This free CISSP study guide walks through every content domain the Certified Information Systems Security Professional exam tests, organized to the current ISC2 exam outline (effective April 15, 2024).[1]
It’s interactive, not a wall of text: every module has built-in checkpoint quizzes, flashcards, and practice questions, so you learn by doing — not just reading.
The CISSP tests eight official domains, which together make up the ISC2 Common Body of Knowledge (CBK). We teach all eight in five study modules, grouping closely related domains, and we lead with the heaviest-weighted content.
Read a module, test yourself at each checkpoint, then drill gaps with our free practice test and flashcards. This guide is a high-yield overview that maps the official content — not a full security textbook.
CISSP is one of the 9 ISC2 certifications — explore our ISC2 study guides to compare and prep across the whole family.
CISSP Exam Snapshot
| Detail | CISSP Exam |
|---|---|
| Questions | 100–150 items (English CAT); 250 (non-English linear) |
| Format | Computerized Adaptive Testing (CAT); multiple choice + advanced items |
| Time | 3 hours (English CAT); 6 hours (linear) |
| Passing score | 700 out of 1000 points |
| Administered by | ISC2, delivered at Pearson VUE |
| Certifying body | ISC2 (formerly (ISC)²) |
| Eligibility | 5 years' experience in 2+ domains (1 yr waivable); or Associate of ISC2 |
| Cost | $749 USD (Americas) |
| Recertification | Every 3 years — 120 CPE credits + $135 annual maintenance fee |
| Outline version | Effective April 15, 2024 |
The CISSP covers eight domains, and unlike many exams the weights are fairly even — no single domain dominates. Security & Risk Management is the largest at 16%, and it frames everything else, so it is where to invest first.[1] Study by weight:
Security & Risk Management
16% of the exam
Asset Security
10% of the exam
Security Architecture & Engineering
13% of the exam
Communication & Network Security
13% of the exam
Identity & Access Management (IAM)
13% of the exam
Security Assessment & Testing
12% of the exam
Security Operations
13% of the exam
Software Development Security
10% of the exam
Module 1 · Security & Risk Management
One official domain, 16% of the exam — the largest. This domain is the foundation of the whole CISSP: the goals of security, how an organization governs and manages risk, and the ethics and legal duties a security professional carries. Master it and the rest of the exam makes sense.
1.1 CIA Triad, Governance & Ethics
Everything starts with the CIA triad. Confidentiality prevents unauthorized disclosure (encryption, access control); integrity prevents unauthorized change (hashing, digital signatures); and availability keeps systems reachable for authorized users (redundancy, backups). Its mirror image is DAD — Disclosure, Alteration, Destruction — the threats to each goal.
Security must be governed from the top. Senior management owns risk and sets the tone; the security professional translates business goals into policy. Know the policy hierarchy: policies (high-level intent) → standards (mandatory specifics) → procedures (step-by-step) → guidelines (recommended, optional).
Two governance duties are heavily tested: due diligence (doing the research and building the plan) and due care (acting on it by implementing and maintaining reasonable controls). Together they form the “prudent person rule”: do what a reasonable, prudent person in the same position would do.[1]
| Document | What it is | Mandatory? |
|---|---|---|
| Policy | High-level management statement of intent and goals | Yes |
| Standard | Specific mandatory requirements (e.g., 'use AES-256') | Yes |
| Procedure | Detailed step-by-step instructions | Yes |
| Baseline | A minimum required level of security | Yes |
| Guideline | Recommended, discretionary best practice | No |
Finally, every CISSP agrees to abide by the ISC2 Code of Ethics. Its four canons are applied in order: (1) protect society and the infrastructure, (2) act honorably, (3) provide diligent service to principals, and (4) advance the profession. When two canons conflict, the earlier one wins.[3]
1.2 Risk Management & Analysis
Risk is the chance that a threat exploits a vulnerability to harm an asset. The management process is a continuous loop: identify assets and threats, assess the risk, choose a treatment, implement controls, and monitor.
- 1
Identify assets & threats
Inventory assets, assign value, and identify threats and vulnerabilities that could affect them.
- 2
Assess risk
Determine likelihood and impact — qualitatively (high/medium/low) or quantitatively (ALE = SLE × ARO).
- 3
Choose a risk treatment
Mitigate (add controls), transfer (insurance), avoid (stop the activity), or accept the residual risk.
- 4
Implement controls
Deploy administrative, technical, and physical controls cost-effectively (a control should not cost more per year than the loss it prevents).
- 5
Measure residual risk
Residual risk is what remains after controls; senior management formally accepts it.
- 6
Monitor & review
Continuously monitor; reassess as assets, threats, and the business change.
You assess risk two ways. Qualitative analysis is subjective: ranking risks high/medium/low (fast, but not in dollars). Quantitative analysis is objective and money-based, and the CISSP loves its formulas. The Exposure Factor (EF) is the percentage of an asset's value lost per event; Single Loss Expectancy (SLE) = Asset Value × EF; the Annualized Rate of Occurrence (ARO) is the expected number of events per year; and Annualized Loss Expectancy (ALE) = SLE × ARO is the expected yearly cost.[4]
SLE = AV × EF
Single Loss Expectancy = Asset Value × Exposure Factor (the % of the asset lost per event).
ALE = SLE × ARO
Annualized Loss Expectancy = Single Loss Expectancy × Annualized Rate of Occurrence (events per year).
Worked example
Asset = $200,000; a flood destroys 50% (EF = 0.5) → SLE = $100,000. A flood every 10 years (ARO = 0.1) → ALE = $100,000 × 0.1 = $10,000/year. A control is cost-justified only if its annual cost is less than the ALE it removes, so spend less than $10,000/year to mitigate this risk.
Once you know the risk, you pick a treatment: mitigate (add controls), transfer (insurance), avoid (stop the activity), or accept (tolerate it with management sign-off). Whatever you do, residual risk remains, and a control should never cost more than the loss it prevents.
| Treatment | What you do | Example |
|---|---|---|
| Mitigate (reduce) | Add controls to lower likelihood or impact | Deploy MFA to reduce account takeover |
| Transfer | Shift the financial impact to a third party | Buy cyber-insurance |
| Avoid | Stop the activity that creates the risk | Discontinue a risky product feature |
| Accept | Formally tolerate the residual risk | Management signs off on a low-impact risk |
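The quantitative formulas above and the treatment table are easy to recite and easy to get wrong under time pressure, so here is the calculation carried through in code. This is an added example, not material from the original guide: it reuses the page's flood scenario and adds two hypothetical controls (a flood barrier and a relocation) plus the standard safeguard cost/benefit formula, (ALE before) − (ALE after) − (annual cost of safeguard), which the page states only as "spend less than the ALE". The control names, costs and risk appetite are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Risk:
    """One risk scenario expressed with the CISSP quantitative inputs."""
    name: str
    asset_value: float       # AV, in dollars
    exposure_factor: float   # EF, fraction of AV lost per event (0.0 to 1.0)
    aro: float               # ARO, expected events per year

    def sle(self) -> float:
        # Single Loss Expectancy = AV x EF
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        # Annualized Loss Expectancy = SLE x ARO
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    """A candidate control. It may lower impact (new EF), likelihood (new ARO), or both."""
    name: str
    annual_cost: float                     # ACS: annual cost of the safeguard
    new_exposure_factor: Optional[float] = None
    new_aro: Optional[float] = None


def ale_after(risk: Risk, control: Safeguard) -> float:
    """ALE that remains once the control is in place (residual risk, in dollars per year)."""
    ef = risk.exposure_factor if control.new_exposure_factor is None else control.new_exposure_factor
    aro = risk.aro if control.new_aro is None else control.new_aro
    return risk.asset_value * ef * aro


def safeguard_value(risk: Risk, control: Safeguard) -> float:
    """Cost/benefit of a control: (ALE before) - (ALE after) - (annual cost of safeguard).
    Positive means the control saves more than it costs; negative means it is not justified."""
    return risk.ale() - ale_after(risk, control) - control.annual_cost


def choose_treatment(risk: Risk, candidates: list, risk_appetite: float) -> str:
    """Pick a treatment the way the exam expects: mitigate with the most cost-effective
    control if one pays for itself; otherwise accept if the ALE is within appetite;
    otherwise the residual exposure must be transferred or the activity avoided."""
    justified = [(safeguard_value(risk, c), c) for c in candidates if safeguard_value(risk, c) > 0]
    if justified:
        value, best = max(justified, key=lambda pair: pair[0])
        return f"mitigate with {best.name} (net value ${value:,.0f}/year)"
    if risk.ale() <= risk_appetite:
        return "accept (ALE within risk appetite; document management sign-off)"
    return "transfer or avoid (no control is cost-justified and ALE exceeds appetite)"


# Constructed scenario: the flood example from this page plus two hypothetical controls.
FLOOD = Risk("flood in the server room", asset_value=200_000, exposure_factor=0.5, aro=0.1)
BARRIER = Safeguard("flood barrier and raised floor", annual_cost=4_000, new_exposure_factor=0.1)
RELOCATE = Safeguard("relocate to a higher floor", annual_cost=15_000, new_aro=0.01)

if __name__ == "__main__":
    print(f"SLE = ${FLOOD.sle():,.0f}, ALE = ${FLOOD.ale():,.0f}/year")
    for control in (BARRIER, RELOCATE):
        print(f"{control.name}: residual ALE ${ale_after(FLOOD, control):,.0f}, "
              f"value ${safeguard_value(FLOOD, control):,.0f}")
    print(choose_treatment(FLOOD, [BARRIER, RELOCATE], risk_appetite=5_000))
```

Run it and the barrier wins: it cuts the ALE from $10,000 to $2,000 for $4,000 a year (net value $4,000), while the relocation costs $15,000 to remove $9,000 of expected loss and is rejected even though it reduces risk more. That is the exam's point: the treatment decision is driven by the loss avoided, not by how much risk a control removes in absolute terms.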
1.3 Business Continuity & Disaster Recovery
Business continuity keeps critical functions running through a disruption; disaster recovery restores IT afterward. The process begins with management buy-in and centers on the Business Impact Analysis (BIA), which identifies critical functions and sets the recovery targets every other decision serves.
- 1
Project scope & planning
Get senior management buy-in, form the BCP team, and define scope and resources.
- 2
Business Impact Analysis (BIA)
Identify critical functions and set MTD, RTO, and RPO; quantify the impact of disruption.
- 3
Continuity / recovery strategy
Choose recovery options that meet the RTO — hot, warm, or cold sites; backups; redundancy.
- 4
Plan development
Document the BCP and DR plans, roles, call trees, and emergency procedures.
- 5
Test, train & maintain
Exercise the plan (checklist → tabletop → simulation → parallel → full interruption) and keep it current.
Know the recovery metrics cold. Maximum Tolerable Downtime (MTD) is the outer limit a function can be down. Recovery Time Objective (RTO) is the target time to restore it (RTO must be less than MTD). Recovery Point Objective (RPO) is the maximum acceptable data loss, measured backward in time from the failure, which dictates how often you back up. And recovery site choices trade cost against speed.
| Term / site | Meaning | Trade-off |
|---|---|---|
| MTD | Maximum Tolerable Downtime — the absolute limit | Drives the RTO |
| RTO | Recovery Time Objective — target time to restore | Must be shorter than the MTD |
| RPO | Recovery Point Objective — acceptable data loss | Drives backup frequency |
| Hot site | Fully equipped, near-real-time failover | Fastest recovery, most expensive |
| Warm site | Hardware and connectivity, data restored on demand | Moderate cost and speed |
| Cold site | Empty space with power/cooling only | Cheapest, slowest to bring online |
Checkpoint · Security & Risk Management
Question 1 of 10
An organization is deciding how to handle a risk that has low likelihood but catastrophic impact if it occurs. Leadership determines that the cost of full mitigation exceeds the asset value, but the residual exposure is unacceptable. Which risk treatment is MOST appropriate?
Module 2 · Asset Security & Architecture
Two official domains, 23% of the exam combined: Asset Security (10%) and Security Architecture & Engineering (13%). This module is about protecting data through its lifecycle and understanding the models, systems, and cryptography that enforce security.
2.1 Asset Security & Data Protection
Asset security starts with data classification: labeling data by sensitivity so the right protection is applied. The data owner (a senior business manager) is accountable and sets the classification; the data custodian (usually IT) is responsible for implementing the controls day to day. Under privacy law, the data controller decides why and how personal data is processed, and a data processor acts on the controller’s instructions.
Protect data across its three states — at rest (encrypt the disk/database), in transit (TLS/IPsec), and in use (the hardest, e.g., enclaves). At end of life, you must defeat data remanence with proper media sanitization, as defined in NIST SP 800-88: clearing (overwrite for internal reuse), purging (degauss, cryptographic erase, or a stronger overwrite so the media can be released externally), or destruction (shred, pulverize, incinerate).[8]
| Concept | Detail |
|---|---|
| Data owner | Accountable; sets classification and protection requirements (senior manager) |
| Data custodian | Responsible for day-to-day controls (backups, access) — usually IT |
| Data controller | Decides why and how personal data is processed (privacy law) |
| Data processor | Processes data on the controller's instructions (often a vendor) |
| At rest | Stored data — protect with full-disk/database encryption |
| In transit | Moving data — protect with TLS, IPsec, or VPNs |
| In use | Data being processed in memory — hardest to protect |
2.2 Security Models & Architecture
Security models formalize a policy into rules a system can enforce. The two you must know cold are Bell-LaPadula (confidentiality) and Biba (integrity); they are mirror images.
Bell-LaPadula
Protects Confidentiality
- Simple Security Property: no READ UP
- *-Property (Star): no WRITE DOWN
- "No read up, no write down"
Biba
Protects Integrity
- Simple Integrity Axiom: no READ DOWN
- *-Integrity Axiom: no WRITE UP
- "No read down, no write up"
A third, Clark-Wilson, protects integrity through well-formed transactions and separation of duties. Underneath the models, the reference monitor mediates every access between subjects and objects; it is implemented by the security kernel within the trusted computing base (TCB).
| Model | Protects | Key idea |
|---|---|---|
| Bell-LaPadula | Confidentiality | No read up, no write down |
| Biba | Integrity | No read down, no write up |
| Clark-Wilson | Integrity | Well-formed transactions + separation of duties |
| Brewer-Nash (Chinese Wall) | Confidentiality | Access changes dynamically to prevent conflicts of interest |
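The mirror-image rules are the part candidates mix up, so the following added example (not from the original guide) encodes both models as decision functions and wraps them in a minimal reference monitor that logs every decision. The levels, subjects and objects are constructed; the four requests are chosen so that each model allows exactly the two the other denies.

```python
from enum import IntEnum


class Level(IntEnum):
    """Ordered sensitivity (BLP) or integrity (Biba) levels; higher number = higher level."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def blp_allows(subject_clearance: Level, object_label: Level, op: str) -> bool:
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    if op == "read":
        return subject_clearance >= object_label      # simple security property
    if op == "write":
        return subject_clearance <= object_label      # *-property (writing up is allowed)
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject_integrity: Level, object_integrity: Level, op: str) -> bool:
    """Biba (integrity): no read down, no write up (the mirror image of BLP)."""
    if op == "read":
        return subject_integrity <= object_integrity  # simple integrity axiom
    if op == "write":
        return subject_integrity >= object_integrity  # *-integrity axiom
    raise ValueError(f"unknown operation {op!r}")


class ReferenceMonitor:
    """Mediates every subject/object access against one model and keeps an audit trail.
    The three reference-monitor properties in miniature: always invoked (all access goes
    through `access`), tamper-proof (labels live here, not with the caller), and small
    enough to verify by reading it."""

    def __init__(self, model, subjects: dict, objects: dict):
        self.model = model            # blp_allows or biba_allows
        self.subjects = subjects      # subject name -> Level
        self.objects = objects        # object name -> Level
        self.audit_log = []           # (subject, op, object, decision)

    def access(self, subject: str, op: str, obj: str) -> bool:
        decision = self.model(self.subjects[subject], self.objects[obj], op)
        self.audit_log.append((subject, op, obj, "ALLOW" if decision else "DENY"))
        return decision


# Constructed labels for the demo.
SUBJECTS = {"analyst": Level.SECRET, "clerk": Level.UNCLASSIFIED}
OBJECTS = {"war_plan": Level.TOP_SECRET, "budget": Level.CONFIDENTIAL,
           "press_release": Level.UNCLASSIFIED}


def demo(model) -> dict:
    """Run the same four requests through one model and return {request: decision}."""
    rm = ReferenceMonitor(model, SUBJECTS, OBJECTS)
    requests = [("analyst", "read", "war_plan"), ("analyst", "read", "budget"),
                ("analyst", "write", "press_release"), ("analyst", "write", "war_plan")]
    return {f"{s} {op} {o}": rm.access(s, op, o) for s, op, o in requests}


if __name__ == "__main__":
    for name, model in (("Bell-LaPadula", blp_allows), ("Biba", biba_allows)):
        print(name)
        for request, allowed in demo(model).items():
            print(f"  {request:30} {'ALLOW' if allowed else 'DENY'}")
```

Under BLP the SECRET analyst may read the CONFIDENTIAL budget and even write into the TOP SECRET war plan (writing up leaks nothing), but may not read the war plan or write a press release. Under Biba every one of those decisions flips, because a high-integrity subject must not consume low-integrity input or contaminate high-integrity data. Note what BLP alone does not give you: the analyst can blindly append to the war plan, which is exactly why real systems pair a confidentiality model with an integrity model.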
2.3 Cryptography
Cryptography delivers confidentiality, integrity, authentication, and non-repudiation. Symmetric encryption uses one shared key (AES): fast, but the key is hard to distribute. Asymmetric encryption uses a public/private key pair (RSA, ECC): slower, but it solves key exchange and enables digital signatures. Real systems use both (hybrid): asymmetric to exchange a symmetric session key, then symmetric for the bulk data.
For integrity, hashing produces a one-way fixed-length digest (SHA-256). A digital signature hashes a message and encrypts the hash with the sender’s private key, giving integrity, authenticity, and non-repudiation. The trust behind public keys is managed by a Public Key Infrastructure (PKI).
| Goal | Use this key | Result |
|---|---|---|
| Confidentiality (encrypt for someone) | Recipient's PUBLIC key | Only the recipient's private key can decrypt |
| Authenticity (sign a message) | Sender's PRIVATE key | Anyone can verify with the sender's public key |
| Integrity | Hash function (no key) | A changed message produces a different digest |
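The key table above is the single most tested cryptography fact on the exam, so this added example (not from the original guide) runs it: textbook RSA with two toy key pairs, a session key wrapped with the recipient's public key, and a message signed with the sender's private key. Everything here is an assumption for illustration: the primes are tiny (real keys use primes of 1024 bits or more), there is no padding, and the SHA-256 digest is truncated to four bytes so it fits under the small modulus. It demonstrates the asymmetry, not a secure implementation; use a vetted library for real systems.

```python
import hashlib
from math import gcd

# Toy primes (assumption; real RSA keys use primes of 1024+ bits each).
ALICE_PRIMES = (104729, 1299709)   # the 10,000th and 100,000th primes
BOB_PRIMES = (104723, 65521)       # the 9,999th prime and the largest prime below 2^16
PUBLIC_EXPONENT = 65537


def generate_keypair(p: int, q: int, e: int = PUBLIC_EXPONENT):
    """Textbook RSA key generation: n = p*q, d = e^-1 mod phi(n). Returns (public, private)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with phi(n)")
    d = pow(e, -1, phi)              # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt_for(recipient_public, m: int) -> int:
    """Confidentiality: encrypt with the RECIPIENT'S public key; only their private key decrypts."""
    n, e = recipient_public
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def decrypt_with(recipient_private, c: int) -> int:
    n, d = recipient_private
    return pow(c, d, n)


def _digest_as_int(message: bytes) -> int:
    # Toy: keep the first 4 bytes of SHA-256 so the value fits under the tiny modulus.
    # Real signatures keep the full digest and apply padding (PKCS#1 v1.5 or PSS).
    return int.from_bytes(hashlib.sha256(message).digest()[:4], "big")


def sign(sender_private, message: bytes) -> int:
    """Authenticity: 'encrypt' the hash with the SENDER'S private key."""
    n, d = sender_private
    return pow(_digest_as_int(message), d, n)


def verify(sender_public, message: bytes, signature: int) -> bool:
    """Anyone holding the sender's public key can check integrity and origin."""
    n, e = sender_public
    return pow(signature, e, n) == _digest_as_int(message)


def hybrid_exchange(sender_private, recipient_public, session_key: int, message: bytes) -> dict:
    """What TLS does in spirit: sign the message and wrap the symmetric session key
    with the recipient's public key. Returns what would go on the wire."""
    return {"wrapped_key": encrypt_for(recipient_public, session_key),
            "message": message,
            "signature": sign(sender_private, message)}


if __name__ == "__main__":
    alice_pub, alice_priv = generate_keypair(*ALICE_PRIMES)
    bob_pub, bob_priv = generate_keypair(*BOB_PRIMES)
    wire = hybrid_exchange(alice_priv, bob_pub, session_key=0xC0FFEE, message=b"pay 100 to acct 42")
    print("Bob recovers session key:", hex(decrypt_with(bob_priv, wire["wrapped_key"])))
    print("Signature verifies:", verify(alice_pub, wire["message"], wire["signature"]))
    print("Tampered message verifies:", verify(alice_pub, b"pay 900 to acct 42", wire["signature"]))
```

Two things to notice. The same `pow` operation does both jobs; which key you use determines whether you get confidentiality (recipient's public key in, recipient's private key out) or authenticity (sender's private key in, sender's public key out). And the signature covers the digest, so changing a single byte of the message makes verification fail while the ciphertext of the session key is untouched, which is why integrity and confidentiality are separate goals needing separate mechanisms.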
Checkpoint · Asset Security & Architecture
Question 1 of 10
An organization is classifying data and must label information whose disclosure would cause exceptionally grave damage to national security. In the U.S. government classification scheme, this level is:
Module 3 · Network Security & IAM
Two official domains, 26% of the exam combined: Communication & Network Security (13%) and Identity & Access Management (13%). This module covers how data moves securely across networks and how the right people — and only the right people — get access.
3.1 Communication & Network Security
The backbone here is the OSI model: seven layers from Physical to Application. CISSP maps devices, protocols, and attacks to layers: switches at Layer 2, routers at Layer 3, and security protocols at various layers. Defense in depth then layers controls so a single failure doesn’t expose the asset.
| Layer | OSI layer | Example |
|---|---|---|
| 7 | Application | HTTP, DNS, SMTP |
| 6 | Presentation | Encryption, encoding (TLS sits around 6/7) |
| 5 | Session | Session setup and teardown |
| 4 | Transport | TCP, UDP (port numbers) |
| 3 | Network | IP, routers, IPsec |
| 2 | Data Link | MAC addresses, switches |
| 1 | Physical | Cables, signals, hubs |
Know the secure protocols by purpose: TLS secures application traffic (HTTPS), IPsec secures IP at Layer 3 (VPN tunnels), and SSH gives secure remote administration. Segmentation (VLANs, subnets), firewalls, and strong wireless security (WPA3) round out the controls. Beware insecure legacy protocols (Telnet, FTP, WEP).
3.2 Identity & Access Management
Access control is a four-step sequence: identification (claim an identity) → authentication (prove it) → authorization (what you may do) → accountability (log it). Strong authentication means multi-factor authentication (MFA), which combines factors from different categories: something you know (password), have (token), and are (biometric).[7]
Two principles govern who gets what: least privilege (only the minimum access needed) and separation of duties (no one person controls a sensitive task end to end). Authorization is enforced through access control models.
DAC — Discretionary
The data owner decides who gets access (e.g., file permissions, ACLs). Flexible but prone to error.
MAC — Mandatory
The system enforces access from labels/clearances (e.g., classified data). Rigid and high-security.
RBAC — Role-Based
Access is granted by job role, not the individual. Scales well in enterprises.
ABAC — Attribute-Based
Access decided by attributes/policies (user, resource, time, location). The most granular.
Rule-Based
Global rules applied to everyone (e.g., a firewall ruleset, time-of-day restrictions).
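The models above read as vocabulary until you see how differently each one decides. This added example (not from the original guide) implements a DAC access-control list, an RBAC role table with a separation-of-duties check, and a small ABAC policy engine with a rule-based time-of-day restriction. The users, roles, objects and rules are all constructed for the demo.

```python
from datetime import time

# --- DAC: the object's owner maintains its ACL (constructed data) ---
ACL = {
    "q3_forecast.xlsx": {"owner": "alice", "read": {"alice", "bob"}, "write": {"alice"}},
}


def dac_allows(user: str, obj: str, op: str) -> bool:
    entry = ACL.get(obj)
    return entry is not None and (user == entry["owner"] or user in entry.get(op, set()))


# --- RBAC: permissions hang off roles; users are assigned roles, never permissions ---
ROLE_PERMISSIONS = {
    "helpdesk": {"ticket:read", "ticket:comment"},
    "payments": {"payment:create"},
    "approver": {"payment:approve"},
    "admin":    {"ticket:read", "ticket:comment", "user:delete"},
}
USER_ROLES = {"carol": {"helpdesk"}, "dave": {"payments"}, "erin": {"approver"},
              "frank": {"payments", "approver"}}   # frank can both create and approve payments


def rbac_allows(user: str, permission: str) -> bool:
    return any(permission in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))


def sod_violations(toxic_pairs) -> list:
    """Separation of duties: users who hold both halves of a sensitive task."""
    offenders = {user for user in USER_ROLES
                 for left, right in toxic_pairs
                 if rbac_allows(user, left) and rbac_allows(user, right)}
    return sorted(offenders)


# --- ABAC: a policy evaluates attributes of subject, resource, action and environment ---
def abac_allows(subject: dict, resource: dict, action: str, env: dict) -> bool:
    """Deny-overrides evaluation: any matching deny rule wins, then any matching permit."""
    rules = [
        # rule-based restriction that applies to everyone: no writes outside business hours
        ("deny", lambda: action == "write" and not time(8, 0) <= env["time"] <= time(18, 0)),
        # staff may read their own department's records, but only from the corporate network
        ("permit", lambda: action == "read"
                           and subject["department"] == resource["department"]
                           and env["network"] == "corporate"),
        # a record's owner may write it
        ("permit", lambda: action == "write" and subject["id"] == resource["owner"]),
    ]
    if any(effect == "deny" and test() for effect, test in rules):
        return False
    return any(effect == "permit" and test() for effect, test in rules)


if __name__ == "__main__":
    print("DAC  bob writes forecast:", dac_allows("bob", "q3_forecast.xlsx", "write"))
    print("RBAC carol deletes user:", rbac_allows("carol", "user:delete"))
    print("SoD  violations:", sod_violations([("payment:create", "payment:approve")]))
    gina = {"id": "gina", "department": "finance"}
    ledger = {"owner": "gina", "department": "finance"}
    print("ABAC gina writes at 20:00:",
          abac_allows(gina, ledger, "write", {"time": time(20, 0), "network": "corporate"}))
```

The decision inputs are what separate the models: DAC consults a list the owner edits, RBAC consults the subject's role, and ABAC consults any attribute the policy names, including the environment, which is how a single rule-based restriction (no writes after hours) gets applied to everyone. The separation-of-duties check is an audit, not an access decision; it belongs in the role-assignment process so that a user like frank never receives both roles in the first place.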
Enterprises tie it together with single sign-on (SSO) and federation: Kerberos (ticket-based, symmetric-key SSO inside a network, using a Key Distribution Center), SAML (web SSO/federation), and OAuth/OIDC (authorization and federated login for apps and APIs).
| Factor | Type | Examples |
|---|---|---|
| Something you know | Knowledge | Password, PIN, passphrase |
| Something you have | Possession | Smart card, hardware token, phone |
| Something you are | Inherence (biometric) | Fingerprint, iris, face |
Checkpoint · Network Security & IAM
Question 1 of 10
Which firewall type inspects the state of active connections and makes decisions based on the context of traffic?
Module 4 · Assessment, Testing & Operations
Two official domains, 25% of the exam combined: Security Assessment & Testing (12%) and Security Operations (13%). This module is about proving controls work and running security day to day — including incidents and disaster recovery.
4.1 Security Assessment & Testing
You verify controls three ways. A vulnerability scan is an automated, broad check for known weaknesses (no exploitation). A penetration test goes further: an authorized, simulated attack that actively exploits weaknesses to show real impact. A security audit is an independent evaluation of controls against a standard.
| Activity | What it does | Who / how |
|---|---|---|
| Vulnerability scan | Finds known weaknesses automatically | Frequent, low-risk, automated tool |
| Penetration test | Exploits weaknesses to prove impact | Authorized testers; rules of engagement |
| Security audit | Evaluates controls against a standard | Independent auditor (e.g., SOC 2) |
Penetration tests come in flavors by knowledge: black-box (no prior knowledge, simulates an outsider), white-box (full knowledge), and gray-box (partial). Round out the domain with code review (static analysis of source vs. dynamic testing of a running app) and third-party audit reports: SOC 2 covers the Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy), while SOC 1 covers controls relevant to financial reporting.
4.2 Security Operations
Operations is where security runs daily. The ISC2 incident management lifecycle is: Detection → Response → Mitigation → Reporting → Recovery → Remediation → Lessons Learned. You detect and confirm, respond to contain, mitigate and report, recover operations, remediate root causes, and capture lessons learned. NIST SP 800-61 groups the same work into Preparation, Detection and Analysis, Containment/Eradication/Recovery, and Post-Incident Activity; the exam uses the ISC2 names, so know both.[6]
| Phase | What happens |
|---|---|
| Detection | Identify and confirm that an incident has occurred |
| Response | Contain the incident to limit damage |
| Mitigation | Reduce the impact and stop the spread |
| Reporting | Notify stakeholders and required authorities |
| Recovery | Restore systems to normal operation |
| Remediation | Fix the root cause so it can't recur |
| Lessons Learned | Review the response and improve the plan |
Day-to-day operations also rely on logging and monitoring (a SIEM correlates events), change management (controlled, documented changes), and backups. Know backup types — full (everything), incremental (changes since the last backup of any kind; fast backup, slow restore), and differential (changes since the last full; slower backup, faster restore) — plus evidence handling and chain of custody.
| Type | Backs up | Restore |
|---|---|---|
| Full | All selected data | Fastest (one set) |
| Incremental | Changes since the last backup of any type | Slowest (full + every increment) |
| Differential | Changes since the last full backup | Faster (full + one differential) |
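The restore-speed trade-off in the table, and the RPO/RTO/MTD rules from the continuity module, are both about the same question: after a failure, which backup sets do you need and how much data is gone? This added example (not from the original guide) builds a constructed backup calendar (weekly full on Sunday, one daily backup at midnight, failure on Thursday afternoon), works out the restore set for each scheme, and checks the result against BIA targets. The dates and targets are assumptions for the demo.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

KINDS = ("incremental", "differential")


@dataclass(frozen=True)
class Backup:
    when: datetime
    kind: str   # "full", "incremental" or "differential"


def weekly_schedule(strategy: str, first_full: datetime, days: int) -> list:
    """Full backup on day 0 and every 7th day, one `strategy` backup on every other day."""
    if strategy not in KINDS:
        raise ValueError(f"strategy must be one of {KINDS}")
    return [Backup(first_full + timedelta(days=i), "full" if i % 7 == 0 else strategy)
            for i in range(days)]


def restore_set(history: list, recover_to: datetime) -> list:
    """Backup sets to apply, in order, to recover to `recover_to`.
    Incremental: last full + every incremental since it. Differential: last full + latest differential."""
    usable = sorted((b for b in history if b.when <= recover_to), key=lambda b: b.when)
    if not usable:
        raise ValueError("no backup exists before the requested recovery point")
    needed = []
    for b in reversed(usable):
        needed.append(b)
        if b.kind == "full":
            break
        if b.kind == "differential":
            # one differential already carries every change since the last full; jump to it
            needed.append(max((f for f in usable if f.kind == "full" and f.when < b.when),
                              key=lambda f: f.when))
            break
    return list(reversed(needed))


def data_loss(history: list, failure: datetime) -> timedelta:
    """Everything written after the newest usable backup is lost; this is what the RPO bounds."""
    return failure - restore_set(history, failure)[-1].when


def check_targets(mtd: timedelta, rto: timedelta, rpo: timedelta,
                  history: list, failure: datetime) -> list:
    """Findings a BIA reviewer would raise; an empty list means the plan is consistent."""
    findings = []
    if rto >= mtd:
        findings.append("RTO must be shorter than MTD")
    loss = data_loss(history, failure)
    if loss > rpo:
        findings.append(f"backup interval too long: would lose {loss} against an RPO of {rpo}")
    return findings


# Constructed scenario: weekly full on Sunday 2 June 2024, daily backups at midnight,
# disk failure on Thursday 6 June at 15:00.
FIRST_FULL = datetime(2024, 6, 2, 0, 0)
FAILURE = datetime(2024, 6, 6, 15, 0)

if __name__ == "__main__":
    for strategy in KINDS:
        sets = restore_set(weekly_schedule(strategy, FIRST_FULL, days=14), FAILURE)
        print(f"{strategy:12} restore {len(sets)} sets:",
              ", ".join(f"{b.kind}@{b.when:%a}" for b in sets))
    history = weekly_schedule("incremental", FIRST_FULL, days=14)
    print("data loss:", data_loss(history, FAILURE))
    print(check_targets(mtd=timedelta(hours=24), rto=timedelta(hours=8),
                        rpo=timedelta(hours=4), history=history, failure=FAILURE))
```

Thursday's failure needs five sets under the incremental scheme (Sunday's full plus Monday through Thursday) but only two under the differential scheme, which is the whole "slower backup, faster restore" trade-off in one number. Either way the data loss is 15 hours, so a 4-hour RPO is not met by any nightly scheme; the RPO dictates backup frequency, and the backup type only changes how long the restore takes.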
Checkpoint · Assessment, Testing & Operations
Question 1 of 10
Which type of security testing involves an authorized simulated attack to evaluate exploitability of vulnerabilities?
Module 5 · Software Development Security
One official domain, 10% of the exam. This domain is about building security into software rather than bolting it on — across the development lifecycle, in the code, and in the supply chain.
5.1 Secure SDLC & Application Security
A secure SDLC weaves security into every phase: threat modeling in design, secure coding and code review in build, and security testing before release, so flaws are caught early, when they are cheapest to fix. STRIDE is a common threat-modeling taxonomy. Maturity models such as BSIMM and OWASP SAMM measure and improve a program, and DevSecOps automates security testing inside CI/CD pipelines.
| Model | Characteristic |
|---|---|
| Waterfall | Sequential phases; rigid, good for stable requirements |
| Agile | Iterative sprints; flexible, frequent delivery |
| DevSecOps | Security automated into continuous integration/delivery |
| Spiral | Iterative with heavy risk analysis each cycle |
On the application itself, the OWASP Top 10 names the highest-impact web risks: broken access control, cryptographic failures, and injection lead the list. The single most important defense against SQL injection and similar attacks is rigorous input validation and parameterized queries: never trust user input.[10] Know the database threats too: inference (deducing data you can’t see directly), aggregation (combining harmless facts into sensitive ones), and polyinstantiation (a defense that keeps different versions of the same record at different classification levels so a low-cleared user cannot infer the higher-level version).
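"Parameterized queries" is easy to nod along to and hard to recognize in code, so here is the vulnerable login beside its fixed form, as an added example that is not from the original guide. It runs against an in-memory SQLite database with a constructed users table; the payload, credentials and allow-list pattern are assumptions for the demo, and the plain SHA-256 password "hash" is a shortcut (real systems need a slow, salted password hash such as bcrypt or Argon2).

```python
import hashlib
import re
import sqlite3

# Constructed users table: (username, password, role).
USERS = [("admin", "S3cret-Admin!", "admin"), ("bob", "hunter2", "user")]


def pw_hash(password: str) -> str:
    # Demo shortcut; production code must use bcrypt/scrypt/Argon2 with a per-user salt.
    return hashlib.sha256(password.encode()).hexdigest()


def setup() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(u, pw_hash(p), r) for u, p, r in USERS])
    return conn


def login_vulnerable(conn, username: str, password: str):
    """String-built query: attacker-controlled text becomes SQL syntax.
    username = "admin' --" turns the WHERE clause into  username = 'admin' --...
    and the password comparison is commented out."""
    query = (f"SELECT role FROM users WHERE username = '{username}' "
             f"AND password_hash = '{pw_hash(password)}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")   # allow-list: what a username may look like


def login_safe(conn, username: str, password: str):
    """Allow-list validation plus a parameterized query: the driver sends the values
    separately from the SQL text, so input can never change the statement's structure."""
    if not USERNAME_RE.fullmatch(username):
        return None
    row = conn.execute("SELECT role FROM users WHERE username = ? AND password_hash = ?",
                       (username, pw_hash(password))).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = setup()
    payload = "admin' --"
    print("vulnerable login with payload:", login_vulnerable(conn, payload, "wrong"))
    print("safe login with payload:      ", login_safe(conn, payload, "wrong"))
    print("safe login, real credentials: ", login_safe(conn, "admin", "S3cret-Admin!"))
```

The vulnerable function returns the admin role for a wrong password because the attacker's quote and comment rewrite the query; the safe one returns nothing for the same input. Both defenses matter: the parameter binding is what actually stops injection, and the allow-list rejects obviously hostile input before it reaches the database at all, which also keeps the payload out of logs and error messages.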
Checkpoint · Software Development Security
Question 1 of 10
A buffer overflow that allows an attacker to execute code is MOST directly enabled by:
How to Use This CISSP Study Guide
This guide is built to be worked, not just read. The most efficient path to a pass:
- Study by weight, but cover all eight. The CISSP’s weights are relatively even — start with Security & Risk Management (16%), but no domain is small enough to skip.
- Think like a manager. CISSP questions ask for the best answer, often the one that addresses people, process, and governance — not just the most technical fix.
- Check off as you go. Use the Study Guide Contents to mark each section done; it raises your exam-readiness score.
- Take every checkpoint. The end-of-module quizzes show you exactly which domains need another pass.
- Drill the weak domain. Send your weak area into the flashcards and a practice test until the score climbs comfortably above 700.
CISSP Concept Questions
Common CISSP concepts candidates search while studying — each answered briefly and backed by an official source. Test yourself, then drill them as flashcards.
CISSP Glossary
The high-yield CISSP terms in one place — hover any dotted term in the guide, or flip the whole deck here as a self-grading flashcard set.
- Accountability
- Tying actions back to a specific identity through logging and monitoring.
- Annualized Loss Expectancy (ALE)
- The expected yearly cost of a risk: ALE = SLE × ARO. Used to cost-justify controls.
- Annualized Rate of Occurrence (ARO)
- The expected number of times a specific risk event will occur in one year.
- Asymmetric encryption
- Encryption using a public/private key pair (e.g., RSA, ECC); solves key exchange and enables digital signatures.
- Attribute-based access control (ABAC)
- Access decided by attributes and policy (user, resource, time, location); the most granular.
- Authentication
- Proving a claimed identity with a credential (knowledge, possession, or inherence factor).
- Authorization
- Determining what an authenticated identity is permitted to access and do.
- Availability
- Ensuring authorized users have timely, reliable access to systems and data; protected by redundancy, backups, and fault tolerance.
- Bell-LaPadula model
- A confidentiality model: Simple Security Property (no read up) and *-Property (no write down) — 'no read up, no write down.'
- Biba model
- An integrity model: Simple Integrity Axiom (no read down) and *-Integrity Axiom (no write up) — 'no read down, no write up.'
- Business continuity plan (BCP)
- A plan to keep critical business functions operating during and after a disruption.
- Business Impact Analysis (BIA)
- An analysis that identifies critical business functions and sets recovery objectives (MTD, RTO, RPO); the heart of continuity planning.
- Chain of custody
- Documentation showing who handled evidence and when, preserving its integrity for legal use.
- Change management
- A controlled process for evaluating, approving, and documenting changes to systems.
- CIA triad
- The three core goals of information security: Confidentiality (no unauthorized disclosure), Integrity (no unauthorized modification), and Availability (timely, reliable access for authorized users).
- Clark-Wilson model
- An integrity model enforcing well-formed transactions and separation of duties through the access triple (subject-program-object).
- Confidentiality
- Preventing the unauthorized disclosure of data; protected primarily by encryption and access controls.
- Data classification
- Labeling data by sensitivity (e.g., public, confidential, secret) so the right level of protection is applied.
- Data controller
- Under privacy law, the entity that decides why and how personal data is processed.
- Data custodian
- The party (usually IT) that implements and maintains the controls protecting data day to day.
- Data owner
- The senior business manager accountable for data, who sets its classification and protection requirements.
- Data processor
- A party that processes personal data on behalf of, and on the instructions of, the controller.
- Data remanence
- Residual data that remains on media after deletion or formatting and may be recoverable.
- Defense in depth
- Layering multiple, overlapping controls so that if one fails, others still protect the asset.
- Digital signature
- A hash of a message encrypted with the sender's private key, providing integrity, authenticity, and non-repudiation.
- Disaster recovery (DR)
- The processes and procedures to restore IT systems and operations after a disruptive event.
- Discretionary access control (DAC)
- Access decided by the data owner (e.g., file permissions, ACLs).
- Due care
- Acting on due diligence by implementing and maintaining reasonable controls — what a prudent person would do.
- Due diligence
- Doing the research and developing the plans/policies needed to protect the organization — the homework before acting.
- Exposure factor (EF)
- The percentage of an asset's value that would be lost if a specific risk event occurred.
- Hashing
- A one-way function producing a fixed-length digest used to verify integrity (e.g., SHA-256); not reversible.
- Identification
- A subject claiming an identity (e.g., a username) — the first step of access control.
- Incident response
- The structured process to detect, respond to, recover from, and learn from a security incident.
- Integrity
- Ensuring data is accurate and unaltered except by authorized parties; protected by hashing, digital signatures, and change control.
- ISC2 Code of Ethics
- Four canons every CISSP must follow, applied in order: protect society and the infrastructure; act honorably; provide diligent service to principals; advance and protect the profession.
- Kerberos
- A symmetric-key SSO authentication protocol using tickets and a Key Distribution Center (KDC).
- Least privilege
- Granting users and processes only the minimum access needed to do their job, and nothing more.
- Mandatory access control (MAC)
- Access enforced by the system from labels and clearances; rigid and high-security.
- Maximum Tolerable Downtime (MTD)
- The longest time a business function can be unavailable before the organization suffers unacceptable harm.
- Media sanitization
- Removing data from media via clearing, purging, or destruction so it cannot be recovered (NIST SP 800-88).
- Multi-factor authentication (MFA)
- Using two or more factors from different categories — something you know, have, and are.
- Non-repudiation
- Assurance that a party cannot deny having performed an action, achieved through digital signatures and logging.
- OSI model
- A seven-layer reference model for networking: Physical, Data Link, Network, Transport, Session, Presentation, Application.
- OWASP Top 10
- A community list of the most critical web application security risks (e.g., broken access control, injection).
- Penetration test
- An authorized, simulated attack that actively exploits weaknesses to demonstrate real impact.
- Public Key Infrastructure (PKI)
- The framework of certificate authorities, certificates, and policies that manages public keys and trust.
- Recovery Point Objective (RPO)
- The maximum acceptable amount of data loss measured backward in time; drives backup frequency.
- Recovery Time Objective (RTO)
- The targeted time to restore a system or function after a disruption; must be shorter than the MTD.
- Reference monitor
- The abstract concept that mediates all access between subjects and objects; implemented by the security kernel.
- Residual risk
- The risk that remains after controls are applied; senior management formally accepts it.
- Risk
- The likelihood that a threat will exploit a vulnerability, and the resulting impact on an asset.
- Risk acceptance
- A documented, management-approved decision to tolerate a risk and its potential impact.
- Risk avoidance
- Eliminating a risk by ceasing the activity that creates it.
- Risk mitigation
- Reducing risk to an acceptable level by implementing controls.
- Risk transference
- Shifting the financial impact of a risk to a third party, such as through insurance.
- Role-based access control (RBAC)
- Access granted by job role rather than the individual; scales well in enterprises.
- Secure SDLC
- Building security into every phase of the software development lifecycle rather than testing for it at the end.
- Security audit
- An independent, systematic evaluation of controls against a standard or policy.
- Separation of duties
- Splitting a sensitive task so no single person can complete it alone, reducing fraud and error.
- SIEM
- Security Information and Event Management — a system that aggregates and correlates logs for detection and analysis.
- Single Loss Expectancy (SLE)
- The expected monetary loss from a single occurrence of a risk: SLE = Asset Value × Exposure Factor.
- Single sign-on (SSO)
- One authentication that grants access to multiple systems (e.g., via Kerberos or SAML).
- SQL injection
- An attack that inserts malicious SQL through unvalidated input to read or alter a database.
- STRIDE
- A threat-modeling taxonomy: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege.
- Symmetric encryption
- Encryption using one shared secret key for both encrypting and decrypting (e.g., AES); fast, but key distribution is hard.
- Threat
- Any potential event or actor that could cause harm to an asset by exploiting a vulnerability.
- Threat modeling
- Systematically identifying and prioritizing threats to a system during design (e.g., using STRIDE).
- Trusted Computing Base (TCB)
- The totality of hardware, software, and firmware that enforces a system's security policy.
- Vulnerability
- A weakness in a system, process, or control that a threat can exploit.
- Vulnerability scan
- An automated check that identifies known weaknesses without exploiting them.
CISSP Study Guide FAQ
The English CISSP exam uses Computerized Adaptive Testing (CAT): 100 to 150 items in 3 hours. The number you see varies because the test adapts to your performance. It includes multiple-choice and advanced innovative item types. Non-English linear exams have 250 items in 6 hours.
From the 2024 ISC2 outline: Security and Risk Management (16%), Asset Security (10%), Security Architecture and Engineering (13%), Communication and Network Security (13%), Identity and Access Management (13%), Security Assessment and Testing (12%), Security Operations (13%), and Software Development Security (10%).
You need a scaled score of 700 out of 1000 points to pass. The CAT exam adapts the difficulty of items to your ability, so a raw question count does not translate directly to a percentage; the 700 threshold reflects a consistent ability standard.
You need at least five years of cumulative, full-time paid work experience in two or more of the eight domains. One year can be waived with a relevant four-year degree or an approved ISC2 credential. Without the experience, you can pass the exam and become an Associate of ISC2, earning the experience within six years.
Study by weight. Security and Risk Management is the largest domain (16%), so start there, then work through Asset Security and Architecture, Network Security and IAM, Assessment and Operations, and Software Development. Read each module, take the checkpoint, then drill gaps with our free practice test and flashcards.
The exam fee is about $749 USD in the Americas. After certifying, you recertify every three years by earning 120 Continuing Professional Education (CPE) credits and paying an annual maintenance fee of $135.
The CISSP is widely considered one of the hardest security certifications because of its breadth — eight domains spanning governance, risk, cryptography, networking, IAM, operations, and software security — and its 'manager's mindset' questions that ask for the best answer, not just a correct one. Broad, organized review and practice with scenario questions are essential.
The CISSP is issued by ISC2 and delivered at Pearson VUE test centers. This study guide, the checkpoints, the glossary, the practice test, and the flashcards are 100% free with no account required.
References
- 1. ISC2. “CISSP Certification Exam Outline (effective April 15, 2024).” isc2.org.
- 2. ISC2. “CISSP — Certified Information Systems Security Professional.” isc2.org.
- 3. ISC2. “ISC2 Code of Ethics.” isc2.org.
- 4. National Institute of Standards and Technology. “SP 800-30 Rev. 1: Guide for Conducting Risk Assessments.” csrc.nist.gov.
- 5. National Institute of Standards and Technology. “SP 800-53 Rev. 5: Security and Privacy Controls.” csrc.nist.gov.
- 6. National Institute of Standards and Technology. “SP 800-61 Rev. 2: Computer Security Incident Handling Guide.” csrc.nist.gov.
- 7. National Institute of Standards and Technology. “SP 800-63: Digital Identity Guidelines.” csrc.nist.gov.
- 8. National Institute of Standards and Technology. “SP 800-88 Rev. 1: Guidelines for Media Sanitization.” csrc.nist.gov.
- 9. International Organization for Standardization. “ISO/IEC 27001 — Information Security Management Systems.” iso.org.
- 10. OWASP Foundation. “OWASP Top 10 Web Application Security Risks.” owasp.org.
- 11. National Institute of Standards and Technology. “Cryptographic Standards and Guidelines.” csrc.nist.gov, accessed 19 June 2026.
- 12. National Institute of Standards and Technology. “SP 800-115: Technical Guide to Information Security Testing.” csrc.nist.gov, accessed 19 June 2026.
- 13. National Institute of Standards and Technology. “SP 800-34: Contingency Planning Guide.” csrc.nist.gov, accessed 19 June 2026.
- 14. National Institute of Standards and Technology. “SP 800-218: Secure Software Development Framework (SSDF).” csrc.nist.gov, accessed 19 June 2026.

