200+ Free CISSP Practice Questions

Pass your Certified Information Systems Security Professional exam on the first try — instant access, no signup required.


Key Facts: CISSP Exam

  • CAT items: 100-150 (source: ISC2 exam outline)
  • Time limit: 3 hours (source: ISC2 exam outline)
  • Passing grade: 700/1000 (source: ISC2 exam outline)
  • US exam fee: $749 (source: ISC2 exam pricing)
  • Experience required: 5 years (source: ISC2 exam outline)
  • 3-year maintenance: 120 CPE (source: ISC2 member policies)

The current ISC2 CISSP exam outline, effective April 15, 2024, uses eight weighted domains and CAT delivery. Official CISSP facts include 100-150 multiple-choice and advanced innovative items, a 3-hour time limit, a 700/1000 passing grade, U.S. $749 standard registration in the Americas and several other regions, five years of cumulative full-time experience in at least two domains with up to a one-year waiver, an Associate of ISC2 path for candidates still earning that experience, and maintenance through 120 CPE credits over three years plus an annual maintenance fee (AMF).

Sample CISSP Practice Questions

Try these sample questions to test your CISSP exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 200+ question experience with AI tutoring.

1. An organization is developing its information security program and wants to ensure alignment with business objectives. Which role is PRIMARILY responsible for defining the acceptable level of risk for the organization?
A. Chief Information Security Officer (CISO)
B. Chief Information Officer (CIO)
C. Senior management / Board of Directors
D. Security architect
Explanation: Senior management and the Board of Directors are ultimately responsible for defining the organization's risk appetite and acceptable risk levels. While the CISO advises on security matters and the CIO manages IT operations, it is senior leadership that sets the strategic direction and accepts residual risk on behalf of the organization.

2. Which security governance principle ensures that organizational security policies are derived from and support the overall business strategy?
A. Separation of duties
B. Strategic alignment
C. Due diligence
D. Least privilege
Explanation: Strategic alignment is the governance principle that ensures security initiatives directly support and derive from business objectives. This means security spending, policies, and controls are prioritized based on their contribution to business goals rather than being implemented in isolation from organizational strategy.

3. A company has implemented a security policy requiring all employees to complete annual security awareness training. Six months later, a phishing attack succeeds because multiple employees clicked malicious links. What governance control is MOST lacking?
A. Directive controls
B. Monitoring and enforcement controls
C. Preventive technical controls
D. Corrective controls
Explanation: While the directive control (the policy) exists, the organization lacks effective monitoring and enforcement to ensure the training actually changed employee behavior. Governance requires not just creating policies but actively measuring compliance and effectiveness. Regular phishing simulations and follow-up training for employees who fail would help close this gap.

4. Which framework provides a comprehensive set of controls specifically designed for organizations handling credit card data?
A. HIPAA
B. SOX
C. PCI DSS
D. FISMA
Explanation: PCI DSS (Payment Card Industry Data Security Standard) is specifically designed to protect cardholder data and applies to any organization that stores, processes, or transmits credit card information. HIPAA covers healthcare data, SOX addresses financial reporting for publicly traded companies, and FISMA governs federal information systems.

5. An organization wants to adopt a risk management framework that is widely recognized internationally and provides a structured approach to establishing, implementing, maintaining, and continually improving an information security management system (ISMS). Which standard should they adopt?
A. NIST SP 800-53
B. ISO/IEC 27001
C. COBIT
D. ITIL
Explanation: ISO/IEC 27001 is the internationally recognized standard for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). It provides a systematic approach to managing sensitive information through risk assessment and treatment. NIST SP 800-53 provides security controls but is primarily US-focused, COBIT is an IT governance framework, and ITIL focuses on IT service management.

