Took new CISSP test in May 2015

brenbrenOK

mjsinhsv wrote: »

b/eads is "keepin it real". We need more members like him.

The test really needed a refresh.
I've seen posts in the past from folks who said all they did was memorize the sunflower and passed with no experience.
That really helps the profession and the validity of the cert.

I have a buddy who was in the Atlanta class last month who told me the ISC instructor informed them all that ISC is really pushing the experience level that will be required to pass the exam.

KUDOS to ISC for doing this.
Maybe there will be less CISSP's saying they have met other CISSP's who don't know sh1t.

mjsinhsv,
I think we are more on the same side than he thinks. My job has not required me to have a CISSP, however you know as well as I do that if you are a contractor with the Federal Government, there are a lot of Federal Government type people who have CISSP's, and there are a lot of contractors that pay for their employees to go to boot camp who don't have the experience, and just memorize the OSI model, EAL levels, Biba, Clark Wilson, Brewer Nash, asymmetric and symmetric encryption, etc. I can't tell you who many CISSP's I have talked to who don't know what SSH, RDP, windows event forwarding, auditing, analysis of data, really is. So I was curious and said, OMG if that guy can be a CISSP than I know I can. LOL. All my knowledge other than when I went to the boot camp and read the Shon Harris book has been hands on work. Beads was saying on other threads that he's never known anybody who has admitted failing, I admitted it and now he thinks I'm a hater. It couldn't be further from the truth. My mistake going into the test was not following my strategy. I didn't think the first test was overly complicated, I actually went through the first 150 questions in about 90 minutes. My problem is test taking strategies. I read too fast and I miss questions like how many months of the year have 28 days? Well duh, all of them do, but if you read that fast, you might think, oh February. Or True or False 100% of people who eat carrots die? Uh, hmmm, well eventually they all do so I guess it's 100%. I never said I hated what they did, and I do truly want this to be a test that not everybody can pass, I also think when the test changes, that it should be a requirement that previous CISSP's should be required to take, even if they give previous CISSP's a price break, I think that would be great. Then everybody is current, and every CISSP can comment on each question if they want to make this better. I just said it was a radical change from the test before, and people should not listen to the cert mills who are saying, "Don't worry about it, not much has changed, so pay is the $3,000 for boot camp and will will ensure you pass, but well if you don't, you can sit through another boot camp for free. You don't see them offering to pay for a re-sit fee. So I am saying KUDO's for ISC for doing this. And the more I sit here and try to remember the scenario questions, and look them up myself, I say, oh I got that right. So deductive reasoning is a good thing, and having this certification SHOULD mean more, because that means the people who actually can think on there feet will be more valuable and I know value means more $$$$$$$, so I'm all for it.

brenbrenOK

YouWill787 wrote: »

I'm beginning to think that part of the NDA for the CISSP is agreeing to scare the bejesus out of CISSP hopefuls via any means possible.

I'd like to preface this appropriately: I'm not taking a stance on any statement, but instead trying to spur conversation. I haven't taken the test before April 15th nor after. I'm one of the apparently unlucky ones who decided to really kick into gear on preparing to tackle this beast at a time that unfortunately put my testing time frame just far enough beyond the transition that attempting to rush my studying to make it before the changeover would have turned my ~$600 fee into more of a bet on the horse with the best payout and worst odds.

One thing I noticed is that it's not even 4 weeks past the changeover date so no one knows if they've passed yet. A lot of the posts I've read on the pre-April 15th test was that people felt extremely unprepared and were uneasy on their assurance that they were passing, in fact, many were sure they failed. Upon submitting the test and being handed their outcome, many passed despite their discomfort. Is it possible that the CISSP just has that effect on most people?

The other thing I've seen mentioned is how much more can even be added to the exam? I think that's a weird question, because I feel like a metric crap ton more could be added. A more accurate question might be, how much more material could be added to the CISSP exam while still remaining within the confines of what the certification embodies? They went from 10 domains to 8 domains but there were many statements that none of the material was dropped so still 10 domains of stuff, just in 8 domains, whatever, the domain names seem irrelevant to me. I figured originally that this would mean an update to material: know more about pentesting, know more about cloud computing, know more about mobile technology, etc,. I think the 4% ratio came from diffing the CBK 3rd and the CBK 4th and returning about 4% more material.

I post in peace.

