systems Security Professional

37 Replies
Newcomer I



I recently took the CAT test and passed. I wish I could take the old exam (linear 250 questions). Personally I believe CAT is a bit tougher format to "pass" the exam. I didn't study for more than a few weeks. But my overall experience in the field has helped me more than all the studies, especially my last six years in the military. My plan was focusing on the few domains I had less experience in. I was confident about a few domains and was hoping to score 95% on those domains. I was more keen on learning the other domains deeply. The study experience is much more valuable than the certification. I don't know much about the pass rates, but have seen a lot of people failing too. Maybe we will eventually have someone who had experience with the linear exam taking the CAT and giving some input about the "easiness" of CAT. Given the option, I would opt for the longer format. I wouldn't want to see dilution in an exam like the CISSP, as has happened in a lot of other certifications.



Just my opinion.






Newcomer I

I took my 250-question exam back in 2013, after over 15 years of daily work in securityland.
Took a one-week course to get an idea of which kind of language tricks there might be (I'm not a native English speaker).
Spent a little less than 3 hours on the test. It was the second hardest test of my life; only the Mensa test was harder 😄

Which brings my thoughts to the actual topic: are there too many CISSPs?
It depends on what you compare that number to. Here in Finland, we have around 500 CISSPs, but we have over 2000 Mensa members.
So, there definitely are not too many CISSPs.

I think one part of this gossip might come from social media and a change in behaviour, in how new security practitioners are marketing themselves more openly than, for example, 20 years ago. When I was working at the Defence Forces (Army), I didn't market myself in any way, as it was not wanted nor desired to do so.

- Jra

Contributor I

> I am still having a hard to time to believe
> that answering 100 to 150 questions
> prove to anyone that you are dealing
> with what is called an Information
> Systems Security professional.

It shouldn't. There are scores of CISSPs out there who have never written a line of code, never responded to an incident, can't tell the difference between TFTP and FTP, have never actually implemented policy, and don't use a computer daily for more than internet and email.

Yet we call them cyber professionals for some reason?!

Contributor I


> However, it is (ISC)² policy to not publicly
> disclose exact pass rates.

Why exactly is that? The lack of transparency here is concerning -- in other industries by way of comparison, their certification and licensing authorities expose such data.


You state it's an ethical issue. It's an ethical issue to be transparent about the process? That's laughable... ETHICS is the very reason why most authorities ARE transparent about their processes!!!

Newcomer I



It's not the number of questions that decides the quality of the individual. You can ask a person 1000 multiple-choice questions and still not measure their true knowledge level. In some situations 3 or 4 questions can measure the knowledge and experience of a person. I think the "adaptive" method is far better than the subjective-question method or the longer objective-format exam. You can design the questions so that a single question covers multiple domains. Remember that it's far tougher to choose from multiple right answers than to filter out the wrong ones. So the number of right answers for a single question may vary, and it becomes a matter of perspective to choose the "RIGHT" answer. The more right answers per question, the tougher the exam gets.

I have met a lot of people (including a few who were teaching where I was taking training on information security) who couldn't answer the basic questions. They all had those fancy certifications. So the dilution is there in most certifications. I personally believe ISC2 should test in more depth, maybe more than a few inches deep. The best thing I liked about the test is that cramming will not cut it, unlike many other exams out there. And for a true security professional, the learning never stops, and certifications are just milestones in the never-ending journey. You have to love the learning part. I was on the receiving end of handling under-qualified certified people a lot of times in my career. I didn't have a choice in the skill level of the people I got to work with. Not an enviable position to be in.


Cheers, Happy learning

Newcomer II

Good morning,


I must respectfully disagree with you.


3 or 4 questions can certainly validate one single topic out of the 500 being covered by the CBK.


They refer to the CISSP as the gold standard, the all-encompassing certification.


When the CISSP was released a few dozen years ago, the field of information security was nowhere near as complex and as diversified as it is today. At that time, people were getting certified after working in the field for years. Now it is the opposite: certifications are entry level, where people get certified not to show their mastery of the subject but more to show they met the minimum requirements.


Bottom line, the new CAT test seems to be saving a lot of time for sure. I had a student who completed his exam in 34 minutes with 100 questions.


Best regards




Owner and Founder of the CCCure Family of Portals
Community Manager

@mgoblue93 Historically, (ISC)² has not shared any pass rates publicly and this practice is unchanged by the update of the exam format. I will share your feedback on this issue, though. Thank you!

Viewer II

I'm a little late to this conversation, but I strongly disagree.


I belong to the subreddit r/CISSP and a Facebook group, and I see the many posts about passing. I feel that many people are quick to post their success, but few have the courage to post their failures.


I have failed this exam twice. I'm taking my time before a third attempt and am studying more for the knowledge than for the certificate at this point. I don't think it's diluted, but it is becoming more popular in the mainstream tech community and thus has reached a wider audience.