ISC2 · CISSP
Validates deep technical and managerial competence in information security, covering security and risk management, asset security, security architecture, communication and network security, identity and access management, security assessment, security operations, and software development security.
Questions
850
Duration
180 minutes
Passing Score
700/1000
Difficulty
ProfessionalLast Updated
Feb 2026
Use this CISSP practice exam to prepare for Certified Information Systems Security Professional (CISSP) with realistic questions, detailed explanations, and focused study modes. The practice bank includes 850 questions for ISC2 CISSP, so you can review the exam steadily instead of relying on one long cram session.
As you practice, pay extra attention to patterns in your missed answers. Start with short sessions to identify weak areas, then move into timed quizzes once your accuracy is consistent.
The explanations are especially useful when you want to connect exam wording to the responsibilities and scenarios described in the official certification guidance. Use the free preview first, then unlock the full question bank when you are ready to build a complete study routine.
The Certified Information Systems Security Professional (CISSP) is a globally recognized advanced certification offered by ISC2 that validates deep technical and managerial competence across the full spectrum of information security. It covers eight comprehensive domains: Security and Risk Management, Asset Security, Security Architecture and Engineering, Communication and Network Security, Identity and Access Management, Security Assessment and Testing, Security Operations, and Software Development Security. The breadth of coverage ensures certified professionals can think holistically about enterprise security—from cryptographic solutions and network design to incident response, business continuity, and secure software development lifecycles.
Accredited under ISO/IEC Standard 17024 and approved by the U.S. Department of Defense under DoD 8140.03, the CISSP is consistently ranked among the most prestigious and sought-after credentials in cybersecurity. ISC2 periodically updates the exam through a rigorous Job Task Analysis (JTA) process to ensure alignment with the evolving responsibilities of practicing information security professionals. The certification is widely regarded as a benchmark for senior-level security expertise, signaling that holders possess not just technical knowledge but the strategic and managerial acumen required to lead security programs.
CISSP is designed for experienced information security practitioners who have already built a substantial career foundation and are ready to validate senior-level expertise. Primary target roles include Chief Information Security Officers (CISOs), Security Architects, IT Directors and Managers, Security Consultants, Network Architects, and Chief Information Officers. The certification is especially valuable for professionals who operate at the intersection of technical security implementation and organizational governance.
Candidates who do not yet meet the five-year experience requirement but pass the exam may become an Associate of ISC2, earning full CISSP status once the experience threshold is met. This pathway makes the certification accessible to motivated early-career professionals who want to demonstrate their knowledge while building qualifying work history.
ISC2 requires candidates to have a minimum of five years of cumulative, paid, full-time work experience in two or more of the eight CISSP domains. This experience must be verifiable and may be in a variety of security-related roles. Candidates who hold a four-year college degree or a qualifying credential from the ISC2-approved list may waive up to one year of the required experience, reducing the requirement to four years minimum.
While there are no mandatory formal training prerequisites, ISC2 strongly recommends that candidates have hands-on experience across multiple domains before attempting the exam. A solid working knowledge of networking fundamentals, operating systems, risk management frameworks (such as NIST or ISO 27001), cryptography, and access control models is essential. Most successful candidates have backgrounds spanning roles such as security analyst, systems administrator, network engineer, or security engineer before pursuing CISSP.
The CISSP exam is delivered exclusively in Computerized Adaptive Testing (CAT) format across all languages as of April 2024. Under CAT, the exam presents between 100 and 150 items, with the session ending early once the scoring algorithm can determine a candidate's ability relative to the passing threshold with 95% statistical confidence. The maximum time allotted is 3 hours. Item types include multiple-choice questions as well as advanced innovative items such as drag-and-drop and hotspot questions.
The exam is scored on a scale of 0 to 1000, with a passing score of 700. Because the CAT algorithm adjusts difficulty dynamically based on each response, different candidates receive different sets of questions. The exam is administered at Pearson VUE testing centers worldwide and through online proctoring. Maintaining the CISSP credential requires earning 120 Continuing Professional Education (CPE) credits every three years and paying an Annual Maintenance Fee (AMF) to ISC2.
CISSP certification consistently commands some of the highest salaries in the cybersecurity field. According to ISC2 and independent salary surveys, CISSP holders in the United States earn an average of approximately $143,000–$161,000 per year, with total compensation frequently exceeding $175,000. Senior roles such as CISO average $148,000–$195,000, and top earners in major markets exceed $230,000. The certification typically yields a 10–25% salary premium over non-certified peers at equivalent experience levels, and holders earn roughly 30% more than the U.S. Bureau of Labor Statistics median for all information security analysts ($124,910).
The CISSP is one of the top five most-requested certifications in U.S. cybersecurity job postings, with consistently over 9,500 active listings on major job boards requiring or preferring the credential. The BLS projects 33% growth for information security analyst roles through 2033—far above average—and ISC2's 2024 workforce study identifies a global cybersecurity talent gap of 4.76 million professionals, ensuring continued strong demand. Compared to alternatives like the CISM (which focuses more narrowly on management) or the Security+ (which targets entry-level roles), CISSP is uniquely valued for senior roles because it bridges both technical depth and strategic governance across all eight domains.
5 sample questions with answers and explanations. Start a practice session to test yourself across all 850 questions.
