Comments on the CISSP Computer Adaptive Exam

I am teaching classes for candidates pursuing that pinnacle of cybersecurity certification, the CISSP.  The CISSP is a challenging course of study, and the certification exam has always been daunting.  When I took the exam in 2016, there were 275 questions and the exam allowed 6 hours for completion.

These days the exam lasts only 3 hours, and has between 100 and 150 questions on it.  You need  70 out of 100 points to pass.

But as a computer adaptive test, there are new challenges.  The first is that you MUST answer the questions as you get them.  There is no marking for later review, and if you skip a question you cannot go back to answer it later.  The variable length is due to the way the adaptive part works.

The test starts with easy questions, and then gives you harder questions.  That is, unless you are failing the easy questions, then it will give you even easier questions.  This is done to establish a baseline relative to your professional understanding of cybersecurity.  The value of the questions depends on the difficulty.  The exam looks at the last 75 questions to calculate a running score.

If you haven’t made 70 points by question 100 you will keep going until the last 75 questions provides a passing score, then the test stops.  Or the test continues until you have answered so many questions wrong, there is no point in continuing.

If you are looking for information about the exam, the best source is someone who just took it and passed.  I respect the non-disclosure agreement that test-takers sign, so there are not questions or answers from the test here.  But I just finished teaching a new cohort, and a few have already taken and passed the exam.  Here are some observations from students about the dreaded CISSP exam.


From GG –

Here are the things I can share before I forget.

  • I had not seen most of the questions before in any study aids. So mostly the way I answered was understanding/underlying the key topic/ principle and relate the theory I learned and applied from a managerial point of view (Thank you for drilling this into me during the class).
  • Look at the syllabus and cover all topics, example – they have added topics like supply chain which I did not prepare but I think I must have winked well since I had worked in supply chain before.
  • Practice question which has more than one domain impact. Example – application layer, testing and tools/operations. The questions started out with complex questions which covered more cross over topics and slowly went to topics on two or one domain.

The main questions were on this topic for me

  • SOC reports
  • ABAC (attribute based access control)
  • SDN (Software defined networking)
  • SCADA controls
  • Encryption
  • Few on data remanence
  • Supply chain
  • eDiscovery
  • DRP/BCP

Few questions on finding the right order of steps on various topics.

For the preparation these are the materials I used.

  • I followed the Thor Pedersen courses on Udemy the same weeks you were teaching in addition to all materials RCTC provided. That helped me understand the topics in detail.
  • Thor said it is good to get practice on 3000-5000 questions. I would have covered about 4000 questions from various question banks – Wiley test bank, Boson, Pearson test bank, Mike Chapple questions, CISSP Practice Exams, Fifth Edition, 5th Edition By Shon Harris and Jonathan Ham, And I also did the  free test questions from various training agencies available online.
  • I also used the sunflower cheat sheet you provided from previous students and revised the concepts using Eleventh hour CISSP by Eric Conrad during the last two days.
  • Another important thing is I sat down 3 hours without any disturbance and practiced the online tests even with masks on to see my mental agility.

Hope this helps for next students. I thank you so much for helping me in this journey.


From MR – I passed my CISSP exam today on 100 questions. It was heavy on technical questions I felt and pretty difficult (as expected). The resources I used most were Infosec Institute final practice exam and the 11th hour book.


From RM –

I took the exam and passed.  Not really any surprises on the content…there were more nuanced questions with picking the best choice seeming to be a preferred testing methodology.  A lot more BCP than I cared for.  Also names of algorithms.


From PR:  I’d started studying about 3 months ago though generally only a few hours a week (mostly reading through the books and any online materials, the CISSP sub-Reddit is a great resource). There’s also a discord server that houses discussion (and some free instruction) for CISSP and other certs that I wish I had known about myself.  https://discord.gg/certstation

Then this past week with the class I was in class all day and then at night I spent at least 3-4 hours re-reading chapters and doing practice questions. Work giving me freedom from daily responsibilities for a week definitely helped a lot. Saturday and Sunday I spent basically all day doing practice exams, then made sure I got to bed early Sunday night and used Monday before the test to just be as relaxed as possible rather than cramming.

