
CISSP Mock Exams & Practice Exam Questions | ISC2 Certified Information Systems Security Professional

CISSP mock exams and practice exam questions for ISC2 Certified Information Systems Security Professional. Timed practice sets and detailed explanations in the AWS Exam Prep app (web, iOS, Android).


Tip: Begin with 20–25 question domain drills (risk, architecture, IAM, network/cloud, ops/IR, SDLC). Shift to scenario sets and finally full mocks. Aim for consistent ~75–80% on mixed sets before scheduling.


Suggested progression

  1. Domain drills (daily): 2× 20–25 questions focused on one CBK domain (rotate through all 8 over 4–5 days).
  2. Scenario sets (alternate days): 1× 20–25 items emphasizing architecture tradeoffs, governance/risk choices, and IR decision ordering.
  3. Mixed sets (weekly): 1× 30–40 items blending 3–4 domains to test transfer and prioritization.
  4. Full mocks (final 2 weeks): 2–3 complete exams mirroring CISSP’s tone and coverage. Review every miss and tag weak objectives.

Timeboxing

  • Domain set: ~35–40 minutes
  • Scenario set: ~40–50 minutes
  • Mixed set: ~60–70 minutes
  • Full mock: ~120 minutes (leave a buffer for flagged items)

Scoring & review

  • Mark + return: Flag time sinks; finish the set, then review flags.
  • Two-bullet rule: For each miss, write (1) why your option was wrong, (2) why the correct option better fits policy, risk appetite, and scalability.
  • Spaced repetition: Re-test that topic within 24–48 hours.
  • Pattern log: Track recurring miss themes: RBAC vs ABAC vs MAC/DAC, scan vs pen test, contain vs eradicate, PKI revocation, zero trust segmentation.

Fast remediations (common weak spots)

  • Risk decisions: Choose mitigate/transfer/avoid/accept based on business impact; cite RTO/RPO for continuity tradeoffs.
  • Architecture picks: Prefer preventive, auditable, scalable controls (segment, least privilege, verified access) over ad-hoc tools.
  • IAM confusion:
    • SAML = browser SSO assertions; OAuth 2.0 = delegated authorization; OIDC = an identity (login) layer built on top of OAuth 2.0.
    • Use PAM/JIT for admins; log & record sessions; revoke promptly (joiner/mover/leaver).
  • Crypto/PKI: TLS 1.3 with ECDHE + AEAD; understand OCSP/CRL and stapling; pick cert types correctly (DV/OV/EV, SAN, wildcard, code-signing, client).
  • Ops/IR: Contain → Eradicate → Recover; preserve evidence (order of volatility) when policy requires; maintain chain of custody.
  • Assessment & testing: VA scan = breadth/identification; Pen test = authorized exploitation to prove impact (scope/ROE).

What to pair with practice

  • Syllabus: 8-domain objective map
  • Cheatsheet: High-yield contrasts & decision heuristics
  • Overview: Format, mindset, and 6–10 week plan

Tips for CISSP-style pacing

  • First pass fast: ~60–70 seconds per item; flag long stems.
  • Aim your reading: For lengthy scenarios, read the final ask first, then mine the stem for policy/risk constraints.
  • Eliminate aggressively: Discard choices that break least privilege, defense-in-depth, secure-by-default, policy or operability.
  • Change answers sparingly: Only with new evidence from later questions.

Ready to drill?

Open the app and choose:

  • Domain Drills: SRM • Asset • Arch/Eng • Network • IAM • Assess/Test • Ops • SDLC
  • Scenario Sets: Architecture tradeoffs • IAM/federation choices • IR ordering • PKI/TLS picks
  • Full Mocks: Exam-length simulations with review mode

Exam snapshot

  • Certification: CISSP — Certified Information Systems Security Professional
  • Audience: Security architects/engineers, senior analysts, managers, consultants, and aspirants targeting leadership roles
  • Experience target: ~5 years cumulative, paid, full-time experience across 2+ CBK domains (waivers may apply)
  • Format mindset: Judgment-heavy, scenario-driven questions that reward risk-based, policy-aligned, preventive & auditable decisions

Study funnel: Read this Overview → work the Syllabus domain-by-domain → keep the Cheatsheet open for contrasts → validate with Practice.


