New Insights About the New CISSP Exam May 2021 Update

As many of you know, I teach a number of information security certification classes, especially the (ISC)2 CISSP certification.  Almost a year ago the (ISC)2 update the course content and questions for the CISSP.  Students that I have taught since then have started taking and passing the new exam, and here are some of their comments.

This is a resource page for other test takers both current and future, and I will continue to add student comments even after the post date.

Other CISSP Resources of WyzGuys Cybersecurity

  • Preparing for a CISSP Certification Bootcamp
    Attending a CISSP certification bootcamp should be the final step in your preparation for taking and passing this highly sought and often required cybersecurity certification exam.  How should you prepare for the bootcamp itself? I teach about three CISSP bootcamps a month.  A bootcamp is a full t…
  • Comments on the CISSP Computer Adaptive Exam
    I am teaching classes for candidates pursuing that pinnacle of cybersecurity certification, the CISSP.  The CISSP is a challenging course of study, and the certification exam has always been daunting.  When I took the exam in 2016, there were 275 questions and the exam allowed 6 hours for completi…
  • Advice After Failing the CISSP Exam
    Here is the advice I gave to a student who has failed the exam.  Really – It is good advice for test takers too.  The only difference is when you fail, (ISC)2 provides an analysis of the domains you were below proficiency.  If you are prepping for your first exam, you know where you are weak an…
  • Are You Ready for Upcoming Changes to the CISSP Exam?
    The CISSP exam is changing on May 1, 2021.  The changes are covering technology updates for the most part.  The official word from (ISC)2 is that the changes are minor, and if you have the industry experience required, and have adequately prepared for the current exam, you should be ready for the …

CISSP Continuing Education and Account Maintenance Question

One of my students had this question and I thought it might be worth including in this compilation.

Passed the exam thanks to your awesome training and mentorship.  The endorsement process is however taking a while.  I may have missed it but was there a session where you went over the “continuing education” credits system/requirements and the whole “after the exam” topic ?.

And my response:

Congratulations.  I am collecting comments from recent test takers for a new CISSP exam article that is posting on March 29.  Any insights you can provide would be appreciated, and included in the article.  Looking especially for study tips, comments on the new content, and you exam experience.  Please send me something.

If by endorsement, you mean the 5 years of experience in 2 or more domains, my advice is this:

They are not looking for 5 years of time in a cybersecurity title, your experience can include entry level IT experience too, even stuff you have done for yourself personally or for family, friends, etc., as long as it is security related.  Have you installed a Internet connect door lock?  Physical security.  What about a Ring doorbell.  Minutiae counts.  If you ever configured a fleet of PCs using a base image that included anti-malware software, this counts.  Set up a firewall?  Counts.

What about your sponsor?  (ISC)2 can help with that item too.

As far as the CEU requirement and the annual membership fee, I usually talk about that, but you never know we might have missed that.  Attending webinars gets you 1 CEU per hour.  Seminars provided by (ISC)2 are automatically credited to your account, others need to be added manually.  Lots of stuff counts.  Reading books, writing articles for a blog post (you can submit one too me for my blog for instance) attending security conferences.  The local Secure360 conference is good for 12 hours of CEUs, this is happening in May.  Attending meetings of the local (ISC)2 chapter (  Join our local chapter, or add your name to our email list for announcements.  See the web site.  You need 40 CEUs per year.  You have 3 years to accumulate them (120 CEUs total)

ALL certifications have continuing education requirements, fortunately, you can use the same events for multiple certs.  My CISSP CEUs also count for CompTIA CASP+ which covers me for all my other CompTIA certs, as well as the EC Council’s Certified Ethical Hacker.  This requires a little bit of recordkeeping on your part, and submitting your CEUs online.  Time consuming, but much easier than sitting for the exam again in three years..

CISSPrep Practice Exam

This was just recommended to me by a current student.  The questions are represented to be closer to the actual exam questions.  Check out

Josh B – I passed the damn thing!

Read the Sybex Official Study Guide 1.5 times

Did all study guide tests

Did ALL Sybex Practice Tests version 3

Used CISSPrep Quick Tests up to 6 Hour tests up to 22

Started reading 11th Hour yesterday and finished hours before test. Good refresher.

I also watched Kelly Handrhan’s video series on Cybrary and Sari Greene video series. It is available on O’Reilly

11th hour book was also on O’Reilly so good reference for students.

Mark S –  Thank you, sir.  Just writing to inform you I passed the CISSP exam last Friday and thank you for your help in preparing for the exam through the Mayo/RCTC partnership. Thinking like a manager had a strong focus on the exam and I appreciate you drilling this home.

The main advice I would give students is to think end-game in terms of applying risk management, configuration management, or change management to a specific scenario with the focus on mitigating risk. It is not necessarily how well you can memorize formulas, but how well you can put on the managerial hat and determine the best course of action to satisfy the scenario given. Also, while the various practice tests do help prepare your mindset, they should be used on how best to find the best answer from a list of good answers. Practice reading slowly, reading each answer, choosing an answer, then re-reading the question to see if it fits. Regardless, the practice questions are generally more technically focused than the actual exam.

