Here we attempt to answer the common questions we are asked about earning the Certified Information Systems Security Professional certification. Specifically, our resident cybersecurity expert shares his feedback on taking the CISSP exam.
Disclaimer: This transcript was automatically generated using speech to text software. It’s imperfect, and we recommend listening to the actual video over reading this for the most accurate presentation.
Hey everybody. It’s Chris and Sid again from Everblue to answer more of your questions on how to prepare for the CISSP exam.
One of our frequently asked questions is “What is the CISSP exam like?” So Chris…
Yeah. As of a couple of years ago, and this is increasingly common in the standardized test world, the CISSP exam moved to become a Computer Adaptive Test (CAT).
So it used to be that if you took a standardized test, you’d fill in A, B, C or D on a little piece of Scantron paper with a #2 pencil.
Now the way that works is you set up an appointment at a testing center and you’re going to take your exam on a computer.
There are a few things that are unique about that, some really good, some a little bit stress inducing. The first is that you’re going to set up an exam appointment, which means that you’re probably not the only person in the room taking the CISSP exam. The CISSP exam is three hours long, but other exams are 2 hours long, or 6 hours long, and there are different rules for each type of test.
But you’re going to set your appointment, and the system is going to tell you what appointments are available on a calendar, and you’re going to book it for whatever day of the week and month is available at the testing center near you and that also fits your schedule.
When you walk in the testing center you’re required to have two forms of ID, and your name has to match identically on both.
My full name is Christian but I wouldn’t put “Chris” when I filled out my application because there’s a chance that the person at the testing center might give me trouble.
I heard that your ID is supposed to have a signature on it; is that right?
You’re supposed to have two IDs with a signature. So for me, I normally carry around my driver’s license, which has my signature, and my military ID, which doesn’t. So when I went in for my exam appointment, I had to bring my passport because that does.
It’s an example of something that can be stress inducing the day of if you show up and it turns out you don’t have the right documentation with you.
The whole reason why these exist is that they don’t want people cheating. So they’ll require multiple forms of ID, you’ll have to do a palm scan biometrically, which is like a fingerprint, and so they use multiple ways to validate who I am, just like two-step authentication on a computer.
The exam itself is what most people are probably most concerned about. It used to be that there was a longer 6 hour exam with 250 questions.
The exam has been cut down – this is one of the benefits of computer adaptive testing – to only 100 to 150 questions. The reason why is that the way that the computer adaptive test works is that you can’t go backwards on a question.
So as soon as you answer question number one whether you’ve got it right or wrong it’s going to send you to a fork in the road.
And if you got it wrong, it’s going to send you to a certain question. If you’re right, it’s going to send you to a different question.
So it’s not like some exams where you can mark the things you’re not sure about, go back and review them after you’ve looked at other questions and thought about it a little bit. You’ve got to make a decision and move forward.
It’s nerve rattling and it’s really stress inducing. What makes it even worse is that if you get it wrong, it asks you an easier question, and as long as you keep getting the wrong answer it’ll keep asking you easier and easier questions.
And as long as you get it right it’s gonna ask you harder and harder questions, and it’s going to try to figure out and triangulate where the ceiling of your proficiency is.
Basically, once you get farther into the exam, on any given question the computer has dialed in your level of knowledge, so that it serves up the next question with 50/50 certainty whether or not you’re going to get it right or wrong, even though there are four answer choices for most questions.
And so the way it feels as the test taker is “Man, this is a really tough test!” Regardless of whether you’re really good or really not so good, it’s going to find what the ceiling of your knowledge is and put you right at it.
So as the test taker it’s really hard, you’re really thinking hard, it’s tiring your brain out, and you don’t really know where you’re at.
And so you’re gonna click from question 99 to 100. Several things can happen then. The computer can say “Yes! We are very highly confident this person has demonstrated that they have the necessary knowledge to earn the CISSP credential.”
So, it’ll say “Congratulations, please go see the person outside. They’ll give you a preliminary notice that will tell you it’ll take a few days to confirm, but you’ve preliminarily passed the CISSP exam.”
At question 100 it could also say the reverse – “Sorry, we definitively determined that you’re not going to pass this test, so we’re not going to waste your time asking another 50 questions.”
Or it could keep asking questions because you’re somewhere in the middle. You’re not in the top five percent and you’re not in the bottom five percent.
You know you’re in this middle ninety percent, and it’s going to say we’re going to need to ask you additional questions, and you have up to 150 questions to prove to the computer that you have the necessary level of knowledge.
