ISC2 · Advanced

ISC2 CISSP — Certified Information Systems Security Professional (CISSP) practice exam & study guide

The CISSP (Certified Information Systems Security Professional) is ISC2’s flagship certification for experienced security practitioners who design, engineer, and manage an enterprise security program. It validates broad, vendor-neutral expertise across eight domains — from risk management and security architecture to operations and software development security.

CISSP is a management-and-architecture credential, not an entry-level technical exam. Questions favor risk-based judgment and the “best” answer from a manager’s perspective over pure technical recall, and the live exam uses Computerized Adaptive Testing (CAT).

This free hub gives you everything you need to prepare: a syllabus breakdown by exam domain, realistic practice questions with teacher-style explanations, a glossary of the security concepts the exam relies on, and full-length timed mock exams that mirror the real testing experience.

100
Questions
180 min
Time limit
70%
Mock pass %
8
Domains

Start studying CISSP

New here? Follow the three steps below in order. Everything is free and needs no account.

  1. 1
    Learn the plan

    See all 8 domains in exam-weight order.

    Open study path
  2. 2
    Drill by domain

    Practice one topic at a time with explained answers.

    Start with the first domain
  3. 3
    Sit a timed mock

    100 questions · 180 min · 70% to pass our mock.

    Take the mock exam

All CISSP study resources

CISSP exam domains

The CISSP exam is weighted across 8 domains. Pick any domain below to drill it — or read the full breakdown in the FAQ.

Exam domainExam weightPractice
Security and Risk Management16%Practice this topic
Asset Security10%Practice this topic
Security Architecture and Engineering13%Practice this topic
Communication and Network Security13%Practice this topic
Identity and Access Management (IAM)13%Practice this topic
Security Assessment and Testing12%Practice this topic
Security Operations13%Practice this topic
Software Development Security10%Practice this topic

Sample CISSP questions

A sample of the CISSP questions on this hub. Each links through to the full question, the correct answer, and an explanation of why every other option is wrong.

Key CISSP terms

Start with these terms, then explore the full glossary. Each links to a plain-English definition written for the CISSP exam.

CISSP frequently asked questions

What is the CISSP certification?+

CISSP is widely regarded as the benchmark certification for senior information-security roles and is a common requirement in job listings for security managers and architects.

It is broad rather than deep: the eight domains span the whole security profession, so success rewards a wide, connected understanding rather than deep specialization in any single area.

What topics are on the CISSP exam?+

The CISSP exam is organised into eight weighted domains. The percentages below are ISC2’s official weightings for scored content, so bias your study toward the heavier domains — Security and Risk Management alone is the single largest slice of the exam.

Security and Risk Management (16%)

The largest domain. Covers the CIA triad, governance, compliance and legal issues, professional ethics, security policies, and the full risk-management lifecycle (identification, assessment using ALE/ARO/SLE, treatment) plus business-continuity requirements and personnel security.

Asset Security (10%)

Covers information and asset classification, ownership, and handling; the data lifecycle including retention and secure destruction (remanence); data roles such as owner, controller, processor, and custodian; and protecting privacy through baselines, scoping, and tailoring.

Security Architecture and Engineering (13%)

Covers secure design principles (least privilege, defense in depth, zero trust), security models such as Bell-LaPadula and Biba, cryptography and PKI, vulnerabilities of architectures (cloud, IoT, ICS, embedded), and physical security.

Communication and Network Security (13%)

Covers secure network architecture and segmentation, secure protocols such as IPsec and TLS, securing network components, wireless and cellular security, and preventing and mitigating network attacks.

Identity and Access Management (IAM) (13%)

Covers identification, authentication (including MFA), and accountability; access control models (RBAC, ABAC, MAC, DAC); federated identity, SSO, SAML, and OIDC; and the provisioning-to-deprovisioning identity lifecycle.

Security Assessment and Testing (12%)

Covers designing and validating assessment and audit strategies, vulnerability assessment and penetration testing, log reviews, code review and testing, and collecting and reporting security process data.

