How Hard Is The CISSP? Real World Example

If you’re on the fence about committing to taking the CISSP, then this article is for you. The CISSP is a daunting exam, even with the recent changes.  Being able to concentrate long enough on the complete 100 questions is not an easy task.  Knowing you might face additional questions is an added layer of stress. 

So, how hard is the CISSP? Without a shadow of a doubt, the process to obtain the CISSP is demanding, requiring a consistent approach to studying and self-discipline. Even with years of cybersecurity experience and half a dozen certifications under my belt, I found the exam to be uniquely challenging.  

I’ll dive into the reasons why in the rest of this article and what you can do to make your journey easier.  The difficulty is of course subjective, so you might find obtaining a CISSP trivial, you might also find it’s the hardest challenge of your professional career.

What Makes the CISSP so Hard? 

As with any certification or exam, the difficulty is a very personal experience.  I personally found the CISSP to be one of the harder sit-down certifications I’ve ever completed, but it wasn’t the hardest I’ve had, and I’ve learned more useful information during other certification processes.  

No matter your experience, I would say that everybody will need to study to complete the CISSP.  It’s not an exam or certification that you can utilize your real-world experiences to pass, simply because it covers so many domains.  

The best way to ease the CISSP experience is to prepare for it in a consistent and well-thought manner.  Plan out how you’re going to study for it and ensure you can identify and work on your weak areas.  

I cover how to prepare for this CISSP in detail in this article. 

In addition to covering a lot of ground and subjects, the CISSP exam format is unique in my opinion.  The way questions are formatted can make them challenging.  I found myself reading some questions several times over before I confidentially say I knew exactly what they were asking. 

Even when you understand the question, the multiple-choice answers often present several answers that could be correct.  It’s important to be in the right mindset during the exam and think carefully about the framing of the question.  

For example, if the question asks you what you would do as a manager in a situation, you need to put yourself into the manager’s shoes and not immediately think about how you would respond in the real world as a Security Engineer. 

It’s often a question of picking the most correct answer bases on the scenario presented and I personally found it the most demanding aspect of the exam process. 

CISSP Study and Experience 

Your personal experiences will heavily impact your study requirements and the areas you’ll need to work on.  

I have worked in several areas during my cybersecurity career including Access & Identity Management, SOC, Vulnerability Management, Data Loss Prevention, and Security Architecture.  This experience meant some areas of study where straightforward, but other areas such as software development where tough.

Your own experiences will of course be different and will impact what areas you’ll need to work on the most.  

I found carrying out a practice test right at the start of my CISSP journey allowed me to understand my weak points where meaning I could better focus my efforts.  In addition, before starting a new domain, I completed a quick assessment to really dial in my current understanding of the subject matter. 

The method of study needs to play to your strengths.  So it’s a good idea to already have experience in studying for exams and certifications so you know what works for you.

I personally found 90 mins a day for approximately 8 weeks was more than enough to prepare, but your mileage may vary.

I also found practice tests were the best form of studying for me as it was more engaging and less dull.  For this, I used the CISSP Official (ISC)2 Practice Tests.  

My studying basically boiled down to download the audio version of the CISSP course to listen to during my commute.  Using CISSP flashcards on my phone and working through the practice tests. 

Once I could get over 80% on a practice test I was ready for the exam.

You might find studying and taking notes while working through the (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide a better way of studying. 

There is no right or wrong way of studying and having some prior experience of certifications will give you a good idea of what works for you.  I’m not a fan of intensive training courses, but that might be exactly what works for you.  

In terms of how long you need to study for the CISSP, I’ve covered this in-depth in this article.  But I would allow for between 60 – 120 hours of study, but it’s largely dependant on your prior experience.

Studying for 2 hours every night will allow you to complete the CISSP within 1 – 3 months. At this point, I should heavily emphasize that it might take you much longer than this, which is totally fine.  There is no limit on how long you can or should study for the CISSP. 

Why Get a CISSP?

The CISSP is one of the most sought-after certifications out there and it can and will open the doors to a variety of career paths within cybersecurity.  

It won’t, however, guarantee a job in any field.  But it should be enough to secure you an interview for many positions.  

The CISSP proves to your peers that you’ve attained a certain level of knowledge across multiple domains within the security field.  

Anyone that has passed the CISSP will understand the commitment and hard work that goes into attaining the certification, which also demonstrates your ability to work at something until you attain it. 

A CISSP can increase your earnings, with jobs advertising CISSP as a requirement frequently coming in at the top end of the pay scale for cybersecurity jobs. 

The CISSP will also give you a reason to keep learning and on top of your skillset.  To keep your CISSP active, you’ll need to gain 120 CPE credits every 3 years.  

CPE credits are gained by several means, for example: 

  • Reading an industry-related book
  • Gaining another certificate
  • Publishing a paper
  • Completing a degree
  • Attending a related conference

You’ll need to complete multiple types of learning activities to attain the full compliment of CPE credits. 

Final Thoughts

The CISSP is a challenging and rewarding experience for anyone with prerequisite 5 years of experience.  It’ll test even the most knowledgeable of security professionals.  

If you put in the hard work and find a way of studying that works for you, then there’s no reason why you can’t attain the CISSP.  It’s in many ways a hard exam process, while at the same being straightforward. 

As the topics covered in the CISSP are so varied, you don’t need to become an expert in any one area.  You’re not going to have to configure a firewall, but you need to know how they work at a theoretical level. 

This is the strength as well as the weakness of the CISSP.  You’ll know a bit about a lot of subjects, making you a well-rounded security professional, but without specializations and real-world experience, that knowledge is rarely directly applicable to real-life scenarios.

Jonathan Holmes

Jonathan Holmes is a writer for HKS Siblab, an education and business blog. He has a MSc in Cyber Security & Digital Forensics from the University of Hertfordshire and has been working in the cyber security industry since 2010. In his spare time, he enjoys reading, playing guitar and spending time with his family.

Recent Posts