They keep the actual algorithm secret. It’s like a trade secret; you don’t actually know what the secret sauce is on how it grades. I don’t think it matters all that much.
One of the things that I’ve noticed is that a lot of practice questions will be very acronym heavy.
Probably the biggest thing with the exam is that they will spell out every acronym. It can be a real time suck if you’re studying and trying to memorize every acronym. There’s just an endless number of acronyms across all of the materials relevant to the exam.
If you’re trying to memorize acronyms and what they mean, that’ll just be a big waste of your time. They will spell out the term and put the acronym in parentheses in every single instance where a term with an acronym is used.
So great advice if you’re going to take this exam. Don’t waste your brain space memorizing acronyms. They’ll be spelled out for you.
A lot of practice questions, to include the official ISC2 questions, will have questions with just four acronyms without the acronym being spelled out. I’m not talking about the content of the questions but rather the style of the questions can lead you toward more rote memorization.
And the second thing is that a lot of the practice questions that are out there lend themselves toward more rote memorization, or pump and dump.
And those are the easier questions to make for someone preparing the exam. It’s not great for the students, but for the people who write these books or create practice questions it’s easy, because they’re just pulling information off lists and generating practice questions even though it doesn’t do much good for the test taker.
Bingo. I think that the way you experience that is that a lot of the practice content that is out there – take this with a grain of salt – will lead you down a road of memorizing lists of information and numbers. When you get to the exam you certainly have to know the underpinnings of the material, but there’s not going to be as much regurgitation of information. It’s going to be more like you’ll be presented with a set of information and what’s the judgement call you’d make based on that set of information.
And it makes sense. The exam is more of a managerial exam. Management is all about making decisions and so the exam is testing when presented with a limited set of information, will you make a judgement call? Is answer A right? Or B, or C, or D?
And the last thing I would say is that, you know, the vast majority of the exam, 95% or so, is just standard multiple choice questions. There can be a few that are “select all that apply” or “which three of the following,” and there might be one or two where there’s some drag and drop.
Maybe you’ve got four terms and you’ve got to marry them up by dragging boxes on the computer screen. You’ll probably experience fewer than five questions like that on the exam. You certainly don’t see them in the practice question content.
It’s a fair exam. A lot of people will say that the practice questions are easier. I don’t know if I’d say it’s easier or harder, but it’s just the difference between that memorization, that pump and dump, and the intuition of the judgement call.
The very last thing I’ll say is that because the computer adaptive test can be so stressful, one of the things that I find helps me is that in any of these tests they are constantly testing new questions. So in the first 100 questions of the exam, 25 of them will be pilot questions that are not scored, and you’re really only scored on 75 questions.
You don’t know which 75 count and which 25 are just pilots, and they’re using those and how people perform on those to make one instance of a test fair in the future. But if you have a really hard question where you have no idea and you’re just guessing, it could be a little bit reassuring to say “let’s just hope that was one of the pilot questions and that it didn’t count against me” and move on.
It can also be tricky. I know you’ve said that a lot of the time you come out of a test smarter than you went into it, so you can look at questions and figure out the logic behind them even if you don’t know all of the information. So not having the opportunity to go back and adjust your answers as you take the test is a bit of a gap, but mentally you can answer it, forget about it, and move on to the next.
Totally. Yeah, there are other tests where you can review your questions, where question 57 might trigger something in your brain that gives you an answer to question number 25, so you can go back to those, but this isn’t a test like that.
Hopefully question 57 ends up triggering something that ends up being helpful on question 80 or any other future question, but for better or worse I would say that there is comparable fairness between the tests. So even though it can be stress inducing during the test, it is designed that way – a computer adaptive test (CAT) is designed to find the ceiling of your ability and push you right to it. So you’re going to feel like something of a failure because you’re at the limit of your knowledge and the test is just figuring out where that ceiling is. If your ceiling is down low that might not be enough to pass the exam, or if your ceiling is up high because you’re the smartest guy in the room, it’s going to find that ceiling and push you right to it. So under any circumstance you’re going to feel like “I am really not doing well on this test,” but you’re done in half the time, so that’s a massive benefit. Going for six hours is like running a marathon in comparison.
For more questions about the CISSP exam, give us a call at (800) 460-2575.
Update – On June 1, 2022, (ISC)2 added 25 pretest (unscored) questions to the CISSP exam, increasing the total number of questions from 100-150 to 125-175. As a result, the maximum allotted time to complete the exam has increased from three hours to four hours. There are no changes to the content of the CISSP exam; the domains and domain weights contained within have not changed.