I recently passed the CISSP Exam at 100 questions with one hour remaining.



Testing Strategy (my opinion, not official):

Hypothetically, if each CISSP question has a low, medium or high rating, the first 10 questions should be around medium/hard. The CAT exam will adapt to your answers so if you start off blazing hot, you should expect to encounter even harder questions. (e.g. this did not happen to me but I read other exam feedback about a tester who received IP subnetting questions. This user also passed at 100Q so my assumption was this could be considered a *hard to very hard* rated question and if I saw a subnetting question that means I was doing well on Domain 4.)

If you start off by missing certain questions (e.g. SDLC, BCP), the CAT exam will keep throwing those questions at you, some of which will have a low to medium rating. And if you do start off by missing questions, you have a deeper “hole” to climb out of and could see more than 100 questions.
IMO, an example of a hard question: I received a symmetric and asymmetric algorithm key size (bits) question. The question was not similar to what you would encounter in Domain 3 Official Study Guide (“Sybex”) or Boson. The question, and the answers, were written very well and you had to read the answers multiple times. I assumed that if I answered correctly, the CAT exam would close out Domain 3 and push me closer to a pass. I did not receive any encryption questions after that (probably around question 50).
Warning: I spent close to 30 minutes or more on the first 10–20 questions. Long enough to get worried that if I needed to make it to 150, I would be fighting the clock. This is a tradeoff you have to be cognizant of. I had around 55 minutes left at question 100 which means IF I would have received 150 questions, I would have ~1 minute per question. So if you decide to spend extra time analyzing the first questions, be aware that you may need to make up time later in the test.

I received 2–4 questions on topics that were clearly not covered in Sybex. Having read Sybex twice (I’ll get to that), I assumed that these topics were experimental questions and I did spend the same amount of work analyzing the question as, say, something about BCP/DR. So keep in mind if you are stuck on a topic that seems foreign to the CISSP, it may be an experimental question.

Style of Questions:

If you have spent time reading CISSP pass/fail reddit posts in the last 2 years you SHOULD pick up on the fact that multiple choice (“M/C”) questions are not a good judge of exam readiness. M/C questions are very important to learning and gauging exam content knowledge and should be used to drive learning. The problem is, we get accustomed to how these questions are written while CISSP official questions are the complete opposite. The exam questions do a great job of writing questions that tie together multiple domains. Domain 1, Security and Risk Management, should be the baseline of every exam topic. Understanding the SDLC steps in order is not enough. You need to ask yourself, what are the risks of each step? What is (are) the mitigation(s)? This should be applied to every key exam subject as that is what you will experience on the exam.


* 10/10 — Discord

Think of a 24/7 study group with support from the top CISSP minds and authors (e.g. Adam Gordon, Wentz Wu, Thor Pederson, Rob Witcher, etc). This is a great community of like-minded professionals. Highly recommend. https://discord.gg/certstation

* 10/10 — Sybex 8th Edition

I read this book twice (first time when I failed in June 2019). There is repetition in the book so as a reader you should decide when to skim and deep dive.

* 8/10 — 11th Hour (Amazon, $25)

High level overview of the topics you should be aware of. After each Domain in Boson I would read the 11th hour chapter to make sure I understood the scope.

* 9/10 — Boson (I think Thor Pederson has a coupon for Boson on his website)

Again, use this to supplement your learning. Make sure you stay “an inch deep” and do not chase any purple squirrels.

* 7/10 — Shon Harris CISSP Practice Exams, Fifth Edition (Amazon, $23)

I enjoyed how these questions were written as some of them had an “exam like” feel. Again, use this as a supplement and try not to go too deep. There are questions that are more than an inch deep….keep focused on the Sybex subjects.

* 7/10 — How To Pass Your INFOSEC Certification Test: A Guide To Passing The CISSP — Ben Masilow (Amazon Kindle — $10)

Short book and I’m happy I read through it.

* 8/10 — Study Notes and Theory — Luke Ahmed (website, free & subscription)

I did not sign up for membership but might have considered it when I first began studying. I watched most of his free videos.

* 9/10 — IT Pro TV — Adam Gordon (subscription)

I signed up for one month and watched Adam Gordon’s Accelerated CISSP videos on 1.5x speed, taking notes and pausing for more in-depth subjects.

Note, I did about half of the Kaplan questions that came along with the subscription. Again, use your judgement here. I felt many of the questions were outside of what I felt the scope was for the exam. I would rate the questions 5/10.

* 10/10 — Adam Gordon Weekly Bootcamp — Promoted through Discord (free)

Most of the material is from Adam’s Accelerated Course however I felt that these bi-weekly sessions were valuable to learn from Adam outside of the pre-recorded course. Having the ability to interact with Adam and ask questions is beyond valuable.

* 9/10 — Rob Witcher Mind Maps and Associated Videos — YouTube

During my last week of studying I spent time on YouTube watching Rob’s videos.

* 8/10 — LinkedIN Learning — Mike Chapple course (subscription)

During my one hour commute I would listen to these videos on 1.5x speed.

* 8/10 — Old Cybrary MP3s, Kelly Handerhan (subscription now required for Cybrary access)

I would listen to these MP3s when I went for runs. 10-question quiz before falling asleep or in the bathroom.

* 10/10 — Kelly Handerhan and Larry Greenblatt’s “CISSP Tips”, etc. (YouTube)

Take detailed notes; they share tips that will help you pass.



Clearly a lot of materials here. I spent around six months prepping for my June 2019 exam. After failing the exam in June 2019 I knocked out the Security+, CySA+ and CRISC exams before spending three months studying for the June 2020 exam. Coming from an accounting background, it was important for me to build that baseline networking and security knowledge.

Did I over study? Possibly, but I can say confidently that everything I have learned will help support my career and my interactions with IT Professionals.

If I could go back and study all over again, I would cut down on the resources and multiple choice questions. Stick with one resource (e.g. IT Pro TV, Thor, Greenblatt, Chapple) and focus on understanding the core concepts and how they interact with the various Domains.

