CISSP no score when you pass?

62Vette

I understand you wont get a score when/if you pass the exam. Just wondering why that is?

Find more posts tagged with

Comments

sojourn

I don't know either. It would be nice to know whether I scraped through barely, or passed well.

jvrlopez

Maybe to keep the credential even across the board? Wouldn't want some people boasting that they scored higher than other CISSPs.

62Vette

true, but what good will I do the profession if I just scraped by and don't know what domains I need to work on?

cyberguypr

Dominic Toretto's line applies here:

“It don’t matter if you win by an inch or a mile… winning is winning!”

What do you call someone who barely passed med school? “Doctor” is what you call them.

dustervoice

If you are good enough to pass i guess it shouldn't matter as they know most of the questions are purposely crafted to trick you.

62Vette

I gotta say that if it wasn't a work requirement, I could not see myself sitting for this. I attended a boot camp and when the exam questions are described as purposely trying to mislead you... well that bout sums it up. 600 bones and oh please make sure you pick the "most" correct answer. Sure sure that other one is also correct...but this ones more correct. Nope cant say I'm a fan.

sny

I read about this somewhere but basically ISC2 does not want score to be used for differentiating between CISSP holders.
From Fast and the Furious "It doesn't matter if you win by an inch or a mile Winning is Winning"

cyberguypr

Isn't that how real life is? There's usually are a myriad of options to complete any given task. You need to choose the best/most efficient way to do it given budget, time, and other constraints. A carefully orchestrated balancing act.

LionelTeo

ISC2 exaplained this is because CISSP exams have a different marking scheme. Not all questions give you a full mark, some questions will give more marks than others while some will give less. Because this, it would be unfair to give a score, only to result that a company select a candidate because his score is higher, but this could be due to the fact that the candidate had easier questions.

dustervoice

To be honest i'm never a big advocate of tests as a way to prove what someone knows... especially ones like the CISSP that tries to trick you on purpose! There are people with test anxiety;they go blank from the stress of taking a test. I would rather they put me in front of a few insecure/poorly configured servers and say do your best to secure them in 6 hours. If the cissp is using crafted words to lure you into select the wrong answer how does that prove that you know how to properly implement security? The only reason im persuing this cert is because HR managers scans resumes for that "cissp" word and if its missing your profile goes into trash bin. Its a shame really.

LionelTeo

I think you got the wrong idea about this cert in technical perspective. CISSPs is not about securing a server or proving someone is technical of something. CISSP is about business, and its very important to integrate business into Security.

Take for example given XXXX technology cost YYYY per month to defend host ZZZZ that generates a revenue for AAAA per year. Host ZZZZ faces QQQQ threats per month and last assessment shows host ZZZZ vulnerability is inadequate to protect against QQQQ threat. And if QQQQ threat hits, host ZZZZ can potentially lose BBBB revenue.

So now the company decided to buy and integrate a technology into the enviroment, get someone to set it up, he is able to do it so well and flawlessly that everyone applauds for him. But what if the technology, while now is capable to protect the host ZZZZ, now cost more because the business had not taken in account that the manpower and solution cost more than the revenue it loses if it had been hit by the threat? In such case, better alternative could be the solution, the flaws could be just a result of a poor patch management program.

CISSP is about Security talking in Business terms to Business owners, your CISO may not be able to write a single line or program, run a nmap, never touch a linux, or may not even know the latest hardware or technology. But he can be someone who is capable of saving the business million of dollars by implementing excellent BCP/DRP programs, policies, patch management, secure development life cycle, vulnerability management, change management, most importantly selling a point across to business owners about implementing new programs/technologies in place in terms of ROI and risk perspective.

Hence that is why its important to learn CISSP, not because of just passing a HR interview, but to bring points across to business owners, in business perspective.

62Vette

Like others here, this aint my first cert. That said I have never been asked to provide my exam score to anyone...only ask and verify you have the Cert. So to that point why not let the candidate know what they scored. Also ok real life...don't agree. Facts I can get behind, what class fire extinguisher do you need for said fire. Cut and dry. Working on any OS you know there are several different ways to get to let say the control panel. But when you read the study guide they tell you MS wants you to say click on start menu blah blah whatever. Sure 3 answer choices might be a correct way to get to the control panel, but you were taught the way MS wants you to. So you get the answer correct. Here it seems a lot more grey...and purposely so!

tufexams

Agreed. However, my thought process is that you study for an exam and expected to be tested on the exam material. Heck, if you buy the Official ISC2 materials, like I did. Then you should have material (not actual questions mind you), that has at least some correlation to THEIR OWN study material. I got close twice. Does this mean that I don't know the material. I'm not sure simply because don't know the areas that I was weak in. Yes, they provide the domains, but we all know the domains are huge. It could be anything within that domain or not. I can tell you, and I don't care what anyone on this forum says. I got hit with material that I did not see anywhere in my study material. I ain't going to violate the NDA, even though I am not cissp, but I just took it and making this clear. Everyone has the right to an opinion, and that is mine. If this next go around isn't successful, I'm pursuing the GSLC which tells you straight out which one's you miss, provides explanation why so that you can regroup and go back and study that section. You will not get the same questions, but at least you know why you missed it.

