CISSP exam domains
The CISSP exam is weighted across 8 domains. Pick any domain below to drill it — or read the full breakdown in the FAQ.
| Exam domain | Exam weight | Practice |
|---|---|---|
| Security and Risk Management | 16% | Practice this topic |
| Asset Security | 10% | Practice this topic |
| Security Architecture and Engineering | 13% | Practice this topic |
| Communication and Network Security | 13% | Practice this topic |
| Identity and Access Management (IAM) | 13% | Practice this topic |
| Security Assessment and Testing | 12% | Practice this topic |
| Security Operations | 13% | Practice this topic |
| Software Development Security | 10% | Practice this topic |
Sample CISSP questions
A sample of the CISSP questions on this hub. Each links through to the full question, the correct answer, and an explanation of why every other option is wrong.
- A hospital's wireless network keeps dropping clinical tablets from its access points. Analysis of captured traffic shows a steady stream of spoofed 80…View question
- A retail chain offers free customer Wi-Fi using an open (unencrypted) SSID for convenience. Security notices that attackers are setting up rogue acces…View question
- A hospital's network team discovers that unauthorized laptops are being plugged into wall jacks in patient waiting areas and gaining access to the int…View question
- A global engineering firm needs an access control model for a new document repository. Access decisions must consider a combination of the user's depa…View question
- A financial services firm has employees who frequently transfer between departments. An internal audit reveals that many long-tenured staff retain acc…View question
- During a security audit of a financial services firm, the auditor finds that three database administrators all log into production systems using a sin…View question
- A financial services firm is purchasing a specialized loan-origination application from a small vendor. Because the software will process sensitive cu…View question
- A retailer's e-commerce platform experiences credential-stuffing attacks. Currently, each successful breach costs an average of $50,000, and the compa…View question
- A financial services firm is performing a quantitative risk assessment on its data center. Historical records and industry data show that a major powe…View question
- A security tester reviewing a company's REST API discovers that changing the numeric account ID in the URL path /api/v1/accounts/1042/statements to /a…View question
Key CISSP terms
Start with these terms, then explore the full glossary. Each links to a plain-English definition written for the CISSP exam.
CISSP frequently asked questions
What is the CISSP certification?+
CISSP is widely regarded as the benchmark certification for senior information-security roles and is a common requirement in job listings for security managers and architects.
It is broad rather than deep: the eight domains span the whole security profession, so success rewards a wide, connected understanding rather than deep specialization in any single area.
What topics are on the CISSP exam?+
The CISSP exam is organised into eight weighted domains. The percentages below are ISC2’s official weightings for scored content, so bias your study toward the heavier domains — Security and Risk Management alone is the single largest slice of the exam.
Security and Risk Management (16%)
The largest domain. Covers the CIA triad, governance, compliance and legal issues, professional ethics, security policies, and the full risk-management lifecycle (identification, assessment using ALE/ARO/SLE, treatment) plus business-continuity requirements and personnel security.
Asset Security (10%)
Covers information and asset classification, ownership, and handling; the data lifecycle including retention and secure destruction (remanence); data roles such as owner, controller, processor, and custodian; and protecting privacy through baselines, scoping, and tailoring.
Security Architecture and Engineering (13%)
Covers secure design principles (least privilege, defense in depth, zero trust), security models such as Bell-LaPadula and Biba, cryptography and PKI, vulnerabilities of architectures (cloud, IoT, ICS, embedded), and physical security.
Communication and Network Security (13%)
Covers secure network architecture and segmentation, secure protocols such as IPsec and TLS, securing network components, wireless and cellular security, and preventing and mitigating network attacks.
Identity and Access Management (IAM) (13%)
Covers identification, authentication (including MFA), and accountability; access control models (RBAC, ABAC, MAC, DAC); federated identity, SSO, SAML, and OIDC; and the provisioning-to-deprovisioning identity lifecycle.
