
CISSP Exam Format: What to Expect

The CISSP is a Computerized Adaptive Test (CAT) — 100–150 questions in up to 3 hours, where the engine picks each item from your last answer and you cannot go back or skip. Here is exactly what the exam looks like on screen, the question types, what exam day feels like, and how pass/fail scoring works.

Questions: 100–150
Time limit: Up to 3 hrs
Format: Adaptive (CAT)
Pass standard: 700/1000
Exam fee: ~$749
Delivery: Pearson VUE

01 The format in one minute

The CISSP is an adaptive exam — 100 to 150 questions in up to 3 hours, and it ends when the engine is sure. Every question is text: a scenario followed by selectable options. What makes it different from almost every other certification is that it is a Computerized Adaptive Test. The difficulty of each question is chosen from how you answered the last one, you cannot revisit or change a previous answer, and the exam stops the moment the algorithm can decide pass or fail with confidence — which can be at question 100.

Below is a close approximation of what a single question looks like in the Pearson VUE test engine. Notice what is missing: there is no “of 150” total in the header and no “Previous” button, because in adaptive mode neither exists:

Illustration of the test-engine layout — not an actual exam question.

That single screen captures what makes the CISSP tick: dense, judgement-based scenario stems, four options where several are good practice but only one is the best answer to the stem, and a one-way path through the test. There is no flag-and-review safety net — once you confirm and move on, that item is locked and feeds the engine’s next choice.

02 Question types you'll face

The CISSP keeps the forms of its questions limited — the difficulty is in the managerial, “think like a CISO” judgement, not exotic interactions. The defining trait is not a question type at all: it is the adaptive engine deciding what you see next.

Multiple choice

Four options, exactly one correct. The other three are usually legitimate security controls that are simply less effective for the specific stem. The clear majority of the exam.

Most questions

Advanced innovative items

ISC2’s name for interactive formats — drag-and-drop ordering and hotspot (click-the-diagram) questions. You will meet a few; they are scored the same as multiple choice.

A handful

Adaptive difficulty

The defining trait. The engine raises difficulty when you answer well and lowers it when you slip, then ends once it can place you firmly above or below the standard — so a hard run of questions is often a good sign.

Every item

No going back / no skipping

Each item must be answered before the next appears. You cannot skip, cannot return, and cannot change a confirmed answer — there is no end-of-test review screen.

Always

Answer like a manager, then commit. When two answers are both “correct” security practice, the CISSP rewards the one that addresses root cause, reduces risk most, or follows correct process order — pick it, confirm it, and let it go. Second-guessing is wasted effort: the engine has already moved on.

03 The eight domains & weighting

You have up to 3 hours for between 100 and 150 questions. The first 25 items in a minimum-length sitting are unscored pretest questions ISC2 is trialling; they are mixed in invisibly, so treat everything as real. Questions are drawn across the eight domains of the Common Body of Knowledge, weighted as below.

| Domain | Weight | What it covers |
|---|---|---|
| 1. Security & Risk Management | 16% | Governance, risk, compliance, ethics, policy |
| 2. Asset Security | 10% | Data classification, handling, ownership, retention |
| 3. Security Architecture & Engineering | 13% | Secure design, cryptography, models, physical security |
| 4. Communication & Network Security | 13% | Secure network architecture, protocols, components |
| 5. Identity & Access Management | 13% | Identification, authentication, authorization, lifecycle |
| 6. Security Assessment & Testing | 12% | Audits, vulnerability testing, logging, control review |
| 7. Security Operations | 13% | Incident response, monitoring, recovery, investigations |
| 8. Software Development Security | 10% | Secure SDLC, code review, application security controls |

Pace check: with up to 3 hours and as few as 100 questions, you have well over a minute per item — more breathing room than most exams. But because you cannot return, spend that time getting each answer right the first time rather than racing ahead.

04 What exam day actually looks like

The CISSP is delivered in person at ISC2-authorized Pearson VUE test centres. There is no come-and-go schedule and the 3-hour timer simply runs down — there are no scheduled breaks built into the exam, so if you step out for a restroom visit the clock keeps ticking. Here is the typical check-in flow.

