CISSP Exam Guide: Format, Domains, and How to Pass
A complete CISSP exam guide — the adaptive (CAT) format, all 8 domains and their weights, the passing score, experience requirements, and a study plan that works.
The CISSP (Certified Information Systems Security Professional) is ISC2’s flagship certification and one of the most respected credentials in cybersecurity. It is built for experienced practitioners who design, build, and manage security programs — not for entry-level candidates.
This guide covers what the exam actually is, how it is scored, what it tests, and how to prepare in a way that tells you when you are genuinely ready. Exam specifications change periodically, so always confirm the current format on the official ISC2 website before you book.
The CISSP exam format: computer adaptive testing (CAT)
The English CISSP exam is delivered as a Computer Adaptive Test. Instead of a fixed set of questions, the exam adapts to your performance: each question is chosen based on how you answered the previous ones, homing in on your true ability level.
Because it is adaptive, the exam is variable length and ends as soon as the scoring engine is statistically confident in a pass or fail decision. Most candidates answer somewhere between 100 and 150 questions within a multi-hour window.
Why CAT changes how you prepare
You cannot "flag and come back" the way you can on a fixed-form test, and a long exam is not automatically a bad sign. Practicing on a real adaptive simulator — not just flat quizzes — is the single best way to remove surprises on test day.
The 8 CISSP domains
The CISSP Common Body of Knowledge (CBK) is organized into 8 domains. Each carries a different weight on the exam, so your study time should be allocated accordingly rather than evenly.
- Security and Risk Management — the largest domain; governance, risk, compliance, and ethics.
- Asset Security — data classification, ownership, retention, and protection.
- Security Architecture and Engineering — secure design principles, cryptography, and models.
- Communication and Network Security — secure network architecture and components.
- Identity and Access Management (IAM) — authentication, authorization, and the access lifecycle.
- Security Assessment and Testing — audits, testing strategies, and security control validation.
- Security Operations — incident response, monitoring, and operational resilience.
- Software Development Security — building security into the development lifecycle.
What the questions are really like
CISSP questions are famous for being "managerial." They rarely ask you to recall a definition. Instead, they present a scenario where several answers are technically defensible and ask for the BEST or the FIRST action — the answer a security manager who thinks like a risk owner would choose.
This is why rote memorization fails so many candidates. You have to internalize the mindset: protect the business, prioritize people’s safety, follow due process, and choose the option that addresses root cause over symptom.
Scoring and the passing standard
CISSP is reported on a scaled score, and the passing standard is 700 out of 1000. Because the exam is adaptive and questions are weighted by difficulty, a raw "percent correct" does not map directly to the scaled score — answering harder questions correctly counts for more.
The practical takeaway: chase mastery across all 8 domains, not a percentage. A balanced profile with no weak domain is what carries you over the line.
Experience requirements and endorsement
Passing the exam is only part of certification. CISSP requires a minimum of five years of cumulative, paid work experience across at least two of the eight domains (a relevant degree or approved credential can satisfy one year). You then complete the ISC2 endorsement process.
If you pass the exam but do not yet have the experience, you can become an Associate of ISC2 and earn the full CISSP once you meet the requirement.
A study plan that tells you when you are ready
The candidates who pass do two things: they practice retrieval (questions and spaced repetition), and they track readiness instead of hours studied. A plan that works looks like this:
- Start with a diagnostic to find your weakest domains on day one.
- Study 20–40 focused minutes daily — weakest domain first, due reviews always.
- Use spaced repetition so missed concepts come back at the right interval.
- Sit full adaptive simulations to build stamina and pacing.
- Book your real exam when your readiness score clears the passing zone and a full simulation confirms it.
Know your number
CramKit gives you a readiness score that blends accuracy, coverage, and consistency — the same signal community lore is built on ("85+ and you are ready"). It is the difference between hoping you are ready and knowing.
Frequently asked questions
How many questions is the CISSP exam?
The English CISSP exam is adaptive (CAT) and variable length — most candidates answer between 100 and 150 questions. The exam ends once the scoring engine is statistically confident in the result. Confirm the current range on the official ISC2 site.
What is the CISSP passing score?
CISSP is reported on a scaled score and the passing standard is 700 out of 1000. Because the exam is adaptive, this does not equal a fixed percentage correct.
How long should I study for the CISSP?
It varies with experience, but most working professionals study for two to four months. What matters more than total hours is reaching a consistent readiness level across all 8 domains, confirmed by full adaptive practice exams.
Do I need work experience to get CISSP certified?
Yes. CISSP requires five years of cumulative paid experience across at least two of the eight domains (one year can be waived with a relevant degree or approved credential). You can pass the exam first and become an Associate of ISC2 while you accrue the experience.
Find out if you're actually ready.
Take a real adaptive exam and get a readiness score that means something — free.