6. During a board meeting, the CISO presents the organization's security posture and requests approval for a new security initiative. The board challenges whether the security team has been performing its responsibilities properly. Which concept describes the board's expectation that the security team has been taking reasonable steps to protect the organization?
A. Due care
B. Due diligence
C. Prudent person rule
D. Fiduciary duty
Explanation: Due care refers to the ongoing responsibility to act reasonably and take appropriate steps to protect the organization's assets. It means the security team is "doing the right thing" on a continuous basis. Due diligence, by contrast, is the process of investigating and understanding risks before making decisions. The board is questioning whether the team exercised due care in its daily responsibilities.

7. A multinational corporation is establishing a security governance structure. Which of the following BEST describes the relationship between security policies, standards, guidelines, and procedures?
A. Policies are optional; standards are mandatory; guidelines are mandatory; procedures are optional
B. Policies are mandatory high-level statements; standards define mandatory requirements; guidelines are recommendations; procedures are step-by-step instructions
C. Policies and standards are interchangeable; guidelines and procedures are interchangeable
D. Policies define technical controls; standards define administrative controls; guidelines define physical controls; procedures define all controls
Explanation: The security documentation hierarchy flows from policies (mandatory high-level management statements of intent) to standards (mandatory specific requirements for compliance), to guidelines (recommended best practices that are not mandatory), to procedures (detailed step-by-step instructions for carrying out tasks). This hierarchy ensures consistent governance from strategic intent to operational execution.

8. An organization undergoes a third-party audit and discovers that while they have comprehensive security policies, many employees are unaware of them. The auditor notes a lack of security awareness training. In terms of governance, the organization has failed at which aspect?
A. Policy development
B. Security awareness and training
C. Incident response planning
D. Risk assessment
Explanation: Security awareness and training is a critical governance function that ensures all personnel understand their security responsibilities and the organization's policies. Having well-written policies is insufficient if employees are not trained on them. Effective governance requires a continuous security awareness program to ensure policies are understood and followed.

9. A security analyst determines that a specific server has an asset value of $100,000, the exposure factor for a particular threat is 40%, and the annualized rate of occurrence is 0.5. What is the Annualized Loss Expectancy (ALE)?
A. $20,000
B. $40,000
C. $50,000
D. $200,000
Explanation: The ALE is calculated as ALE = SLE × ARO. First, calculate the Single Loss Expectancy: SLE = Asset Value × Exposure Factor = $100,000 × 0.40 = $40,000. Then, ALE = $40,000 × 0.5 = $20,000. This means the organization can expect to lose $20,000 per year from this specific threat, which helps justify security spending up to that amount.

10. Which risk assessment methodology uses numeric values such as asset value, exposure factor, and annualized rate of occurrence to calculate potential losses?
A. Qualitative risk assessment
B. Quantitative risk assessment
C. Hybrid risk assessment
D. Delphi technique
Explanation: Quantitative risk assessment assigns specific monetary values and probabilities to risks, using formulas like SLE = AV × EF and ALE = SLE × ARO to calculate expected losses. This contrasts with qualitative risk assessment, which uses subjective ratings (high/medium/low) rather than precise numerical values. Quantitative analysis provides more objective results but requires more data and effort.

About the CISSP Exam

CISSP validates experienced information security professionals who can design, engineer, implement, and manage an organization-wide security program across governance, risk, asset protection, architecture, network security, IAM, assessment, operations, and software security.

  • Assessment: 100-150 CAT items, including 25 pretest/unscored items as part of the minimum-length exam
  • Time limit: 3 hours
  • Passing score: 700 out of 1000 points
  • Exam fee: U.S. $749 standard registration in the Americas and several other regions; pricing and taxes vary by exam location (ISC2 / Pearson VUE)