I think the majority of questions seemed based around scenarios of some sort but they weren’t chained together for multiple questions, and I think they were all multiple choice single answer. And while I’m sure memorizing facts helped in a number of situations, it definitely seemed like it was much more focused on interpretation and logical reasoning based on the body of knowledge than strictly regurgitating facts. Memorizing acronyms was also unnecessary. I found the class really helpful, particularly your stories and the review of the practice questions. Even if the exam is not exactly the same as the practice I think it’s helpful to just go over and hear the reasoning of why a particular answer is favored over another.


From HS:  I’m glad to announce that I provisionally passed the CISSP exam.  It was really a tough journey with a lot of perseverance and dedication, but it has finally paid off.  This is a huge achievement for me and I will be proud to join the CISSP family after the completion of my ISC2 endorsement process.  A big thank you to all who helped me in one way or another.  Special thanks to Bob Weiss for your awesome bootcamp, Thor Pedersen – Lead trainer at ThorTeaches and Adam Gordon your incredible practice questions and your advice helped me a lot to be on the right track, and to have the correct mindset to fight until the 150 question.  Feel free to contact me if needed, I will be more than happy to help anyone who is planning to pass the CISSP exam.


From MA: I’m extremely excited to announce I PASSED my exam!!! If I can do it, YOU can do it! Thank you Bob for the informative course and willingness to spend extra time with us if needed!

If you’ve put in the hours studying and feel comfortable with the core security concepts, chances are you’re probably ready to take it! As Bob and many others have said, the mindset in which you approach the test/answer the questions is critical—think like a manager! Don’t get caught up answering every question with the “technician/operator” mindset (which can be tricky for some). Read the question and even re-read to ensure you fully understand what is being asked and approach it how “management/The big C’s” would!

Also! If you haven’t seen this video, make sure to watch it! She does an excellent job of explaining why YOU WILL PASS and how to approach the test. Lets gooooooooo!!!!


EB – It was harder than I expected and it really pushed me to my limits. I had to take all 150 questions but as I got to the end, the last few questions got much easier. You really need to understand priority – what solution is best, not just what it does. Stress that 25 questions will be thrown out and if you take all 150 questions I think you can get up to 45 questions wrong and still pass, so don’t get stuck wasting time one the tough ones, just pick one and move on. Expect not to know everything and focus on getting the ones you can be certain about.

My personal strategy after registering for the date and completing the course was:

    1. Read 1 domain in the Conrad Study Guide 3rd edition
    2. Highlight definition words and key concepts in the book and to highlight words that describe/define them as concisely as possible
    3. Do the 15 question quiz in the Study Guide book
    4. Go back to the beginning of the domain and transfer highlighted portions into my .txt notes file, searching Google or appendix when add’l info was needed
    5. Do the 100 questions for the domain in the ISC2 official practice tests book
    6. If an question I immediately have no clue or idea, circle the question’s number in the back answers section
    7. Grade the test and in the back answers section, circle the number of the questions I got wrong
    8. For circled questions, read the solution/explanation and add more to my .txt file if needed
    9. Repeat for all domains
    10. Day of test – review notes file from beginning if time allows, else do it the day before ( I should have started this earlier as it was much longer to go through than I expected)

This took about 4-5 weeks of intense studying after scheduling my exam with about 3-5 hours per day with some off-days and lots of short breaks. Don’t get overwhelmed by the magnitude, but really force yourself into studying what is most confusing and difficult. Try to go beyond definitions and understand the situations in which different solutions should be implemented/preferred. It’s important to have a secluded place to study away from distractions, devices, dogs, TVs, and other people so you only have what’s in front of you and nothing else.

