CISSP 2nd Attempt - 664

simondeys Member Posts: 13 ■□□□□□□□□□
Hi Guys

My first attempt was somewhere in 2011 and scored 575; the second attempt, recently this month, scored 664.

I read Sybex 7th Edition cover to cover at least 7 to 8 times,
CCURE - All questions
Eric Conrad - 2 times
Shon Harris - 3 to 4 times cover to cover.
Practiced almost all questions available on the internet.

My views about the exams:

First attempt
I focused only and only on Shon Harris.
It was a written exam, where I had to put a dot on a cardboard.
I found the exam very difficult. For example, in cryptography I knew what the types of attacks are, such as plaintext and ciphertext only, but the question was drafted in such a way that I was clueless.
I can say 10% was objective, the rest all scenario based.

Second Attempt
A couple of days before the exam I was confident enough that I would nail it, as per my hard work and studies.

On the day of the exam, the very first question: why are embedded systems hard to hack into? I cannot explain what options they had given; all sounded irrelevant.

Does anyone know what the total evacuation time in BCP is? Is it the time when people leave the building and reach the safe area, is it the time when people start leaving the building, etc.?

I saw 50% on application security, 40% on cloud computing, 5% polyinstantiation, and 5% objectives.

It is very unfair that the questions are not divided equally domain-wise.

How am I supposed to know which document is signed, and for what, between the customer and cloud security provider?

I must say, no matter how much you study from books or practice questions, the exam mostly relies on your extra knowledge, experience, common sense and above all "luck".

I will probably schedule this exam ASAP, but I don't understand what to study now and from where, as I left no stone unturned during the last preparation.

Appreciate expert advice.



  • gespenstern Member Posts: 1,243 ■■■■■■■■□□
    Not to be unexpected. What's your experience in the field? Do you have at least 5 yrs?

    I passed it after I've spent 13 years in the industry.
  • dhay13 Member Posts: 580 ■■■■□□□□□□
    That was going to be my question, how much experience do you have in this field. A few of the questions you asked seem to be real world related.

    I have about 10 years of experience, 6 full-time, and recently passed on my first attempt. I focused on Sybex 7th and But I have to say, if I didn't have the experience I don't think it would have mattered how long I studied or what materials I used.

    For example, the embedded systems question would depend on the answers given. Sometimes embedded systems are not on the network, making them very difficult to hack. If they are on the network they often lack the security systems of other devices, so in that sense may be easier to hack. You have to see what answers are available before you can figure out the correct one. One of the nuances of this test is that it is heavily dependent on reading comprehension.
  • simondeys Member Posts: 13 ■□□□□□□□□□
    Thanks for your replies.

    I have more than 5 years of experience in information security and infrastructure.

    If we talk about experience, can a guy even with 16 to 20 years of experience answer questions like the ones below?

    - How is total evacuation time calculated in BCP? (I didn't find any material which has an answer.)
    Maybe someone with only BCP experience can answer this.

    - What document, and why, is signed between the customer and security cloud provider?
    I asked my service provider, and his answer was not even close to the options given in the exam.

    - 3% questions on ATM (ATM cash machine, not Asynchronous Transfer Mode); yes, it was mentioned with the full name.
    Which infosec-experienced guys can answer on ATM cash machine internal security?

    These are only a couple of examples; I saw tons of queries which were far beyond the scope and difficult even for an experienced guy.

    My question here is: what should be the next step, what else should I cover, as I am very well versed with Sybex 7th edition cover to cover?

    I have no worries about giving it another try anytime; I am more afraid if the same questions get repeated.
  • jazz_01 Member Posts: 65 ■■■□□□□□□□
    The Sybex book is a good course for the preparation, but I think you should keep working on labs and simulators more. I was also facing the same problem and failed my exam once, but one of the experts suggested I try out uCertify labs and simulators, which I got free access to for 15 days and then bought for $90. It has helped me to pass my exam, thank you #uCertify.

    You can check out the CISSP labs at www (dot) ucertify (dot) com.
  • dhay13 Member Posts: 580 ■■■■□□□□□□
    Hard to say about your answers above without seeing the entire question, available answers, and context of the question, but think of it this way...
    If management was conducting a fire drill, when do you think they would likely start the timer? Likely as soon as a fire is alerted. So my answer would be from the time the fire is alerted until the last person reaches the rendezvous point. I think I remember seeing this question somewhere too but can't recall where.

    The other question about a cloud partner? I would say most likely the answer would be SLA (Service Level Agreement). That is usually the most important document when it comes to service type arrangements.

    As far as ATM? Not sure what the question asked.

    But again, it depends on the context of the question.
  • anthonx Member Posts: 109 ■■■□□□□□□□
    The term commonly used by our service provider is SLA, but in the contract the cloud provider also calls it master service agreement or MSA. I don't know the difference. Maybe someone else can provide the explanation. Just sharing...
  • dony2015 Member Posts: 27 ■■■□□□□□□□
    I failed a second time on December 19. I had the same problems as this poster. So many Cloud questions I did not see anywhere in the books I used. First it was polyinstantiation, then the cloud questions. I don't know what other material to use to support the ones I already have. Failing this again is not an option. I went over the Cybrary videos over and over, bought another video from Udemy for the 10 domains. Used all the books available. I was still hammed on Domain 8, i.e. Software development security, with polyinstantiation questions and Cloud questions which have nothing to do with PaaS, IaaS, etc. Just have to think about my next line of action before taking CISSP head on again.
  • lucky0977 Member Posts: 218 ■■■■□□□□□□
    What are you not getting about polyinstantiation? You should only need the high level concept, such as it being used in a database scenario. Two users with completely different security clearances will physically be able to see the same instance in a database but logically, they are different as there is information for one classification level and information for another classification level. I don't remember what kind of questions I had on cloud so I couldn't help you there.
    Bachelor of Science: Computer Science | Hawaii Pacific University
    CISSP | CISM | CISA | CASP | SSCP | Sec+ | Net+ | A+
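
The database scenario described in the post above, worked through as an added example that is not part of the original thread. The `shipments` table, the three levels and the sample rows are constructed for illustration; it compares a single-column key with a key that includes the classification label.

```python
import sqlite3

# Constructed sample data: three clearance levels and a hypothetical table.
LEVELS = {"UNCLASSIFIED": 0, "SECRET": 1, "TOP SECRET": 2}

def make_db(polyinstantiated):
    db = sqlite3.connect(":memory:")
    # With polyinstantiation the label is part of the primary key, so the
    # same ship_id can exist once per classification level.
    key = "ship_id, level" if polyinstantiated else "ship_id"
    db.execute(f"""CREATE TABLE shipments (
        ship_id TEXT NOT NULL, level INTEGER NOT NULL, cargo TEXT NOT NULL,
        PRIMARY KEY ({key}))""")
    return db

def write(db, clearance, ship_id, cargo):
    """Insert at the writer's own level; report whether the key collided."""
    try:
        db.execute("INSERT INTO shipments VALUES (?, ?, ?)",
                   (ship_id, LEVELS[clearance], cargo))
        return "ok"
    except sqlite3.IntegrityError:
        # A rejected insert tells a low-cleared writer that a row they
        # cannot read already uses this key (an inference channel).
        return "rejected"

def read(db, clearance, ship_id):
    """Return the highest-classified instance at or below the clearance."""
    row = db.execute(
        "SELECT cargo FROM shipments WHERE ship_id = ? AND level <= ? "
        "ORDER BY level DESC LIMIT 1",
        (ship_id, LEVELS[clearance])).fetchone()
    return row[0] if row else None

def demo(polyinstantiated):
    db = make_db(polyinstantiated)
    write(db, "TOP SECRET", "SS-101", "missile components")
    low_write = write(db, "UNCLASSIFIED", "SS-101", "food supplies")
    views = {c: read(db, c, "SS-101") for c in LEVELS}
    return low_write, views

if __name__ == "__main__":
    print("single key:      ", demo(False))
    print("polyinstantiated:", demo(True))
```
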
  • kabooter Member Posts: 115
    Hang on Guys
    I think I know what is going on. I think.
    A lot of new stuff was added to the exam in 2015. A lot of it is covered in the CBK Green book. Not in others.
    A lot of it is NOT covered anywhere. We need to find the resources. So I am adding some resources here from Clement's site AND requesting all of you to please list more such resources here in this thread. W/o these resources there is hardly any chance of cracking the exam.
    · Read about the newly added content
    [FONT=&quot]o [/FONT]
    Below you have the list of new domains on the left and the new topics that were introduced within each of the domains on the left. I welcome your help to complete it with even more details. If you know of topics and links that could be added, please send an email to and let me know.



    Security & Risk Management

    Threat Modeling
    More details were added about threat modeling

    Asset Security

    Integrate security risk consideration into acquisition and practice
    Hardware, Software, and services
    Third Party assessment and monitoring
    (on site assessment, document exchange and review, process/policy review)
    Minimum security requirements
    Service-level requirements

    Security Engineering

    Mobile Systems
    This is NOT referring to phones and other tools. It is referring to laptops as mobile devices and the risk associated with those mobile devices.

    Internet of things (IoT)
    Welcome to the Internet of Things. Please check your privacy at the door. | ITworld



    How to Build a Safer Internet of Things - IEEE Spectrum


    The Cyber Defense Magazine also has some interesting articles on the challenge of IOT at:
    Embedded Systems
    Smart Appliance, devices with a computer.

    Communications & Network Security

    Converged protocols (e.g., FCoE, MPLS, VoIP, iSCSI)
    Software Defined Networks
    Video to watch:

    If you wish to learn more:
    Storage and Network Convergence
    iSCSI and FCoE
    Read chapter one of the document above for a quick overview.
    Content Distribution Networks
    Amazon CloudFront
    and Others

    Identity and Access Management

    Session Management
    Desktop Sessions
    Desktop sessions can be controlled and protected through several means including but not limited to the following:
    Screensavers
    Automatic Logouts
    Session/ Login limitation
    Schedule Limitations
    Registration and Proofing of Identity
    Cloud Identity Services

    Security Assessment and Testing

    This is mostly a new domain that goes into a lot more depth about Security Assessment and Penetration Testing. The two documents below will give you most of what you need to know.
    See: Penetration Testing Guidelines from the PCI DSS Council

    NIST SP 800-115 Technical Guide to Information Security Testing and Assessment

    Security Operations

    Asset Management and asset inventory
    Configuration Management
    Whitelisting and Blacklisting
    Understand advantages and disadvantages

    Coverage of Sandboxing
    A bit more detail on Patch Management
    Read chapter 3 of the document above about the challenge of Patch Management

    Software Development Security

    Integrated Product Team (IPT)
    DevOps and its principles
    The Three Ways: The Principles Underpinning DevOps - IT Revolution
    Software Assurance

    Clement and Nathalie
    Source :
    PS: If moderators think it is not proper to copy and paste links from Clement's site, please remove it.
  • dhay13 Member Posts: 580 ■■■■□□□□□□
    I remember reading quite a bit on polyinstantiation but not quite sure where, so I will list my sources:

    Sybex 7th
    skillsoft (free through my employer) - mainly just used the practice tests
    FedVTE (free for military (or ex-military), and anyone with a .gov email address) - started with this so it has been a long time since I have looked at it

    and that pretty much covers it there. I would THINK it would have come from Sybex as that was the only thing I looked at for the last 4 weeks and I remember reading quite a bit about polyinstantiation shortly before my test.
  • jcundiff Member Posts: 486 ■■■■□□□□□□
    anthonx wrote:
    The term commonly used by our service provider is SLA, but in the contract the cloud provider also calls it master service agreement or MSA. I don't know the difference. Maybe someone else can provide the explanation. Just sharing...

    An MSA is the main 'contract' between a vendor and client... an MSA may contain multiple SOWs/SLAs... SLA is typically a metric within the SOW/SLA

    SLA example: "A 2-4 hour resolution time to a sev1 incident" is an SLA that may be defined in an MSA

    hope this helps
    "Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke
  • Mike-Mike Member Posts: 1,860
    As someone with their test scheduled in less than 2 weeks.... this motivates me to quit wasting time online and start studying
    Currently Working On

    CWTS, then WireShark
  • jt2929 Member Posts: 244 ■■■□□□□□□□
    I can tell you from experience that "luck" had no part in me passing the exam. Quit thinking like that, study the material required, and pass the exam.
  • simondeys Member Posts: 13 ■□□□□□□□□□
    Dear jt2929

    When I say the "luck" factor in passing, it means the question set might have been much easier. As you know, ISC2 says "they change the exam content to maintain the integrity".

    I see guys with 10 years of experience and years of hard work fail to clear the exam; on the other hand you can see posts with half of the experience and 3 months of preparation that pass on the first attempt. The funny part is I read one Einstein post where he had experience of 6 months, he studied for 3 weeks, and he actually passed.
    How do you explain this?
  • lucky0977 Member Posts: 218 ■■■■□□□□□□
    simondeys wrote:
    Dear jt2929
    When I say the "luck" factor in passing, it means the question set might have been much easier. As you know, ISC2 says "they change the exam content to maintain the integrity".

    Experience plays a major factor. As far as luck in this exam, all questions are equally difficult and you pretty much have a 50/50 shot at answering the questions correctly as two answers are obviously wrong and the other two answers seem to be the correct answer to the question.
    It's pretty much 50% reading comprehension/50% infosec related. The key is reading the entire question more than once, maybe 3 or 4 more times before answering the question.
    Bachelor of Science: Computer Science | Hawaii Pacific University
    CISSP | CISM | CISA | CASP | SSCP | Sec+ | Net+ | A+