
Fail The CISSP Exam? What To Do Next


I can't relax, I just failed this dumb exam after studying for 5 months!

It's not the end of the world.

Don't tell me that, I might lose my job!

You'll find another job.

You don't understand, I needed this, my family needed this.

Failures can sometimes take our minds to dark places, but as hard as it seems right now, try to stay positive. The fact that you're even taking the exam means you probably work in IT, or are involved with it in some way. If you're in IT, you probably have a roof over your head, food on your table, and clothes on your back - you're already doing better than a good portion of the people on this planet.

Whenever I feel down, I take some time out to realize all the things I do have, instead of the things I don't. And that my wish to own a luxury car one day is insignificant compared to the wish of someone to just simply own a car.

If you did not pass the exam the first time, it's not the end of the world. It's enormously frustrating is what it is. Take comfort in knowing that just the fact you are taking the CISSP exam puts you a cut above a lot of other folks in the information technology field. To study security means you also have to know a little bit about everything: networking, coding, risk management, or the different types of fire sprinklers. Security is a tough gig, which is why the rewards are bigger.

Whether you passed or failed the CISSP exam, only later do you realize that the journey to the CISSP, and the struggles along the way, is the real prize.

The only real failure is if you give up.

If you want to take it again, I've broken down what your score means, and what could be done to pass the exam next time. This is not official by any means, it's just my humble opinion and I hope it helps you in some small way.

Below Proficiency in 1-2 domains

Focus: 30% on study material, 70% on practice questions

So close. So, so close. If you failed with 1-2 domains at a "Below Proficiency" level, you have every right to take your CISSP books and throw them in the trash. If you cried in your car in the parking lot of the testing center and swore you'd never take the exam again, I'm with you.

It may take a week or two to get over this anger, but it does subside, as time is the greatest healer.

Let's talk 2nd attempt tactics.

Believe it or not, right now you have an unbelievable advantage: you now know more about the CISSP exam than anyone else who has not taken it yet. You have conducted reconnaissance and evaluated the strengths of the enemy. At the same time, the enemy has shown you your weaknesses. Use this intelligence as a weapon in your next attempt.

At this point, your primary focus should be taking as many practice questions as possible. I have always stressed the need to take at least 5,000 practice questions before attempting the CISSP exam. It is through practice questions we start to see the concepts. It is through practice questions that we understand what the ISC2 is really testing us on in the exam.

The more practice questions you take, the stronger you become at not only the concepts, but the ability to analyze a question, understand what it is asking for, eliminate at least 2 of the 4 choices right away, and give yourself the advantage of a 50% chance at the 2 other choices. A 50% chance at 2 choices is better than a 25% chance at four choices.

Grind, grind, grind on practice questions.

There is no need to go back and read your Sybex or Shon Harris cover to cover; you've done that enough already. If you need to, keep reviewing your handwritten notes, mindmaps, or PDF summaries. You can find an incredible set of notes in the Study Resources section of this website.

If your printout said you are weak in a certain domain, then read about that domain completely in your study guides. Don't let that domain become your weak point ever again, learn it to the point that you can teach it. It's the only way.

Practice cross-domain correlation, a technique I demonstrate in our videos section here. The cross-domain correlation technique is a great way to prove to yourself that you can see the bigger picture in this security thing. It proves that you can see how one topic in the Security and Risk Management domain can relate to the Software Development domain which is all the way on the other side of the CBK spectrum.

You basically have the certification right in front of you, it's just going to take a little push, a few more practice questions, a bit more reading, and your unrelenting drive to not give up and take another shot at the exam.

Below Proficiency in 5-7 domains

Focus: 50% on study material, 50% on practice questions

At this point it is about a delicate balancing act. You need to read, read, read, and couple it with a continuous rotation of practice exam questions.

You have the necessary basic grasp of the concepts, that's no issue. It's just that there might be some concepts you might have missed, some concepts that did not want to be so easily discovered while you were reading.

By reading over your books again and again, you can flush out these hidden concepts. By taking an additional 2,000 to 3,000 practice questions, you will find these elusive concepts. Focus 50% of your time reading and 50% of your time taking practice questions to create a powerful study combination.

Keep doing exactly what you have been doing, but push yourself and take it to the next level, next resource, next book, next sleepless night, next 6 a.m. alarm clock on your day off, and your next conviction to not give up.

Below Proficiency in 7-8 domains

Focus: 70% on study material, 30% on practice questions

Below Proficiency in 7-8 domains means you might not have a lot of information security experience, or the material is just not clicking into place yet.

Did you read the Sybex 7th Edition book cover to cover at least three times?

Did you read the Shon Harris 6th or 7th Edition book cover to cover at least once?

If you haven't, just do it.

I know it's a long book with extremely dry material, but reading the entire book once and understanding where things fall into place goes a long way in understanding the concepts faster.

If you read a lot of our "How to Crack the CISSP Exam" posts, a majority of the CISSPs have read at least one of the books all the way through.

You can also check out "How to Crack Your CISSP Exam".

While reading through either book, if something doesn't make sense, dedicate some time to external research.

For example, you read about polyinstantiation over and over again and you still don't understand it. Go to Google, and type "polyinstantiation" into the search bar. Take a look at the first 10 links and open each one in a new tab.

Go through and read all of them. Chances are somebody else has the same questions you have about polyinstantiation, which have been answered by other users. Don't read for the sake of reading, read to learn.

Then go to YouTube, type "polyinstantiation" into the search bar, and do the same thing - watch the first ten videos that come up. Don't watch for the sake of watching, watch to learn.

This is time consuming and takes a lot of effort, but it's a good way to just completely immerse yourself into the topic. It helps to remember it this way.

As with the other previous scores, continue to keep doing practice exam questions as much as you can.

If you have exhausted all your study material, all the practice questions you can find, and all the everything - I offer a paid membership to this website. It's not meant to be your sure-fire way to a guaranteed pass, but it's just another source and a different way to study in your journey to the CISSP.

If you need a place where nothing but CISSP goes on 24 hours a day, then we also have this Telegram group. It is managed by CISSPs, supported by aspiring CISSPs, and provides contributions by security professionals. To some, this is a second home away from their regular studies.

Good luck, and may the Force be with you.

