The CISSP is a 250-question, multiple-choice test. You have six hours to complete it. It’s not like any college final I ever took, though cramming all of finals week into a six-hour session is almost a fair comparison. If you’re wondering how to pass CISSP, I can’t guarantee my method, but I’m glad to share what worked for me.
I’m not a lawyer, so I’ve never taken the bar exam. But the multiple-choice MBE, which is a 200-question, six-hour test, might be a fair comparison.
It took me a little over four hours to finish the test. I was paying more attention to the test than I was to how many people finished before me, but there weren’t many. It’s not just a knowledge test; it’s also an endurance test.
I studied the day before, but I didn’t cram. I took the day off before the exam to drive to Chicago, and I listened to study material on the way. I had taken the Wikipedia articles about a few topics I knew I was weak on, run them through a text-to-speech program, and burned the files to a CD. That helped.
When I arrived in Chicago, I ran through 300 questions, which took me 2-3 hours. Then I went out for pizza. After I returned, I reviewed the OSI model, a traditional weak point for me, for an hour or so, then I just did something else entirely for an hour or so before going to sleep.
I did get a good night’s sleep. That’s important for any test. I studied a little bit that morning before the test, but I’m not confident that I retained any of that material during the test.
Studying my weak points right up until five minutes before the test helped me on Security+. It seemed less helpful for CISSP, for what that’s worth. But since I’ll never see my CISSP score, I only have my gut feeling to go by.
Another CISSP mentor told me to eat a big breakfast that morning with lots of protein. Two pieces of Chicago-style pizza did the job for me. I studied a bit that morning, mostly trying to review the (in)famous Rainbow Series, another weak point for me. They’re fair game for the test, but I honestly don’t remember anymore if my test covered them at all or not. I can say it’s more important for you to know the difference between the ISO 9000 and ISO 27000 series if you’re taking the test now.
Also, you can bring a bottle of water and you can even bring some hard candy and/or a sandwich with you. The proctors will have to approve any food or beverages you bring in, but as long as it’s obvious that it’s store-bought and unaltered, they’re likely to approve it, and that will help you get through the test. I forgot to do that, so I took two or three water-fountain breaks.
Arrive early. You will have to stand in line to register. The line moves at a reasonable rate, but you want to arrive whenever your registration form says to arrive.
Once you take the test, standard test-taking strategies apply. Answer the questions you know. When you don’t know, eliminate the goofball answers. There’s always at least one, but frankly I think most of the questions had two. Find the two reasonable answers, then rely on what you know to pick the better of the two. And if you just don’t know, mark it and come back. There’s a pretty good chance some future question will jar your memory. Sometimes the answer may even be in a future question.
For a couple of questions, I resorted to tallying up the number of A, B, C, and D answers I gave, looking at the two reasonable choices, and choosing the one I’d used least on the rest of the test. It’s better than flipping a coin.
Some questions make you read an essay, then answer some questions. Frequently, large portions of the essay were irrelevant on my test. That will prepare you for jobs like mine, where I ask people about their firewalls and they tell me all about their patch management process. So when you encounter that on the test, don’t let it rattle you.
The first five questions or so really rattled me. I can’t speak for any other test, but mine didn’t start off with any easy questions. The hardest questions were somewhere in the middle, but on a scale of 1-5, I’d say the first five questions or so pretty much all rated a 4. About five questions in, I resolved to mark the questions I was unsure about and come back to them. Pages 2 and 3 were a bit easier than page 1 had been. So don’t let page 1 mess with you.
I reviewed my answers twice. The rule of thumb when test-taking is that your first instinct is usually a better answer than your second-guessing. I think I ended up changing about five answers. Your first instinct is usually right. Not always. Sometimes some other test question will remind you of something when you come back around.
Reviewing my answers a third time seemed counter-productive. I changed a few answers on my first go-round. I changed far fewer on my second go-round, and the number of questions I felt unsure about didn’t really drop after my second go-round. Spending another hour agonizing over the test wasn’t going to make me any more sure about that set of questions, and after four hours, my judgment on those other 225 questions was only going to get worse.
After my first round, I had about 25 questions marked that I needed to come back to, which isn’t bad. I found that in my studies, any time I encountered new material I’d never seen before, I scored 80-90 percent, which meant I was wrong 10-20% of the time and didn’t know it. So let’s run through the worst-case scenario. Say I was wrong 20% of the time without knowing it on the 225 questions I hadn’t marked, which is 45 wrong. And say I missed all 25 of the questions I marked. That’s 70 wrong out of 250, or 180 right, which works out to about a 72, barely above the 70 that is the lowest passing grade.
I do think the test is designed to mess with your mind. Logically, if I assumed the worst, a passing score of 70% was just about the worst I could have possibly done. Did I have doubts as I drove home? You bet I did. Did I have doubts as I opened the message titled “(ISC)2 Examination Results?” Absolutely. In between? Enough that I had a contingency plan in place. But I had enough confidence that I stopped my 300-question-per-day regimen.
(ISC)2 doesn’t tell you your score, so I’ll never know if my score was in the 70s or the 90s. Nor should I care. Now all I care about is running down the addresses of all of my employers and contact information for former supervisors so (ISC)2 can vet me.