
CISSP Passing Score

You need 700 out of 1000 to pass — but CISSP is a computer adaptive (CAT) exam, so if you pass you usually just see “pass,” not a number. Here is how adaptive scoring really works, the eight CBK domains, what practice score means you are ready, and the retake policy.

Pass mark: 700/1000
Format: CAT (adaptive)
Items: 100–150
Exam time: Up to 3 hrs
Domains: 8

01 The short answer

You need 700 out of 1000 to pass the CISSP. That figure sits on a scaled 0–1000 range, and 700 is the minimum ISC2 sets. The twist that catches everyone out: CISSP is a computer adaptive (CAT) exam, so if you pass you almost never see a number — you just get “Congratulations, you have provisionally passed.” The 700 standard is real, but the algorithm only needs to prove you are above or below it, not pin down exactly where you sit.
Score scale: 0 (min) to 1000 (max). Below 700 is below pass; 700–1000 is the pass zone (700 needed).
Because it is adaptive, there is usually no number to see. A pass is reported as a simple pass — ISC2 does not hand you a scaled mark when you clear the bar. The “700” matters conceptually as the standard your ability is measured against; only a failing result comes with a numeric score and a list of your weakest domains.

This is the single biggest difference between CISSP and the multiple-choice cloud and IT exams most candidates have sat before. On a fixed, linear exam such as AWS SAA-C03 or CompTIA Security+ you answer a set number of questions, your raw count is converted to a scaled mark, and you walk out with a number you can quote. CISSP throws that mental model out. You are not racing to accumulate points across a fixed paper; you are being measured against a standard, and the exam ends as soon as the result is no longer in doubt. Once you accept that, a lot of the anxiety around “what will my score be?” disappears — the only question that matters is whether you are clearly above 700.

02 How CAT scoring actually works

Computer Adaptive Testing is what makes CISSP scoring different from a fixed, linear exam — and it explains why “what was my score?” usually has no answer. Three mechanics do all the work.

1. The exam adapts to your ability

You start with an item pitched well below the passing standard. After each answer, the algorithm re-estimates your ability from the difficulty of every question you have seen and how you handled it. Answer correctly and the next item gets harder; slip and it eases off. With each response the estimate of your true ability becomes more precise, so the exam zeroes in on your level far faster than a fixed bank of questions could.

2. It ends on confidence, not a fixed length

The exam delivers between 100 and 150 items (up to three hours), and it stops the moment the algorithm is roughly 95% confident that your ability is clearly on one side of the 700 standard. If you are comfortably strong — or comfortably short — that confidence can arrive at the 100-item minimum and the screen simply ends. If you are hovering near the line, the exam keeps feeding you items to gather more evidence and can run all the way to the 150-item maximum. A long exam is not automatically a failing one; it just means you were borderline and the algorithm needed more data.

3. It is compensatory — no per-domain minimum

CISSP uses a compensatory model: a higher number of items answered correctly in one domain can make up for weaker performance in another. There is no minimum score per domain — only your overall ability against the 700 standard decides the result. Of the items you face, 25 are unscored pretest questions seeded at random to trial them for future exams, and you cannot tell which they are, so every item deserves your full attention.

Why a hard question is a good sign

One quirk of adaptive testing throws candidates off mid-exam: the questions often feel relentlessly difficult. That is the algorithm working as intended. As your running ability estimate climbs, the engine deliberately serves items near your level to extract the most information from each answer — so a strong candidate spends most of the exam being pushed. If every question feels hard, it frequently means you are performing well, not badly. The flip side is that you cannot read your result from how the questions felt, and you should never let a run of tough items rattle you into rushing. There is also no going back: once you submit an answer the engine has already used it to choose your next item, so you cannot flag, skip or revisit questions the way you can on a linear exam.

It is worth being precise about the “700” itself. ISC2 reports results on a scaled 0–1000 range so that candidates sitting slightly easier or harder item sets are held to the same standard — 700 is not “70% of questions correct.” Because the exam is adaptive and compensatory at once, no fixed percentage of items maps cleanly to a pass; what counts is the ability estimate the algorithm settles on. Aim to be comfortably clear of the standard so that neither a tough item set nor a borderline run can put the result in doubt.

The headline takeaway: 700/1000 is the bar, but because CISSP is adaptive you are graded pass or fail, not on a transcript number. Treat the goal as “be clearly above the standard,” not “chase a particular score.”

