
My experience with the CISSP exam (detailed post - long)

Cora_Pan Member Posts: 26
I had my CISSP exam on 1st June and did not pass. It is a very big disappointment - I really cannot stop my tears every day.

My Study - My preparation for this exam was as follows:
1) At the end of November 2015 I attended a 5-day intensive CISSP training. The trainer provided good training slides, which were based on the Official (ISC)2 Guide to the CISSP CBK, Fourth Edition. He mentioned that you can pass the exam with only 2 weeks of learning. I did not share that opinion - it is unrealistic to think something like this.

2) I started to study seriously for the CISSP exam at the beginning of January 2016:
a) For each CISSP domain I read the slides from the training and also the corresponding chapters from the AIO by Shon Harris (6th edition), which I read cover to cover.
b) For each domain I did the questions from the AIO book (altogether 326 questions), the questions from the Official (ISC)2 Guide to the CISSP CBK (altogether 200 questions) + another 1275 supplementary questions from our trainer (with detailed explanations for each answer).

I found the Official (ISC)2 Guide to the CISSP CBK uncomfortable for learning because it jumps from one idea to another, and I only looked at certain topics and did the questions at the end of each domain.
I know that the AIO book was not very up to date, but the topics were explained very clearly. I admit that this book is too detailed, but it helped me to understand a lot of topics much better than the Official (ISC)2 Guide to the CISSP CBK. I have also made my own notes on certain topics.

In February I scheduled my CISSP exam for 2nd May 2016. Fortunately, I discovered this forum in March and was glad to get the best information about the experience of other people with the CISSP exam. I quickly bought the Sybex Official Study Guide 7th edition and also the 11th Hour CISSP from Eric Conrad. At the beginning of April, I realized that I would not manage to be well prepared for the exam on 2nd May and rescheduled the exam for 1st June. I have also subscribed to CCCure.

3) I started to learn from the Sybex Official Study Guide 7th edition at the beginning of April. I got 80% on the assessment test at the beginning of the book. This showed me that my previous study was not in vain.
I paid my very best attention to this book when I learned from it. I made my own notes from each chapter and tried to understand all concepts very well - based on all that was said here in the forum. I did all the questions at the end of each chapter and have done the written labs.
When I finished a domain, I recapped all the material and did other questions from the Total Tester tests (which came with the AIO book). I have also done some CCCure tests, where I scored between 74% and 90%. I have done once again, for each domain, the test questions from my trainer. This helped me to see if the material was still fresh in my mind.
At the end of the day I have also reviewed the Sunflower slides and the CISSP Combined Notes.

4) When I finished reading the Sybex Official Study Guide 7th edition (cover to cover) I started with the Cybrary videos. I found Kelly great - she explained everything very well and gave a lot of tips on what to be aware of when you take the exam.
Then for each domain I took up to 250 questions from CCCure and scored between 89% and 93%.
I have also looked at the Sybex flashcards and glossary.

April and May 2016 were a very intensive learning time. I learned every day for an average of 11 hours, and on weekends 12-14 hours. I went twice a week to the gym (only 2 hours in the evening) and sometimes I did yoga myself at the end of the day. This helped me to get new energy.

5) One week before the exam I posted here my first posting, asking what I should still do before the exam. I had always been only a silent reader and was aware that ZzBloopzZ and Seab would have their exam in almost the same period (+/- a few days).
So I started with the 4 Sybex Bonus Exams and my scores were 83.60%, 80%, 83.27% and 83.20%. I could see what it means to have a test with 250 questions at once, and almost in the way the questions will be on the real exam (based on what other people told here in the forum).
I started to read the 11th Hour CISSP from Eric Conrad but read only 50% of it, as I realized that it was better to use the time reading my own notes, which I made from the Sybex Official Study Guide 7th edition. I have also made a lot of other notes of my own, based on the questions I answered wrong on CCCure or on things that were only mentioned in the Sybex Official Study Guide but not in much detail (e.g. SAML, SPML, XACML, OAuth, etc.).
I didn't want to read the CISSP Study Guide, Third Edition from Eric Conrad because I really wouldn't have had the time to read it, and I considered that 2 books read cover to cover (AIO & Sybex) are enough to understand the concepts.
I have also looked once again at the Cybrary videos. I tried not to lose focus before the end, even if it is not easy to keep going for that long.

