Certification guide
Certified Information Systems Security Professional (CISSP) is ISC2’s flagship credential and the closest thing security leadership has to a universal standard. It validates that you can design, build, and run an information security program end to end — governance and risk, cryptography and architecture, networks, identity, assessment, operations, and secure software — and it is the certification hiring managers reach for when staffing CISOs, security architects, security managers, and senior engineers. Like CGRC, it holds a place on the U.S. DoD 8140 approved list, making it a fixture in federal, defense-contractor, and regulated-industry roles.
What separates the CISSP from technical certifications is the vantage point. The exam relentlessly tests judgment: two answers will often be technically true, and passing means recognizing which one a security professional advising the business should choose first. The current outline took effect April 15, 2024 — Security and Risk Management grew to 16% and Software Development Security trimmed to 10% — and ISC2 has woven cloud, zero trust, and supply chain thinking throughout all eight domains. Delivery is Computerized Adaptive Testing in every language: the engine serves you 100 to 150 questions over three hours, adapting difficulty as you answer.
Security and Risk Management
Domain 1 · 16%The exam’s center of gravity: governance, risk assessment and treatment, legal and regulatory compliance, privacy, professional ethics, business continuity foundations, security policy, awareness, and supply chain risk management.
Asset Security
Domain 2 · 10%Information and asset handling across the full lifecycle — data roles and ownership, classification and labeling, retention and minimization, media sanitization and remanence, and protecting data at rest, in transit, and in use.
Security Architecture and Engineering
Domain 3 · 13%Secure design principles, formal security models, cryptography and cryptanalytic attacks, hardware and virtualization security, cloud shared responsibility, and the physical and environmental design of facilities and data centers.
Communication and Network Security
Domain 4 · 13%Secure network architecture and protocols: segmentation and screened subnets, IPsec and TLS, wireless security, 802.1X port-based access control, VoIP and converged networks, SDN, and the attacks that target each layer.
Identity and Access Management (IAM)
Domain 5 · 13%The identity lifecycle end to end — authentication factors and biometrics, federation with SAML, OAuth, and OIDC, Kerberos, access control models, privileged access management, just-in-time access, and zero trust.
Security Assessment and Testing
Domain 6 · 12%Proving controls actually work: vulnerability assessments versus penetration tests, SAST, DAST, and fuzzing, audit strategies and SOC reports, security metrics, and validating disaster recovery without breaking production.
Security Operations
Domain 7 · 13%Security day to day — incident response, digital forensics and evidence handling, logging with SIEM and UEBA, backups and recovery sites, patch and change management, and catching exfiltration before it succeeds.
Software Development Security
Domain 8 · 10%Security built into software rather than bolted on: secure SDLC and DevSecOps, threat modeling, injection and XSS, software supply chain and SBOMs, secrets management, and secure design principles like complete mediation.
Each Certifym CISSP practice exam is a full-length, 100-question timed simulation stratified to the official 2024 weights — 16 questions from Security and Risk Management down to 10 from Software Development Security, mirroring exactly what the live exam emphasizes. Questions are written the way ISC2 writes them: scenario-driven, best-answer format, from the perspective of a security professional advising the business, with a detailed explanation on every question covering why the right answer wins and why the tempting distractors lose. ISC2 scores the live exam on a 700-out-of-1000 scale; we set the pass mark at 70% as the honest raw-score equivalent, so a passing run here means genuine coverage across all eight domains — not luck in the heavy ones.
ISC2 CISSP - Practice Exam
Full-length ISC2 CISSP practice exam aligned to the current (April 2024) exam outline. 100 questions weighted across all eight domains: Security and Risk Management (16%), Asset…
Subscribe to startTrademark notice & independence. ISC2®, CISSP®, CGRC®, and CBK® are registered marks of ISC2, Inc. Certifym.net is operated by Certifym Exam Services LLC and is not affiliated with, endorsed by, or sponsored by ISC2, Inc. Certification names and marks are used solely to identify the certifications for which our independent practice materials are designed. The CISSP exam outline and its domain structure are the property of ISC2, Inc.; candidates should download the official, current exam outline directly from isc2.org.
All questions, answers, and explanations on Certifym are original content created for practice purposes. They are not actual ISC2 examination questions and are not represented as such. Practicing with these materials does not guarantee a passing result on any live certification exam.
Frequently Asked Questions
How many questions are on the CISSP exam?
Between 100 and 150 questions in the Computer Adaptive Testing (CAT) format. The exam adapts to your performance and ends once ISC2's algorithm reaches a pass or fail confidence threshold. As of April 15, 2024, all CISSP exams in every supported language use the CAT format.
What is the CISSP passing score?
700 out of 1000 on the scaled scoring system. This is not a raw 70 percent because different question forms are weighted differently and the CAT algorithm evaluates confidence rather than raw counts.
How much does the CISSP exam cost?
$749 USD in the Americas as of 2026. Pricing varies by region and includes local taxes. Verify the current fee at isc2.org before you book through Pearson VUE.
How long is the CISSP exam?
Three hours. This was cut from the prior six-hour linear format when the CAT transition completed on April 15, 2024, though the number of scored questions per candidate varies by performance.
What are the 8 CISSP domains and their weights?
Security and Risk Management (16 percent), Asset Security (10 percent), Security Architecture and Engineering (13 percent), Communication and Network Security (13 percent), Identity and Access Management (13 percent), Security Assessment and Testing (12 percent), Security Operations (13 percent), and Software Development Security (10 percent). These weights took effect April 15, 2024.
What experience do I need for CISSP certification?
Five years of cumulative paid work experience in at least two of the eight CBK domains. A four-year college degree or an approved ISC2 credential waives one year. Effective April 2026, ISC2 reduced the list of credentials that waive a year of experience u2014 verify your credential is still on the approved list before applying.
What if I pass the CISSP but do not have the required experience?
You become an Associate of ISC2 for up to six years while you build the required experience. Once you meet the requirement and complete the endorsement process, you become a full CISSP. Associates pay a reduced Annual Maintenance Fee of $50 per year rather than the full $135.
How do I maintain the CISSP certification after I pass?
Pay the $135 Annual Maintenance Fee to ISC2 and earn 120 Continuing Professional Education (CPE) credits every three-year cycle u2014 90 Group A credits directly related to the CBK and up to 30 Group B credits from broader professional development.
How many practice questions does Certifym provide for CISSP?
1,000 unique CAT-style practice questions across 10 exam sets, plus a randomized full-length simulator, all mapped to the current 2024 CBK domain weights with detailed explanations for every answer choice.
