Right, so I’ve just passed the CISSP. Second attempt. At 100 questions. And I’m fairly certain I aged about five years in those three hours at the testing centre.

For those blissfully unaware, the CISSP (Certified Information Systems Security Professional) is what happens when cybersecurity professionals decide they haven’t suffered enough and need a formal certification to prove they can think like a manager whilst simultaneously forgetting how to breathe.

It’s the sort of exam that makes you question your life choices, your career path, and whether that quiet farm with the goats might not be such a bad retirement plan after all.

the first attempt (or: pride before the fall)

April 2025. There I was, walking into the testing centre with what can only be described as misplaced confidence. I’d been studying for months, done all the practice tests, watched all the videos, read all the books. I was ready. I was prepared. I was absolutely going to nail this thing.

Narrator: He did not nail this thing.

Back then, ISC2 didn’t offer their “Peace of Mind” package (that lovely option where you get a second attempt included). It was one shot, one kill. Except I was the one that got killed. The exam absolutely destroyed me, and I walked out feeling like I’d just been in a very polite fight with someone who knew exactly how to hurt me using only the English language.

The thing nobody tells you about failing the CISSP is that it’s not like failing a normal exam. It’s more like having a philosophical conversation with someone who keeps pointing out flaws in your fundamental understanding of reality. “You thought you knew security? That’s adorable.”

the long gap (or: seven months of productive avoidance)

After that first failure, I did what any reasonable person would do: I avoided looking at anything CISSP-related for a solid few months. The books went on a shelf. The notes got filed away. I convinced myself I was “processing the experience” and “consolidating my knowledge,” which is a fancy way of saying I was pretending the exam didn’t exist.

But here’s the thing about the CISSP: it doesn’t let you forget. Every job posting mentions it. Every LinkedIn profile has those letters after their name. Every time you’re in a meeting about security governance, there’s that little voice asking “But do you really understand GRC, or are you just winging it?”

Eventually, I noticed ISC2 was offering their Peace of Mind package again (two attempts for a few hundred extra dollars). It felt like a sign. Or possibly like ISC2 admitting that their exam is hard enough that people deserve a do-over. Either way, I booked it.

the second attempt (or: embrace the chaos)

November 2025. Seven months after the first attempt, I’m back in that testing centre, except this time with a safety net. If I fail, I get another shot. Somehow, that made it both better and worse. Better because less pressure. Worse because I knew exactly what I was walking into, and it was going to be absolutely horrid.

The exam starts. Question one appears. My brain immediately goes into that familiar mode of “Is this English? This is technically English, isn’t it? Why does it feel like I’m reading poetry written by a lawyer who’s had a stroke?”

ISC2 has this special talent for taking perfectly reasonable security concepts and phrasing them in ways that make you question whether you’ve forgotten how to read. It’s like they hired poets with trust issues to write the questions. Every sentence has about seventeen subclauses, three implied assumptions, and at least one word that means something completely different in a security context than it does in actual human conversation.

the peculiar torture of adaptive testing

The CISSP uses CAT (Computerised Adaptive Testing), which is a fancy way of saying “the better you do, the harder it gets until you either prove your competence or break down completely.” The exam stops somewhere between 100 and 150 questions, as soon as the algorithm is confident enough to call a pass or a fail, so finishing at exactly 100 only tells you that it made up its mind early, not which way. It’s like a video game that actively hates you and wants you to suffer.

Questions 1-25: “Right, these aren’t too bad. I might actually know what I’m doing.”

Questions 26-50: “Okay, these are getting trickier, but I’m managing.”

Questions 51-75: “Is this still English? Have I accidentally switched to the advanced alien technology version of the exam?”

Questions 76-100: “I would like to hire someone else to think while I just focus on breathing, please.”

Everyone says “think like a manager” when answering CISSP questions. Excellent advice, except halfway through the exam, the only thing I wanted to manage was my escape from the testing centre. “Think like a manager” is great until you’re on question 87 and you’re thinking less like a manager and more like someone who’s forgotten how basic cognition works.

the moment of truth (or: please don’t make me do this again)

When the exam stopped at 100 questions, I had that special feeling that can only be described as “coin toss uncertainty.” The CAT algorithm had decided it had collected enough data to make a determination about whether I was competent or just very good at guessing.

I walked up to the counter. The nice person printed out a piece of paper. I looked at it with the sort of dread usually reserved for opening exam results at school.

CONGRATULATIONS

I swear I nearly hugged the receptionist. Managed to restrain myself, probably looked like I was having some sort of minor medical event instead. Apparently, this is the standard reaction of successful CISSP candidates: complete disbelief followed by an overwhelming urge to embrace strangers.

what actually helped (or: my survival toolkit)

If you’re contemplating this particular form of professional masochism, here’s what got me through:

The Books

Destination CISSP: A Concise Guide - Bless this book for being actually readable. It doesn’t try to bore you into submission like some of the other materials. It just explains things in a way that makes sense, then moves on to the next topic like a completely reasonable learning resource.

The Practice Questions

QuantumExams - You’ll curse the odd wording at first. The questions feel weirdly phrased and slightly off. But here’s the secret: compared to the real exam, QuantumExams feels like karaoke night. The actual CISSP is more like competitive poetry interpretation written by security professionals who’ve forgotten how to communicate with humans.

I did three non-CAT practice exams to build up stamina, then switched to CAT mode to get used to that particular flavour of psychological torture.