As I saw that no posting came from ZzBloopzZ I was really sad, and I did not want to think about something unpleasant. But on 31st May he posted his feedback from the exam, and it helped a lot to hear that confidence is the key for the exam. Thanks ZzBloopzZ! :)

So when I went to the exam I had the feeling that I knew the material very well. I kept in mind what Kelly said in her video about the exam: consider everything from a managerial point of view, your role is a risk advisor, don't try to fix problems, etc.
This was also repeatedly told here in the forum: YOU HAVE TO HAVE A MANAGEMENT MINDSET WHEN YOU TAKE THE TEST.
I was also aware that the questions in the exam would be much more difficult and also that they would be tricky. And also that there is enough time to answer the questions, but even so you should plan for 50 questions per hour.

The Exam
As ZzBloopzZ said, the exam itself was brutal. I was a little bit nervous; this was normal at the beginning, but I told myself I had to be calm. The hard part was trying to understand the English wording itself and trying to figure out what exactly was being asked. Unfortunately, I am not a native English speaker, and so I had difficulties with some of the wording, which in some cases was really poorly written.
I have been working in IT for 16 years and I do my daily work in English, but the official language in the country where I live is not English. I have never had problems with any colleagues, people or customers all around the world when I communicated with them in English.
As a lot of people said here in the forum, I had to re-read some questions 4-5 times. My first impression was: is this English or another language? I felt that the wording was purposely trying to trick you instead of just testing your knowledge or experience.
In the end I could understand every one of those 250 questions, but this cost me very precious time. I was focused the whole time on the time available for the exam, as I did not want to run out of time.

In the first hour I managed only 40 questions and not 50 as Kelly and the Sybex book suggested. I was not desperate; I told myself I would catch up in the next hours. At question 85 I took a little break because I had to go to the bathroom. It was a very short break (4-5 minutes), and when I came back I realized that I had to go faster through the questions. But this was not possible because I got more tricky questions, which again required more time. I decided not to take any more breaks.
For the last 10-15 questions I had perhaps less than 1 minute per question available. My idea was to try to answer each question as Kelly suggested. I managed to answer each question, but for the last 10-15 questions this was done under very big time pressure, and of course I made mistakes. I think I finished answering my questions 5 seconds before the time was up. And at the end I knew that I had lost the battle (got only 647 points). There was no time available to review any question.

From this point of view and from the experience with my CISSP exam, I consider that it was not a fair examination because of how the tricky questions were formulated and the time you had available. As a non-native English speaker you are at a disadvantage from the beginning.
For example, I recently had an exam with ISACA and the questions were also very tricky, but the non-native English speaker candidates got a supplementary 20 minutes, and these 20 minutes were my salvation.

So I am not angry that ISC2 is testing our reasoning/logic/deduction skills with tricky questions. What I found not honest is to lump together the native English speakers with the non-native English speakers. I would expect that the non-native English speakers get a little more time for the questions, or that they stop using "bad English" in the exam questions.
I will never be able to understand a poorly written statement/idea at exactly the same speed as a native English speaker.
If English is not your primary language, ISC2 recommends (but does not require) that candidates sit for the TOEFL (Test of English as a Foreign Language) examination prior to sitting for an ISC2 examination. I find this an unreasonable recommendation. A couple of years ago I sat myself in a training course for TOEFL, and there was nothing there like the tricky, poorly written statements/ideas in the CISSP exam. I am very sure that TOEFL would not help.

