How Hard Is the CISSP Exam? CAT Format, Passing Score & 8 Domains (2026)
The CISSP is ISC2's flagship credential and one of the most respected certifications in cybersecurity. It's also one of the most misunderstood exams — mostly because of how it's scored. Here's what you're actually up against.
CISSP exam format at a glance
- Format: Computerized Adaptive Testing (CAT)
- Questions: 100–150 items
- Time limit: 3 hours
- Scoring: Scaled score from 0 to 1000
- Passing score: 700
- Delivery: Computer-based at a test center
What "CAT" actually means
Unlike a fixed exam, Computerized Adaptive Testing adjusts question difficulty based on your answers. Get one right and the next tends to be harder; miss one and it eases off. The algorithm is building a precise estimate of your ability with each item.
Practical consequences:
- You can't go back. Once you answer, the next question is chosen based on it.
- The exam can end anywhere from 100 to 150 items. It stops when the algorithm is confident (with ~95% certainty) that you're clearly above or below the passing standard.
- Finishing early isn't necessarily good or bad — it just means the algorithm reached confidence quickly.
The eight CISSP domains (and weights)
The CISSP Common Body of Knowledge (CBK) spans eight domains:
| Domain | Weight |
|---|---|
| Security and Risk Management | 16% |
| Asset Security | 10% |
| Security Architecture and Engineering | 13% |
| Communication and Network Security | 13% |
| Identity and Access Management (IAM) | 13% |
| Security Assessment and Testing | 12% |
| Security Operations | 13% |
| Software Development Security | 10% |
The weighting is unusually flat — no single domain dominates, which is exactly why breadth is the challenge.
What makes CISSP hard
- It's a mile wide. Eight domains span risk, cryptography, networking, IAM, secure development, and operations. Few people are strong in all eight.
- "Think like a manager." CISSP rewards risk-based, business-aligned answers over the most technically aggressive option. The "best" answer is often the one that protects the organization's interests, not the coolest control.
- The CAT format is unforgiving of careless early mistakes and rewards consistency.
How to prepare
Because CISSP is adaptive and broad, you want to find and close your weakest domains before exam day:
- Practice across all eight domains and watch which ones lag.
- Take full-length, domain-weighted mock exams scored on the 0–1000 scale.
- Use spaced repetition to retain a body of knowledge this large.
That's the CertPrepX approach — a readiness score per domain so "ready" is a measurement, not a feeling.
See the full CISSP exam prep guide, or start free practice.
Frequently asked questions
What is a passing CISSP score? 700 out of 1000 on the scaled CAT score. It does not map to a simple percentage of questions correct.
How many questions are on the CISSP CAT? Between 100 and 150 items; the exam ends when the algorithm is confident in your result.
How long should I study for the CISSP? Most candidates spend 3–6 months given the breadth — though experienced practitioners move faster. Plan backwards from your exam date and prioritize weak domains.