03 The eight CBK domains and their weights

The CISSP Common Body of Knowledge (CBK) spans eight domains. Because scoring is compensatory and adaptive, the smart move is to weight your study toward the heaviest domains — though on a security exam you cannot afford a genuine blind spot anywhere. These are the weights from the current (April 2024) exam outline.

1. Security & Risk Management: 16%
2. Asset Security: 10%
3. Security Architecture & Engineering: 13%
4. Communication & Network Security: 13%
5. Identity & Access Management: 13%
6. Security Assessment & Testing: 12%
7. Security Operations: 13%
8. Software Development Security: 10%

Where to spend your time: Domain 1 (Security & Risk Management) is the single heaviest at 16% and sets the governance, risk and legal vocabulary the whole exam leans on. The four 13% domains — Architecture & Engineering, Network Security, IAM and Security Operations — are the technical core. Get those five solid before polishing Asset Security and Software Development Security.

04 What practice score means you are ready

Here is the honest caveat: real CISSP practice tests are not adaptive. No third-party bank can reproduce the live CAT algorithm, so your practice percentage is a proxy for readiness, not a forecast of a scaled score. Used that way, a repeatable percentage on fresh, full-length, timed practice exams is still the best signal you have.

< 70%: Not ready — this is the band where most failures cluster
70–80%: Borderline — you would likely run the exam to 150 items, results either way
80%+: Ready — a repeatable 80%+ on fresh questions is a strong proxy for clearing 700

Make the proxy honest. A single 82% on a question bank you have already cycled through twice tells you almost nothing — you are scoring your memory, not your knowledge. What you want is the same 80%+ landing on fresh, full-length, timed sets, two or three sittings in a row, with the harder question styles (drag-and-drop, scenario, “best”-answer items) included rather than filtered out. If your accuracy swings wildly between sittings, you are still in borderline territory regardless of your best run; consistency is the signal. Track it by domain too, so a weak area cannot quietly drag your live result down while a strong one flatters your average.

The danger zone is 70–80%. On a fixed exam that feels close enough to book, but on CISSP it is exactly the borderline band where the adaptive engine keeps feeding you items and the result can fall either side of 700. Because practice tests are not adaptive, treat a repeatable 80%+ on questions you have never seen as your proxy for “clearly above the standard” — not a single lucky run.

05 If you fail: the retake policy

Falling short of 700 is not the end — but ISC2 makes the waits get longer with each attempt and charges the full fee every time, so it is worth being ready first. Unlike a pass, a failed CISSP does come with a numeric score and a ranked breakdown of the domains where you were weakest — use it. That breakdown is the most valuable thing a failed attempt gives you: it converts a vague “I need to study more” into a precise list of where the live exam actually found you short, which is exactly the targeting a self-set practice schedule tends to lack.

Attempt: Wait before you can retest
After 1st fail: 30 days from your exam date
After 2nd fail: 60 days from your most recent attempt
After 3rd fail (and later): 90 days from your most recent attempt
Annual cap: Maximum 4 attempts in any rolling 12-month period
Cost per attempt: The full exam fee every time — no discounted retake

Use the fail productively: the failing score report ranks your domains from strongest to weakest. Rebuild the bottom two or three, push your fresh practice score to a repeatable 80%+, then rebook — do not just resit on day 31 hoping the adaptive engine is kinder.

06 FAQ

What is the passing score for the CISSP?

You need 700 out of 1000 to pass the CISSP. Scores sit on a scaled 0 to 1000 range, and 700 is the minimum standard ISC2 sets. Because CISSP is a computer adaptive (CAT) exam, the algorithm only has to confirm you are above or below 700 — it does not need to pin down an exact number.

Does CISSP show your score?

If you pass, no — you simply receive a pass result with no number. CISSP is adaptive, so once the algorithm is statistically confident you are above 700 it ends the exam, and a precise score is never reported. Only candidates who fail get a numeric scaled score plus a breakdown of the domains where they were weakest, to guide a retake.

Do I need to pass each domain on the CISSP?

No. CISSP uses a compensatory model, so only your overall ability estimate against the 700 standard matters. There is no minimum score for any individual CBK domain — strong performance in one area can offset a weaker one, as long as your overall result clears the bar.

How long do I wait to retake the CISSP if I fail?

ISC2 makes you wait 30 days after a first failure, 60 days after a second, and 90 days after a third or later attempt, with a maximum of four attempts in any rolling 12-month period. You pay the full exam fee each time, so it pays to be genuinely ready before rebooking.

ExamCert Team: Certified cloud & security pros helping you pass faster.