Comments on the CISSP Computer Adaptive Exam

I am teaching classes for candidates pursuing that pinnacle of cybersecurity certification, the CISSP.  The CISSP is a challenging course of study, and the certification exam has always been daunting.  When I took the exam in 2016, there were 275 questions and the exam allowed 6 hours for completion.

These days the exam lasts only 3 hours, and has between 100 and 150 questions on it.  You need  70 out of 100 points to pass.

But as a computer adaptive test, there are new challenges.  The first is that you MUST answer the questions as you get them.  There is no marking for later review, and if you skip a question you cannot go back to answer it later.  The variable length is due to the way the adaptive part works.

The test starts with easy questions, and then gives you harder questions.  That is, unless you are failing the easy questions, then it will give you even easier questions.  This is done to establish a baseline relative to your professional understanding of cybersecurity.  The value of the questions depends on the difficulty.  The exam looks at the last 75 questions to calculate a running score.

If you haven’t made 70 points by question 100 you will keep going until the last 75 questions provides a passing score, then the test stops.  Or the test continues until you have answered so many questions wrong, there is no point in continuing.

If you are looking for information about the exam, the best source is someone who just took it and passed.  I respect the non-disclosure agreement that test-takers sign, so there are not questions or answers from the test here.  But I just finished teaching a new cohort, and a few have already taken and passed the exam.  Here are some observations from students about the dreaded CISSP exam.

More resources:

I can’t thank you enough for the “Think like a manager” advice. If not for that, I most likely would have selected the “right” answers instead of the “best” answers.

From JC –

I wanted to let you know that I passed my exam. I would also like to let you know that at zero point did I think I was going to pass. I felt like I had no idea what the right question was. I even would probably answer them differently if I took the exam again today. However, I finished in 104 questions and the question really did hit a broad spectrum of things. Not a single one of them felt in any way inline with the next. I would like to mention when I failed the first time a while back the questions seemed to stay on the same subject and dig into different domains within the same area (IE like VPN, VLANS). This time it hit many different concepts and felt like none of them repeated and none of them had anything to do with the others.

I understand this doesn’t help much in terms of helping with the exam but I wanted to let you know that I passed. I also want to thank you for helping it helped a lot a lot.

Tips for passing that helped me was to re-watch the days of the bootcamp that I was unfamiliar with. Then run through about a million test questions for literature practice haha. I would let you students know that I promise not a single question that I took on those millions of practice exams came up, so I would tell people no chance you can brute force this test. However, the practice exams helped me decipher the words in the exam to be able to narrow the answer down to two or so. Most times all seemed correct, Look for works hidden in the meanings not necessary all the bold ones either.  (Sometime it will say FIRST which we know to mean first, but that’s not enough. On this test you looked deeper and it would say extra words that mean a lot toward which answer wasn’t correct… like times or instructions on how) This was a big help because I read the question back wards to see which answers was to do with the last part of the  question then used the bold words to pick which on was the best answer from the left over answers.

From BD –

I was in your class last week and wanted to thank you for your efforts in providing a good learning experience.

I took the test yesterday and passed!  I was somewhere right around 110 questions when the test ended…about 2 hours and 5 minutes in.  I have to say that the test was not as difficult as what I thought it would be.  Questions were pretty straight forward and, for the most part, fairly short and to the point.

Although there were a couple of questions I thought were probably some of the “not scored/dummy questions”, I certainly don’t think there were 25 of them.  I know the test is adaptive so what I saw could be completely different from what others experience.

One of the key pieces of advise that I heard from you and others is “think like a manager”.  I think, especially for some of us old timers, our experience and technical knowledge can be a hindrance in the test.  I found myself having to step back a couple of times and think “okay, this test is not for someone who has 25 years of network and security experience.  Answer the question like someone who has just studied the material in the book/class would answer the question.”  That helped significantly for the test.