YouWill787,

Let's just say the material is in the book for historical purposes, but in this new world of transparency where everything is done through software, and the user really doesn't have a need to know, do we really need to know if Bill wants to send an email that's certified to Sally would he encrypt is with his public key, his private key, Sally's public key or Sally's private key? LOL. They are moving more towards Cloud, Mobile computing pen testing, etc, so there can only be a certain amount of questions on the test so something has to come out. But this is not your average bear questions about cloud computing, pen testing, and mobile devices. It's very scenario based, with almost not enough information to really form a confident answer in the real world so you just have to go with ISC and think what do they think the best answer is. Definitely very thought provoking and in some cases you have to be an all in one, contract writer, programmer, business analyst, SLA writer, SLA metric gatherer, pen tester, auditor, technical writer, Security Professional, code reviewer, etc. LOL. I'm not sure if we need to know that the actual size of DES is 56 bit. Not sure we really need to know for the test what a Caesar's cipher, or a Scytale cipher is for daily operational work. I've got a triple major in Business, English and History, so for me that's cool to know, but for a new CISSP test, why waste a question on that. Yes the test does have that effect on people, for sure. But if you are good with facts and like reading about the enigma machine, then the previous test was for you. I'm self taught in technology, so I started with the power button, moved on to taking things apart, viruses, cmd line, powershell and then on to UGH, Security Plan hell and NIST 800-53 auditing for security plans, and BCP/COOP, technical sales, pre-sales architecture and other fun stuff.
Anyway like I said, I don't know if I passed or not, but if I did woohoo, because that means it was based on my experience and not something I memorized. Anyway cheers to all. Life is too short, I did a quick stop by to just give my experience and I'm thinking I probably should have just not said anything and let people figure it out for themselves. I'm one of 7 kids, lost my brother when I was 20, just lost my Dad, God Bless him, in December. He was a 20 year Air Force veteran, 1st Sergeant, always took care of his guys. I'm the same way, always a giver, but as I can see here some people don't want help so, but you would have figured that SOME senior members here would appreciate a new voice with new information. Some people just want to be know-it-alls, and if they don't want to read what I posted, they can always skip over my posts. In the spirit of a rising tides raises all boats is what I was thinking. Some people disagree. Good luck with your test when you take it. If I don't pass again I'm going to take it again. LOL. It's only money.

Sheiko37

Getting in the CISSP exam and thinking "am I taking the right test?" is something I've heard a lot, so it's hard to say if brenbrenOK was blindsided in the typical way by the CISSP exam, or it's genuinely changed. I don't think scenario based questions are new?

YouWill787 wrote: »

I've read on the pre-April 15th test was that people felt extremely unprepared and were uneasy on their assurance that they were passing, in fact, many were sure they failed. Upon submitting the test and being handed their outcome, many passed despite their discomfort. Is it possible that the CISSP just has that effect on most people?

Exactly.

Khaos1911

I'm seriously starting to wonder if I took the right test.

I only have 4 years of InfoSec experience, only studied the Shon Harris 6th edition book and her practice questions for maybe 2 months, glanced at the Conrad book and I thought the CISSP exam was easy as pie. After the 1st 100 questions, I thought to myself "this can't be the beast everyone is so afraid of. This ish is nothing." And I'm no genuis by any stretch, hell I'm not even smart...I'm just not dumb.

roboace

Studied Shon Harris and passed it in April as well. And i can say my questions were distributed across the domains.

I don't think a attending a bootcamp or or reading a book means you will pass the test though. So if you attend the bootcamp again, and take it, you are not guaranteed to pass. And if you have been working in one information security domain for the past 5 years, you might still fail the ISC2 test. All I can say is there is no single source of knowledge for the exam, but the All in One guide does as much as possible to cover a lot the different domains.


@brenbrenOK, Everyone's test won't be the same, so if they ask you a lot more on networking, aren't you supposed to be prepared either way? Does the test have to cover all the 10 domains just because you had to read it all? It's a test of preparedness, just as it is one of content - "a mile wide, inch deep". If your second test was similar to the first, then even i would be worried. Even if ISC2 didn't get revised on April 15th, your tests would have change, and the concentration would have changed too.
"Why do we fall? To learn to pick ourselves up!" Get back up, and don't rush it. I know people who have taken it 4 times. So make sure you pass it on your next try. You'll know when you're ready, there's no point rushing to take it 15 days from now. Though I understand your rant.. I'd be mad if i had to pay for 3 times the cost..

