How hard is CISSP?

CISSP difficulty is one of the most frequent things people ask me about once they find out I have the certification. “How hard is CISSP?” and “Could you pass CISSP again?” are two questions I get a lot.

They’re fair questions, and the answer is: it depends. But I can help you figure out the answer for yourself.

I’ll be honest. After I finished taking the CISSP test, I questioned everything I know about everything. I had to drive five hours to get home afterward, which was both a good and a bad thing. It took me 30 minutes to regain my composure enough to be able to drive.

I passed, by the way.

On the other hand, there’s James Arlen. Mr. Arlen is one of the minds behind Liquid Matrix Security Digest. He had been a security professional for a good 20 years before he took CISSP. He refused to take the test on principle for a number of years. A year or two ago, he sat for the test and passed. He talked about it afterward. It didn’t sound like he studied a lot and it didn’t sound like he found it exceptionally difficult.

Then again, if you’ve been doing general security work for 20 years, it probably shouldn’t be difficult. If the test is trying to assess how well a seasoned security professional can get through a rough day, a guy who’s been performing for 20 years at a high level ought to pass it.

It wasn’t a walk in the park for me. I’d been doing pure security work for a couple of years when I took it. Prior to that, I was a system administrator. Most of the sysadmin work I did was security-related. But CISSP covers 10 domains. My sysadmin experience covered two or three. My security work covered another two or three. That left a pretty good-sized gap. That meant I had to learn and recall a lot in six months to pass the test. For example, I knew very little about encryption going in, so I found that harder.

Someone who has some practical field experience with encryption and can spot good encryption and bad encryption when they see it will have a lot less trouble than I did.

And some of the material is just plain obscure. My post about Halon-2402 is a good example. Everything there is fair game for that test.

The job that required me to get CISSP involved evaluating security assessments. Someone else did the assessments, but I had to find the weaknesses in them and either make recommendations to shore them up, or make a convincing argument that the weaknesses met the minimum requirement. After six months of analyzing those assessments, I was a reasonably competent security generalist.

I wouldn’t call myself a generalist anymore. Today I specialize in a field called vulnerability management. I get pulled into generalist work from time to time since I have just enough background in it.

A year after taking CISSP, I would have had difficulty passing it again if I’d gone in and taken it cold. I’m not arrogant enough to say I could go in and take the test cold and pass it tomorrow. I’m confident enough to say that since I passed it once, I could pass it again. But I wouldn’t just take it cold.

Some CISSPs retake the test every three years because they find it easier to pass a test than to track and report CPEs. Others recoil at the idea of ever having to take the test again.

I don’t like tracking and reporting CPEs either, but it’s cheaper than retaking a test and it’s automatic.

So, is CISSP hard? Yes. It’s a reasonable simulation of a really rough day for a competent security professional with some experience. That gets less difficult with time. But I’m not ready just yet to call that easy.

I hope that answers your question. And since you asked, maybe what I wrote about how I studied for CISSP or my test-taking strategies might be helpful to you.