From KW –

Advice I can give

TL:DR – Read the question, Read the answers, Re-Read the question, pick an answer for all 150 questions or Read question, Read answers and pick answer, Re read question to see if answer fits

Attempt to answer practice questions this way to get in the habit of doing this. I still don’t fully commit to this and will get questions wrong then realize oh… I read something wrong. To this point in practice tests/quizzes it isn’t about getting questions correct, because you will not see any of the practice questions on the test, it is about understanding why the answer is the correct answer or the best answer. This is why I like Boson over Wiley for prep. It gives a books worth of knowledge for each question.

From JO –

There was nothing that I would say really surprised me. About 10 questions in I was thinking “OK, I got this.” It did get a little harder for a spell, but I never felt like I was failing it. I had heard a lot of people comment they thought they were failing and they passed anyway. I never felt that.

    1. I only got one question on a specific technology that really seemed like it was off the wall with no way to know the answer unless I had just read about that particular technology. The answers were Level 1, Level 2, Level 3 or Level 4 so not much help there either. But what was being proposed did not sound very secure, so I just guessed ‘Level 1’ – which is a long way to say even if you think you have to guess, you might be able to think of a reason for what you are guessing.
    2. Fortunately, I don’t recall too many questions where I did not know anything about what was being asked.
    3. Be ready to take time to carefully really read each question. Even if it seems like it’s asking about something technical that you don’t feel familiar with, there is likely a way to at least eliminate some of the answers.
    4. The questions are worded very clearly with things like BEST or MOST LIKELY in all caps. Pay attention to those words.
    5. It’s management exam, not a technical or IT trivia exam. There will be a lot of questions that try to bait you into making a technical response, but if there is an option about escalating to management, that might be the best answer.
    6. Look for answers that indicate you are thinking before taking action.
    7. Give yourself time to stop and rest for a few seconds between questions. If you end up with 150 questions, and use all 180 minutes, that’s still 72 seconds per question, so don’t rush.
    8. I found the full practice tests in the Sybex book to be the best simulation for question complexity and timing. If you time yourself taking those tests and do the math on how much time you spent on each question, you will know what 72 seconds per question feels like. (In my practice tests from Sybex using their online tool, I averaged about 40 seconds per question.)
      1. So bottom line on time, you will have plenty of time to finish the exam if you pace yourself.
    9. I could tell that I got more questions in one particular area, so I must have missed one or two on that topic and the adaptive test (ABAC / RBAC, etc.) but I didn’t feel trapped in any particular area.

One other really helpful piece of preparation advice – get out on Reddit and read through the CISSP group. Be careful to not get lulled into complacency by someone on Reddit who says they passed at 100 questions in 61 minutes…. They might have a totally different experience level or background than you do. However, what I found helpful is that people post what resources they liked and used. I found this was a good way to find out about things that you might not have known about otherwise. I started the process thinking I would be able to just read the Sybex book and take the test. I was really glad that I did not just do that.

From MB –

Passed today with 150 questions and almost 2 hours. Quite a few questions on ABAC and SOC reports. Some questions I felt like I couldn’t even comprehend what was being asked. Primarily I used Boson and an app on my phone called IT and security. It’s a $20 a month subscription but I only planned on using it for one month anyway. The good part about it was that it pointed you to the page in the book that the question was about.

As said many times, read and reread the question. Take you time and even take a break. I feel there’s plenty of time for the exam. I got to question 75 and told myself I was only half way just in case I had to go to 150. My hope was 100. Read up on those things like BCP and SDLCs. And know them well. I studied a lot of encryption and port numbers and didn’t see anything on my exam that was more than what we’d already know in general about what is and what isn’t secure.

Good luck and you can do it.

From GG –

Here are the things I can share before I forget.