~30 min before

Arrive early

Get to the test centre at least 30 minutes ahead. Late arrivals can forfeit the appointment and the fee.

Check-in

Two IDs & biometrics

Present two valid forms of ID (one a government photo ID). Expect a palm-vein or fingerprint scan, a photo, and a signature; pockets are emptied and personal items go in a locker.

Seated

Whiteboard, not paper

You are given an erasable whiteboard or noteboard and marker for scratch work — no personal paper. A non-disclosure agreement appears first and is untimed.

03:00:00

The adaptive exam

Questions appear one at a time. Answer, confirm, continue — with no way back. A proctor and cameras monitor the room throughout.

No set breaks

The clock keeps running

There are no scheduled breaks. You may leave the room for the restroom with proctor sign-out, but the 3-hour timer does not pause.

At the end

Provisional result

The exam ends the moment the engine decides. You collect a printed provisional pass or fail at the front desk; the official outcome posts to your ISC2 account shortly after.

Allowed

  • Two valid IDs, one a government photo ID
  • The centre-provided whiteboard or noteboard for scratch work
  • Earplugs or noise-cancelling headphones supplied by the centre
  • Requesting accommodations arranged with ISC2 before booking

Not allowed

  • Phones, smartwatches, or any personal electronics at the desk
  • Your own notes, books, or scratch paper
  • Going back to, skipping, or changing a previous question
  • Leaving without proctor sign-out (and the clock keeps running)

The one-way path trips people up more than the difficulty. Candidates used to flagging and reviewing freeze when they realise a confirmed answer is final. Train on adaptive, no-review practice tests so the first time you experience “commit and move on” is not on exam day.

05 How scoring & results work

The CISSP standard is 700 out of 1000 points. Under CAT, though, that number is mostly conceptual: you never see a score. Adaptive scoring weights each item by difficulty and tracks your ability estimate in real time, ending the exam when it is statistically confident you are clearly above or clearly below the standard. The output you receive is simply Pass or Fail.

You get a result, not a number. Because the engine stops as soon as it is sure, two people can both pass after very different question counts — one at 100, one at 150 — and neither learns “how close” it was. A pass is a pass; the count of questions you answered tells you nothing about your margin.

You receive a provisional pass or fail on paper at the test centre, with the official result confirmed in your ISC2 account afterward. A failing report includes a ranked list of the domains where you performed weakest, which is the most useful guide for a retake. If you do not pass, ISC2 enforces escalating waits: 30 days before a second attempt, 90 days before a third, and 180 days before a fourth, with a cap on attempts in a rolling 12-month period — and the full fee is due each time.

Want the scoring detail? See our companion guide on the CISSP passing score for how the 700/1000 standard and the adaptive pass/fail decision actually work.

06 FAQ

What is the CISSP CAT (adaptive) exam format?

CISSP is a Computerized Adaptive Test. You answer between 100 and 150 questions in up to 3 hours, and the engine chooses each question from how you answered the previous ones — doing well brings harder items, struggling brings easier ones. It ends as soon as it can decide pass or fail with statistical confidence, which can be as few as 100 questions. The first 25 items in a minimum-length exam are unscored pretest questions you cannot identify.

Can you go back and change answers on the CISSP exam?

No. Because the CISSP is adaptive, every confirmed answer is used to choose your next question, so the engine cannot let you return to a previous item. You cannot skip a question, you cannot revisit an earlier one, and you cannot change an answer once you move on. Each item must be answered before the next appears, and there is no review screen at the end.

How many questions are on the CISSP exam and how long is it?

The English CISSP is 100 to 150 questions with a maximum of 3 hours. Since April 2024 every language runs in the same CAT format; the old 250-question, 6-hour linear paper for non-English candidates has been retired. Your exam may stop at 100 questions if the engine is already confident, or run all 150 if your result is close to the borderline.

What is the CISSP passing score?

The standard is 700 out of 1000 points, but under CAT you do not receive a numeric score — the result you are given is simply Pass or Fail. ISC2 reports a provisional pass or fail at the test centre and the official result lands in your ISC2 account shortly after. A failing report includes a ranked breakdown of the domains where you were weakest.

ExamCert Team
Certified security pros helping you walk in knowing exactly what to expect.