Interested in a career as a cyber- or information-security professional? These skills are in immense demand today due to the dramatic increase in phishing attacks, brute force attacks, and other hacking attempts, as well as other causes of data breaches within businesses large and small, healthcare organizations, and even government agencies.

While there are many paths to becoming an infosec professional, they all involve professional training and education, culminating in certification. One of the most in-demand certifications is offered by (ISC)2. The CISSP certification has become the gold standard for this field and earning your certification will help ensure access to higher-paying, top-level jobs, even mission-critical ones.

With that being said, you’ll truly need to know your stuff here. You’ll have to register with (ISC)2, pass their background screening, and then schedule and take the exhaustive CISSP exam. While having in-depth knowledge about infosec threats, from hacking to viruses, will be essential, it’s also crucial that you know a few things about the exam itself, including CISSP exam scheduling, duration, scoring, and more.

What Is the Goal of the CISSP Exam?

Earning your CISSP certification does not prove that you have hands-on experience with any particular type of technology. It also does not certify that you have practical experience in a particular area. (There are eight domains covered in the organization’s critical body of knowledge, but the exam does not focus on a single domain. Rather, it broadly covers multiple domains.) In truth, the CISSP exam only certifies that you are competent in the area of information security.

According to (ISC)2’s president, “Its ultimate purpose is to be able to provide an independent benchmark of your knowledge of the fundamentals of information security. It proves minimal competency. CISSPs do not walk on water, but they certainly do understand the information security profession.”

What Is the CISSP Exam Schedule, Duration and Format?

While preparing for the CISSP exam by taking practice tests, using the (ISC)2 study app and participating in organization-provided training will all help, it’s also important to know a few things about the test’s duration and format before you jump in.

The CISSP exam takes six hours, although you can complete it in less time if you’re capable. Test-takers have reported extremes in both directions, with a 15-year infosec veteran taking almost the entire allotted six-hour time to complete it, but another stating that it took him no more than three hours.

Obviously, preparation and familiarity with the material are crucial factors here, and you cannot expect to ace it based solely on your experience in the industry (although (ISC)2 does require that you have a minimum of five years of full-time experience as a security professional in order to take the exam and qualify for the CISSP certificate).

The CISSP exam combines multiple choice questions with “advanced innovative” questions. Originally, it was all multiple choice, but the shift toward taking the test on a computer has allowed (ISC)2 to utilize more advanced formats. There are 250 questions on the exam. “Advanced innovative” questions can take a couple of different forms, including:

  • Drag and Drop: In these types of questions, you will need to drag one or more answers from one side of the screen, into a box on the other side of the screen. Only drag the correct answer(s).
  • Hotspot: Hotspot questions rely on you clicking on a particular point in a graphic representation. This might be a diagram of network architecture or something else. The question will usually ask you to identify where a particular component would be located, where a particular type of attack is likely to originate, and more.

The purpose of “advanced innovative” questions is to further assess knowledge and skills in a way that text-based questions cannot. It also adds an element of interactivity that is too often missing from text-only tests.

All questions can be drawn from any (and all) of the domains covered by the (ISC)2 CBK. Below, you’ll find a few examples of questions and their format:

  • Which of the following best describes the relationship between CobiT and ITIL?
    • CobiT is a model for IT governance, whereas ITIL is a model for corporate governance.
    • CobiT provides a corporate governance roadmap, whereas ITIL is a customizable framework for IT service management.
    • CobiT defines IT goals, whereas ITIL provides the process-level steps on how to achieve them.
    • CobiT provides a framework for achieving security goals, whereas ITIL defines a framework for achieving IT service-level goals.
  • Lacy’s manager has tasked her with researching an intrusion detection system for a new dispatching center. Lacy identifies the top five products and compares their ratings. Which of the following are the evaluation criteria most in use today for these types of purposes?
    • ITSEC
    • Common Criteria
    • Red Book
    • Orange Book
  • Layer 2 of the OSI model has two sublayers. What are those sublayers, and what are the two IEEE standards that describe technologies at that layer?
    • LCL and MAC; IEEE 802.2 and 802.3
    • LCL and MAC; IEEE 802.1 and 802.3
    • Network and MAC; IEEE 802.1 and 802.3
    • LLC and MAC; IEEE 802.2 and 802.3
  • Which of the following is not a common component of configuration management change control steps?
    • Tested and presented
    • Service-level agreement approval
    • Report change to management
    • Approval of the change
  • There are several components involved with steganography. Which of the following refers to a file that has hidden information in it?
    • Stego-medium
    • Concealment cipher
    • Carrier
    • Payload

Most of those who’ve taken the test warn that it’s important to take your time and not rush through these questions. The use of double negatives is common, as are sentence structures designed to confuse test-takers. Read each question thoroughly and answer when you’re sure you understand the meaning.