  • I had not seen most of the questions before in any study aids. So mostly the way I answered was understanding/underlying the key topic/ principle and relate the theory I learned and applied from a managerial point of view (Thank you for drilling this into me during the class).
  • Look at the syllabus and cover all topics, example – they have added topics like supply chain which I did not prepare but I think I must have winked well since I had worked in supply chain before.
  • Practice question which has more than one domain impact. Example – application layer, testing and tools/operations. The questions started out with complex questions which covered more cross over topics and slowly went to topics on two or one domain.

The main questions were on this topic for me

  • SOC reports
  • ABAC (attribute based access control)
  • SDN (Software defined networking)
  • SCADA controls
  • Encryption
  • Few on data remanence
  • Supply chain
  • eDiscovery

Few questions on finding the right order of steps on various topics.

For the preparation these are the materials I used.

  • I followed the Thor Pedersen courses on Udemy the same weeks you were teaching in addition to all materials RCTC provided. That helped me understand the topics in detail.
  • Thor said it is good to get practice on 3000-5000 questions. I would have covered about 4000 questions from various question banks – Wiley test bank, Boson, Pearson test bank, Mike Chapple questions, CISSP Practice Exams, Fifth Edition, 5th Edition By Shon Harris and Jonathan Ham, And I also did the  free test questions from various training agencies available online.
  • I also used the sunflower cheat sheet you provided from previous students and revised the concepts using Eleventh hour CISSP by Eric Conrad during the last two days.
  • Another important thing is I sat down 3 hours without any disturbance and practiced the online tests even with masks on to see my mental agility.

Hope this helps for next students. I thank you so much for helping me in this journey.

From MR – I passed my CISSP exam today on 100 questions. It was heavy on technical questions I felt and pretty difficult (as expected). The resources I used most were Infosec Institute final practice exam and the 11th hour book.

From RM –

I took the exam and passed.  Not really any surprises on the content…there were more nuanced questions with picking the best choice seeming to be a preferred testing methodology.  A lot more BCP than I cared for.  Also names of algorithms.

From PR:  I’d started studying about 3 months ago though generally only a few hours a week (mostly reading through the books and any online materials, the CISSP sub-Reddit is a great resource). There’s also a discord server that houses discussion (and some free instruction) for CISSP and other certs that I wish I had known about myself.

Then this past week with the class I was in class all day and then at night I spent at least 3-4 hours re-reading chapters and doing practice questions. Work giving me freedom from daily responsibilities for a week definitely helped a lot. Saturday and Sunday I spent basically all day doing practice exams, then made sure I got to bed early Sunday night and used Monday before the test to just be as relaxed as possible rather than cramming.

I think the majority of questions seemed based around scenarios of some sort but they weren’t chained together for multiple questions, and I think they were all multiple choice single answer. And while I’m sure memorizing facts helped in a number of situations, it definitely seemed like it was much more focused on interpretation and logical reasoning based on the body of knowledge than strictly regurgitating facts. Memorizing acronyms was also unnecessary. I found the class really helpful, particularly your stories and the review of the practice questions. Even if the exam is not exactly the same as the practice I think it’s helpful to just go over and hear the reasoning of why a particular answer is favored over another.

From HS:  I’m glad to announce that I provisionally passed the CISSP exam.  It was really a tough journey with a lot of perseverance and dedication, but it has finally paid off.  This is a huge achievement for me and I will be proud to join the CISSP family after the completion of my ISC2 endorsement process.  A big thank you to all who helped me in one way or another.  Special thanks to Bob Weiss for your awesome bootcamp, Thor Pedersen – Lead trainer at ThorTeaches and Adam Gordon your incredible practice questions and your advice helped me a lot to be on the right track, and to have the correct mindset to fight until the 150 question.  Feel free to contact me if needed, I will be more than happy to help anyone who is planning to pass the CISSP exam.

From MA: I’m extremely excited to announce I PASSED my exam!!! If I can do it, YOU can do it! Thank you Bob for the informative course and willingness to spend extra time with us if needed!

