I recently read that, according to (ISC)2, most people do not pass the CISSP exam on the first try. Does this alter how people should prepare? Does it make sense to take the exam a first time with minimal preparation, learn what it's like, and then undergo a more rigorous process before taking the exam a second time? I don't want to waste money on boot camps or training courses and still not pass.
Ask the Expert!
Taking the (ISC)2 CISSP exam can be an intimidating experience. There is a massive amount of information that could potentially be part of the 250 questions that must be answered in six hours. I took the exam myself in 2003 and found the preparation to be extremely stressful. Many people don't pass on their first attempt -- I have heard of failure rates as high as 70% -- and this no doubt weighs heavily in the back of test-takers' minds, making preparation even more difficult.
I have heard of several different approaches to CISSP test preparation. There are the expensive boot camps and training courses that cram the entire CISSP Common Body of Knowledge into a short class. Some propose taking the test the first time without preparation just to get familiar with the testing process.
I am not a fan of either of these approaches, although different study techniques may work for different people. Cramming for the CISSP exam will probably not help, as there is too much subject matter to retain. Cramming also has the disadvantage of being completely forgotten in a few weeks. The information gained when you study for the CISSP is valuable, and you will benefit by actually learning and retaining it. People who pass the exam through cramming tend to be the same people who give the certification a bad name later because they cannot apply any of the knowledge they were tested on.
I also don't recommend just taking the exam unprepared as a study technique. This is the most expensive way to get a feel for the types of questions on the test, which will change each time you take it. You will not get the same questions twice. (ISC)2 won't even tell you what questions you missed -- just what general subject categories you need to study, which isn't very helpful. The only time that this study technique may have any use at all is for those who suffer high levels of test anxiety and need to get familiar with the testing process -- what it's like to sit in the room and answer the questions in the time allowed -- in order to cope.
I approached the test the same way I approached all of the certification tests I have taken in my career, and I found it to be the best way to study for the CISSP. I found computer-based quiz software that offered hundreds of practice questions and a thick reference book that covered all of the potential exam material. I started by taking the practice tests to determine areas in which my knowledge was weakest.
The CISSP exam requires five years of experience in the field for good reason. I found that I was able to get through some subject areas in the practice exam because of my previous experience. This allowed me to focus on areas where I struggled. I would review each practice question that I missed and research the subject in the reference book. I would then write the question and answer into a spiral notebook to reinforce the information in my memory. I have often used this technique with good success. By the time of the test, I was acing each subject category in the practice tests and knew the information cold.
In the end, I was able to pass the test on the first try by using this technique. It isn't expensive, but it does require time and effort, as well as experience, in order to succeed. I am not a fan of any shortcuts and strongly suggest to anyone taking the test that they fully immerse themselves in the study process. This makes for much stronger information security professionals and adds credibility to those who are certified.
The test will not be easy, even with all of this preparation, so don't feel discouraged if you don't pass it the first time. The difficulty of the exam is why the CISSP still has value today, and after many years in the field, it is the only certification that I continue to keep current. Good luck!
This was first published in August 2013