My background - I think that my background is enough for the exam: 16 years in IT (consulting, sys admin, web security including authentication (LDAP), encryption (SSL) protocols and standards, as well as SSO technologies). Before working in IT I worked in electrical engineering (including also security technology and safety engineering), so I could enjoy recalling my knowledge from the past as I went through the chapter on physical security for the CISSP exam.

I have learned so much for this exam, to get what in the end????? Only frustration and the feeling that it is not a fair examination. I don't think that if I sat and took the CISSP exam again, I would have better chances. I know that each candidate gets different questions. Perhaps some people had luck and did not have to struggle with "bad English". For example oooorp, who is also a non-native English speaker (see the posting Passed 30.04 Moscow, Russia), said that he did not have a bad experience with "tricky questions with nonlinear wordings and 4 right answers to choose the best".

I asked myself what I had done wrong. Were all the books I used and the tests I did (more than 5000) not relevant enough for the exam? Were the scores I got in the preparation tests not a good sign that I was ready for the exam?
I think that I have done all that I could, and for most questions I know that I chose the managerial and not the technical answer. I could do the Sybex Bonus Exams in a maximum of 4.5 hours. I never thought that I would really run out of time in the real exam.

I had big confidence, but now my whole motivation is equal to zero.

Sorry for the long ego posting, but everything I have told here helped me to feel a little bit better. Thanks all of you for your inputs and suggestions.

Comments

  • aftereffector Member Posts: 525
    CISSP is a tough test, and I can't even imagine how much more difficult it would be for a non-native speaker. Actually, I sort of can - if I had to take the CISSP in Korean, I'd never even attempt it. So kudos to you for giving it a hell of a lot of effort and getting pretty darn close for your first attempt. I know several people who didn't even make it into the 600s on their first go-around and not one of them had to deal with a language barrier, either. Don't give up! Take some time off, don't even think about the CISSP for a few more days or more, spend time with your family - and when you are ready, I know you will conquer it.

    Out of curiosity, what is your native language?
    CCIE Security - this one might take a while...
  • TechGuru80 Member Posts: 1,539
    Personally I didn't see any questions that had poor English. The questions are made to be tricky because you have to see exactly what they are asking...specific words or wording will make one answer correct over another. Your pace definitely was not fast enough...realistically you should aim for at least 30 minutes or so to review answers.
  • beads Member Posts: 1,531
    This probably deserves its own sticky thread but later, not today.

    The CISSP is a "psychometric experience exam" hence why some of the language appears to be a bit obtuse at first glance. The questions on the real exam have little comparison to the more amateur questions the non-professional exam question writers (like myself) have written for CCCure, etc.

    This may be slightly outdated but this book or another like it would likely help you master the final leg of this journey.
    http://www.amazon.com/CISSP-Practice-Questions-Explanations-Vallabhaneni/dp/B00EKYQOCU/ref=sr_1_3?ie=UTF8&qid=1465238083&sr=8-3&keywords=cissp+rao

    Basically the author knows how to write mind bending questions in much the same format as the real test.

    Next do a Google search on Exam questions, e.g.: exam question types
    https://www.google.com/search?q=exam+question+types&ie=utf-8&oe=utf-8

    Sample from search query
    http://www.proliteracyednet.org/downloads/242test_qts.pdf

    There are some well understood tips. You've taken many tests in your life but certifications don't have the same look or feel as an academic exam. So don't treat them the same. The other point being with commercial exams is that the more you take the easier they become.

    You might want to take Security+ as an intermediate first, gaining some much needed confidence and overall practice with commercial examinations.

    Hopefully, that will help! If not please ask more questions.

    Good luck!

    - b/eads
  • gespenstern Member Posts: 1,243
    Don't get frustrated, there's no point. You failed -- it's normal, many people do fail the first time.

    In addition to a broad base of knowledge the exam tests your logic as well; you have to be proficient enough in negating double "nots" and navigating well around various words such as "despite", "in spite of", etc. Overall, logic is a very important skill, especially while correlating events and trying to rebuild the picture of what actually happened in incident response, forensics and investigations.