I can't say i passed it because I read just the Shon Harris book. I didn't even go over any of the practice test books, but I was simply going to give it my best. Personally, i have a lot of practical experience on most of the domains. Somewhere in the middle of all that, I got all I needed for the test. And the Shon Harris book just helped to remind and reinforce all i've learnt thus far.

And the CISSPs you've met that don't know squat...
I've also found that some just say they have it. Wait till they get audited...
Check the stats page, the numbers aren't as high as they would be if 4 out of every 10 people you meet have it.

To anyone else preparing for the test, don't let the stories of the exam being hard get to you. But ask yourself if you really need/want it.

Khaos1911 wrote: »

I'm seriously starting to wonder if I took the right test.

I only have 4 years of InfoSec experience, only studied the Shon Harris 6th edition book and her practice questions for maybe 2 months, glanced at the Conrad book and I thought the CISSP exam was easy as pie. After the 1st 100 questions, I thought to myself "this can't be the beast everyone is so afraid of. This ish is nothing." And I'm no genuis by any stretch, hell I'm not even smart...I'm just not dumb.

!nf0s3cure

Well clearly the test was showing its age, so they had do something about it. But what they have done and if that is in the right direction will be known in the next few months. If they are still looking at legacy stuff and still questioning about legacy cryptographic algorithms then they are still way off the mark. If you still have to read about the legacy crypto stuff as it may be examined then they have made no difference to their quality of testing scope.

justjen

Sheiko37 wrote: »

Getting in the CISSP exam and thinking "am I taking the right test?" is something I've heard a lot, so it's hard to say if brenbrenOK was blindsided in the typical way by the CISSP exam, or it's genuinely changed. I don't think scenario based questions are new?

Agreed. From extensive reading of blogs and posts prior to April 15, there seems to have been at least some variation between a few/some people who "lucked out" and received exams that could be answered based on memorization and a larger number who received many scenario-based questions with ambiguous or incomplete information requiring knowledge AND analysis of 2 or more domains to answer the question.

That later group, which included me on April 14, generally seemed to feel no amount of simple memorization or purely technical approach would prepare you. Frankly, the post-April description does sound essentially the same type of difficulty as test I experienced. Even though I answered all 250 questions in 90 minutes, I was convinced I had failed. But I didn't - I passed.

brenbrenOK

Khaos1911 wrote: »

I'm seriously starting to wonder if I took the right test.

I only have 4 years of InfoSec experience, only studied the Shon Harris 6th edition book and her practice questions for maybe 2 months, glanced at the Conrad book and I thought the CISSP exam was easy as pie. After the 1st 100 questions, I thought to myself "this can't be the beast everyone is so afraid of. This ish is nothing." And I'm no genuis by any stretch, hell I'm not even smart...I'm just not dumb.

When did you take the test?

brenbrenOK

!nf0s3cure wrote: »

Well clearly the test was showing its age, so they had do something about it. But what they have done and if that is in the right direction will be known in the next few months. If they are still looking at legacy stuff and still questioning about legacy cryptographic algorithms then they are still way off the mark. If you still have to read about the legacy crypto stuff as it may be examined then they have made no difference to their quality of testing scope.

Nope none of that stuff was on there, they definitely are moving in the right direction.

brenbrenOK

Sheiko37 wrote: »

Getting in the CISSP exam and thinking "am I taking the right test?" is something I've heard a lot, so it's hard to say if brenbrenOK was blindsided in the typical way by the CISSP exam, or it's genuinely changed. I don't think scenario based questions are new?



Exactly.

I didn't say scenario based questions were new, and I've already explained I took the test on April 1st, and I wasn't blindsided, what I studied was on there. My mistake is I did go fast, I didn't flag any questions for review, hell I didn't even check to see if I had skipped over questions. I take full blame for that. I'm saying the level and depth of the scenario questions were what took me by surprise. And I also admitted that I mainly used my experience of being in the Infosec world, and didn't have but a few scattered questions that you could say somebody could memorize and answer. And heck I might have passed, who knows I hope so. I have to wait just like everybody else. It has genuinely changed, and this is not a rote memorization test anymore. It does stretch the limits of your experience when answering these scenario based questions. So really the harder the better, that will mean fewer CISSP's and more money for anybody who has a CISSP.

brenbrenOK

justjen wrote: »

Agreed. From extensive reading of blogs and posts prior to April 15, there seems to have been at least some variation between a few/some people who "lucked out" and received exams that could be answered based on memorization and a larger number who received many scenario-based questions with ambiguous or incomplete information requiring knowledge AND analysis of 2 or more domains to answer the question.