Security Assessment and Testing (12%)
Covers designing and validating assessment and audit strategies, vulnerability assessment and penetration testing, log reviews, code review and testing, and collecting and reporting security process data.
Security Operations (13%)
Covers investigations and digital forensics, logging and monitoring (SIEM, UEBA), the incident-management lifecycle, configuration and change management, patching, backups, and disaster recovery (RTO/RPO).
Software Development Security (10%)
Covers embedding security in the SDLC, secure coding practices, assessing software and acquired-software security, common web/application vulnerabilities, and DevSecOps and API security.
Is the CISSP hard?+
CISSP is a hard exam because it is broad and demands a manager’s-perspective judgment: you must often choose the “best” of several defensible answers based on risk, not just the technically correct one.
The eight domains cover the entire security profession, and the adaptive format means questions adjust to your performance. Experienced candidates still study for weeks; the challenge is breadth and mindset, not obscure trivia.
How many questions are on the CISSP exam and how long is it?+
The live CISSP exam is delivered in English as a Computerized Adaptive Test (CAT) of 100–150 items in 3 hours, using multiple choice and advanced item types.
Our full-length practice mock uses a fixed 100-question, 180-minute session so you can rehearse pacing and stamina across all eight domains before test day.
What score do you need to pass the CISSP?+
CISSP is scored on a scale of 0 to 1000, and you need a scaled score of 700 to pass. Because the live exam is adaptive, questions are not all worth the same and there is no penalty for guessing, so answer everything. Our practice mock uses a 70% threshold as a study checkpoint; aim comfortably beyond it before test day.
How much does the CISSP exam cost?+
The CISSP exam fee is set by ISC2 and varies by region — check the ISC2 site for current pricing. Certification also requires meeting the experience requirement and paying an annual maintenance fee to keep the credential active. Everything on this hub is free.
Who should take the CISSP?+
CISSP is aimed at experienced security practitioners, managers, and architects — think security analysts moving into leadership, security engineers, and consultants.
ISC2 requires five years of cumulative paid work experience across two or more of the eight domains (one year is waivable with a qualifying degree or credential). Those without the experience can pass the exam and become an Associate of ISC2 while they earn it.
What jobs and salaries can the CISSP lead to?+
CISSP maps to roles such as security manager, security architect, security consultant, CISO, and senior security analyst.
How much any certification affects pay depends heavily on geography, seniority, and hands-on experience, so treat any single salary figure with caution. CISSP is best viewed as validation of broad, senior-level security competence.
How long does it take to study for the CISSP?+
Experienced candidates often need two to four months of steady study, because the challenge is connecting eight broad domains rather than memorizing facts.
Review every explanation, including for questions you answered correctly, because CISSP distractors are built from plausible but sub-optimal choices. Use the per-domain results here to find your weakest area, then finish with full-length timed mocks.
How should you prepare for the CISSP?+
Study the eight domains above, giving the heaviest weight to Security and Risk Management, then drill scenario questions domain by domain. Every MockAPI question reveals a full explanation and tells you why each wrong answer is wrong.
When you can reason to the “best” answer comfortably, move to full-length timed mocks. Use the glossary to keep concepts like the CIA triad, Bell-LaPadula, and RTO/RPO straight, and aim to score consistently above the checkpoint before you book.
Can you take the CISSP exam online?+
ISC2 delivers CISSP exclusively at Pearson VUE test centers — there is currently no at-home online-proctored option, so you sit the exam in person at a scheduled testing center. Bring government-issued photo ID; the center provides a secure, monitored environment.
If you do not pass, ISC2 enforces a retake policy with a waiting period between attempts and a cap on attempts per year — check the current policy before rebooking.
What certification should you take after the CISSP?+
After CISSP, common next steps include ISC2’s CCSP for cloud-security depth, or CISSP concentrations (ISSAP, ISSEP, ISSMP) that specialize in architecture, engineering, or management.
For many, the real next step is applying the breadth CISSP validates to lead a security program. Pairing it with hands-on leadership is what turns the certificate into a career.