I can provide my .txt file to anyone interested. It ended up being over 1500 lines of notes and even that wasn’t entirely everything that could be on the test, but going through the process of typing things out is what really helped me solidify and internalize everything.


KY – I would like to share you the news that I passed my CISSP exam on 08/22. During the test, I didn’t get any straight or simple questions like in Pearson practice tests. Most of my questions were scenario based questions.

Thank you very much for teaching the course and sharing your experiences.

Here is what I did:

I studied and practiced the same materials from our class over and over as I don’t want to get overwhelmed with different study materials:

Few days before the exam, I also used this book from O’Reilly (Eleventh Hour CISSP®, 3rd Edition – By Eric Conrad, Seth Misenar, Joshua Feldman) which gives the overview of all the concepts.


From the CISSP sub-Reddit

My time to said: I cleared the exam! Some points:

1- My exam was a little bit more technical than most here. No port number, but lots of VPN questions, etc..

2- First 30 or so questions are worded in a hard way. Keep it up, read the questions and answers several times and

3- After those 30 or so questions, I got questions very straight, like A or B ( Boson like)

4- Know your concepts, SOC reports, basics of GDPR, ethics

Materials used:

– isc2 official book ( read once cover to cover, then read the most unknown domains again) – 9/10

– 11th hour ( good for review prior to the exam) – 10/10

– Boson ( great questions and answers)- 10/10

– Mindmap certification videos on youtube ( Those guys are monsters. They explained Kerberos in a way that even a kid can understand. If you want to to a prep course, they are the ones to call ) – 11/10

– Phone apps with questions: 08/10

– Isc2 practice tests: 09/10

– All-in-one book and questions ( Shon Harris): I don’t recommend it. Too technical.

I was a little bit afraid, because I was getting very tired of studying ( studying every day at least for an hour, for about 4 months). My advice is: be smart about your studies. Focus on the domain you are weak, and use the tactic that works best for YOU ( I took security+, cysa+ and CISSP in a time-span of 6 months, that helped in memorizing the key concepts). Some people work better with videos, others writing ( like me), so know how information stick to you.

All the best for you guys! you can make it!


If you have recently taken the exam, feel free to contribute your experience in the comments section,  Please DO NOT provide question examples in violation of the NDA, those will be deleted.  But other comments of how the tst went for you, what sort of questions (scenario, multiple choice) and the study aids you found most valuable for preparation are welcome.


More resources:


Additional comments for other student who passed –

DJ – Congrats to those CISSP’s I’ve missed. I took my test today and passed. It was kind of strange, I felt good about a lot of the questions but thought I’d blown it went I got to question 101…and then 125. Finally, I got all 150 questions and fully expected (as in the last test) to get the paper showing me where I need improvement. I got a congratulations instead.

My personal lessons learned are:

Drill on the practice exams, a lot (both Sybex and InfoSEC)!
Read through the 11th Hour
Read through the sunflower doc a lot
Read Bob’s best practices repeatedly

The thing I did really different for me was to accept that I will probably have to do this again next summer (while out of school) and that it was OK. When I got in there, I was in a much happier frame of mind knowing that I wouldn’t be drilling 250 questions every day for awhile, so I was very relaxed. I also took my time and did NOT watch the clock at all but did read the question until I understood it, read all the answers (not falling for the first good answers) and then read the questions again to confirm I thought I had the best answer. Last time, I remember feeling they were just punishing me after question 125, thinking I was already failed. This time, I stayed focused until the very end and still had over an hour left.

Like Bob said, slow down, read it all.

Thank you, Bob and fellow students for your shared experiences.


SP –

I just passed today as well, which is a nice present for my birthday tomorrow!

For those worried, I found knowledge of what the acronyms stood for was not very necessary. I also found the technical knowledge to be important but not the end-all-be-all. It was more knowing what was important in what situations.