That later group, which included me on April 14, generally seemed to feel no amount of simple memorization or purely technical approach would prepare you. Frankly, the post-April description does sound essentially the same type of difficulty as test I experienced. Even though I answered all 250 questions in 90 minutes, I was convinced I had failed. But I didn't - I passed.

I agree, I feel the same way, so I will wait and see.

Sheiko37

brenbrenOK wrote: »

this is not a rote memorization test anymore.

I think the point myself and others are making is that it never was a memorization test. The way you're describing your May test experience is much like how people have described the test for years.

Corrant

Long time lurker...
Took the exam April 26th. Bootcamp in Feb, 8+ years in IA/Networking/Info. Sec...originally scheduled to take the test April 13th prior to the exam changing, life caught up to me and I had to reschedule last minute.

I figured the exam was going to be straight forward, I was scoring 80's on cccure, skillport, etc. Had no issue memorizing and understanding the information.
Felt fairly confident. Never took the CISSP before, so wasn't sure what to expect outside of these threads and practices tests. Only reason I didn't wait a little longer was because my company paid for the test and I had to take it within 60 days of the bootcamp. Figured "what could they really add? RMF? Continuous Monitoring?, Pentesting?, I'm familiar with most of that"
...with that said.

brenbrenOK is 100% correct.

The test was vastly different than what I was expecting, much deeper in nature, almost "hypothetical". There were very few "What layer of the OSI model does _____, or Integrity is most important for which security model?" There were no questions regarding keyspace sizes, or crypto differences, not a single port mapping question.
It's really hard to explain, and after taking the exam I thought it was basically what the test consisted of prior to the date. It seems to be totally different now. There's really no amount of memorization or "knowing" that can prepare you for the new test. I flagged about 50 questions that literally could've been answered with 3 out of the 4 of the answers given.

I hope to be one of the ones that gets his results back and learned he passed, but I really have NO IDEA.

brenbrenOK

Corrant wrote: »

Long time lurker...
Took the exam April 26th. Bootcamp in Feb, 8+ years in IA/Networking/Info. Sec...originally scheduled to take the test April 13th prior to the exam changing, life caught up to me and I had to reschedule last minute.

I figured the exam was going to be straight forward, I was scoring 80's on cccure, skillport, etc. Had no issue memorizing and understanding the information.
Felt fairly confident. Never took the CISSP before, so wasn't sure what to expect outside of these threads and practices tests. Only reason I didn't wait a little longer was because my company paid for the test and I had to take it within 60 days of the bootcamp. Figured "what could they really add? RMF? Continuous Monitoring?, Pentesting?, I'm familiar with most of that"
...with that said.

brenbrenOK is 100% correct.

The test was vastly different than what I was expecting, much deeper in nature, almost "hypothetical". There were very few "What layer of the OSI model does _____, or Integrity is most important for which security model?" There were no questions regarding keyspace sizes, or crypto differences, not a single port mapping question.
It's really hard to explain, and after taking the exam I thought it was basically what the test consisted of prior to the date. It seems to be totally different now. There's really no amount of memorization or "knowing" that can prepare you for the new test. I flagged about 50 questions that literally could've been answered with 3 out of the 4 of the answers given.

I hope to be one of the ones that gets his results back and learned he passed, but I really have NO IDEA.

Thanks for explaining in one email what I was trying to get across. Maybe as more people start coming forward they will come to understand how different this test was.

brenbrenOK

Sheiko37 wrote: »

I think the point myself and others are making is that it never was a memorization test. The way you're describing your May test experience is much like how people have described the test for years.

Sheiko37, of course the previous test was memorization. What are the OSI layers, what are the TCP/IP layers, Kerberos is this, Diameter is that, a CA's primary purpose is for this. Yes there were scenario type questions, but like Corrant so eloquently stated, these were scenario based questions that were purely hypothetical. Maybe some of them were the ones that weren't going to count, but I've looked recently at the NEW questions that all these "study" companies are putting out and all they are doing is rehashing old material in a memorization based manner, and that is not going to work for this test. I think ISC is getting away from these type of questions and going to these hypothetical type questions with different scenarios to break the back of these companies who sell "brain ****" questions. All ISC has to do is change the scenario and they hypothetical situation so no "real" questions can get out. I can't even remember what the questions are but let me try to propose a question that was similar like. "A company is going to move to the cloud, they currently have window devices, MACS, and linux/unix servers, they have hired a security professional to come in to help them with the move to the cloud, they are halfway through the risk assessment on the cloud, suddenly they discover a malicious email being forwarded throughout the company, the CEO is on vacation, physical security stopped four unauthorized users at the perimeter and a hurricane has just been named and is in the path of your primary site. The upgraded RAM for the Windows Servers came in after a two week's delay. What's the BEST thing the security professional can do? LOL, of course I went overboard a little bit, but where in the Shon Harris book or the new CBK can you find the answer?

astudent

"I've seen posts in the past from folks who said all they did was memorize the sunflower and passed with no experience."