CISSP Exam Content Outline

  • Security and Risk Management (16%): Professional ethics, governance, compliance, investigations, policy hierarchy, business continuity, personnel security, risk management, threat modeling, supply chain risk, and awareness.
  • Asset Security (10%): Information and asset classification, ownership, handling, data lifecycle, retention, remanence, destruction, data states, privacy, and data protection controls.
  • Security Architecture and Engineering (13%): Secure design principles, security models, control selection, system security capabilities, architecture vulnerabilities, cryptography, PKI, physical security, and lifecycle engineering.
  • Communication and Network Security (13%): Secure network architecture, network components, secure channels, OSI/TCP/IP, segmentation, wireless, SDN, VPC, monitoring, remote access, and third-party connectivity.
  • Identity and Access Management (IAM) (13%): Physical and logical access, identification, authentication, federation, authorization, provisioning lifecycle, MFA, SSO, access control models, service accounts, and privilege management.
  • Security Assessment and Testing (12%): Assessment strategy, control testing, vulnerability assessment, penetration testing, log review, code review, misuse case testing, compliance checks, remediation, and audit reporting.
  • Security Operations (13%): Investigations, logging and monitoring, configuration management, operations controls, incident response, forensics, disaster recovery, business continuity, backups, and change management.
  • Software Development Security (10%): Secure SDLC, development environments, source control, CI/CD, code review, threat modeling, DevSecOps, software supply chain, vulnerability management, and secure deployment.

How to Pass the CISSP Exam

What You Need to Know

  • Passing score: 700 out of 1000 points
  • Assessment: 100-150 CAT items, including 25 pretest/unscored items as part of the minimum-length exam
  • Time limit: 3 hours
  • Exam fee: U.S. $749 standard registration in the Americas and several other regions; pricing and taxes vary by exam location

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

CISSP Study Tips from Top Performers

1. Study CISSP as a risk and governance exam first: the best answer usually supports business objectives, due care, least privilege, defense in depth, and accountable ownership.
2. Use the official eight-domain weights to plan study time, but practice mixed scenarios because CAT does not present content in fixed domain sections.
3. Train yourself to choose between policy, process, people, architecture, and technology controls before reaching for a tool-specific answer.
4. Master the language of asset ownership, risk treatment, access governance, testing evidence, incident response, and lifecycle accountability.
5. Practice forward-only CAT pacing because ISC2 does not allow item review after an answer is finalized.

Frequently Asked Questions

What is the CISSP exam format?

ISC2 lists CISSP as a computerized adaptive test with 100-150 multiple-choice and advanced innovative items, a 3-hour time limit, and a passing grade of 700 out of 1000 points. The CAT page also states that CISSP includes 25 pretest or unscored items as part of the minimum-length exam, and candidates cannot identify them.

What are the current CISSP domain weights?

The current ISC2 outline lists Security and Risk Management 16%, Asset Security 10%, Security Architecture and Engineering 13%, Communication and Network Security 13%, Identity and Access Management 13%, Security Assessment and Testing 12%, Security Operations 13%, and Software Development Security 10%.

What are the CISSP experience requirements?

ISC2 requires at least five years of cumulative full-time experience in two or more current CISSP domains. An approved degree or credential can satisfy up to one year, and candidates without the full experience can pass the exam and become an Associate of ISC2 while earning the required experience.

Does ISC2 publish a CISSP pass rate?

No official CISSP pass-rate percentage was found in the ISC2 sources consulted. Readiness should be measured through domain judgment, mixed-scenario practice, the ability to explain why a control fits, and comfort with CAT timing rules rather than through pass-rate estimates.

Can I review previous CISSP CAT questions during the exam?

No. ISC2 states that item review is not permitted on CAT exams because each finalized answer affects the adaptive item selection algorithm.

How much does the CISSP exam cost?

ISC2 exam pricing lists U.S. $749 standard registration for CISSP in the Americas, Asia Pacific, Middle East, Africa, and all other regions not separately listed. Pricing, currency, and tax depend on exam administration location and Pearson VUE checkout.

How do I maintain CISSP certification?

ISC2 member policies list 120 CPE credits over a three-year CISSP cycle, including 90 Group A and 30 Group A or B credits, and an annual maintenance fee for CISSP-level certified members.