Comments on the CISSP Computer Adaptive Exam

I am teaching classes for candidates pursuing that pinnacle of cybersecurity certification, the CISSP.  The CISSP is a challenging course of study, and the certification exam has always been daunting.  When I took the exam in 2016, there were 275 questions and the exam allowed 6 hours for completion.

These days the exam lasts only 3 hours, and has between 100 and 150 questions on it.  You need  70 out of 100 points to pass.

But as a computer adaptive test, there are new challenges.  The first is that you MUST answer the questions as you get them.  There is no marking for later review, and if you skip a question you cannot go back to answer it later.  The variable length is due to the way the adaptive part works.

The test starts with easy questions, and then gives you harder questions.  That is, unless you are failing the easy questions, then it will give you even easier questions.  This is done to establish a baseline relative to your professional understanding of cybersecurity.  The value of the questions depends on the difficulty.  The exam looks at the last 75 questions to calculate a running score.

If you haven’t made 70 points by question 100 you will keep going until the last 75 questions provides a passing score, then the test stops.  Or the test continues until you have answered so many questions wrong, there is no point in continuing.

If you are looking for information about the exam, the best source is someone who just took it and passed.  I respect the non-disclosure agreement that test-takers sign, so there are not questions or answers from the test here.  But I just finished teaching a new cohort, and a few have already taken and passed the exam.  Here are some observations from students about the dreaded CISSP exam.

From MR – I passed my CISSP exam today on 100 questions. It was heavy on technical questions I felt and pretty difficult (as expected). The resources I used most were Infosec Institute final practice exam and the 11th hour book.

From PR:  I’d started studying about 3 months ago though generally only a few hours a week (mostly reading through the books and any online materials, the CISSP sub-Reddit is a great resource). There’s also a discord server that houses discussion (and some free instruction) for CISSP and other certs that I wish I had known about myself.

Then this past week with the class I was in class all day and then at night I spent at least 3-4 hours re-reading chapters and doing practice questions. Work giving me freedom from daily responsibilities for a week definitely helped a lot. Saturday and Sunday I spent basically all day doing practice exams, then made sure I got to bed early Sunday night and used Monday before the test to just be as relaxed as possible rather than cramming.

I think the majority of questions seemed based around scenarios of some sort but they weren’t chained together for multiple questions, and I think they were all multiple choice single answer. And while I’m sure memorizing facts helped in a number of situations, it definitely seemed like it was much more focused on interpretation and logical reasoning based on the body of knowledge than strictly regurgitating facts. Memorizing acronyms was also unnecessary. I found the class really helpful, particularly your stories and the review of the practice questions. Even if the exam is not exactly the same as the practice I think it’s helpful to just go over and hear the reasoning of why a particular answer is favored over another.

From HS:  I’m glad to announce that I provisionally passed the CISSP exam.  It was really a tough journey with a lot of perseverance and dedication, but it has finally paid off.  This is a huge achievement for me and I will be proud to join the CISSP family after the completion of my ISC2 endorsement process.  A big thank you to all who helped me in one way or another.  Special thanks to Bob Weiss for your awesome bootcamp, Thor Pedersen – Lead trainer at ThorTeaches and Adam Gordon your incredible practice questions and your advice helped me a lot to be on the right track, and to have the correct mindset to fight until the 150 question.  Feel free to contact me if needed, I will be more than happy to help anyone who is planning to pass the CISSP exam.

From MA: I’m extremely excited to announce I PASSED my exam!!! If I can do it, YOU can do it! Thank you Bob for the informative course and willingness to spend extra time with us if needed!

If you’ve put in the hours studying and feel comfortable with the core security concepts, chances are you’re probably ready to take it! As Bob and many others have said, the mindset in which you approach the test/answer the questions is critical—think like a manager! Don’t get caught up answering every question with the “technician/operator” mindset (which can be tricky for some). Read the question and even re-read to ensure you fully understand what is being asked and approach it how “management/The big C’s” would!

Also! If you haven’t seen this video, make sure to watch it! She does an excellent job of explaining why YOU WILL PASS and how to approach the test. Lets gooooooooo!!!!

