top of page

-CISSP Infrequently Asked Questions-

Am I ready to take the CISSP exam? 


I usually recommend taking 5,000 questions before taking the exam.  Once you take the questions over and over again you start to see a pattern. 


It's true the real exam is nothing like the practice questions.  It may sound difficult to comprehend the concept, but believe me once you take the exam you'll understand what I mean about a pattern.  The Shon Harris questions are my fave,they are in my opinion the closest to the exam.


The key is to take as many practice exam questions as possible.  50% study should be books, and 50% study should be practice exam questions.  To take full advantage of these questions, you should not only try to get the answer right, but also realize why the other answers are wrong. 


The best way to know if you're ready for the exam is to open up a study guide book, point to any word on a random page, and be able to explain it thoroughly.  


How do we approach questions about ethics on the exam?


The set of ethics and morals we follow are dependent on our background and upbringing.  What is ethical to one person, can be seen as unethical to another. 


Here are some real-life ethical dilemmas:


A customer has disconnected their service with your company, but you are still receiving payments. What do you do? 


A customer's firewall is vulnerable to a certain exploit, but the customer has stated not to do anything about it.  What do you do? 


You are asked to spy on your employee who is also a friend, for any logic bomb activities since they are going to be fired soon.  Do you spy on them or give them a clue as to what the company is up to?


Each one of these ethical dilemmas can invoke a different type of response from all of us as security professionals.  


It is a bit easier on the exam, as you can go by the canons in most order of most important to least important:


Click here to read about the ISC2 Code of Ethics, they are testable on the exam.


When in doubt, always choose to protect society.


I've been getting 82-86% on practice questions.  Would you say I need to get a higher score on them to be ready for the CISSP?


82-86 percent is not bad at all, I've heard of folks who scored in the mid-70s that have passed the exam as well.  Frankly, I wouldn't make the relationship between test score vs exam readiness. 


The best way to know if you're ready for the exam is to open up a study guide book, point to any word on a random page, and be able to explain it thoroughly.  


Try to do at least 3,000 practice questions before sitting for the exam.


What layer does PPTP fall into, layer 2 or layer 5?  The books I am reading say different things.

For PPTP, I'm thinking that to be a Layer 2 protocol since it operates at the Data Link layer.


Is it the cloud service provider and the customer's responsibility for keeping systems and applications up to date and patched? Or is it just the cloud service provider's responsibility?

Depends on the TYPE of cloud service being utilized, is it an IaaS, SaaS, or PaaS?


So in an IaaS, the customer is responsible for all updates and patches.  


In a PaaS and SaaS, it is the CSP responsibility.  


I created a video and PDF download for just this type of question I don't know if you've seen it yet, here it is:


Luke, in your opinion what topics come to your mind that I should definitely know for the exam?


Try to know these thoroughly:  IPSec, mobile device security, BCP/DRP process, ARO/SLE formula and how to calculate them (not just a standard way, but try to make a variable x, and solve for it), PKI, asymmetric encryption, types of firewalls, and SDLC. 


One of the the things I plan on writing down is CIA and IAAA.  After taking practice tests, I realized that the IAAA doesn't just refer to people, but objects and processes as well.  Is this the right way of thinking for the exam?


Yes IAAA relates to the actual memory locations as well.  The processes, threads, covert timing channels etc. etc.  


I'd place CIA over IAAA as well.  I actually hadn't thought of also keeping IAAA in mind, but it's a great idea.  But again, I'd place CIA over IAAA given a scenario.


Quick question, what is the definition of an exception?  I was reading a practice question regarding why a security policy needs to be changed.  The answer they gave me was because of exceptions.  Can you please explain?



That's a broad sounding definition, "exception".  In terms of the question you saw, maybe a security policy needed to be modified or amended, much like the US Constitution.  Exception might be a bad way to put it, but Voting Rights Act and other legislative measures which were amended might be considered "exceptions" (even though they are unalienable rights), and changed in the Constitution or a security policy. 


Basically anything that doesn't align with the security policy, but is required, might be considered an exception.


In a more corporate environment, sometimes the more important an executive is, the less they have to adhere by a security policy, they would be an exception.  But I wouldn't keep this mindset for the CISSP exam.  For the exam, pretend you live in a perfect security world with proper BCP/DRP, security policies, and other functions in place to uphold CIA.  


For the question talking about security operations center, I didn't choose SLA because I wasn't sure if the security operations center was a center or part of the actual company.


For the true/false question regarding data owner and Senior management, I selected true because I thought Data Owner was a part of Senior Management.  At least that's what I had interpreted from the book.


It is senior management that decides who will be the data owner.  The keyword in the question was "ultimately", all responsibilities and decisions all ultimately fall on senior management.  The data owner is not always part of senior management i.e. manager or supervisor.  


Even if the data owner is still part of senior management, a decision has to be made by senior management to grant that right. 


Hey Luke, I failed the exam only by 7 numbers today.  Can you tell me what to do for second step.... For second step they charge full fee or what??


I believe they do charge full fee for second attempt.  Sorry to hear you did not pass the first time.  Especially by 7 points! 


Right now I'd just keep doing practice questions to stay fresh and take the exam again in maybe 1.5 months.  

Do I have to retake the exam after passing it? Is it valid forever? 


To answer your second question, the CISSP exam is valid forever.  The only way to maintain it from expiring is to pay ISC dues and provide some sort of credit hours in information security.  You can attend a 1 week security seminar and this will count as credit hours.  Of course you also have to pay $80! So in order to maintain the certification you don't have to re-take it, just keep up the dues and credit hours.

