Pen used to fill out an exam.

Preparing and Passing Certification Exams

Certification Exams

Learn how to:
  •  Discover the gaps in your knowledge
  •  Teach yourself and improve your memory
  •  Find the correct answer
  •  Improve your chances on questions where you're uncertain

In order to prepare for, and pass, a professional certification exam, you need to understand the exam's goals. What is it trying to measure? In which group of people? How does it do that?

Once a little reading and a few practice exam questions have shown you what it is that you don't yet know, you will have to learn and memorize some things. Learning new knowledge and recalling that information are two very different mental tasks.

In the mid-2010s CompTIA changed many of their questions so that their main focus is a very careful analysis of language. (ISC)2 has also started doing this. Yes, many questions really test your ability to carefully analyze English prose much more than they test your understanding of information technology. I have some examples of this and guidance for how to succeed.

I have taken and passed cybersecurity exams run by (ISC)2 and CompTIA — CISSP, CCSP, and Security+. However, many of these techniques will help you prepare and pass exams on other topics. They should help you on any multiple-choice professional certification exam.

Understand the Nature of Certification Exams

In 2023 the exams cost $370 or €334 or £219 for Security+, $599 or €555 or £479 for CCSP, and $749 or €650 or £560 for CISSP.

Maintaining a certification then costs an additional $50/year for Security+ and $125/year for all (ISC)2 certifications.

Yes, a certification company may file their taxes in a way that makes them a non-profit organization. But that doesn't mean that they don't make a lot of money. The U.S. National Football League was a non-profit organization exempt from paying taxes from 1942 to 2015. U.S. Major League Baseball was tax exempt until 2007. Meanwhile those organizations were bringing in billions of dollars and paying many multi-million dollar salaries.

Several organizations offer certifications. They can make a lot of money issuing certifications. And, of course, these organizations also run test-prep courses for significant fees.

(ISC)2 took control of the exam-prep course market for their certifications. They sent lawyers after firms offering courses purporting to prepare you for the CISSP exam. Then they changed their textbook and course in May 2021 to much more explicitly not be exam preparation. It's a very nice course for people already involved in cybersecurity, potentially making them significantly better in that field. It's a jam-packed week of long hours going through a 1,240 page book. But at the end of that course that costs US$ 3,600 to 4,100, the student isn't necessarily any closer to passing the exam. You would be ready to start your exam study and preparation, entirely on your own.

An organization wants to sell you a ticket to their exam, but they also want to continue to sell tickets. They must make sure that the public continues to think that their exams are meaningful. Imagine that people started saying "Oh, that exam was pretty easy. I didn't have to study very much, and I know someone who simply walked in with no preparation and passed it." Companies would no longer be willing to pay high prices for their employees to take the exams.

The extremely shady "educational integrity" industry

The testing organizations want to keep their exams difficult, even if the subject area is pretty straightforward. So, they make questions unfairly tricky and difficult to interpret.

The certification organization will have a list of things they want you to know, or at least know a certain percentage of them, before they give you a certification. Each question will attempt to measure whether or not you know one of those things.

Or, ideally from the certifier's view, multiple things. A question might pose the problem of encrypting a large set of data, like an entire file system. It would then ask you to select a cipher algorithm from a list of acronyms: AES, DES, ECC, and RSA. You can only answer that if you:

  1. Notice the mention of the large size of the data, and realize that speed is an issue;
  2. Know that symmetric ciphers are much faster than asymmetric ciphers when used with key sizes providing roughly equal strength against brute-force attacks, and that asymmetric ciphers are really practical only for encrypting small pieces of data like symmetric session keys;
  3. Know that AES and DES are symmetric, thus fast and practical for use with large data sets, while ECC and RSA are asymmetric and practical for protecting symmetric session keys; and
  4. Know that DES dates from 1977 and has a 56-bit key, which was publicly brute-forced in 1998 and which NIST has since withdrawn, while AES is its replacement, standardized in 2001 with 128-, 192-, or 256-bit keys and correspondingly greater strength, making AES the best answer.

Now they have squeezed several questions into one!

Understand What Certification Exams Aren't

At least for the cybersecurity exams, they are not tests on the obvious subject matter. Don't approach a certification exam as a subject-matter expert. That certainly won't help you, and in fact it often hurts.

If you design and run enterprise servers, or if you run switches and routers, or if you write web application software, or if you manage software development projects, or if you work with sensitive data and must maintain regulatory compliance (HIPAA, GLBA, Sarbanes-Oxley, etc), do what you can to disregard your specialized knowledge and skill.

The exams are written for the very broad range of people who take them. They're written for people who have never worked in your specific field. If you aren't careful, you will do poorly in the areas in which you're knowledgeable. Leave your expertise, and even more so any job-specific requirements, outside the testing room.

When you're doing a question from your area of expertise, remember that it's meant to see if someone who doesn't have your background knows just enough to pass the exam.

What is the Certification Exam Audience and Purpose?

People often say "To pass these exams, think like a manager." That isn't exactly right.

Security+ Details

CompTIA Security+ — They assume this is very likely your third CompTIA exam — you probably did their A+ or PC hardware certification, and then worked in the area for a few years. Then you took their Network+ certification and became more involved in networking. Now, a few years after that, you're back for your third exam. Or at least you followed that career trajectory, not necessarily taking the earlier two exams.

The Security+ exam tries to determine if you're ready to help the people doing hands-on technical work — desktop support, system administrators, database administrators, and network engineers — communicate with their managers and the layer of management above them. To some extent, it's a vocabulary test to see if you can use the right words when one party in the conversation doesn't necessarily know all that much about the topic.


(ISC)2 CISSP and CCSP — These are for people who will be a little further away from the hands-on workers. CCSP in particular is allegedly about cloud security, but several of its questions are explicitly about non-cloud situations. It's much more consistently about regulatory compliance — international, national, and state and provincial law, plus industry regulations.

The (ISC)2 exams try to determine if you're ready to be a subject-matter expert giving advice to upper management. Can you provide useful advice to top management for their business decisions about corporate risk management and compliance?

Upper management doesn't want to know how to configure BIND, SSH, or Nginx.

They do appreciate knowing that DNSSEC keeps attackers from forging the DNS answers that point customers at the corporate web site, that forward secrecy means a key compromised today does not expose sessions recorded in the past, and that TLS 1.3 can better protect your customers' data while simultaneously improving your web site's performance.

To distinguish CompTIA and (ISC)2 exams: CompTIA exams are about memorizing — acronyms, TCP port numbers, and specific words and phrases.

(ISC)2 exams, on the other hand, are about analyzing — what does this mean for matters important to management, like compliance and business decisions.

That's enough on specific cybersecurity exams. Let's look at general studying and test-taking advice.

If You Do Nothing Else, Do This

You can't take anything into the testing room, but go ahead and make the crib sheet you would like to have.

In most classes in undergraduate and grad school electrical engineering at Purdue, I could take one sheet of paper into an exam. Whatever the topic — electromagnetics, organic chemistry, Russian — you were allowed to do whatever you thought appropriate to compress all of the semester up to that point onto a single page. Cramped tiny writing, lists, tables of grammar, sketches of antennas and feedlines, example Smith charts, whatever you could cram onto one page.


You worked on your crib sheet for hours, and you worried that you might lose it. You triple-checked that you had it with you when you went to the exam. And then...

Once you began the exam, you didn't look at it.

You didn't need it. The process of analyzing the material, figuring out "What do I need to know?", and organizing that and writing it down had made you learn it.

Make your crib sheet to learn the material. Then use it for your last-minute review when you're relaxing outside the examination room before going in. Lock it up with all your other possessions and go in to ace the exam.

Use Practice Exams Carefully

The best practice exams I have seen are those from Sybex. They're the best simulation of the real exam questions. The answer keys in the back not only tell you what the correct answer is, but why.

  •  CompTIA Security+ SY0-701 Practice Tests (Sybex), Amazon 1394211384
  •  ISC2 CISSP Official Practice Tests (Sybex), Amazon 1119787637
  •  CompTIA Security+ SY0-701 Study Guide (Sybex), Amazon 1394211414
  •  ISC2 CISSP Official Study Guide (Sybex), Amazon 1119786231

The Sybex study guide books are decent explanations, and they have practice quizzes with 10 to 30 questions at the ends of the chapters. However, some of the Study Guide quizzes aren't as realistic. For example, in the CCSP Study Guide quizzes, the wrong choices tend to be too wrong. That makes its questions easier than the questions on the real test.

Don't over-expose yourself to practice questions. You can only use a practice question a few times before you have unintentionally memorized it. You recognize it as a question you've seen before and you remember the choice for that specific one. Some people try to repeatedly do the same questions over and over in an attempt to learn the concepts. That doesn't work. You instead memorize that specific practice quiz. But you won't see those specific questions on the real exam.

You don't learn concepts from practice quizzes. Instead, they give you practice recalling information that you have already learned or at least memorized.

Go through the domains, try a 10 to 20 question example quiz for each. There's no need to do a large number of questions, and it would hurt you because of early over-exposure to questions before you're really ready. Mark your practice exam answer sheets, recording which exam questions you used, and which ones you got wrong.

Now you should know which domains you're doing OK in, and which ones need work. Read study guide material to learn the concepts.

When you feel that you're better prepared, try those same questions again. If you don't do better, then apparently you need to put more effort into those reading and study sessions!

Now, if you do better, you don't know if that's because you have a better understanding, or if you just remembered the answers from before. So try another 10-20 questions that you haven't seen yet.

When you think you're at your goal for one domain, try a larger set of questions just on that domain. Maybe 40 or 50.

When you think you're at your goal for all the domains, now it's time to try a realistic test. A mix of questions from all the domains, as many questions as you get on the real test.

If you're scoring at your goal on a mixed-domain realistic exam, it's time to take the test immediately!

What About Another Book?

Hopefully you can read one book and come to understand the topics covered by the exam.

A different author will explain things differently, so try a second book if needed.

Note that the books published by (ISC)2 are not good study books. See the above discussion — the certification company has no interest in making their exam easy. The (ISC)2 CCSP book, on cloud computing security, is about 600 pages long. Just one short paragraph mentions containers, and it says next to nothing about container security. One of its two authors focuses on introducing management to the potential business advantages of cloud computing. The other is fascinated by the history and development of privacy regulations. Neither of those topics is on the test. (ISC)2 charges $800 for their book, and if you teach an (ISC)2 test-prep course and you don't use their book, you'll hear from their lawyers.

However, if you have read two quality study-guide-style books and you still don't understand several topics, reading a third and then a fourth book probably isn't going to help. Apparently you aren't extracting the information from the books.

I had a student in a test-prep course once who had read something like 8 CISSP test-prep books and was desperate to get recommendations for a 9th and 10th. He was naming titles that I had never heard of. He was downloading bootleg PDF versions of these books, so who knows if they were even complete versions.

If you have read both the Sybex and All-in-One study guides for a cybersecurity exam like Security+, CISSP, or CCSP, and you still don't understand the topics, I really have no further suggestions for useful books to read. If you're in this situation, you need to figure out what the books should have said. I would guess that you've gotten yourself overwhelmed by the volume of information, and the more you read the less you get out of each book. Reading yet another book will make things worse, not better.

Organize your own study guide or outline. Who knows how many pages long it will be. That's OK, you need to get the information organized in a way that makes sense to you. Later you can make multiple passes through it, shortening it down to just what it needs to be.

Reading Books Versus Doing Practice Questions

The details of this story are on another page, but on a solo trip to Japan I wanted to learn the katakana and hiragana scripts for phonetically spelling Japanese. That way I could, I hoped, make sense of menus in hole-in-the-wall places, where the menus tend to be strips of paper tacked to the wall. えだまめ = edamame, やきとり = yakitori, ラーメン = ramen, and so on.

Every time I sat down to eat or drink — a meal, coffee, a beer in an izakaya or tavern — I would write out the table of glyphs at least one time. Once I knew a third to a half of them, I would try to then write names of places I had visited, what I was eating and drinking, where I would go later that day. This helped me to form new memories.

Then, when I was doing my tourism, seeing temples and shrines, walking through markets, and riding trains, I would try to pronounce all the signs that I could. This helped me to recall memories.

Writing the tables and words was helping me learn. I had read the Wikipedia pages on katakana, hiragana, and the Japanese writing system, and had printed copies with me to re-read as needed. This is like you reading the study guide book, deciding what really matters, and making your study guide.

Walking around and pronouncing out loud what I saw on signs was helping me recall the information. This is like you doing practice questions.

I couldn't learn to pronounce Japanese phonetic writing by walking around Kyōto looking at signs, or sitting in a tavern and looking at the menu. For the same reason, you can't learn test topics by doing practice quizzes.

Menu in an izakaya in Fukuoka.

These menus in an izakaya or tavern and a tachinomiya or stand-up bar in Fukuoka provide excellent practice at recalling katakana and hiragana, but you can't learn how to pronounce phonetically spelled Japanese script by looking at them.

Also notice the non-trivial Wi-Fi password below. d614a906ad124d  Nice.

Menu in tachinomiya or stand-up bar in Fukuoka.

How Good Do I Need To Be?

I'm certain everyone loses a few (or several!) percentage points to stress when they walk into the real exam.

I'm also certain that if you wait until you score 100%, or almost 100%, on practice exams, you will never finish. Unless you use unrealistic practice exams, which makes no sense!

My personal goal: Half-way between the just-barely passing grade and 100%.

CompTIA — 82.5% = passing

So, at least 91 to 92% on a practice exam spanning all domain areas.

(ISC)2 70% = passing

So, at least 85% on a practice exam spanning all domain areas.

What Percentage of People Pass These Exams?

We don't know.

The organizations will not tell anyone.

I have seen training companies claim that they know the percentage of test-takers who pass. They don't.

It's in their interest to claim that the overall pass rate is very low, while the pass rate for their customers is very high. But they aren't going to know the pass rate for their own customers, let alone everyone.

I also saw a large U.S. state government ask for that information just for the thousands of their employees who were going to take exams. They were willing to sign all sorts of non-disclosure agreements. Their requests were turned down.

The testing organizations do not release any information about the percentage of people who pass their exams.

Which Test Version?

Despite the common rumors and myths, (ISC)2 does not suddenly deploy a new version of a test. Yes, they will publish an update to the exam outline, or an update to their (frankly poor) books, which they charge $800 for and require training companies to use in test-prep courses. But meanwhile their exams are undergoing constant gradual evolution and updating.

CompTIA, on the other hand, does deploy major revisions — SY0-401 to SY0-501, then to SY0-601, and so on. And then, despite what they say, they make frequent changes during the life of that one release.

What Is Important?

Compress practice exam questions and their answers to shorter forms. This will make you better at understanding questions, and spotting correct answers. Let's say that a question asks:

Alice has a sensitive data file. Alice needs to send the file to Bob, who also works on the same project and is authorized to have the same access to the information. If an intruder were to intercept the message, they must be unable to read it. What should Alice do?

  1. Encrypt the message with Alice's private key
  2. Encrypt the message with Alice's public key
  3. Encrypt the message with Bob's private key
  4. Encrypt the message with Bob's public key

The correct answer is the fourth choice, Bob's public key. But the important thing to recognize is that this question is really testing to see if you know:
For confidentiality, encrypt with the receiver's public key.
That's all that really matters here. It's much shorter and simpler than the question plus the correct answer choice. Your crib sheet after a few revisions might be very terse:
CONF: enc. w/ rcvr pub.
AUTH: enc. w/ sender priv.
(Real systems don't literally encrypt a file with RSA: the file goes under a symmetric key, and only that key is encrypted to the receiver's public key. "Encrypting with the sender's private key" is exam shorthand for a digital signature over a hash of the message. The exam wants the crib-sheet version.)
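The AES/DES/ECC/RSA question earlier and this Alice-and-Bob question are two views of the same design, hybrid encryption: the bulk data is encrypted with a fast symmetric cipher, only the symmetric key is encrypted to the receiver's public key, and the sender's private key is used to sign. Here is that design in working Go, as an added example that is not part of the original page. The party names, the Envelope structure, and the choice of AES-256-GCM, RSA-OAEP and RSA-PSS are my assumptions for illustration, not something the page or the exam prescribes.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what Alice sends to Bob (illustrative structure, not a standard format).
type Envelope struct {
	WrappedKey []byte // RSA-OAEP under the receiver's public key: confidentiality
	Nonce      []byte // AES-GCM nonce, fresh for each session key
	Ciphertext []byte // AES-GCM output, authentication tag appended
	Signature  []byte // RSA-PSS under the sender's private key: authenticity
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is Alice's side: encrypt for the holder of recipientPub, sign with senderPriv.
func Seal(plaintext []byte, recipientPub *rsa.PublicKey, senderPriv *rsa.PrivateKey) (*Envelope, error) {
	key := make([]byte, 32) // AES-256 session key, used for this one envelope
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil) // any size, fast
	// RSA-OAEP can encrypt at most about 190 bytes with a 2048-bit key and
	// SHA-256, so only the session key goes through RSA, never the file.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, key, nil)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(ct)
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct, Signature: sig}, nil
}

// Open is Bob's side: verify Alice's signature with her public key, unwrap the
// session key with his own private key, then decrypt. Every failure is an error.
func Open(env *Envelope, recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	digest := sha256.Sum256(env.Ciphertext)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, fmt.Errorf("not from the claimed sender, or tampered: %w", err)
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("not encrypted to this recipient: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil) // tag check fails on any tampering
}

// GenerateParties makes throwaway 2048-bit keys for Alice, Bob, and Mallory (an outsider).
func GenerateParties() (alice, bob, mallory *rsa.PrivateKey, err error) {
	if alice, err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
		return
	}
	if bob, err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
		return
	}
	mallory, err = rsa.GenerateKey(rand.Reader, 2048)
	return
}

func main() {
	alice, bob, mallory, err := GenerateParties()
	if err != nil {
		panic(err)
	}
	env, err := Seal([]byte("sensitive project data"), &bob.PublicKey, alice)
	if err != nil {
		panic(err)
	}
	pt, err := Open(env, bob, &alice.PublicKey)
	fmt.Printf("Bob, with his own private key:  %q err=%v\n", pt, err)
	_, err = Open(env, mallory, &alice.PublicKey)
	fmt.Printf("Mallory, with her private key:  err=%v\n", err)
}
```

The two wrong choices in the question map onto the failure cases here: an outsider's private key cannot unwrap the session key, and a signature checked against the wrong public key does not verify. The same code also answers the earlier AES/DES/RSA question in practice: the file never touches RSA at all, only the 32-byte key does.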

Explain it to Someone


List the concepts you find difficult. Then explain them to someone else. Maybe you have a study partner. If not, children are pretty tolerant of having things explained to them. Dogs are extremely tolerant.

You have to think about a thing carefully to talk about it, and you have to come to some understanding to explain it. This is another form of figuring out what really matters, and simplifying descriptions to the minimum.

Think Like a Devious Test Author

Let's say you're uncertain about this cluster of related concepts: MTTR, MTBF, RTO, RPO, BCP, COO, DRP. Try to write your own multiple-choice questions involving these! Make it so it could be answered, but avoid giving away the answer.

Then look at what you wrote: how could you make it tougher while still possible to answer? This will force you to think carefully about the topic, and to notice how the wording of a question leaks hints about which choices are right or wrong.

When you get a practice question correct, do the same thing. How could you make it more difficult, but still possible to answer?

Be Self Aware

Try to be aware of what you're doing as you're answering practice exam questions.

Say to yourself while reading through the question, "There, that is the word (or phrase) that tells me what the answer is."

Or, while looking through the choices, "That word is why this one is not the correct answer."

If you're by yourself, try saying it out loud and pointing at the book or screen. That may feel strange, but it helps. You are involving multiple areas of your brain at the same time. It's quite easy to miss information or make an error when only one part of your brain is involved. But it's much more difficult, much less likely, to confuse several areas of your brain in the same way at the same time.

Point and Call

Looking, pointing, and talking is how Japanese train systems operate almost 100% error-free. See my page explaining how the Point and Call system works.

What Works For You?

We're all different. Some of what works for me will work for you, but some won't. And vice-versa. Experiment and see what works for you.

Memory is difficult to research, even more so in patients with memory problems, like those with Alzheimer's. But what we do know is that memory requires both creating a memory initially, and then recalling it later. As this Nature article says, repeated recall of a memory is needed. Practice quizzes! This Scientific American article cites the author's publications in Nature and PNAS, exploring the distinctions between forming and recalling memory. We have so much left to learn.

What About On-Line Practice Exams?

There are many on-line practice tests. Most of them are junk.

Many on-line practice exams are full of irrelevant material that isn't on the real test while omitting much that is. Others are shady operators that move from domain to domain. Sometimes you will find that there are both .com and .org variants of a given domain, each of which redirects you to a completely different, unrelated domain.

There once was aiоtеstking.com, as in "all-in-one test king". In mid-2017 they seem to have migrated to briеfmеnоw.com and then to briеfmеnоw.org. By November 2017, the two briеfmеnоw domains had entirely different content, then a month later the .com one was an empty site. Meanwhile, aiоtеstking.com now directed you to еxamcollеction.com, which had a mix of paid and supposedly free content.

Sybex, Transcender, and others run legitimate practice exam sites. That means that they don't have verbatim question content, but they're reasonably close.

Cram.com

Cram.com has questions in the form of a game or a puzzle. The format is very different from the real test, but that can be good if it makes you think about the same thing a different way. It has a few things that aren't in the real test, but during the last year or two of the SY0-401 exam, most of it exactly covered the content.

www.briefmenow.org has had questions, but what they claim are the answers are often wrong.

Lead2Pass seems to be a "dumps" dealer, selling illicit verbatim exam content. They use the tell-tale term "dumps" on their web site.

Further warning: While of course you would never look at "brain dump" sites with verbatim material, and therefore this warning is irrelevant... Some verbatim "brain dump" web sites have fuzzy photographs of actual questions and answer choices, accompanied by incorrect "explanations" of what the correct answers supposedly are.

Quizlet

A student from one course event got in touch with me later, saying that they thought Quizlet.com had been very helpful. Some quizzes there may be helpful, but anyone can upload anything, including irrelevant and outdated content, and totally wrong answers.

It's not always nuclear weapons secrets, but who knows what you'll find.

Be Careful About Language

Some questions have a list of choices that are all true and useful. You must figure out what they are asking for within that list. You must carefully analyze the English grammar, and pay special attention to the verbs. I have some examples and explanations in the practice quizzes I use when I teach test-prep courses. Here is one of them:

You want to use a system that can protect communication by authenticating the server, and also providing a copy of the server's public key in a trustworthy format. A provider of trusted certificates will only provide one when you follow their rules. There is a protocol that you can use to check in real time whether a certificate should be trusted or not. You must have a copy of the currently untrusted certificates locally, to reduce network traffic. Rather than a complete copy of the key, you may refer to its hash instead. There are ways to prevent a breach today from exposing secrets based on keys in the past. What do you need?

  1. TLS
  2. CPS
  3. OCSP
  4. CRL
  5. thumbprint
  6. PFS

This is really an English prose analysis question. All the choices are correct, relevant, and part of the story.

I have made it relatively easy by putting the answer choices in the same order they are referenced in the question text:

"a system that can ... in a trustworthy format" = TLS, Transport Layer Security
"their rules" = CPS, Certification Practice Statement
"a protocol ... in real time" = OCSP, Online Certificate Status Protocol
"a copy of the currently untrusted certificates locally" = CRL, Certificate Revocation List
"its hash" = thumbprint (the hash of the certificate, also called its fingerprint)
"prevent a breach today from exposing secrets based on keys in the past" = PFS, Perfect Forward Secrecy

"What do you need?" is the actual question. One of the sentences says "You must have": that's a requirement. The others state that an item provides some feature, or describe your plan.

"You must have a copy of the currently untrusted certificates locally, to reduce network traffic."

The requirement is for a local copy of the CRL, which is used for a step that's less obviously part of the certificate validation process. That makes it a better question from the CompTIA point of view: the less commonly considered the item, the more challenging the question.
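What that "local copy" check looks like in practice, as an added Go example that is not from the original page: it builds a throwaway CA, two leaf certificates, and a CRL revoking one of them (all generated in memory; the names and serial numbers are made up), then checks a certificate against the CRL and computes its thumbprint. The caveat the question glosses over is that a cached CRL is only as good as its signature and its NextUpdate field, so the checker treats a forged or stale list as an error rather than as "not revoked".

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Thumbprint is the SHA-256 hash of the certificate's DER encoding, the short value used to refer to it.
func Thumbprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// CheckAgainstCRL answers "is this certificate revoked?" from a locally held
// CRL, the way a client does when it will not make a per-connection OCSP query.
// A CRL the issuer did not sign, or one past its NextUpdate, is an error.
func CheckAgainstCRL(cert, issuer *x509.Certificate, crlDER []byte, now time.Time) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, fmt.Errorf("CRL not signed by the issuer: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return false, fmt.Errorf("CRL stale since %v; fetch a fresh copy", crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// BuildDemoPKI makes an in-memory CA, two leaves it signed, and a CRL revoking the first (nothing real).
func BuildDemoPKI() (ca, revokedLeaf, goodLeaf *x509.Certificate, crlDER []byte, err error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	issue := func(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
		der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caKey)
		if err != nil {
			return nil, err
		}
		return x509.ParseCertificate(der)
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(48 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, SubjectKeyId: []byte{1, 2, 3, 4},
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // crlSign is required to issue a CRL
	}
	if ca, err = issue(caTmpl, caTmpl, &caKey.PublicKey); err != nil { // self-signed root
		return
	}
	leafTmpl := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(48 * time.Hour),
			KeyUsage: x509.KeyUsageDigitalSignature,
		}
	}
	if revokedLeaf, err = issue(leafTmpl(1001, "revoked.example"), ca, &leafKey.PublicKey); err != nil {
		return
	}
	if goodLeaf, err = issue(leafTmpl(1002, "good.example"), ca, &leafKey.PublicKey); err != nil {
		return
	}
	crlTmpl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now,
		NextUpdate: now.Add(24 * time.Hour), // clients must refetch after this
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revokedLeaf.SerialNumber, RevocationTime: now}},
	}
	crlDER, err = x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)
	return
}

func main() {
	ca, revoked, good, crlDER, err := BuildDemoPKI()
	if err != nil {
		panic(err)
	}
	for _, c := range []*x509.Certificate{revoked, good} {
		r, err := CheckAgainstCRL(c, ca, crlDER, time.Now())
		fmt.Printf("%-16s thumbprint=%s... revoked=%v err=%v\n", c.Subject.CommonName, Thumbprint(c)[:16], r, err)
	}
}
```

Note what is and is not checked here: the serial-number match is the whole of the "is it on the list" step, which is why the question can call a local CRL a traffic-saving requirement. Everything else in CheckAgainstCRL exists because a CRL you downloaded last week proves nothing about a certificate revoked yesterday, and a CRL whose signature you did not verify proves nothing at all.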

Good luck!

You're on your way to making your own one-page crib sheet. The smaller your study guide or crib sheet becomes, the more you already know and the less you have to be reminded of.


Let us know how you did! Especially let us know if there were any surprises on the exam, any questions on topics we don't yet realize we need to cover.