
In June 2022, ISC2 officially updated its CAT exam format. You can now expect to see more questions (125-175, up from 100-150), additional time (4 hours, up from 3 hours), and more provisional/pilot questions (50, up from 25), which don’t count toward the actual score. The knowledge domains and weights remain the same.
Please check the details on the official ISC2 site: https://www.isc2.org/Certifications/cissp/Certification-Exam-Outline#.
I took and passed my exam in February 2022, after 7 weeks of part-time, spare-time preparation. CISSP exam preparation is an amazing learning experience: it is systematic, comprehensive, up to date, and rich in content, and all knowledge points are tightly associated with real-life work.
Here are some observations from my one-time, 100-question experience:
- I didn’t encounter multiple-selection questions. This can be a huge break for most. However, you should still prepare with multiple-selection questions so you force yourself into a stronger position. Identifying multiple correct answers is more about learning.
- I saw a spike in questions related to cloud. I would say 15% of my exam touched cloud from various perspectives. My favorite question, and the toughest of all, was down-selecting between IaaS and PaaS, which is a top decision for a cloud or security architect. ISC2 keeps pace with the industry, as always.
- Pay attention to software-defined networking (SDN). At One Page Press, I did two blog posts earlier: DevOps question and Infrastructure as code. In my case, 2 questions (different context and interest) showed up on SDN. This is how exam preparation helps you: your practice question might ask you what SDN is, and the exam asks you what SDN does. There is a list of modern technology concepts you want to fully understand.
- Cyber attack and incident management. In practice, cyber security is more about operations than anything else. The bottom line is to do everything to prevent, detect, mitigate, report, and improve. Attack methods, countermeasures, and the entire incident management process are key knowledge points. And please include observability.
- The latest industry focuses are properly and promptly reflected in the CISSP exam. You will encounter newer concepts that go beyond traditional preparation books, such as zero trust architecture, supply chain risks, wireless and cellular security improvements, and continued emphasis on privacy and compliance.
CISSP CAT is a pleasant experience. No question is too simple or suffocatingly difficult. Time does pass fast. Since you can’t go back and change answers (CAT format), you want a good rhythm where you do not rush for an answer but balance the time spent on each question. Next time, I might talk more about overall exam strategy. Please enjoy, comment, and pass the information along if you feel it is relevant.