Do I have to memorize everything in Cryptography like DES modes and other stuff like that? This cryptography stuff is overwhelming!


I had the same issue when dealing with the cryptography chapter! I'd memorize that DES uses 56 blocks out of the 64 blocks, or I'd memorize the following hashing algorithms: MD5, RIPE, SHA1, SHA256.  Then when I'd take a practice quiz, I'd totally forget if Diffie-Hellman was a symmetric or asymmetric algorithm.  Then I'd be even more frustrated to find out it's neither! It's a key exchange protocol!


The way I solved this is the old school way, pick up a pencil, tear off a sheet of paper from a notebook, and write over and over and over again everything that needed to be memorized from the Crypto chapter.

It's true you don't have to memorize it for the exam, but in the end, you do have to grasp the basic facts about crypto in order to apply the concepts.  Why is symmetric encryption a weakness in a big company? Because there would be a lot of keys too share out with everyone else.  If you had asymmetric encryption, each user would only need their private key, and obtain someone else's public key.

I found it helpful to embrace the cryptology as much as possible.  The word "cryptography" itself is pretty intimidating, I always thought it was some stuff of the dark arts of mathematics.  Soon I realized it's really not that bad, just have to keep reading about it.

The strategy I used, and it's tedious, was to go back and study the Cryptography chapter after reading every other chapter.


Read Crypto
Read Security Engineering
Read Crypto
Read Asset Security
Read Crypto

Cryptography topics definitely look shortened in the new CBK book.  But I will say, having read through the book, it doesn't simplify anything.  It assumes you already have a basic understanding of cryptography.  The Shon Harris book starts from the very beginning.

I just read your post and would like to know if you have the question bank by Shon Harris AIO 6th edition? I failed the cissp in july 2015. 
As of now I am referring to Eric Conrad, AIO, combined notes and CCCURE question bank. I don't have the question bank by AIO cause I got the entire book online.


Sorry to hear that you failed the exam, but it sounds like you've been studying all the right materials i.e. Shon Harris, Eric Conrad and CCCUre.  Those are the exact guides I studied for the exam.  Don't give up man!

Do you mean the Shon Harris book that contains just practice exam questions? Is that the question bank you are referring to?  I don't have that one, but even if I did, I don't think I'll be able to share it because it would violate copyright laws, and a violation of the CISSP Code of Ethics.

However, I did find these questions on the Internet by Mcgraw Hill that I think are free to practice for the general public:

I studied these questions a lot 2 weeks before taking my exam.  For the ones I got wrong, I thoroughly learned why I got it wrong, and why the other answer was correct.  It really helped!

Here is another resource I used before taking the exam, it's a free mindmap:

Have you joined our Facebook group, "CISSP Exam Preparation: Study Notes and Theory"? It's a small community of folks who are studying for the CISSP exam, and some that have even passed and are helping the rest of the group out.

Let me know if you have any other questions, and good luck Melvin for the second try! I'm sure you will pass!

Planning to go for CISSP. Before going to do that I do have some queries which I believe you are the right person to ask. If you don't mind please clear my doubts and queries.

1. Which book I should go for as a starter? Please mention version too.
2. What is the exact process to keep my certification valid even after 3 years. I read about 120 CPEs but it is not really clear to me.
3. Will it be worthy to self study CISSP and go for exam?



1.  To answer your questions, what I tell most people is to study the Shon Harris 6th Edition book.  It is one of the best out there.  It is clear and somewhat simply explains the different topics across all domains.  It is long and it is sometimes very boring, but you only have to read it until you pass the exam, it's worth it!

2.  I just recently became a fully endorsed and certified CISSP, so I'm facing questions about the CPE credits as well.  It sounds like you need to achieve at least 40 credits per year, in the 3 year 120 CPE credit cycle.  So that's 40 CPEs per year, for three years.  Also, you gotta fork up $85 to the ISC2, gotta pay your dues and everything.

3.  I studied and passed purely on self-study.  But don't get it wrong, self-study takes a lot of discipline and dedication, it took me 9 months.  If you're going to do this, you're going to have to commit to it.  If you do want to take a course, then take a boot camp right before you think you're ready for the exam.  Taking a boot camp alone won't help you pass the exam.  I mean could, but why take those chances if you have time to study?  Go for it, in the end, you'll see the exam isn't that difficult!

I found your blog very helpful especially in understanding concepts.  Can you advise me how to get useful practices questions?  Where did you get 5000 of them?  Thanks a millions.

Regards, a CISSP learner.


First of all thank you so much for visiting my CISSP blog, I hope it helps turn you from a "CISSP learner" to a full-fledged CISSP! 


When I said I took 5,000 practice exam questions, these were all from different sources.  Here is where I'd get most of my practice exam questions: 


*  Shon Harris Study Guides, mostly the 6th Edition, but I also went through the ones in the older editions.  You can never learn enough.  


*  Eric Conrad's CISSP Study Guide also had questions, but not as many.  It is meant to be a summary of the CISSP and read weeks before taking the exam to fine tune your weak domains.  


*I also went to the below link 2 weeks before my exam, I believe it is free to be distributed from McGraw so we're not violating any copyright laws or the CISSP Code of Ethics:


Not only did I try to understand the correct answer, but I also fully made sure to understand why the other answers were wrong.  That to me is the most important part.  


And basically I just Googled "cissp practice exam questions" and clicked on as many links as I could.  


That's how I got to over 5,000 questions before taking the exam! Trust me, sitting there in the testing center for 6 hours going over 250 questions, I'm glad I took every one of those practice exam questions.  

bottom of page