Advice After Failing the CISSP Exam

Here is the advice I gave to a student who had failed the exam. It is really good advice for first-time test takers too. The only difference is that when you fail, (ISC)2 provides an analysis of the domains in which you were below proficiency. If you are prepping for your first exam, you already know where you are weak, so work on those areas. You cannot ignore a topic and "make it up elsewhere" on the test; this exam is designed to expose any weaknesses.

Question: Which practice test bank is the best to use for studying? Opinions seem to vary, but I ordered the CISSP All in One book and its 1400+ digital bank of questions because someone said those were the most detailed, like the exam. The actual exam questions seemed easy to me on Monday, but clearly that was delusional on my part. That said, there were a lot of factual questions that seemed to home in on my lack of technical knowledge. Maybe I just need to focus on learning the technical sections?

Answer: The two best options you have are the Wiley exam through Efficient Learning that came with the book, or the Boson exam, which you would need to purchase. The exam questions at Thor Teaches are also well regarded and are considered a bit closer to the style of actual exam questions. Use the exams in study mode so that you get a full explanation of each answer; Boson's explanations are the most complete and exhaustive. If you are short on experience, it is important to have a strong grounding in basic computer technology, networking, and basic security, such as would be covered in CompTIA's A+, Network+ and Security+. I am not suggesting you get those certs, but if you need the foundational background, check out the video training at

Question: Is there a best book to use for reading, like the big Sybex book, or the Shon Harris All in One, or the 11th Hour CISSP? I have all of them now. My score breakdown seemed to indicate that I am weakest in the more technical domains like Security Assessment and Testing (6), and Security Architecture and Engineering (3).

Answer: All of those study guides are good; so are the Sunflower Summary and the Memory Palace. I would recommend focusing on the domains and topics where you had the lowest proficiency. For encryption, read The Code Book by Simon Singh or Crypto by Steven Levy. For Business Continuity Management (BCP/DRP), read Larry Greenblatt's PDF on the subject.

Question: Finally, how soon do you recommend I retake the exam? Does it sound to you like a month is right, or based on my performance do I need more time to study? This time I failed on 101 questions, and was Below Proficiency in six out of eight Domains; only Domains 1 and 8 were Near Proficiency.

Answer: A failure at 101 questions with a low score probably indicates that you did poorly throughout. The exam stops at question 101 only when it is no longer possible for you to pass, even if you were to get all of the remaining 49 questions correct. Normally I would say the 30 days you are required to wait before a retake is long enough, but in your particular case I would recommend retaking at 45 or 60 days. Spend a lot of time working practice questions in the six domains where you were below proficiency, and make sure you read and learn why each answer is right or wrong (practice mode testing). You have a lot of ground to cover, so mark off two hours a day (or more) for study. Also, learn HOW TO TAKE THE TEST. There is a video on the Sept 7 CISSP blog post, and Larry Greenblatt has a video as well. Another excellent resource is the book from Study Notes and Theory titled How to Think Like a Manager for the CISSP Exam.

And here is a well-written and detailed study guide from a test taker that I found on the CISSP subreddit:

Good Luck!!


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, the Secure360 Security Conference in 2016, 2017, 2018 and 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and at many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at