AO –

I took my exam this morning and also passed, which I’m pretty stoked about!

I definitely echo the sentiment around critically reading each question and ensuring you comprehend what is being asked. I encountered a few questions where the four options included “correct” answers related to the topic, but only one specifically related to the ask. For example, a question may ask you to select the best method to identify something, then offer correct options to execute or evaluate that thing.

I found the Boson exam questions to be pretty close to the actual questions. Including formatting (bolding) and presentation of acronyms. I also found the 11th Hour PDF that Bob shared to be very helpful, especially the highlighted pieces. Those highlights were on point! That comprises all the resources I used to study for the exam: Bob’s bootcamp; Boson; 11th Hour.

Hopefully some of the above helps and best of luck to anyone still testing!


DS –

Just catching up on emails and saw the recent CISSP exam results for some.  Just to let you know, I took the exam about 2 weeks ago and passed.  My advice, and it was mentioned by others early on, is to approach each question from a managers perspective – “What would a manager be most concerned with?” and also to really read each question carefully as to exactly what they are asking for.  Also, as mentioned during the bootcamp, if you see a few questions that you think were not covered at all, don’t worry and just stay calm for the next question.  Other than the course textbook, I also read as much of the CISSP All-In-One book by Harris and Mayam, 8th Edition.  It was a very good compliment to the Sybex book.  As for test taking, there is a book called “How to think like a manager” by Luke Ahmed which I found really very helpful as it is just a book of 25 questions and it helps break down the approach and thinking that goes into answering the test questions.

Good luck to everyone taking it for the first time or who have to take it again !


  • Student Files
    • Read/understand all of 11th hour,
      • one or two chapters, drill questions, after you read the next 1-2x chapters
      • Go back to previous chapters and skim highlights to refresh memory
      • repeat, skim afternoon before/early morning day of
    • Crypto PPTX
  • Memorize
    • canons
    • NIST/ISO/EAL – high level – what docs/levels you’d need for what
  • infosec practice exam
    • lookup where not confident / wrong answer to make sure have the main topic areas
    • get as close to the 90% as you can
  • Did not use it, but sunflower would have been useful.
    If doing it again, I would have…

    • read over a few times
    • recreated the document by hand or re-type short version of it
    • enforces tactile and visual back and forth, helps give a anchor with memory

ED-  Test is indicative of your deep knowledge and understanding. Of my personal experience, only a few questions were straight forward. My biggest tip would be to go through the practice questions and truly answer in a managerial mindset to see if the answers correlate. You must have an extremely deep understanding to answer high-level questions.

Study material:

– InfoSec bootcamp

– 11th hour

– kelly handerhan cybrary

– isc2 complete guide

– sunflower guide

– quizlet

– Boson – Boson was the most closely related element. But, I assure you nothing you have seen is anything like the testing.

I also assure you, it is NOT that difficult of a test. Don’t give up,


From BJ –

Made it through to the other side last night.  Thought for sure I was going to fail.  Felt a little ‘deer in the headlights’ by several of the questions that covered information that I do not recall seeing the the book, Bootcamp, or even asked in the practice tests (really is a mile wide).  To me the test really felt like more of a ‘logic and reasoning’ test that a technical test, as the sole focus was eliminating two answers as quick as possible, and taking an educated guess between the other 2 questions (as Bob had mentioned in the Bootcamp).  Part of it may be my own fault for not diversifying with multiple study guides, as that never hurts.  I did buy the Shon book, but after reading the Bootcamp 1,000 page book twice, I was done if you know what I mean.  Aside from the bootcamp, probably had about 250 hours studying in the past 6 weeks but it is over with.

Enjoyed the Bootcamp and the experience for sure.  Learned a lot about topics that I hadn’t ventured into regarding regulations, laws, programming, etc.  Good luck to all that have yet to take it!

1

About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com

Comments

Add a Comment


This site uses Akismet to reduce spam. Learn how your comment data is processed.