Preview — answers shown1. A security operations team investigates suspicious activity where an attacker gained initial access through a phishing email, established persistence through a scheduled task, and moved laterally using stolen credentials. The team maps the attack to the MITRE ATT&CK framework. Which statement correctly describes the relationship between tactics and techniques in this scenario? (Select one!)
Explanation
In the MITRE ATT&CK framework, tactics represent the adversary's tactical objectives or goals during an attack (the why), while techniques describe the specific methods used to accomplish those objectives (the how). The scenario demonstrates multiple tactics: Initial Access is the tactic, achieved through the Phishing technique; Persistence is the tactic, achieved through the Scheduled Task technique; Lateral Movement is the tactic, achieved through credential theft techniques. This hierarchy helps organizations understand both the adversary's goals and their methods. Tactics are high-level goals, not low-level details; the statement inverts the relationship. Tactics and techniques serve different purposes in the framework with tactics being higher-level and techniques being more specific. The framework describes adversary behavior, not defensive controls. Understanding the tactic-technique relationship enables defenders to identify attacker objectives and anticipate potential techniques for each tactic.
2. A healthcare organization implements email security controls to protect patient health information transmitted to external specialists. The compliance officer requires cryptographic proof that emails originated from legitimate physicians and were not altered in transit. The organization currently uses SPF and DKIM. Which combination of email security mechanisms provides authentication, integrity, and non-repudiation? (Select one!)
Explanation
S/MIME provides the complete set of requirements including authentication, integrity, and non-repudiation through PKI-based digital signatures using X.509 certificates. When a physician digitally signs an email with their private key, the recipient can verify the signature using the sender's public key from their certificate, proving the sender's identity (authentication). The signature algorithm incorporates a hash of the message, so any tampering invalidates the signature (integrity). Because only the sender possesses the private key, they cannot later deny having sent the message (non-repudiation). S/MIME also supports encryption for confidentiality. DMARC with SPF and DKIM provides email authentication and integrity but not non-repudiation because the organization controls the signing keys, not individual senders. PGP provides similar capabilities to S/MIME but uses a web of trust model rather than hierarchical PKI with certificate authorities. STARTTLS provides transport encryption but no authentication or non-repudiation of message origin.
3. A database administrator configures access controls for a multi-classification database storing information at Secret, Confidential, and Unclassified levels. A user with Confidential clearance attempts to insert a new record with a primary key that already exists at the Secret level. The system allows the insert to succeed, creating two records with identical primary keys but different classification levels. Which database security mechanism prevents inference attacks through this approach? (Select one!)
Explanation
Polyinstantiation allows multiple rows with the same primary key to exist at different classification levels. When the Confidential user attempts to insert a duplicate key, the system allows it rather than rejecting the insert (which would reveal that a Secret-level record with that key exists, constituting an inference channel). This prevents inference attacks by not disclosing the existence of higher-classified data. Aggregation is the threat where combining multiple low-sensitivity data elements reveals high-sensitivity information. Inference is the threat being prevented, not the control mechanism. Cell suppression hides specific values in statistical databases to prevent identification.
4. A financial services organization evaluates passwordless authentication solutions to reduce credential theft and phishing attacks. The solution must eliminate shared secrets stored on servers while maintaining strong authentication assurance. Security architects compare FIDO2/WebAuthn against traditional multi-factor authentication. Which statement correctly describes FIDO2's security advantage over password-based MFA? (Select one!)
Explanation
FIDO2's phishing resistance derives from its public key cryptographic architecture where private keys never leave the authenticator device (hardware token or platform authenticator) and the cryptographic ceremony binds authentication to the specific web origin. Attackers cannot phish credentials that never traverse the network, and cloned phishing sites cannot complete authentication because domain binding prevents key usage on incorrect origins. FIDO2 still uses multiple factors (possession of authenticator plus biometric or PIN) so it does not eliminate multi-factor requirements. The security advantage is architecture, not biometric accuracy. FIDO2 explicitly avoids centralized credential storage; servers store only public keys which are useless to attackers. This architecture eliminates server-side credential databases as high-value targets, fundamentally changing the threat model compared to password-based systems.
5. A security architect designs defense-in-depth for a research laboratory storing trade secrets. Physical security includes a fence, badge-controlled doors, and security guards. The architect needs to add controls from different functional types. Which three controls represent detective, deterrent, and compensating functions respectively? (Select three!)
Multiple correct answersExplanation
Motion-activated CCTV cameras are detective controls because they identify security events during or after occurrence. Warning signs are deterrent controls because they discourage potential attackers by advertising consequences. The mandatory dual-person rule when biometrics are offline is a compensating control because it provides alternative security when the primary control is unavailable. Encrypted storage is a preventive technical control. Background investigations are preventive administrative controls. Fire suppression is a corrective physical control addressing safety, not security functions.
Certified Cloud Security Professional (CCSP)
CCSP · 850 questions
Certified in Governance, Risk and Compliance (CGRC)
CGRC · 850 questions
Information Systems Security Architecture Professional (ISSAP)
ISSAP · 850 questions
Information Systems Security Engineering Professional (ISSEP)
ISSEP · 850 questions
Systems Security Certified Practitioner (SSCP)
SSCP · 849 questions
Certified Secure Software Lifecycle Professional (CSSLP)
CSSLP · 841 questions
$17.99
One-time access to this exam