If you’ve put in the hours studying and feel comfortable with the core security concepts, chances are you’re probably ready to take it! As Bob and many others have said, the mindset in which you approach the test/answer the questions is critical—think like a manager! Don’t get caught up answering every question with the “technician/operator” mindset (which can be tricky for some). Read the question and even re-read to ensure you fully understand what is being asked and approach it how “management/The big C’s” would!

Also! If you haven’t seen this video, make sure to watch it! She does an excellent job of explaining why YOU WILL PASS and how to approach the test. Lets gooooooooo!!!!

EB – It was harder than I expected and it really pushed me to my limits. I had to take all 150 questions but as I got to the end, the last few questions got much easier. You really need to understand priority – what solution is best, not just what it does. Stress that 25 questions will be thrown out and if you take all 150 questions I think you can get up to 45 questions wrong and still pass, so don’t get stuck wasting time one the tough ones, just pick one and move on. Expect not to know everything and focus on getting the ones you can be certain about.

My personal strategy after registering for the date and completing the course was:

    1. Read 1 domain in the Conrad Study Guide 3rd edition
    2. Highlight definition words and key concepts in the book and to highlight words that describe/define them as concisely as possible
    3. Do the 15 question quiz in the Study Guide book
    4. Go back to the beginning of the domain and transfer highlighted portions into my .txt notes file, searching Google or appendix when add’l info was needed
    5. Do the 100 questions for the domain in the ISC2 official practice tests book
    6. If an question I immediately have no clue or idea, circle the question’s number in the back answers section
    7. Grade the test and in the back answers section, circle the number of the questions I got wrong
    8. For circled questions, read the solution/explanation and add more to my .txt file if needed
    9. Repeat for all domains
    10. Day of test – review notes file from beginning if time allows, else do it the day before ( I should have started this earlier as it was much longer to go through than I expected)

This took about 4-5 weeks of intense studying after scheduling my exam with about 3-5 hours per day with some off-days and lots of short breaks. Don’t get overwhelmed by the magnitude, but really force yourself into studying what is most confusing and difficult. Try to go beyond definitions and understand the situations in which different solutions should be implemented/preferred. It’s important to have a secluded place to study away from distractions, devices, dogs, TVs, and other people so you only have what’s in front of you and nothing else.

I can provide my .txt file to anyone interested. It ended up being over 1500 lines of notes and even that wasn’t entirely everything that could be on the test, but going through the process of typing things out is what really helped me solidify and internalize everything.

KY – I would like to share you the news that I passed my CISSP exam on 08/22. During the test, I didn’t get any straight or simple questions like in Pearson practice tests. Most of my questions were scenario based questions.

Thank you very much for teaching the course and sharing your experiences.

Here is what I did:

I studied and practiced the same materials from our class over and over as I don’t want to get overwhelmed with different study materials:

Few days before the exam, I also used this book from O’Reilly (Eleventh Hour CISSP®, 3rd Edition – By Eric Conrad, Seth Misenar, Joshua Feldman) which gives the overview of all the concepts.

From the CISSP sub-Reddit

My time to said: I cleared the exam! Some points:

1- My exam was a little bit more technical than most here. No port number, but lots of VPN questions, etc..

2- First 30 or so questions are worded in a hard way. Keep it up, read the questions and answers several times and

3- After those 30 or so questions, I got questions very straight, like A or B ( Boson like)

4- Know your concepts, SOC reports, basics of GDPR, ethics

Materials used:

– isc2 official book ( read once cover to cover, then read the most unknown domains again) – 9/10

– 11th hour ( good for review prior to the exam) – 10/10

– Boson ( great questions and answers)- 10/10

– Mindmap certification videos on youtube ( Those guys are monsters. They explained Kerberos in a way that even a kid can understand. If you want to to a prep course, they are the ones to call ) – 11/10

– Phone apps with questions: 08/10

– Isc2 practice tests: 09/10

– All-in-one book and questions ( Shon Harris): I don’t recommend it. Too technical.