    It also tests how you can do in stressful conditions; that's why it is 250 in 6 hours instead of 125 in 3 hours. Again, this is something that happens in real-world scenarios, again, in incident response. I remember myself working for 30 hours in a row during a critical event.

    Get back to studies, get back to cccure.org, do practice questions in Pro mode (you didn't do them in Pro, right?) to get 75% and higher. Learn how to deal with different English logic-related words.

    Also, as b/eads said, start with the basics, do either SSCP or Security+ first; they will prepare you for the CISSP so your next experience won't be anything like "brutal". This exam is not as hard as you describe it. And I'm not a native English speaker.

    And just another point on tricky questions. The CISSP exam questions are of very high quality compared to pretty much any other multiple-choice style exam out there. They are logical. The correct answer is correct not because someone decided that, but because it is based on facts, proven concepts and logic, or at least on how (ISC)2 sees things, which is documented in the preparation materials.

    They have to be tricky. Psychology of deception is a very important field for any security professional, because ultimately, security involves dealing with adversaries who always want to deceive you and trick you. Computers and software are made by humans, who are often deceiving beings; they are error-prone and not reliable. On top of that, these days ~90% of successful intrusions are done via social engineering of some sort. How do you expect yourself to be a security professional if you can't deal with deception? Do you expect Russian cybercriminals not to hack the assets you are paid to protect because you have two toddlers and therefore don't have time and resources to protect the assets?

    Deal with it, you weren't properly prepared. Accept it and get back to studies, work on your weak areas, accept the advice given to you in this thread, start small (SSCP and Security+) and if you don't give up -- eventually you'll be there.
  • Cora_Pan Member Posts: 26
    First of all, thank you all for your encouraging answers. After a while I felt not so disappointed any more - every defeat needs time to be dealt with. I think I now know better why I did not pass (after performing the "root cause analysis"); time helps us to better understand things that happened.

    @ aftereffector: Thank you for your kind words. I took my time and tried not to think about the CISSP; I spent more time with my family and tried to resolve other things that I had to postpone because of learning for the exam. After a while I saw that I can't give up - so I will try it again. Many thanks for bolstering me up! :)

    @ TechGuru80: I was not the only one who complained about questions that had poor English.
    Example: "English itself was too confusing for people like us who are not native English speakers." (ghdineshs)
    or
    "be careful with some of the wording which in some cases is really poorly written. If you're not a native English speaker or extremely comfortable with the language you may run into some issues because sometimes its the context of the question that makes it difficult." (Roj4ck).

    You are right, my pace definitely was not fast enough. Next time I will try my best to get the appropriate pace to pass the exam.

    @ gespenstern: There are other forum members who said that the CISSP exam was "brutal".
    Example: "Two words - Freaking and Brutal" (EZstreet) or "The exam was a beast." (tuanp703) or "Sat through the full 6 hours in the exam and was gruelling." (ITWorker) or "the test was gruelling" (CLICK) or "The test was a beast" (IaHawk).

    You mention that you are not a native English speaker. But you are living in Chicago (as per your profile here in the forum). I think this is not the same situation as a non-native English speaker who lives in a country with an official language different from English. The official language where you live and work is English: administration and public authorities use English, homework is done in English, television and newspapers are all in English, etc. Even if you speak your native language at home with your family, the most used language is English, and this is a big advantage compared with people from another country with an official language different from English.
    And in such countries, the social engineering attacks are done in the official language and not in English.
    I participated recently in a security summit in Europe, and as we discussed social engineering, a lot of participants confirmed that this is happening in the official language of the country (French, Dutch, German, Spanish, etc.) and not in English. People here speak the official language among themselves because it is much easier to communicate - mostly in critical situations.

