Ok, I took the CSSLP exam. I got a 688 out of 700 today. I took the official online ISC2 course with a week's online WebEx training (which was different from the online work). I used the flash cards and all the resources. Out of the 175 questions there were quite a few questions not associated with the flash study cards or with what appeared to be from the Official Student Guide. There were also questions about modeling (I will not name them, as I won't talk about what was on the test), but the models were never referenced in the official study guide. If I had known, I would have refreshed on the associated models. Not sure what is going on here, but I would expect the resources one needs to review and understand to succeed on the exam to be in the Official Student Guide. I would hope someone from ISC2 would please comment on this concern.
I'm just wondering how much a person's background impacts how well they do on this test...for example, a software developer vs. infosec specialist vs. IT vs. QA person, etc.
Can some of you give me an idea of your background? Mine is in software development...
I suggest you also read everything cloud-related from CSA (CCSK material) and NIST. Questions often tend to be about topics and trends, so material from SANS and other organizations will help. Remember, too, the various ISO standards and their explanations.
You can't know everything, and you can't know specifically what's on the exam, so learn the concepts and how management makes decisions about service provision, risk management and business continuity. Be aware too of legal issues, privacy issues and issues at each level of the stack from PHY to APP.
Give yourself plenty of time to tackle it (even double the time you took to prepare for the original CISSP cert).
In that reference list there are over 31 books and publications. All of that material would probably take someone with a full-time job a year or more to read and fully comprehend/digest.
To answer your question: "Do the topics they cover represent the topics you've seen on the test? I'm considering taking the CSSLP at some point and would look to this list for my study material."
Probably. What I think is that there are obscure questions written in double negatives, for example:
"There's nothing less worse than not answering a question incorrectly." Or they use phrases like "least unlikely", or vague terms such as "often", "frequently", "rarely", "sometimes" or "might", as an example.
Again, my issue is with the wording, and I believe that is done so that the pass rate is low. If this test tested the material they present in straightforward questions, people who have studied for it would pass.
Unfortunately, I believe they have professional test writers write these questions with the intent to confuse test takers on purpose.
I literally got a headache reading the questions on the exam.
@havinsomefun wrote: In that reference list there are over 31 books and publications. All of that material would probably take someone with a full-time job a year or more to read and fully comprehend/digest.
Yeah, agreed! There is often a lot of overlap in the references so I will obtain all the freely available ones, and then maybe look to purchase (used from Amazon) a handful of the remainder that I feel will give me the best coverage based on the topics in the exam outline.
@havinsomefun wrote: To answer your question: "Do the topics they cover represent the topics you've seen on the test? I'm considering taking the CSSLP at some point and would look to this list for my study material."
Probably. What I think is that there are obscure questions written in double negatives, for example:
"There's nothing less worse than not answering a question incorrectly." Or they use phrases like "least unlikely", or vague terms such as "often", "frequently", "rarely", "sometimes" or "might", as an example.
Again, my issue is with the wording, and I believe that is done so that the pass rate is low. If this test tested the material they present in straightforward questions, people who have studied for it would pass.
Unfortunately, I believe they have professional test writers write these questions with the intent to confuse test takers on purpose.
I literally got a headache reading the questions on the exam.
I know what you mean about doublespeak and have encountered this myself on the CCSP and partially on the ISSAP exams I took. The CISSP and ISSEP test questions I felt were written very well. I don't know if that's just down to the particular "forms" I have faced (this is ISC2's name for a set of questions).
Some useful information on "forms" can be found here:
https://www.isc2.org/register-for-exam/exam-scoring-faqs
In terms of ISC2 using professional question writers, they hold workshops where they invite people who hold the appropriate certification to attend and write "items" as they call them.
More details on this process can be found here:
https://blog.isc2.org/isc2_blog/2018/03/isc2-item-writing-explained.html
Thanks for the reply.
You wrote: "In terms of ISC2 using professional question writers, they hold workshops where they invite people who hold the appropriate certification to attend and write 'items' as they call them."
Yes, they have those, and then I believe they give the "gist" of those questions to the professional test writers, who twist them in a way that makes them extremely painful and confusing to understand what it is that they are asking. The CISSP was not like that for me.
If anyone asked me whether they should take the CSSLP or some other cert, I would without hesitation, 100%, steer them away from this exam until ISC2 redoes the questions. Hats off to anyone who has managed to pass it thus far. I have 2 other co-workers who took it, and they both failed as well, with the same takeaways.
I saw a handful of questions of the type that use "most likely" or "least likely", followed by paragraph-type questions with a lot of twists and turns, where you might see one key word to give you an inkling of a hint of what they were asking. Not one straightforward question.
Tons of complicated scenarios where one small misinterpretation of how it was worded could completely throw you off.
So when you ask what you should study for? Study as much condensed material as humanly possible, with books such as the CSSLP CBK, the CSSLP All-in-One and the Essential CSSLP Exam Guide; take a boot camp (the practice exams online were elementary compared to what I saw on the exam, so a complete waste of time); and then hope and pray you don't get a version of the exam where all the test questions are worded in a way that makes it so hard to figure out what they are asking that it throws all your studying out the window.
BTW, I also wanted to note that for the CISSP I did not read any of the books. I studied purely by taking a week-long boot camp and a ton of practice exams online.
For the CSSLP, there do not seem to be any useful practice exams (and I stress any that I have found), and I believe this is because this exam is too new and there is not enough interest.
Not enough material and authors out there have focused on this exam, i.e. it's not popular enough for SMEs to focus their attention on creating good practice exams. The ones I have seen are extremely elementary and do more harm than good for preparation.