I was a little bit afraid, because I was getting very tired of studying ( studying every day at least for an hour, for about 4 months). My advice is: be smart about your studies. Focus on the domain you are weak, and use the tactic that works best for YOU ( I took security+, cysa+ and CISSP in a time-span of 6 months, that helped in memorizing the key concepts). Some people work better with videos, others writing ( like me), so know how information stick to you.

All the best for you guys! you can make it!

If you have recently taken the exam, feel free to contribute your experience in the comments section,  Please DO NOT provide question examples in violation of the NDA, those will be deleted.  But other comments of how the tst went for you, what sort of questions (scenario, multiple choice) and the study aids you found most valuable for preparation are welcome.

Additional comments for other student who passed –

DJ – Congrats to those CISSP’s I’ve missed. I took my test today and passed. It was kind of strange, I felt good about a lot of the questions but thought I’d blown it went I got to question 101…and then 125. Finally, I got all 150 questions and fully expected (as in the last test) to get the paper showing me where I need improvement. I got a congratulations instead.

My personal lessons learned are:

Drill on the practice exams, a lot (both Sybex and InfoSEC)!
Read through the 11th Hour
Read through the sunflower doc a lot
Read Bob’s best practices repeatedly

The thing I did really different for me was to accept that I will probably have to do this again next summer (while out of school) and that it was OK. When I got in there, I was in a much happier frame of mind knowing that I wouldn’t be drilling 250 questions every day for awhile, so I was very relaxed. I also took my time and did NOT watch the clock at all but did read the question until I understood it, read all the answers (not falling for the first good answers) and then read the questions again to confirm I thought I had the best answer. Last time, I remember feeling they were just punishing me after question 125, thinking I was already failed. This time, I stayed focused until the very end and still had over an hour left.

Like Bob said, slow down, read it all.

Thank you, Bob and fellow students for your shared experiences.

SP –

I just passed today as well, which is a nice present for my birthday tomorrow!

For those worried, I found knowledge of what the acronyms stood for was not very necessary. I also found the technical knowledge to be important but not the end-all-be-all. It was more knowing what was important in what situations.

AO –

I took my exam this morning and also passed, which I’m pretty stoked about!

I definitely echo the sentiment around critically reading each question and ensuring you comprehend what is being asked. I encountered a few questions where the four options included “correct” answers related to the topic, but only one specifically related to the ask. For example, a question may ask you to select the best method to identify something, then offer correct options to execute or evaluate that thing.

I found the Boson exam questions to be pretty close to the actual questions. Including formatting (bolding) and presentation of acronyms. I also found the 11th Hour PDF that Bob shared to be very helpful, especially the highlighted pieces. Those highlights were on point! That comprises all the resources I used to study for the exam: Bob’s bootcamp; Boson; 11th Hour.

Hopefully some of the above helps and best of luck to anyone still testing!

DS –

Just catching up on emails and saw the recent CISSP exam results for some.  Just to let you know, I took the exam about 2 weeks ago and passed.  My advice, and it was mentioned by others early on, is to approach each question from a managers perspective – “What would a manager be most concerned with?” and also to really read each question carefully as to exactly what they are asking for.  Also, as mentioned during the bootcamp, if you see a few questions that you think were not covered at all, don’t worry and just stay calm for the next question.  Other than the course textbook, I also read as much of the CISSP All-In-One book by Harris and Mayam, 8th Edition.  It was a very good compliment to the Sybex book.  As for test taking, there is a book called “How to think like a manager” by Luke Ahmed which I found really very helpful as it is just a book of 25 questions and it helps break down the approach and thinking that goes into answering the test questions.

Good luck to everyone taking it for the first time or who have to take it again !

