On April 5, after six months of preparation, I took, and passed, the CISSP exam. Here are some of the lessons I learned along the way.

For starters, I think I studied too much. After taking SANS’ MGT 414, I believe I was fairly prepared to take the test. However, after listening to the horror stories from instructors and others who have taken the test, I thought it necessary to over-prepare. I reviewed the audio recordings of the classes dozens of times for months. I read the CISSP Study Guide, Second Edition. I signed up for an account on, and took several tests there. I got a copy of CISSP All-in-One Exam Guide, 6th Edition, and did practice tests in that book as well.
One of the recurring themes that I heard from my instructors and other people who had taken the test was how hard it was. (Apparently it has one of the highest, if not the highest failure rate of any professional certification tests in the industry. Comforting.) One of the reasons given was that questions would be very poorly written, and you would have to spend time just trying to understand what the heck was being asked. Another reason is that there is so much covered in the Common Body of Knowledge (CBK), that you really do need to know a lot. The test itself is 250 questions, and you have 360 minutes to complete it. So that’s 87 seconds per question, not counting any time you take for breaks; you can take as many breaks as you want, and the clock just keeps on ticking. Finally, the test is supposedly designed to be not so much geared toward memorization as toward analysis.

Despite running in to many poorly worded questions, e.g. “which of the following provides an incorrect mapping about XYZ,” on practice tests, there were exactly 0 of these on my test. There were certainly questions I needed to back and re-read to make sure I’d gotten everything, (such as the hidden “nots” which seemed to elude me on practice tests,) but they were all intelligently written and there was always at least one answer that made sense. The only challenges happened when there were two (or more) answers that made sense.
As for the length of the test, for someone who practices as many physical activities as I do, sitting in a chair for several hours straight is a walk in the park. If anything, I was afraid I would get bored, as I did in the practice tests, more than anything. However, I was so amped for the test, that this did not happen and, with the exception of a few breaks, I was able to focus and plow through. I made sure to eat a good meal the night before, along with a light breakfast. I took snacks, including a protein bar and some freshly-squeezed fruit juice with me. That helped, once the sugar high subsided.
The Pearson VUE test center itself was fine, with the exception of some glaring security issues that I intend to bring to the attention of ISC^2. I made sure to locate and visit the building a day before so there would be no question. I arrived an hour early, but wasn’t admitted until half an hour before the test. I finished the test, including my second pass through, in about 4 hours, upon which I received confirmation that I had passed. Now I need to submit some paperwork to prove I’ve worked in the industry for the required time, and get an endorsement from a colleague who is already a CISSP.

Leave a Reply