Cyber security certification overhaul brings new questions and longer exams


The cyber security industry body that issues the Certified Information Systems Security Professional (CISSP) exam has announced an overhaul to the way the exam will be run this year.

Starting 1 June 2022, CISSP exam participants using the Computerised Adaptive Testing (CAT) format will be exposed to double the number of ‘dummy questions’ in the exam paper - experimental questions that are unscored but are used to inform the suitability of questions in future exam papers.

The International Information System Security Certification Consortium, commonly referred to as (ISC)², said the exam will now have an additional 25 pretest questions, bringing the total to 50.

Experts have said the move could bring a positive change to the exam, including more accurate testing.

"Setting fair examinations is an art in itself, so the introduction of ‘dummy’ questions can potentially lead to more accurate results," said Kevin Curran, IEEE senior member and professor of cyber security at Ulster University.

“The exam has been ‘fluid’ for many years as it raises the difficulty level for each person taking the exam in response to questions which have previously been answered,” he added. “There is also a need to combat any techniques used by those taking the exam remotely, so approaches like this could perhaps be adopted by other professional certification authorities in the future.”

Other exam bodies, such as ISACA and CompTIA, have moved to remote testing in recent years after candidates said it was more convenient for them than travelling to a testing centre, and due to social distancing measures brought on by the pandemic.

(ISC)² has also recently begun proctoring its remote examinations online - a process in which an exam supervisor watches the exam-taker via a webcam link and uses screen-sharing technology to monitor for things like on-screen assistance software.




The latest change can be seen as one that targets testing development rather than the candidates themselves, said Adam Seamons, systems and security engineer at GRC International Group.

The minimum and maximum number of questions participants will have to answer will be raised from 100-150 to 125-175, and the exam’s maximum duration will be extended by an hour to four hours to accommodate the additional questions. The domains and domain weights contained within the CISSP exam outline have not changed.

“Pretest items enable (ISC)² to continue expanding our item bank to strengthen the integrity and security of the CISSP for all those who earn the certification,” said the industry body.

“The additional 25 pretest items will be evaluated for inclusion as operational (scored) items in future exams. The pretest items will be indistinguishable from operational (scored) items and should be considered carefully to select the best possible answer.”

There have been complaints in the past that the wording and expected answers could, at times, be difficult to interpret, so a more comprehensive screening of questions could lead to a reduction in this, said Phil Robinson, principal consultant and founder at Prism Infosec.

“If (ISC)² is planning an extensive question refresh, then it is a positive that they are conducting analysis on questions and answers to minimise ambiguity and ensure a sufficient percentage of candidates can make the correct choice, prior to rolling them out into live question sets,” he told IT Pro.

Connor Jones