  • Student Files
    • Read/understand all of 11th hour,
      • one or two chapters, drill questions, after you read the next 1-2x chapters
      • Go back to previous chapters and skim highlights to refresh memory
      • repeat, skim afternoon before/early morning day of
    • Crypto PPTX
  • Memorize
    • canons
    • NIST/ISO/EAL – high level – what docs/levels you’d need for what
  • infosec practice exam
    • lookup where not confident / wrong answer to make sure have the main topic areas
    • get as close to the 90% as you can
  • Did not use it, but sunflower would have been useful.
    If doing it again, I would have…

    • read over a few times
    • recreated the document by hand or re-type short version of it
    • enforces tactile and visual back and forth, helps give a anchor with memory

ED-  Test is indicative of your deep knowledge and understanding. Of my personal experience, only a few questions were straight forward. My biggest tip would be to go through the practice questions and truly answer in a managerial mindset to see if the answers correlate. You must have an extremely deep understanding to answer high-level questions.

Study material:

– InfoSec bootcamp

– 11th hour

– kelly handerhan cybrary

– isc2 complete guide

– sunflower guide

– quizlet

– Boson – Boson was the most closely related element. But, I assure you nothing you have seen is anything like the testing.

I also assure you, it is NOT that difficult of a test. Don’t give up,

From BJ –

Made it through to the other side last night.  Thought for sure I was going to fail.  Felt a little ‘deer in the headlights’ by several of the questions that covered information that I do not recall seeing the the book, Bootcamp, or even asked in the practice tests (really is a mile wide).  To me the test really felt like more of a ‘logic and reasoning’ test that a technical test, as the sole focus was eliminating two answers as quick as possible, and taking an educated guess between the other 2 questions (as Bob had mentioned in the Bootcamp).  Part of it may be my own fault for not diversifying with multiple study guides, as that never hurts.  I did buy the Shon book, but after reading the Bootcamp 1,000 page book twice, I was done if you know what I mean.  Aside from the bootcamp, probably had about 250 hours studying in the past 6 weeks but it is over with.

Enjoyed the Bootcamp and the experience for sure.  Learned a lot about topics that I hadn’t ventured into regarding regulations, laws, programming, etc.  Good luck to all that have yet to take it!

From JL –

Well it was about as brutal as I had expected from what I had read. Definitely not the most fun experience to have that is for sure. Only a few high level technical, otherwise it was not technical at all. I felt like almost my entire exam was risk assessment and SDLC. I also had a few high level technical networking things, but super basic stuff anyone that has done IT work could be able to answer.

I read the 11th Hour CISSP book about 5 days before my exam and I felt that it was an excellent resource as a refresher. I also used the Sunflower reference the night before and the morning of my exam as a nice quick glance reference for things.

From LF –

I seem to recall a lot of focus on the different types of access control (i.e. RBAC vs DAC). Also a lot on DRP and BCP and the roles of various senior level managers

Boson helped a lot but of course all the questions on the test were completely different.

Thanks for the great course! You are making a big difference for your students.

From JG –

PASS! 100 questions. 90 Minutes. YAY!

I had to use EWHAGS (engineering wild hairy-a** guesses) more than I thought I would, the test asked for details in areas I didn’t study in enough detail. But taking practice exams helped me most – I used them to identify weaknesses and went back to the book. I took at least a test a day for the last week.

If you know the answer, don’t hesitate. That buys time. If you are not sure, read all the answers CAREFULLY and reread the question, ESPECIALLY the last sentence. If you still don’t know it, do the elimination game and look again.

From SP –

Hi, I was in your class last week and passed yesterday, somewhere between question 100-110. The only thing that jump out was the number of questions about ABAC, but other than that the class was on target for depth and breadth of knowledge. As you (and others say), this is a management-focused certification.

There were are few questions on Industrial controls that were intended to check general knowledge of what is close to a machine, far from a machine, and one question that sticks out in my head of ICS is generally relatively weak. I applied the knowledge that I have of IoT devices, and general weaknesses.  I know they can’t provide the detailed results, but it would be really interesting to see on a question by question basis what I knew well vs. what I was weak on.



About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at
  Related Posts


Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.