If you believe what the "folks" said about passing the exam through simply memorizing the sunflower, you are very ....

Sheiko37

brenbrenOK wrote: »

"A company is going to move to the cloud, they currently have window devices, MACS, and linux/unix servers, they have hired a security professional to come in to help them with the move to the cloud, they are halfway through the risk assessment on the cloud, suddenly they discover a malicious email being forwarded throughout the company, the CEO is on vacation, physical security stopped four unauthorized users at the perimeter and a hurricane has just been named and is in the path of your primary site. The upgraded RAM for the Windows Servers came in after a two week's delay. What's the BEST thing the security professional can do?

I know you're purposely exaggerating, and I've only passed the SSCP not CISSP, but this is exactly the type of question I saw through my exam (taken December 2014), it's exactly the kind of question many sources warn you to prepare for in the CISSP.

Corrant wrote: »

I flagged about 50 questions that literally could've been answered with 3 out of the 4 of the answers given.

This is also exactly what people have said for ages about the CISSP, I've read many educational materials telling you to expect those questions and how to deal with them.

Corrant

There were more questions like Bren posted than not. Given what he's stated about taking the test prior to the change and post change. I guess I don't understand the "backlash". He's obviously taken both, and noticed a considerable difference.

Sheiko, maybe you're right and I took the normal CISSP exam, with some added material. I don't know, like I said its the first time I took it. I just didn't feel prepared for this exam via the methods listed here and other sites. That's the main point I believe we're making. The test has changed and the study material previously used isn't sufficient.
I don't have a point of reference obviously, and maybe your test prior to the change and my test post change were nearly identical. I'm just some n3wb that was unprepared and failed. Maybe? I don't know. I just don't think based on my experience and preparation that the test was anywhere close to my expectations.
We'll find out in a couple more weeks.

gespenstern

it seems that we have two armies of people here, one says that exam is a totally unpredictable nightmare that you can't be prepared for, while other says that it has been like that for years and no surprise here.

brenbrenok still has an advantage in judging cause he did two attempts, one before and one after.

but still, all we see here are opinions, and in general, I tend not to buy what most people say about anything. But I do not expect to get any clarification on this from stats. It is expected that many wannabes try to pass it before 15th and it is therefore expected that the overall number of CISSPs in the US won't grow much in this and upcoming month.

It would be nice to have pass rate change, but, I guess, it's nearly impossible to get, at least, as of now.

Therefore, discussing this topic further is probably a waste of time so I'm leaving it, lol

mjsinhsv

brenbrenOK wrote: »

Sheiko37, of course the previous test was memorization. What are the OSI layers, what are the TCP/IP layers, Kerberos is this, Diameter is that, a CA's primary purpose is for this. Yes there were scenario type questions, but like Corrant so eloquently stated, these were scenario based questions that were purely hypothetical. Maybe some of them were the ones that weren't going to count, but I've looked recently at the NEW questions that all these "study" companies are putting out and all they are doing is rehashing old material in a memorization based manner, and that is not going to work for this test. I think ISC is getting away from these type of questions and going to these hypothetical type questions with different scenarios to break the back of these companies who sell "brain ****" questions. All ISC has to do is change the scenario and they hypothetical situation so no "real" questions can get out. I can't even remember what the questions are but let me try to propose a question that was similar like. "A company is going to move to the cloud, they currently have window devices, MACS, and linux/unix servers, they have hired a security professional to come in to help them with the move to the cloud, they are halfway through the risk assessment on the cloud, suddenly they discover a malicious email being forwarded throughout the company, the CEO is on vacation, physical security stopped four unauthorized users at the perimeter and a hurricane has just been named and is in the path of your primary site. The upgraded RAM for the Windows Servers came in after a two week's delay. What's the BEST thing the security professional can do? LOL, of course I went overboard a little bit, but where in the Shon Harris book or the new CBK can you find the answer?