Scheduling and Taking the Exam

Before you can take the exam, you’ll need to register for it and create an account. The test is delivered in a Pearson VUE training center and you must create an account on the Pearson VUE (ISC)2 website. You’ll use this page to schedule, reschedule or cancel your exam.

What are the Identification Requirements for Testing?

In order to ensure accuracy, the Pearson VUE testing facility will require that you provide valid identification. You will need two forms of ID (primary and secondary). All primary IDs must have a permanent photo of you. These can include:

  • Government issued driver’s license or ID card
  • US Department of State driver’s license
  • US learner’s permit (only with a permanent photo)
  • National/state ID card
  • A valid passport
  • A valid passport card
  • Valid employee ID (with photo)
  • School ID (with photo)

Secondary ID forms can include:

  • Credit cards (current/valid)
  • Social Security cards
  • Debit/ATM card
  • Any other form of ID from the list above

Note that all secondary IDs must have a signature, but do not require a photo.


The Arrival Process

For those taking the test in a physical testing center, it helps to know the check-in process in advance. You will need to show two forms of ID (as listed above). You will also need to provide your signature, which will be matched to the signature on both your primary and secondary IDs.

You will receive a palm vein scan (electronic scanning and vein mapping to identify you), and then you’ll sit to have your picture taken. No headwear, coats, or scarves can be worn during this time or during the actual test.

After your photograph, you’ll be provided with a locker in which to store your belongings. No personal belongings are allowed in the testing room. Note that the lockers are not particularly large, so avoid bringing sizeable items with you.

What Are the Policies for Rescheduling, Late Arrivals and Cancellations?

If you must reschedule, you are required to notify the testing facility/Pearson VUE at least 48 hours prior to your exam date, otherwise you will be charged the full amount, not just the rescheduling fee. The same applies to cancellation. If you schedule your exam but do not show up, and do not reschedule or cancel, you will be charged the full amount.

Note that if you are more than 15 minutes late for your exam, it will be counted as a no-show, you may not be allowed to take the test, and you will be charged the full amount. The testing facility administrator will determine whether you are allowed to sit for the exam.

Scheduling Your Test: When to Do It

You can only schedule your test after you have completed your studies. You’ll need to schedule your exam through the Pearson VUE website. Register for an account, log in, and you’ll be presented with your options in terms of testing centers and dates. Note that this information is not available outside of the Pearson VUE website, and it is only available for those with a registered account.

You Failed the Test – When Can You Retake It?

The CISSP exam is exhaustive, as evidenced by the fact that you’re allotted a full six hours to complete just 250 questions, and that it’s a globally recognized standard of achievement and measure of excellence. Failure is not uncommon, even for those who have prepared thoroughly.

If you need to retake your test, you can do so no sooner than 30 days after your initial test. A second failure will require that you wait 90 days to retake the test. A third failure will result in a delay of 180 days to retake the test. Note that you are only allowed to take the exam three times within a calendar year.

What Is the Cost of Taking the CISSP Exam?

You will need to pay a fee to take the CISSP exam. This fee has to be paid up front, and will vary depending on your location. It is $600 if you are in North or South America or in the Asia Pacific region. For Europe, the Middle East, and Africa, the price is €520, £415 or $600 (depending on the actual region).

It’s also important to understand that there are fees charged if you have to cancel or reschedule your exam. The rescheduling fee is $50/£35/€40. If you have to cancel the exam, it will cost you $100/£70/€80.

Exam Scoring: What Does It Take to Pass the CISSP Exam?

The CISSP exam consists of 250 questions, and you have six hours in which to answer them. In order to pass, you must score a minimum of 700 out of 1,000 possible points. Therefore, each question is worth four points, and you can miss a total of 75 questions (you must answer 175 correctly).


While the CISSP exam is exhaustive, and the testing process is very particular, it can be passed. Above all, it is crucial to study as much as possible. Use (ISC)2’s provided outline to prepare for the exam correctly. If you will be late, or unable to attend your testing day, it is very important that you inform the testing facility (Pearson VUE) as far ahead of time as possible to limit your expenses.

Once you’ve passed the CISSP exam, you’ll have the credentials today’s employers demand of infosec professionals, and the ability to start a rewarding career in a competitive field.



Be Safe



View more articles from Ryan
