Wait, a Quarter of My CISSP Exam Doesn’t Even Count

You spent six months studying. You read the Shon Harris doorstop. You took 4,000 practice questions. You walked into that testing center, sat down, got your 100 questions, and then found out that 25 of them were just ISC2 experimenting on you.

Yeah. That’s a thing.

ISC2 embeds 25 unscored “pretest” questions into every CISSP exam. You won’t know which ones they are. They look exactly like the real questions. They’re scattered throughout. And they do not count toward your score. They are, functionally, field research wearing a suit.

So why does one of the most prestigious cybersecurity certifications in the world spend 25% of your exam day running a science experiment on you?

Because writing good certification questions is genuinely hard, and ISC2 has figured out that the only way to know if a question is good is to put it in front of real candidates and watch what happens.

A question that seems perfectly clear to the subject matter experts who wrote it might read as ambiguous to someone under exam pressure. A question that looks easy might have two answers that are technically both correct, depending on how you interpret the scenario. A question might be pitched at the wrong difficulty level for where it appears in the adaptive pool. You can’t find any of that out by staring at the question in a conference room. You find it out by running it live.

That process is called psychometric validation, and it requires a real sample size of actual test takers before a question earns its place in the scored pool. ISC2 needs to know things like: what percentage of strong candidates get this question right? Does it discriminate well between people who know the material and people who don’t? Is it too easy, too hard, or just right for its intended difficulty tier? None of that data exists until real humans with real stakes sit down and answer it.

The CISSP has always been an adaptive exam, which makes question quality even more important than it would be on a linear test. In the computerized adaptive testing format ISC2 uses, the exam is constantly adjusting which question to serve you next based on how you’ve been performing. The whole model breaks down if the questions feeding that algorithm have bad psychometric properties. So ISC2 needs a deep bench of rigorously validated questions, and the only way to build that bench is to keep cycling new items through the pretest pipeline.

From a candidate standpoint, the maddening part is that you will never know which 25 questions you can throw your hands up on. The upside is that the pressure is the same either way. You can’t game it. You can’t sit there trying to spot which questions feel “experimental.” They’re designed not to feel that way.

What you can take from this is that your 100-question exam is actually a 75-question scored exam with 25 invisible passengers, which means your real scoring margin is smaller than the question count implies. Getting through with a passing score requires consistent performance across those 75 scored items, not just a decent overall average across all 100. That doesn’t change how you prepare. It just means you bring your full effort to every single question, because you don’t get to know which ones are keeping score.

The system is a little annoying. It is also the reason the CISSP carries the weight it does. Every question on that exam earned its place by surviving exactly the process you just helped run.

Mike Schwartz

Big Dog Cert

Alright, lemme give it to ya straight. No sugarcoating, no corporate fluff, just the real deal. I'm Mike. Fifty years on this planet, and I've done it all. I started out in IT back when "the cloud" was just what you saw out the window, worked my way through HR (yeah, I've been the guy who had to sit across the table from people and keep a straight face), and then did a stretch in sales where I learned real quick that if you can't sell yourself, nobody's buying what you're pitching. Three careers. One guy. Zero patience for textbooks that read like they were written by robots.