Security Operations (13%)

Covers investigations and digital forensics, logging and monitoring (SIEM, UEBA), the incident-management lifecycle, configuration and change management, patching, backups, and disaster recovery (RTO/RPO).

Software Development Security (10%)

Covers embedding security in the SDLC, secure coding practices, assessing software and acquired-software security, common web/application vulnerabilities, and DevSecOps and API security.

Is the CISSP hard?+

CISSP is a hard exam because it is broad and demands a manager’s-perspective judgment: you must often choose the “best” of several defensible answers based on risk, not just the technically correct one.

The eight domains cover the entire security profession, and the adaptive format means questions adjust to your performance. Experienced candidates still study for weeks; the challenge is breadth and mindset, not obscure trivia.

How many questions are on the CISSP exam and how long is it?+

The live CISSP exam is delivered in English as a Computerized Adaptive Test (CAT) of 100–150 items in 3 hours, using multiple choice and advanced item types.

Our full-length practice mock uses a fixed 100-question, 180-minute session so you can rehearse pacing and stamina across all eight domains before test day.

What score do you need to pass the CISSP?+

CISSP is scored on a scale of 0 to 1000, and you need a scaled score of 700 to pass. Because the live exam is adaptive, questions are not all worth the same and there is no penalty for guessing, so answer everything. Our practice mock uses a 70% threshold as a study checkpoint; aim comfortably beyond it before test day.

How much does the CISSP exam cost?+

The CISSP exam fee is set by ISC2 and varies by region — check the ISC2 site for current pricing. Certification also requires meeting the experience requirement and paying an annual maintenance fee to keep the credential active. Everything on this hub is free.

Who should take the CISSP?+

CISSP is aimed at experienced security practitioners, managers, and architects — think security analysts moving into leadership, security engineers, and consultants.

ISC2 requires five years of cumulative paid work experience across two or more of the eight domains (one year is waivable with a qualifying degree or credential). Those without the experience can pass the exam and become an Associate of ISC2 while they earn it.

What jobs and salaries can the CISSP lead to?+

CISSP maps to roles such as security manager, security architect, security consultant, CISO, and senior security analyst.

How much any certification affects pay depends heavily on geography, seniority, and hands-on experience, so treat any single salary figure with caution. CISSP is best viewed as validation of broad, senior-level security competence.

How long does it take to study for the CISSP?+

Experienced candidates often need two to four months of steady study, because the challenge is connecting eight broad domains rather than memorizing facts.

Review every explanation, including for questions you answered correctly, because CISSP distractors are built from plausible but sub-optimal choices. Use the per-domain results here to find your weakest area, then finish with full-length timed mocks.

How should you prepare for the CISSP?+

Study the eight domains above, giving the heaviest weight to Security and Risk Management, then drill scenario questions domain by domain. Every MockAPI question reveals a full explanation and tells you why each wrong answer is wrong.

When you can reason to the “best” answer comfortably, move to full-length timed mocks. Use the glossary to keep concepts like the CIA triad, Bell-LaPadula, and RTO/RPO straight, and aim to score consistently above the checkpoint before you book.

Can you take the CISSP exam online?+

ISC2 delivers CISSP exclusively at Pearson VUE test centers — there is currently no at-home online-proctored option, so you sit the exam in person at a scheduled testing center. Bring government-issued photo ID; the center provides a secure, monitored environment.

If you do not pass, ISC2 enforces a retake policy with a waiting period between attempts and a cap on attempts per year — check the current policy before rebooking.

What certification should you take after the CISSP?+

After CISSP, common next steps include ISC2’s CCSP for cloud-security depth, or CISSP concentrations (ISSAP, ISSEP, ISSMP) that specialize in architecture, engineering, or management.

For many, the real next step is applying the breadth CISSP validates to lead a security program. Pairing it with hands-on leadership is what turns the certificate into a career.