How did you answer this "similar" question?

brenbrenOK

mjsinhsv wrote: »

How did you answer this "similar" question?

I don't even remember what the answers were, and since this was not a real question, let me try to make some up some answers:

A. Call your old boss and ask for your job back
B. Patch the windows devices first since they are the most vulnerable
C. Check the biometric device to make sure the four unauthorized users weren't falsely rejected
D. Make a personal call to the weather man so that he can guarantee you that the hurricane is really going where it's headed, since the hurricane is still 500 miles out

mjsinhsv

brenbrenOK wrote: »

I don't even remember what the answers were, and since this was not a real question, let me try to make some up some answers:

A. Call your old boss and ask for your job back
B. Patch the windows devices first since they are the most vulnerable
C. Check the biometric device to make sure the four unauthorized users weren't falsely rejected
D. Make a personal call to the weather man so that he can guarantee you that the hurricane is really going where it's headed, since the hurricane is still 500 miles out

How would you answer hypothetical answers and why?

Sheiko37

everyone shh, let him answer

brenbrenOK

Sheiko37 wrote: »

everyone shh, let him answer

Because you have to pick an answer that's why. Isn't a hypothetical question just a scenario based question? And isn't a hypothetical answer the same thing as a scenario based answer. I don't have to answer Sheiko37, why don't you. I was just trying to show an example of how the questions were structured. Don't believe me, I don't care, study like you think you should, everybody should do that. I'm waiting for my results, not trying to convince anybody into studying any differently. Was just tying to give a little insight. I'm not forcing anybody to comment or even read my posts. Good Luck.

Sheiko37

brenbrenOK wrote: »

I don't have to answer Sheiko37, why don't you.

I know we're having fun and that's not meant to be a real question, but the answer would be clearly D imo, the reason is potential loss of life.

brenbrenOK wrote: »

I was just trying to show an example of how the questions were structured. Don't believe me, I don't care

I believe you because (I'm repeating myself) it's exactly like what I've experienced and what we've been told to expect for a long time with the CISSP.

rajeshkalluri

A Big Thanks to brenbrenOK ... for your patient typing and spending so much time to help others to give a glimpse about the current exam pattern ... I am preparing for the exam, but after seeing so many posts i am scared and confused how to prepare for the exam with limited available material for the new syllabus ... I got CBK 4, after reading domain 4 i am not happy with the way of explanation and i observed that so much material is taken from white papers available in internet (Sorry, if i am wrong) ... With so many years of experience currently you have and you know the both exam patterns can you please suggest how should we prepare ... Again thanks a lot for your time ...

mjsinhsv

Sheiko37 wrote: »

I know we're having fun and that's not meant to be a real question, but the answer would be clearly D imo, the reason is potential loss of life.


I believe you because (I'm repeating myself) it's exactly like what I've experienced and what we've been told to expect for a long time with the CISSP.

Sheiko, You gave it away. LOL.

Sheiko37

I'm currently studying, couldn't help it, didn't look like he was going to answer anyway.

jumezurike

I am going to be taking CISSP come June. Do you know how I can prepare myslef. I have finish Shon Harris book. What is next?
I need some guidance.

maxer

I think that ISC2 with the new organization is bringing the certification toward a business managerial security perspective different from the more technical one that was before. There are other ISC2 certifications which concern more on the technical point of view than the managerial one, that's why the CISSP is a more managerial one now. Finding the right balance between both these concepts is on the process i believe.
Also i don't think that you will be able to pass anymore the exam just because you learn this or that book or read some fast notes, this is possible with technicalities, instead managerial concepts depend on experience (the 5 years required are not just there as a number).
ISC2 and the value of this certification can't depend on shared notes or exam experiences but should rather certify that who passes this exam is a well experienced, security managerial problem solver. These concepts can not be learned on this or that book.

Don't take my words for granted but think about them.
As an example i would bring the ISACA CISM certification, what you are complaining about in all these posts i read are nothing more than the same difficulties encountered in the CISM exam. It has four domains but in those it covers quite a majority of CISSP (with exceptions though), the typology of questions are very similar with what i percept from your posts. CISM is a managerial exam, and in each question you are pushed to think in the fastest, optimal and efficient way as a security manager, giving all possible distractions (stress included as well).
Also there is no such book monsters in CISM, just the Review Manual but indeed is a review manual not a learning guide which is to be covered by your real experience.

Just another point of view.

Maxer