The Videos

Pete Zerger on YouTube - Concise, clear, doesn’t make you feel like an idiot. His exam cram videos are brilliant for those final weeks when you need to consolidate everything without reading another thousand-page study guide.

The Secret Weapon

LLMs (AI tools) - Absolute lifesaver for explaining concepts in plain English and creating mnemonics that actually make sense. There’s something beautifully ironic about using artificial intelligence to help pass an exam about protecting systems from potentially dangerous artificial intelligence.

(For legal reasons, I should clarify: I didn’t use AI during the exam. I used it for studying and understanding concepts. The exam centre has better security than most government facilities, and they’d probably notice if I was consulting ChatGPT mid-test.)

the language barrier (or: ISC2’s special dialect)

Here’s something nobody warns you about: being a native English speaker doesn’t help as much as you’d think. Doesn’t matter where you’re from or how well you speak the language. ISC2 has invented their own dialect.

The questions are phrased like someone took a perfectly reasonable security scenario, translated it into Latin, ran it through a legal document generator, then translated it back into English via three other languages and a cryptographic cipher.

You’ll find yourself halfway through a question thinking “Is this asking what I think it’s asking? Or is there some hidden subtext about risk management frameworks embedded in the sentence structure?”

The answer is: probably both. And also neither. And somehow simultaneously all possible interpretations at once, until you choose an answer and collapse the quantum superposition into one very specific wrong interpretation.

why it’s actually worth it (no, really)

Despite everything I’ve just said (and I mean every word of it), passing the CISSP genuinely feels like an achievement. Not because the content is impossibly difficult, but because the exam is a proper test of whether you can:

  1. Understand security concepts at a strategic level
  2. Think through complex scenarios under pressure
  3. Parse deliberately confusing language to find the actual question
  4. Make decisions based on risk management principles, not technical preferences
  5. Survive three hours of psychological warfare disguised as a professional certification

The CISSP isn’t testing whether you can configure a firewall or write security policies. It’s testing whether you understand security as a business function, can think strategically about risk, and won’t panic when faced with scenarios that have no obvious right answer.

Plus, the fact that you need five years of professional experience (or four years plus a degree) just to sit the exam, followed by an endorsement process where someone with the certification has to vouch that you’re not making up your career history, makes it one of the few certifications that actually maintains its integrity.

the reality check (or: what it actually means)

Fifteen years in IT: Desktop Support, Network & Security, DevSecOps, now Cyber Engineering and GRC. I’ve collected my share of Cisco and AWS certifications along the way. Good credentials, useful knowledge, definitely helped my career.

But the CISSP is different. It’s not a technical certification. It’s not about knowing how to configure specific tools or deploy particular technologies. It’s about understanding security as a discipline across all eight domains: security and risk management (the governance, risk and compliance bit), asset security, security architecture and engineering, communication and network security, identity and access management, security assessment and testing, security operations, and software development security.

Does passing the CISSP make me a better cybersecurity professional? Probably not immediately. What it does do is validate that I understand security at a level beyond “configure this tool” or “follow this procedure.” It proves I can think strategically about security as a business enabler, not just a technical tick box.

advice for the brave (or: if you’re considering this madness)

If you’re thinking about attempting the CISSP, here’s my honest take:

Do it if:

  • You have the required experience and work with security at more than just a technical level
  • You want to validate your security knowledge across all domains
  • You’re prepared to study concepts, not memorize facts
  • You can handle three hours of the most confusingly worded questions you’ve ever encountered
  • You need a certification that actually means something in the industry

Maybe reconsider if:

  • You’re purely technical and don’t care about governance/management
  • You think you can cram for it in a few weeks (you cannot)
  • You’re expecting straightforward technical questions (they don’t exist here)
  • You’re not prepared to potentially take it more than once

Definitely reconsider if:

  • You have a comfortable farm with goats as a backup plan and are seriously contemplating retirement

the final word (or: was it worth it?)

Yes. Absolutely. Would I do it again? Absolutely not, because I’ve already done it and that’s quite enough, thank you.

The CISSP is brutal, confusing, occasionally feels unfair, and definitely makes you question your life choices. It’s also one of the most respected certifications in cybersecurity for good reason: because earning it actually means something.

When that CONGRATULATIONS paper printed out, all the stress, studying, confusion, and seven months of avoiding the inevitable suddenly felt worth it. Not because I can now put letters after my name (though that’s nice), but because I genuinely proved to myself that I understand security at a level I wasn’t sure I did before.

To everyone still preparing: hang in there. It’s brutal, but when that pass sheet prints out, it’s pure bliss. Or possibly just profound relief that you never have to do it again. Sometimes those feelings are indistinguishable.

To everyone who’s already passed: we’re part of the gang now, apparently. I’m still not entirely sure what that means, but I’m told it involves nodding knowingly when someone mentions “think like a manager” and having strong opinions about risk management frameworks.

And to the nice receptionist at the testing centre: sorry for looking like I was about to hug you. That was just the adrenaline and profound relief that I wasn’t going to have to come back for a third time.


Written by someone who has now officially proven they can think like a manager, even if they still don’t entirely understand what GRC is actually made of. The investigation continues.

Study Resources That Saved My Sanity:

  • Destination CISSP: A Concise Guide
  • Pete Zerger’s YouTube Channel
  • QuantumExams Practice Tests
  • Various LLMs for explaining concepts (ChatGPT, Claude, etc.)
  • A truly unreasonable amount of tea and determination