    Anyway, even so, I think that I need to adopt another strategy when preparing for the exam. I have done almost all of the CCCure tests in Pro mode (only 1 test was on Hard). One day before my CISSP exam I did a CCCure test in Pro mode and got a score of 96% on the 100 questions.
    In the last 2 weeks before the exam I took several CCCure tests with 250 questions (ca. 6 or 7 tests) in Pro mode and got scores between 89% and 93%. But Kelly from Cybrary mentioned not to use Pro mode for CCCure since it is too technical compared to the real exam. She suggests using one level below, which is "Hard" mode. So, which is better?

    I agree with you that it is very important to know how to deal with deception - not only as a security professional but also in real life. If you are a security professional and have two toddlers at home, you must have your HLCP (Home Life Continuation Plan). That means, if you have a critical event at work, you need to have your "emergency plan" for home life during the time you deal with the critical event.

    As an IT professional, and not only when working in security, you need to be able to work under pressure. This was an important requirement when I got my job here. If you are not able to work in stressful situations (which are very different in the real world), you would not even pass your probationary period.
    If you take a test with only 125 questions in 3 hours you have the same 1.5 minutes available for each question (as for 250 questions in 6 hours). If the questions are tricky and you need more time for them, it is possible that the same situation will happen as in my case (running out of time). I agree with you that the questions need to be tricky. But even tricky questions should be clearly formulated and not confusing.

    I am sure that there should be a solution for this case in order to get the appropriate pace when taking the exam.
    My question is: how much would it help to do another certification exam (SSCP or Security+) first? From other postings here in the forum I understood that SSCP and Security+ are more technical and CISSP is more managerial. As I understood, for these exams there are only 125 questions to be answered in 3 hours. Are the questions exactly as tricky as in the CISSP exam? Is the material for these exams almost the same as for the CISSP exam?
    Because if the questions are easier or the material is different, I don't see what the benefit would be. That's why I am asking this here.

    To your suggestion not to give up, I will respond with a Bertolt Brecht quote: "People who fight may lose. People who do not fight have already lost."
    Thanks!

    @ beads: Many thanks for your detailed suggestions! A few days after you posted your answer I ordered the mentioned book:
    https://www.amazon.com/CISSP-Practice-Questions-Explanations-Vallabhaneni/dp/B00EKYQOCU?ie=UTF8&keywords=cissp%20rao&qid=1465238083&ref_=sr_1_3&sr=8-3&tag=viglink20307-20

    I will also use the other information from the mentioned links.

    I know that in July the "CISSP Official (ISC)2 Practice Tests" will appear
    https://www.amazon.com/CISSP-Official-ISC-Practice-Tests/dp/1119252288?ie=UTF8&tag=viglink20307-20

    Would this be good for study in addition to the other sources for CISSP exam preparation (Sybex Official Study Guide 7th edition, CCCure tests, Sybex online tests, McGraw-Hill online tests, Cybrary videos and MP3s, etc.)?
    The first time I used the AIO from Shon Harris (6th edition) and the Sybex Official Study Guide 7th edition. Do I really need to read the CISSP Study Guide, Third Edition from Eric Conrad? I think that I have understood the concepts from the first 2 mentioned books well. I found the Eleventh Hour CISSP from Eric Conrad not so great, as I realized that it is better to use the time reading my own notes that I made from the Sybex Official Study Guide 7th edition.
    What I need is to get more experience with mind-bending questions in much the same format as the real test.

    And for you the same question as above for gespenstern: how much would it help to do another certification exam (SSCP or Security+) first? Mostly because SSCP and Security+ are more technical and CISSP is more managerial.

    Thanks once again all for your inputs and help!
  • alfred06 Member Posts: 96
    Doing Sec+/SSCP is basically to see if you encounter the same wording problem as with the CISSP. I think your mind was exhausted. You probably did a couple of 250-question tests before doing the exam.

    The practice tests on Sybex and CCCure: are the scores that you gave (80-90%) a one-time shot, or was that your best after doing them repeatedly? Just curious.