The CISSP exam uses Computerized Adaptive Testing (CAT) with 125 to 175 questions and a 240-minute (4-hour) maximum time limit. The adaptive engine adjusts question difficulty in real-time based on your performance — if you consistently answer correctly, questions get progressively harder; if you struggle, they get easier. The exam can end as early as question 125 once the algorithm reaches 95% statistical confidence in your ability level, either above or below the passing threshold of 700 out of 1,000.
As the gold standard in information security certification, CISSP is held by over 160,000 professionals worldwide. The adaptive format makes the exam experience unique and unpredictable compared to fixed-length tests. Understanding how the CAT algorithm works, what the question distribution looks like across 8 domains, and how to manage your time and mindset is critical for success.
The CAT format is fundamentally different from fixed-length exams like Security+ or CEH. Here is exactly how it operates:
You cannot return to previous questions in the adaptive format. Each answer is final and directly influences the difficulty and topic of the next question. This means:
| Domain | % of Exam | ~Questions (at 125) | Key Topics |
|---|---|---|---|
| 1. Security & Risk Management | 16% | ~20 | Governance, compliance, risk assessment, business continuity, ethics |
| 2. Asset Security | 10% | ~13 | Data classification, ownership, privacy, retention, handling |
| 3. Security Architecture & Engineering | 13% | ~16 | Security models, cryptography, physical security, site planning |
| 4. Communication & Network Security | 13% | ~16 | Network architecture, protocols, secure channels, network attacks |
| 5. Identity & Access Management (IAM) | 13% | ~16 | Authentication, authorization, identity federation, access control models |
| 6. Security Assessment & Testing | 12% | ~15 | Vulnerability assessment, penetration testing, auditing, log analysis |
| 7. Security Operations | 13% | ~16 | Incident response, disaster recovery, investigations, change management |
| 8. Software Development Security | 10% | ~13 | SDLC, application security, secure coding, database security |
All 8 domains are tested throughout the exam. The adaptive algorithm ensures you face questions from every domain, adjusting difficulty within each. Your performance must be consistently above the competency line across all domains — excelling in 6 domains but failing in 2 can still result in a failing grade.
With a maximum of 240 minutes for up to 175 questions, you have approximately 82 seconds per question if you go the full distance. However, most candidates who pass finish around question 125 in approximately 2-3 hours.
| Question Range | Target Time | Strategy |
|---|---|---|
| 1-50 | ~75 min | Establish rhythm, read carefully, commit confidently |
| 51-100 | ~75 min | Maintain pace, don't rush — questions may be getting harder (a good sign) |
| 101-125 | ~40 min | Stay focused — the exam may end here if the algorithm is confident |
| 126-175 | ~50 min | If you reach this range, the algorithm needs more data — stay calm and consistent |
| Certification | Questions | Time | Format | Cost | Experience Required |
|---|---|---|---|---|---|
| CISSP (CAT) | 125-175 | 240 min | Adaptive MC | $749 | 5 years (2+ domains) |
| CISM | 150 | 240 min | Fixed MC | $575-$760 | 5 years IS management |
| CISA | 150 | 240 min | Fixed MC | $575-$760 | 5 years IS auditing |
| CASP+ | Up to 90 | 165 min | MC + PBQs | $494 | 10 years IT (recommended) |
| CCSP | 150 | 240 min | Fixed MC | $599 | 5 years (3 in security) |
| Item | Cost |
|---|---|
| First attempt | $749 USD |
| Retake | $749 USD |
| Waiting period after failure | 30 days (1st), 60 days (2nd), 90 days (3rd) |
| Maximum attempts per year | 3 |
| Annual Maintenance Fee (AMF) | $125/year after passing |
| CPE credits required | 40/year (120 over 3-year cycle) |
Most candidates need 3-6 months of dedicated study depending on experience level. The CISSP covers an extremely broad range of topics across 8 domains, making it one of the most study-intensive certifications in cybersecurity.
The CISSP CAT exam has 125-175 questions. The adaptive engine determines the exact number based on your performance — it can end as early as question 125 once the algorithm reaches 95% confidence.
700 out of 1,000. Due to the adaptive format, this represents consistent performance above the competency threshold across all 8 domains.
The CAT algorithm selects each question based on your previous answers. Correct answers lead to harder questions; incorrect answers lead to easier ones. The exam ends when the engine reaches 95% statistical confidence.
No. The adaptive format does not allow you to return to previous questions. Each answer is final.
240 minutes (4 hours) maximum. Many candidates finish in 2-3 hours if the adaptive engine reaches a confident determination.
Not necessarily. Finishing at 125 means the engine made a confident determination — which could be either pass or fail.
$749 USD per attempt, with a mandatory 30-day waiting period after failure.
5 years of cumulative paid work experience in 2 or more of the 8 CISSP domains. A 4-year degree or approved credential can waive 1 year.
Prepare for the CAT format with adaptive-style practice tests covering all 8 domains.
Start Free Practice Test →