What CISSP measures (8 CBK domains)

  1. Security & Risk Management — Governance stack (policy→standard→procedure), ethics, risk treatments, BCP/DR math (RTO/RPO), compliance & privacy.
  2. Asset Security — Classification, ownership/stewardship, data handling and retention, masking/tokenization.
  3. Security Architecture & Engineering — Principles (least privilege, fail-safe, complete mediation), models (Bell-LaPadula, Biba, Clark-Wilson), crypto/PKI, hardware/firmware security.
  4. Communication & Network Security — Segmentation/microsegmentation, secure protocols, wireless, zero-trust patterns, secure remote access.
  5. Identity & Access Management (IAM) — Federation/SSO (SAML/OAuth/OIDC), RBAC vs ABAC vs MAC/DAC, provisioning, PAM/JIT, Kerberos/LDAP.
  6. Security Assessment & Testing — Metrics, logging, vulnerability scanning vs penetration testing, audits, assurance.
  7. Security Operations — Monitoring (SIEM/UEBA/EDR), IR phases, evidence handling & forensics basics, continuity, supply chain, investigations.
  8. Software Development Security — SDLC/DevSecOps, threat modeling, SAST/SCA/DAST, secure coding and build/signing/IaC controls.

Readiness checklist (be honest)

  • I can articulate policy → standard → baseline → procedure → guideline and key roles (Owner, Custodian, Steward, DPO).
  • I choose controls using risk appetite, least privilege, and defense-in-depth—not just “more security.”
  • I can compute SLE/ALE and pick mitigate / transfer / avoid / accept with rationale.
  • I map RBAC/ABAC/MAC/DAC to scenarios and justify PAM/JIT for admins.
  • I can pick sound crypto/PKI/TLS options and spot weak configurations.
  • I design segmented, zero-trust-leaning network/cloud architectures in prose.
  • I distinguish scan vs pen test, outline IR phases, and respect evidence handling.

If fewer than ~6 boxes are checked, slow down: rework the Cheatsheet sections + targeted drills before full mocks.


Compact 6–10 week plan

Weeks 1–2 — Governance & Architecture

  • SRM, Asset Security, BIA/BCP math; Architecture principles & security models; crypto/PKI basics
  • Daily: 20–25 mixed questions focused on risk & architecture

Weeks 3–4 — Networks, IAM & Cloud

  • Segmentation, secure protocols/wireless/remote access; IAM (SAML/OAuth/OIDC, RBAC/ABAC, PAM/JIT); cloud/shared responsibility
  • Lab: design a zero-trust sketch (IdP → PDP/PEP → segmented resources)

Weeks 5–6 — Ops/IR & Assessment/Testing

  • Monitoring (SIEM/UEBA/EDR), IR phases, evidence handling; scanning vs pentesting; assurance & audits
  • Case work: turn every miss into two bullets (why wrong, why right)

Weeks 7–8+ — Software Security & Polishing

  • SDLC/DevSecOps (SAST/SCA/DAST, signing, IaC), supply chain; two full mocks with deep post-mortems
  • Shore up weak domains; repeat targeted drills within 24–48 hours (spaced repetition)

High-yield heuristics (match the exam’s voice)

  • Choose preventive, auditable, scalable controls aligned with policy and risk.
  • Architect first: segment, minimize trust, verify explicitly, monitor continuously.
  • Operations: during incidents, contain → eradicate → recover; preserve evidence per policy.
  • IAM: prefer MFA, federation/SSO, and JIT/PAM over standing admin.
  • Cloud: respect shared responsibility; least-privilege roles; managed services; central keys (HSM/KMS).
  • If two options work, pick the one with lower risk and better governance.