Viewer II

CISSP Dilution

Dear ISC2,

I hope you're well aware of the pass rate from the new CAT format. It has sky-rocketed. Comparing between the reddit/facebook/techexamforums, it's clearly apparent that more people are passing, daily, with minimal effort. What used to be 3 months of hard work studying the entire CBK from head to toe, along with thorough, comprehensive practice testing, to attain this elite certification, others have been spending just a few weeks to pass the CISSP exam. I studied for the CISSP religiously, every day for 3 months, to pass this exam. I worked hard for this, so it pains me to see others, with minimal effort, pass the same exam at a higher frequency since the format changed to CAT.

And to no surprise, the word is getting out: everyone who has been studying for this is being told to go ahead and jump on it without wasting more time, or before ISC2 realizes that they may just have made this exam significantly easier. The ease of attaining this cert now isn't fair to all those who studied laboriously to attain it.

Pre-CAT, Certified Information Systems Security Professional

37 Replies
Community Manager

Hi Sunny!

The change in format to the CISSP exam (from linear to CAT) has had no impact on the pass rate. We are excited to see so many people posting here and elsewhere about passing the exam, but this is because we are seeing unprecedented demand for the CISSP exam, which means a larger number of people are succeeding.

Also, since there’s been a change to the exam format, I think more people are interested in sharing their experiences than might have in the past.
Community Champion

More data needed I think, but I'd strongly expect that ISC2 put a lot of thought into this and are tracking very closely.

However, if you did choose to believe impressions of social media over ISC2's statement, there's always the option of taking solace in harrumphing about how it was much better in your/our/my day: 😉

"And when we got home, our Dad would kill us and dance about on our graves..!"

"But you try telling young people that, they won't believe you..." 😉

Advocate I

@SunnyDee wrote:

What used to be, 3 months of hard work studying the entire CBK from head to toe along with thorough, comprehensive practice testing to attain this elite certification, others have been spending just a few weeks to pass the CISSP exam.

While I share concern about dilution, I think if the CISSP exam measures what it is supposed to, it should not be a labor to pass the exam. It's supposed to measure a broad range of knowledge acquired over several years. Yes, due to the breadth of the CBK, it is doubtful anyone has complete depth in all areas; some study is necessary, but it's not like cramming for a history final.

My concern is the nature of the CAT. We live in an age of constant distraction, and any substantive statement is met with a "TL;DR" response. To me this is the real security threat. I can't think of a single vulnerability or exploit that at some point can't be traced to human error. While I appreciate that sitting for potentially six hours and 250 questions is a chore, have you ever had to read over a month's worth of logs to find the single IP that touched off an incident? Security often is maintaining focus in the face of mind-numbing data. It is about finding the path of quality, not the shortest distance. Part of what needs to be tested is the mental endurance. Even the act of being able to review past questions (double check your work!) is a capability you want to see among security professionals. I find the very nature of CAT contradictory to the skill set necessary to be an adept security professional.

I have the same fear about the cert losing value and prestige.

Community Champion

To that point of dilution of excellence of the CISSP, I think it's important to trust in ISC2's application of high standards of confirmation. We can ask for data on this and perhaps a group could be established.

To the question of the new exam format's difficulty vs the old exam's difficulty - I think that while it may seem 'easier' to have the shorter duration, it's not necessarily the case. I've seen cases in training and education where changed standards make things easier, and allowing the selective rework of confirmation is one of those.

I've sat it twice (lapsed due to not bothering with CPEs) and the old format was actually providing me cribs for the few questions I didn't feel confident with - I didn't even need to do a final review, just updated on the fly. The CISSP exam did seem to be a good test of my knowledge and application of it, but it also tested my comprehension, English and to some extent my stamina - if we look at the critical few things we want it to confirm, well, I'd like it to look at my security knowledge and critical thinking rather than my prowess as a native English speaker and my ability to sit still.

To be sure, we could put a cohort of existing CISSPs through the new exam. I'm up for it; I didn't have any real problem with either exam I wrote (paper and CBT), but I'd figure CAT would be a little harder or a more accurate test. I do wonder, would I have to retake if I failed?

I know that if you spent time, money and effort in professional differentiation it's natural to defend it. But I think that some commoditization of the CISSP is inevitable as Cyber Security professionalizes and ranks grow. There will just be more candidates with the requisite knowledge and experience. Concentrations help somewhat to further differentiate.

I fully expect to be eclipsed by those coming into the industry, and I'd rather a dynamic exam that keeps up with the state of the art - I'd rather have more minds of sufficient calibre and trust the adaptive mechanisms in place to ensure the quality level is met. I've seen 'prestige ghettos' where there are attempts to select out, and they don't end well. Ultimately I'd say the best safeguard anyone could make is to volunteer for exam writing workshops.

Newcomer II

I agree with KaityEagle here:

On the ISC2 website there are multiple links to the Certification Magazine website, where they post the average salary of the top 75 certifications in IT. The ISC2 family of certs has been listed, and the CISSP and its concentrations have been in the top 20 each time. This list gives an easy view of what certificate to earn to make the most money, so of course it will create more demand for the more popular certs.

Newcomer II

That is an interesting comment; however, only ISC2 can answer the question with accuracy. They can tell us what the current pass rate is since the 18th of December compared to what it was the previous months.

CAT testing has been used by other certification bodies very successfully for technical topics that were nowhere near as wide as the 8 domains of the CISSP CBK.

The 8 domains contain multiple hundreds of topics. Multiple test takers have reported having received only 100 questions before getting a pass rate. So let's take a worst case scenario and pretend the student got the maximum of 150 questions and then received a passing grade.

This means that about 1 out of 4 topics, or even less, are being evaluated. That does not sound right to me.

I am still having a hard time believing that answering 100 to 150 questions proves to anyone that you are dealing with what is called an Information Systems Security Professional.

It seems to me we have regressed and some value is lost in the process.

Was the decision motivated by cost cutting or a true will to better the evaluation process and validate true skills?

Just my two cents

Owner and Founder of the CCCure Family of Portals
Newcomer II

It will be hard to make any guess or estimate or conclusion about dilution of a cert based on anecdotal postings in multiple social network sites and forums. I would hope, and a posting by ISC2 seems to confirm, that metrics are collected on the % of all exam takers passing. This should be the number to monitor. As nice as it is to hear on FB, LinkedIn etc. that many people pass and maybe even find the format easy, these are anecdotal postings that do not allow a conclusion about the actual % of people passing the exam.

Viewer II

I understand that, but it's all over and it's not easy to miss that everyone's passing left and right since the CAT format change. This isn't a rumor anymore; it's been a month and the entire cyber security community is talking about this becoming easier.

Even the CISSP boot camps are being offered at a discounted rate because they're also realizing that no one needs boot camps anymore. All you need is a week or two to study for this and it's an easy pass.

ISC2, please take note of the pass rate. This isn't fair to people who put in the hard work and trained for the endurance with which this exam was supposed to challenge the test taker. There are so many cases of people passing in under an hour and under 100 questions.

I sincerely hope this cert isn't being diluted, and ISC2 needs to make this new format just as challenging and enduring as it was for the many people like myself who worked hard for this.