62Vette

Yes I hear you....and you do make sense. Still seems...well just not right.

dustervoice

LionelTeo wrote: »

Hence that is why its important to learn CISSP, not because of just passing a HR interview, but to bring points across to business owners, in business perspective.

I get your point clearly but do you really need a difficult and purposely tricky test to "bring points across to business owners" ?

LionelTeo

I got where you are coming from but ISC2 did have an intention to do this.

In real life, business owners may give scenarios that is as trickery as well. One would know that ROI = (Gain - Expenditure) / Expenditure. But what if the business owner simply give a document contain a few values with some expenditure and gains in the mixture and mess up and request an advice in the middle of the meeting. Such situation is as trickery to look at and it did requires the similar level of thinking to pull through.

Speaking from personal experience, my security operation center management would like to cut down the user account management procedure to escalate for every case down to just random checking, the local security team are pushing to stand firm to create every single case of user account management due to audit purpose. If down to random checking, then audit will definitly question and if we will to create every cases, then the workload will be too high due to high amount of reset request everyday.

It took a considerable effort to find a balance to deem that user account management for office hour for normal users are consider low risk because of their access level; And high risk for all users at non office hours and high risk for all higher management account at all times, and then push for a procedure that can satisfy both team management and auditor to say that we will monitor all the high risk situation and explains in terms of risk to them.

What ISC2 probably wants to assess is in terms of critical thinking, and all candidates that held CISSP is able to apply that effectively in their work after passing.

LionelTeo

tufexams wrote: »

Agreed. However, my thought process is that you study for an exam and expected to be tested on the exam material. Heck, if you buy the Official ISC2 materials, like I did. Then you should have material (not actual questions mind you), that has at least some correlation to THEIR OWN study material. I got close twice. Does this mean that I don't know the material. I'm not sure simply because don't know the areas that I was weak in. Yes, they provide the domains, but we all know the domains are huge. It could be anything within that domain or not. I can tell you, and I don't care what anyone on this forum says. I got hit with material that I did not see anywhere in my study material. I ain't going to violate the NDA, even though I am not cissp, but I just took it and making this clear. Everyone has the right to an opinion, and that is mine. If this next go around isn't successful, I'm pursuing the GSLC which tells you straight out which one's you miss, provides explanation why so that you can regroup and go back and study that section. You will not get the same questions, but at least you know why you missed it.

Their official material is not very good for studying, I agree to some extend and pass using Eric Conrad study guide. But there is people who had passed solely using offical material, while its possible, it could also be that these people wealth of experince are good enough to easily absorb them and thus its a walkover exam for them.

bobloblaw

CISSP questions are robust because they are trying to emulate real situations. Real situations typically have "BEST/WORST/MOST" options. Real situations also have way more information than is needed, or information that can be deemed irrelevant to the solution. Unfortunately, real life isn't always a direct cut and dry CompTIA Q&A. That is why the questions can be frustrating. Problem solving can be very frustrating.

Paperlantern

bobloblaw wrote: »

CISSP questions are robust because they are trying to emulate real situations. Real situations typically have "BEST/WORST/MOST" options. Real situations also have way more information than is needed, or information that can be deemed irrelevant to the solution. Unfortunately, real life isn't always a direct cut and dry CompTIA Q&A. That is why the questions can be frustrating. Problem solving can be very frustrating.

Honestly. Well put. The exam and certification is meant to collectively show a competency that can only be obtained with a realatively deep understanding of the material. I found there is very little to really have to MEMORIZE for CISSP. It's more about the mindset to be able to approach a scenario or a problem to get the best possible outcome.

The certification is geared the way it is because of the type of competency it is created to represent.

62Vette

Yeah that sounds reasonable. Still why no score when you pass?

JDMurray

Nobody puts the score they received for their cert exams on their resume. No hiring manager asks in an interview, "What was your score on the ABC cert exam?" No one has ever shown the slightest interest in creating a class system for any certification by dividing the cert holders into the 90%'ers, 80%'ers, 70%'ers, etc.

I don't know for sure, but when the (ISC)2 created their first cert (the CISSP) back in the mid-nineties, they must have designed it using a testing program in which there is no fixed passing score. The psychometric evaluation of the candidate’s answers may make giving a numerical score irrelevant. This means the score one candidate receives as a pass may mean a fail to another candidate depending on the content of their exams. After seeing the results of cert programs where a fixed passing score is used (Microsoft, Cisco, CompTIA, etc.), the (ISC)2 has never felt a reason to change their way of testing.

Now CompTIA with its new CASP certification has adopted psychometric testing evaluation and doesn't give a passing score either.