Bob E – I wanted to let you know that I passed my CISSP exam on 2/23/22!  Thanks again for the class and helpful advice!  There were more questions about ISO 27000 and GDPR than I expected.  There was a lot of “think like a manager” style questions. More questions about creating policy and procedures instead of technical solutions, like we studied in class.

Aaron S – I really enjoyed your CISSP class. You were spot about thinking like a manager and rereading the questions!

I arrived at the testing site 40 minutes early and once I went through all of their check-in, identification and security screenings I was able to get right in. I’ve gone through much less steps entering DOD classified sites.

MY test experience

  • After 5 questions – well these aren’t going to be easy
  • After 10 questions – I should have studied more.
  •  After 50 questions – I started making mental notes of what I should concentrate on studying for my next attempt.

The torture ended at 100 questions. It seemed like it took forever for a proctor to come and escort me out of the testing room. I had to have my palm scanned and show my ID then I had to go to the front desk and show my ID again in order to get my results. They gave me the print out face down and then I had to find out my results. Thankfully I saw “Congratulations”.

Here are some additional resources I used:

  • BOSON practice questions
  • Luke Ahmed’s “How to Think Like a Manager”
  •  11th Hour CISSP 3rd edition
  •   Subscription to Luke Ahmed’s Study Notes and Theory website.

Make sure you understand RAID levels, SDLC, SOC report types, Encryption types and when to use them, GDPR, SSO and Kerberos. Don’t forget the ISC2 Code of Ethics is testable.

This was the hardest certification test I’ve taken. Believe the hype!

[Bob’s comment – 100 Questions is either the best you can do, or the absolute worst you could do.  If you pass at 100 you got nearly every question right, if you failed you got too many questions wrong.  A passing score between 101 and 150 is typical.  If you pass at 150, you got the last question right and needed all of them – no margin to spare]

Gerald W – I passed the CISSP exam on Friday Jan. 14, 2022 in Rochester, MN.  A lot of the things that you said about thinking like a manager were very helpful.  It was snowing heavy the day of the exam so I got to the testing site more than an hour ahead of schedule.  I sat in my pickup and prayed and memorized bible verses before going in.  The only thing that I brought in was two forms of ID and my car keys which I even had to put in a locker.  They didn’t hesitate to check me in and let me start the test even though I was early.

The test room was a narrow L-shape with a dozen 3/4 cube desks and glass windows for the monitor.  The test had a running timer in the upper right corner and there was a clock on the wall in front of me.  I tracked my time at questions number 50 and 100 to ensure that I had 120 minutes and 60 minutes remaining respectively.  My test stopped when I answered question number 100 with 59 minutes left.

The questions seemed very similar to what I saw on the practice tests.  There were maybe a half dozen that mentioned standards that I had never heard of.  So I just used reason to eliminate two answers then picked the one that I felt good about.  I didn’t purchase any of the extra study tests or material to prepare for the exam but practiced extensively with the Wiley test suite, the CISSP Study Guide, the CISSP Practice Tests, and RCTCLearn questions.  I used my own creativity and Excel to help practice and track weaknesses. I also used material on the OneDrive that you provided such as the “Eleventh Hour CISSP: Study Guide, Third Edition” by Eric Conrad, Seth Misenar, and Joshua Feldman even though it was outdated.  It gave me an overview of each domain prior studying them in your class and reading the assignments.  Thank you for being a great instructor.  Your stories made what should have been dry and boring into something interesting and insightful.

Nick V –

Experience: Took the test in Feb 2020 after self-study with the Sybex official book and test questions. Failed at 150 questions. I am sure that I have a printout somewhere with strong/weak domains from that exam, but cannot find it at the moment…

Fast-forward to later 2020, took your class in the Fall, took a lot of confidence away from the class being able to remember a lot of material from self-study and going through the Boson questions. However, work was keeping me extremely busy at the time and I wasn’t ever confident enough to take the exam.

Fast-forward again to this year, I started studying again in earnest. Passed May 10th at 100 questions.



Federated ID Management

Business Continuity/Disaster Recovery

OSI model

Wireless Networking

Training Resources:

Semester class via RCTC for Mayo Clinic

Sybex official study guide 8th edition (note that this edition DOES talk about all the subjects covered in the exam, but some (like Cloud and Federation) do not have the level of detail needed for what may come up)

Boson Ex-Sim Max for CISSP


– Computerphile youtube channel on specific subjects like DIffie-Hellman, AES, Encryption, etc. –

– Destination Certification on Kerberos, and generally with their domain overviews –

– Why you will pass the CISSP by Kelly Handerhan –

Official ISC2 – CISSP flashcards (these were hit/miss)

Made a personal set of flashcards for domains 3 and 4 which were tremendously useful for separating out the protocols in the OSI Model in particular

Study prep:

Sybex cover to cover

  1. Boson test
  2. Write Chapters/concepts that give me trouble
  3. Review the list
  4. Repeat Step 1

Final note: I remember looking through the Boson questions with the group, and really appreciating the insight as the why and why not each answer would be correct. This process and mindset is really helpful for the exam.




About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.