I'm sitting for the CISSP in three weeks and the adaptive testing format is messing with my head. I keep reading about people finishing at 100 questions and passing, and others going to 150 and also passing, and I can't tell if there's any real signal in the question count. I've been studying about four months, roughly two hours a day, and my Boson practice scores are consistently in the 78–82% range.
My background is eight years in network security, the last three focused on risk management and governance. Domains 1 and 5 feel solid, domain 4 is decent, but domain 3 (security architecture) and domain 7 (security operations) are weaker. I've been focusing the last few weeks on those gaps but there's a lot of ground in domain 3 especially.
The thing I keep hearing is to think like a manager, not a technician — but that's easier said than done when you've spent eight years being the technician. Does that framing actually help when you're sitting there second-guessing answer choices, or is it more useful in retrospect as an explanation for why you got something wrong?
78–82% on Boson is a solid indicator — Boson questions are harder than the actual exam in most domains. I was scoring similarly and passed at 100 questions. The real exam felt slightly more straightforward on the application-level questions.
I finished at 125 questions and passed. The whole drive home I was convinced I'd failed because a stretch around question 90 felt impossibly hard. Turns out that's normal — the CAT engine pushes you to your ceiling. Hard questions are not a bad sign.
The manager framing is real and it takes practice to internalize. When two answers are both technically correct, ask which one a CISO presenting to a board would choose. That shift changed how I read questions in a way no textbook explanation could.
Domain 3 tripped me up too. I made a one-page summary of the main security models — Bell-LaPadula, Biba, Clark-Wilson, Brewer-Nash — with their use cases and reviewed it every morning for two weeks before my exam. Made that domain manageable.