EB – It was harder than I expected and it really pushed me to my limits. I had to take all 150 questions but as I got to the end, the last few questions got much easier. You really need to understand priority – what solution is best, not just what it does. Stress that 25 questions will be thrown out and if you take all 150 questions I think you can get up to 45 questions wrong and still pass, so don’t get stuck wasting time one the tough ones, just pick one and move on. Expect not to know everything and focus on getting the ones you can be certain about.

My personal strategy after registering for the date and completing the course was:

    1. Read 1 domain in the Conrad Study Guide 3rd edition
    2. Highlight definition words and key concepts in the book and to highlight words that describe/define them as concisely as possible
    3. Do the 15 question quiz in the Study Guide book
    4. Go back to the beginning of the domain and transfer highlighted portions into my .txt notes file, searching Google or appendix when add’l info was needed
    5. Do the 100 questions for the domain in the ISC2 official practice tests book
    6. If an question I immediately have no clue or idea, circle the question’s number in the back answers section
    7. Grade the test and in the back answers section, circle the number of the questions I got wrong
    8. For circled questions, read the solution/explanation and add more to my .txt file if needed
    9. Repeat for all domains
    10. Day of test – review notes file from beginning if time allows, else do it the day before ( I should have started this earlier as it was much longer to go through than I expected)

This took about 4-5 weeks of intense studying after scheduling my exam with about 3-5 hours per day with some off-days and lots of short breaks. Don’t get overwhelmed by the magnitude, but really force yourself into studying what is most confusing and difficult. Try to go beyond definitions and understand the situations in which different solutions should be implemented/preferred. It’s important to have a secluded place to study away from distractions, devices, dogs, TVs, and other people so you only have what’s in front of you and nothing else.

I can provide my .txt file to anyone interested. It ended up being over 1500 lines of notes and even that wasn’t entirely everything that could be on the test, but going through the process of typing things out is what really helped me solidify and internalize everything.

KY – I would like to share you the news that I passed my CISSP exam on 08/22. During the test, I didn’t get any straight or simple questions like in Pearson practice tests. Most of my questions were scenario based questions.

Thank you very much for teaching the course and sharing your experiences.

Here is what I did:

I studied and practiced the same materials from our class over and over as I don’t want to get overwhelmed with different study materials:

Few days before the exam, I also used this book from O’Reilly (Eleventh Hour CISSP®, 3rd Edition – By Eric Conrad, Seth Misenar, Joshua Feldman) which gives the overview of all the concepts.

From the CISSP sub-Reddit

My time to said: I cleared the exam! Some points:

1- My exam was a little bit more technical than most here. No port number, but lots of VPN questions, etc..

2- First 30 or so questions are worded in a hard way. Keep it up, read the questions and answers several times and

3- After those 30 or so questions, I got questions very straight, like A or B ( Boson like)

4- Know your concepts, SOC reports, basics of GDPR, ethics

Materials used:

– isc2 official book ( read once cover to cover, then read the most unknown domains again) – 9/10

– 11th hour ( good for review prior to the exam) – 10/10

– Boson ( great questions and answers)- 10/10

– Mindmap certification videos on youtube ( Those guys are monsters. They explained Kerberos in a way that even a kid can understand. If you want to to a prep course, they are the ones to call ) – 11/10

– Phone apps with questions: 08/10

– Isc2 practice tests: 09/10

– All-in-one book and questions ( Shon Harris): I don’t recommend it. Too technical.

I was a little bit afraid, because I was getting very tired of studying ( studying every day at least for an hour, for about 4 months). My advice is: be smart about your studies. Focus on the domain you are weak, and use the tactic that works best for YOU ( I took security+, cysa+ and CISSP in a time-span of 6 months, that helped in memorizing the key concepts). Some people work better with videos, others writing ( like me), so know how information stick to you.

All the best for you guys! you can make it!

If you have recently taken the exam, feel free to contribute your experience in the comments section,  Please DO NOT provide question examples in violation of the NDA, those will be deleted.  But other comments of how the tst went for you, what sort of questions (scenario, multiple choice) and the study aids you found most valuable for preparation are welcome.

More resources:


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.