So after failing the second time I started to really read the CSSLP CBK, which I read twice, but that wasn't even enough, so that is why I am reading that book again as well as the CSSLP All-in-One Exam Guide, and I will read the Essential CSSLP Exam Guide.
I believe this is one of those exams where you have to read books and other materials and not focus on practice exams, because the ones out there are of no help.
In the books there are practice questions which are okay-ish, but this is one of those exams which requires tons of reading and re-reading to fully understand the tricky, extremely confusing and hard-to-understand wording of the questions you will find on the exam.
I will attempt this exam again for the only reason that I have invested too much time in it to start studying for another cert, and I stand by my advice that if someone is looking to take a cert, I would highly advise them to study for the CISM or CISA but to stay away from this one.
ISC2 really needs to fix the questions on this one so that test takers have a chance to understand what they are really asking in the questions.
If you re-read this forum, anyone who passed this exam submitted it thinking they had failed. No one walked away thinking they had passed, and that's for a good reason: the wording of the questions.
Very well worded! I took the exam in Feb and failed it. I contacted (ISC)2 to vent some frustration that the questions are bad. Guess what I was told: "Oh, use our flash cards that are available in the store." These flash cards are more ridiculous than the ones in the CBK. My second-grade daughter could pass this exam if the real questions were like the flash cards.
I've concluded, like you, that there are NO example questions that even come close. Before attempt 1, I had read the Official CSSLP CBK, with its bad grammar, as well as the first edition of the CSSLP All-in-One Exam Guide. I can't divest myself of all the effort I've put into this certification, so I am in the middle of re-reading the CBK / All-in-One Exam Guide and now the Essential CSSLP Exam Guide. I even tracked down the author of the Essential CSSLP Exam Guide and asked him whether he was going to do an example question book like he has done for others; he said nope. I think this exam gave him a headache like the rest of us. I've spent a lot of time and even downloaded all of the relevant NIST documents and have started to read them. A new edition of the CSSLP All-in-One Exam Guide came out in March, and I will start reading it. I feel I might be ready in NOVEMBER (2020) with all of the reading and re-reading I am doing.
So for everyone else: if you are thinking of getting your CSSLP... STOP. Until (ISC)2 makes the questions more readable, you have a good chance of failing this expensive exam. I am sure their exam committee is reading our comments and laughing, and will then throw more double negatives into existing questions. If I fail it again, I'm done.
I like the methodology of learning through practice exams too.
However, for the last two exams I sat (ISSEP and ISSAP) the available practice exams are all old and based on the previous version of the certification, so the domains don't align; that seems to be the case with the CSSLP too.
As you have described, the lack of current practice exams requires you to adopt a different learning method. One that I have had success with is to use the suggested reference list (hence the post I made yesterday). All questions you will see on the exam should be able to be referenced back to text found somewhere in the items on that list.
For the ISSEP and ISSAP I took one practice exam for each to help me gauge any weak areas and understand the types of questions I might see on the real test, the topics I might be asked about, and the level of detail I need to know. I then kept those things in mind while I was studying to make sure I was absorbing the correct information at the right level. Even though I fared pretty well in the initial practice exams due to extensive experience in the field, I still felt the need to put in significant amounts of study, not only so I passed the exams but so I actually increased my knowledge of the subjects to authoritative levels.
I appreciate there are a lot of suggested references for the CSSLP, so I would look to read the CBK and the AIO which others have used to pass, and then look to read at least one authoritative reference for each domain I feel I am weak in chosen from the list.
As I said yesterday, there is always a lot of overlap between many of the books on the list, so you don't need to read them all, as you just end up re-reading content you've already gone over (although this is good for revision).
I'm not sure re-reading books you've already read, but not been successful on the exam with, is a good strategy. Maybe you just don't "click" with those books? You wouldn't be the first person to find an ISC2 CBK very dry and difficult to get on with! So I'd definitely recommend some new material. As you have taken the test before, you know the domains where you need to bolster your understanding, so just pick up some new references that cover any of your weak areas.
While I appreciate your point about the doublespeak-style questions, in my experience with the CCSP and ISSAP tests, if you truly understand the material, all these questions do is slow you down from arriving at the correct answer.
In terms of recommending the CISM or CISA over the CSSLP, aren't the purposes of these three certifications fundamentally different? The CSSLP is focused on software security. The CISM is focused on developing security/risk management programmes and doesn't cover software security at all to the best of my knowledge; I believe it touches on secure systems development, which is not necessarily the same thing. The CISA is about security auditing, although this does cover elements of auditing software development.
If you're looking for something to gain recognition on your CV/resume then CISM/CISA would be the way to go, but my reason for considering the CSSLP is to show I have capability in secure applications/software so they would not be appropriate.
I'm not sure when (or if) I will be tackling this certification as I have some other things on my plate right now, and I only consider it as a nice to have rather than a must have. I'm likely to attempt the ISSMP first anyway when I do find time for studying again just to complete the full set of CISSP concentrations.
Anyway, good luck with your studies, and I applaud your persistence and tenacity!
EDIT: updated to make it clear this is a reply to @havinsomefun
@MDChris wrote:. . . If you take our official ISC2 and fail . . . we'll pay for your exam within one year of when you took the class. ...
Please check with your friend and double check the details. If true, please post the email here as there are many people on this community that could save substantial money with such a commitment from (ISC)².
More likely, they are referring to the Education Guarantee (on page 7):
Protect Your Investment with Our Education Guarantee
If your employee has completed Official (ISC)² CBK Training but does not pass the exam on their first attempt, they can attend a second (ISC)² Direct certification training seminar at no cost to you. Valid in North America within one year of the training seminar.
EDIT: I apologize. I mistakenly replied to an old post.