
-CISSP Infrequently Asked Questions-

I have over 15 years of IT experience, from IT generalist to IT security guy.

I have several certs, including MCITP EA, CCNA (expired), VCP, CCA, CEH, CHFI, CASP, EMCISC and JNCIA, to mention a few. However, I took the CISSP the first time on self-study and did not pass.


I am frustrated that I didn't find a way or method to study the domains, and a way to answer those examination questions differently than I did. I mean, how do I understand the concepts and apply the concepts to answer my questions?


I studied for the exam for over 4 months and used your website (which I came across recently) for attacking some of the domains.

I thought I prepared well using CCCURE and the Sari Greene Safari lecture.


Please provide guidance that you think might help. 


First, I'm sorry you did not pass the first time; it sounds like you put in a lot of your own personal time to prepare for the cert.  Besides being humbled, let's be honest, you're probably feeling a bit angry too.  When I took the exam, I had no choice but to pass the first time.  I had spent over a year studying for it! AND the new exam was coming out a month after I was done with the exam.  That means if I failed, I'd have to study ALL over again for the new exam!

What domain did you score the least on?  The most common advice is that you should go back and focus on that domain again.  But that's not what I'm going to advise.

Can you take a look at the printout of your exam result and find the domain that was your weakest?  Now, can you take that domain and relate how it is interdependent with, or works in conjunction with, all the other domains?

For example, say your weakest domain was the Risk Management domain.  Can you think about the Software Development Security domain and find some examples of how the Risk Management and Software Dev domains work together?  If you can't, let me give an example.  Software Dev is all about coding applications.  Programmers write programs.  But what kind of programs? That's based on necessity.  Necessity for a certain function of the business to operate.  Let's say the company developers need to code a new online shopping browser that uses SSL.  Why do they need to create a secure browser with SSL capabilities? So transactions can be secure.  Who or what determines why transactions need to be secure? The Risk Management team.  They do a risk analysis and provide information to the management team, who will provide the authorization to approve a project that allows the programmers to design a browser that uses SSL.

See how everything relates together? Software dev topics? Risk Management topics? Both are needed symbiotically in order to work.  This is the essence of the CISSP exam: to have the ability to tie all this information together, and learn the high-level concepts.

To be honest, four months sounds like a short time to study.  For the folks I talk to (and I talk to about 50 people a day about CISSP stuff), it takes a little over 6 months.  Do you think you rushed through your studies? Were you surprised by your result and by how the real questions were so different from the practice exam questions?

How did you do on the practice tests?  Were you scoring over 85%?  Did you not only get the answer right, but also know why the other answers were wrong?  How many practice exam questions did you take before the CISSP? I took over 5,000 questions from many, many different sources in books, and across the Internet.  And I'll tell you, every one of those 5,000 questions prepared me for the real exam.

Did you immerse yourself in your CISSP studies? Eat, sleep, breathe CISSP?

I see you have a lot of certifications; did you study hard for all of them?  Or did you use any exam dumps for them?  Remember, I'm just a stranger, so admitting it to me is no problem.  I apologize for asking, but I only ask because exam dumps ruin your mentality when it comes to taking the CISSP.  If you did use them, I'll tell you the reason why it kind of messes with your study habits.

Are you part of our CISSP Study Group on Facebook? If not, I'm proud to say it has become an enormous amount of CISSP knowledge shared by people studying for the CISSP, and by CISSPs themselves.

I took the CISSP sometime last week and failed. My most horrible experience was the way ISC2 asks questions; I thought the questions would be asked like the ones I got when I sat for the CAP, but they were totally different.


I just paid for another exam today, scheduled for the 23rd of next month. What will be your advice, sir?

I know the only two domains I am not comfortable with are Security Engineering and Communication and Network Security.


I love the way you explain how to answer the questions, which is the best way, and I want to be familiar with that. How do I see more of the past questions you've treated, and questions that I can use to practice on my own?


Please I need your help. 

I'm sorry to hear you did not pass the CISSP the first time! It must be incredibly frustrating!  $600 is a lot of money anywhere in the world, and the thought of paying it twice is really agitating!

Right now, though, I advise you to reschedule your CISSP exam from next month to a later date.  It does not sound like you are quite ready.  Are you under pressure to pass the exam?  What makes you think you will be ready in a month?  You may be incredibly smart, but I am not; I would definitely take another 3 months before taking the exam.

I took over 5,000 practice exam questions before taking the actual exam.  And you're right, the CISSP questions were NOTHING like what I expected.  What did you find so difficult?  The fact that all the answers could be the answer? Were you able to eliminate at least 2 of the wrong answers?

Here is what I suggest, and it's going to take a lot of patience.

Join our Facebook group "CISSP Preparation Study Notes and Theory".  There have been a LOT of people recently who passed their exam after spending time with the group.  I think the group is especially great at coming up with scenario-based questions like the exam.  But the most important part is that everyone not only explains why the answer is right, but also WHY the other answers were wrong.  The latter is an extremely important part of studying: to understand why the other answers are wrong.

What is your security background?  If you are having trouble with the Security Engineering and Network Security domains, I am assuming your background isn't a technical one like a security engineer or network engineer.

There really isn't a lot I can tell you in this email to give a single guaranteed way to pass the exam; you must experience it in the group and in your own studies.  If you have difficulty with topics like IPsec VPNs or NAT, ask the Facebook group, and I promise people respond kindly without any judgement! And of course, I'll always be here too.

Do you know how load balancers, proxies, and SSH work? If not, it is time to deep-dive into the topic and learn it.  You have to go beyond the textbook and research on your own.  I apologize if you already do this; I am just giving some suggestions of what I did.

I am currently working as a software QA analyst and thinking about taking CISSP training to take my career to the next level. Do I need to take different security training before the CISSP, or can I just take it directly now? Any boot camp you may recommend, or just straight books? What am I looking at salary-wise?


The CISSP is a security-oriented certification; is that the career you are in now, or want to be in?  What is the next level in your career, and how would the CISSP get you there?  The CISSP is good for network security engineers, SOC managers, any security management or leadership positions, or a penetration tester.  It is not technical in nature, but still a gold standard.  If your current position of software QA analyst deals with security, I say go for the cert.  Otherwise, if you have zero security experience, having the CISSP alone won't help you get a security job; you'll need to have experience.

These are just some of my thoughts for your situation.

As far as whether you need to take different security training, there is only 1 prerequisite for the CISSP: 5 years of information security experience.  You can take the exam at any time, however, but personally, I feel like my 3 years of information security experience really helped me pass the exam.

I didn't take any boot camps myself, but others have said they are okay.  They are best taken a week before sitting for the exam.

I just hit the books over and over again, and tried to understand concepts instead of memorizing facts.

I have no insight into the salaries for such positions, but for the US you could say about $100,000 for software QA with a CISSP.  A network security engineer with a CISSP can make $110,000, and managers or executives with a CISSP can make $200,000+.

Why do we use primary and foreign keys in databases? Which one can't exist without the other?


P/F keys exist for identity, mostly for relational guys.  If you have a big old single flat table, you could get away with just having PKs.  But if you need to work on some normalization type of stuff, that's where you really get some FKs in action.  The FKs will link back to the "main" PK entry.

A shopping cart system is a simple song and dance: have a big old table of buyers, a big old table of inventory, and then a nice table of orders with FKs that point back to the two.

What are the three main types of database integrity services?

Referential Integrity - Foreign key cannot exist without Primary Key

Semantic Integrity - All the data types should be intact with values and database should follow a proper structure

Entity Integrity - Each row has to be uniquely identified (primary key)
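The shopping-cart layout from the previous answer, built in SQLite from Python, with each of the three integrity services above exercised: a valid order is accepted, an order for a buyer who does not exist is rejected (referential), a second buyer with an existing primary key is rejected (entity), and a zero-quantity order fails its CHECK constraint (semantic). This is an added example, not code from the original page; the table and column names are my own.

```python
import sqlite3

def build_shop():
    """Constructed schema: buyers and inventory carry the PKs, orders carries the FKs."""
    conn = sqlite3.connect(":memory:")
    # SQLite does not enforce foreign keys unless this is switched on per connection.
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript("""
        CREATE TABLE buyers (buyer_id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE inventory (sku TEXT PRIMARY KEY,
                                price_cents INTEGER NOT NULL CHECK (price_cents >= 0));
        CREATE TABLE orders (
            order_id INTEGER PRIMARY KEY,
            buyer_id INTEGER NOT NULL REFERENCES buyers(buyer_id),
            sku      TEXT    NOT NULL REFERENCES inventory(sku),
            qty      INTEGER NOT NULL CHECK (qty > 0)
        );
        INSERT INTO buyers    VALUES (1, 'alice');
        INSERT INTO inventory VALUES ('BOOK-42', 1999);
    """)
    return conn

def try_write(conn, sql, params):
    """Return True if the statement was accepted, False if an integrity rule rejected it."""
    try:
        with conn:  # commits on success, rolls back on exception
            conn.execute(sql, params)
        return True
    except sqlite3.IntegrityError:
        return False

def run_checks():
    conn = build_shop()
    order = "INSERT INTO orders VALUES (?, ?, ?, ?)"
    return {
        # buyer 1 and SKU BOOK-42 both exist: accepted
        "valid_order": try_write(conn, order, (100, 1, "BOOK-42", 2)),
        # referential integrity: FK to buyer 999, which has no PK row
        "orphan_buyer": try_write(conn, order, (101, 999, "BOOK-42", 1)),
        # entity integrity: PK 1 is already taken
        "dup_buyer": try_write(conn, "INSERT INTO buyers VALUES (?, ?)", (1, "mallory")),
        # semantic integrity: CHECK (qty > 0) rejects the value
        "zero_qty": try_write(conn, order, (102, 1, "BOOK-42", 0)),
        # referential integrity also protects the parent: buyer 1 is still referenced by order 100
        "delete_referenced": try_write(conn, "DELETE FROM buyers WHERE buyer_id = ?", (1,)),
    }

if __name__ == "__main__":
    for name, accepted in run_checks().items():
        print(f"{name:18} accepted={accepted}")
```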

What is polyinstantiation used for as an example in real life? Polymorphism?

Polyinstantiation is slick.  It means "many instances".  So you decide to keep a record of all the books that you are currently reading, and you share this with the world.  You are currently reading a book titled "How to communicate with woodland creatures".  While you wish to keep this database accurate (integrity), you don't want people to know that you are reading this book (conf).


So, you have one record that sets the boolean field "currently_reading" to 0/false.  You then insert another record at a higher/different security level with the same exact entry (PK and all), and set that boolean field to true.  That way, when people with the lower/less security look at this table, they will wonder why you have this book, but won't be too worried because they think that you're not reading it.

Polymorphism means "many forms".  I love animals so I always use them as examples.  You have a class called Animal, and then two other classes called "Bird" and "Rabbit" that inherit from the Animal class.  Rabbit and Bird can do the same things differently (i.e. hop and fly).
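The two-record trick from the polyinstantiation answer above, as an added example (not code from the original page): a SQLite table in Python where the security level is part of the primary key, so the same title can carry a cover-story row at the low level and the real row at a higher level, and each reader sees only the highest-level row they are cleared for. The table name, the two levels and the titles are constructed for this example.

```python
import sqlite3

PUBLIC, PRIVATE = 0, 1  # constructed security levels; higher number = more sensitive

def build_db():
    """Constructed 'books I am reading' table; (title, level) is the key, not title alone."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""
        CREATE TABLE reading (
            title             TEXT    NOT NULL,
            level             INTEGER NOT NULL,
            currently_reading INTEGER NOT NULL CHECK (currently_reading IN (0, 1)),
            PRIMARY KEY (title, level)
        )""")
    conn.executemany("INSERT INTO reading VALUES (?, ?, ?)", [
        # same title twice: cover story at PUBLIC, the truth at PRIVATE
        ("How to communicate with woodland creatures", PUBLIC, 0),
        ("How to communicate with woodland creatures", PRIVATE, 1),
        # a title with nothing to hide needs only one row
        ("Firewall Basics", PUBLIC, 1),
    ])
    conn.commit()
    return conn

def view_as(conn, clearance):
    """Return {title: currently_reading} as seen by a reader with the given clearance.
    For each title only rows at or below the clearance exist, and of those the
    highest-level one wins; rows above the clearance are invisible, not denied."""
    rows = conn.execute("""
        SELECT r.title, r.currently_reading
        FROM reading r
        WHERE r.level <= ?
          AND r.level = (SELECT MAX(level) FROM reading
                         WHERE title = r.title AND level <= ?)
        """, (clearance, clearance)).fetchall()
    return {title: bool(flag) for title, flag in rows}

def duplicate_rejected(conn):
    """Entity integrity still holds: a second row with the same (title, level) is refused."""
    try:
        conn.execute("INSERT INTO reading VALUES (?, ?, ?)",
                     ("How to communicate with woodland creatures", PUBLIC, 1))
        return False
    except sqlite3.IntegrityError:
        return True

if __name__ == "__main__":
    db = build_db()
    print("public view :", view_as(db, PUBLIC))
    print("private view:", view_as(db, PRIVATE))
```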

I failed the exam.  My top 3 weak domains were Network Security, Software Development, and Risk Management.  I thought I studied hard for it for months, but still failed.  English isn't my first language, so I faced some difficulty. Please advise, Luke.

Okay, those three domains are pretty spread out and not very closely related, so I don't think you have an obvious weak domain.  The language barrier is a tough one to get over; the CISSP exam questions are difficult even for someone with English as their 1st language, much less a second.

In your current situation, I like to recommend studying with a method known as "domain correlation".  This means picking a concept from the book and doing your best to come up with how it correlates to the other domains.


For example, take a firewall.

Why do we have a firewall? (Network Security Domain)
For network security, to only allow access to machines that are allowed to access other machines.

Why are we trying to allow only specific machines to access other machines? (Asset Security Domain)
To minimize the number of people who should have access to the data.

Why are we trying to minimize the number of people who have access to the data? (Security and Risk Management Domain)
To prevent disclosure and loss of confidentiality.  To prevent unauthorized individuals from changing data and ruining the integrity of the data.

Who decides how to protect the confidentiality, integrity, and availability of data? (Security and Risk Management Domain)
Senior management implements controls to uphold the CIA Triad.


So we went from "why do we have a firewall" to "who implements the CIA Triad".  I tried to do this with the concepts as I studied them.  It's tedious, but it really helps for the exam itself.

In the end, it all comes back to the CIA Triad.  If you encounter a question or something you're reading in your books, try to think about whether it is dealing with confidentiality, integrity, or availability.  This makes understanding the question, and getting the answer correct, easier.

I want to achieve Associate of ISC2. I am doing my master's in Cybersecurity and I worked for two years as an information security analyst. I am just trying to make good use of my summer break; I have registered for the exam on August 10. I am done with Sybex and the Sybex practice tests, and I am scoring 80% on average. Can you suggest any practice exams or any books to make the best use of the one month I have left?

I would suggest these practice questions:


The Shon Harris practice question collection on Amazon is pretty good too.  


The key is to take as many practice exam questions as possible.  50% of your study should be books, and 50% should be practice exam questions.  To take full advantage of these questions, you should not only try to get the answer right, but also realize why the other answers are wrong.

The best way to know if you're ready for the exam is to open up a study guide book, point to any word on a random page, and be able to explain it thoroughly.

If you are in my Facebook group, I would suggest participating in the forums and giving detailed explanations; this helps to show not everyone else, but you, that you know the material.  If you can explain the concepts of the study guides in simple terms, then you are in good shape to take the exam.
