
New CISSP Exam 2025: Domains, Questions & CertLabz Training

Kyle Mannings, CISSP, Senior Security Instructor April 10, 2025 22 min read

The Certified Information Systems Security Professional (CISSP) remains the gold standard in cybersecurity certification, and in 2024 to 2025 ISC2 refreshed the exam's Common Body of Knowledge (CBK) to keep pace with emerging threats. Zero-trust architecture, AI and machine learning security, supply chain risk management, and cloud-native security have all been elevated in the updated blueprint. If you are planning to sit the exam in 2025, this guide covers every domain, explains what changed, walks you through question types and the Computer Adaptive Testing (CAT) engine, and maps your study plan to the CertLabz CISSP Domain Refresher learning path.

2025 Update: ISC2 refreshed the CISSP CBK effective April 2024. All 8 domains remain, but sub-topics within Software Development Security (Domain 8) and Security Architecture & Engineering (Domain 3) saw the most significant additions, particularly around AI/ML system security and zero-trust design principles.

CISSP Exam Quick Facts

  • Exam format: Computer Adaptive Testing (CAT), 125–175 questions, 3 hours
  • Passing score: 700 / 1000
  • 8 domains, including Security & Risk Management (16%), Asset Security (10%), Security Architecture & Engineering (13%) and Software Development Security (10%)
  • Experience required: 5 years (or 4 years plus a qualifying degree)

The 8 CISSP Domains (2025 CBK)

The CISSP exam is organized around eight knowledge domains, each carrying a specific percentage weight. Questions are drawn proportionally from each domain, so a strong understanding of all eight is non-negotiable. You cannot pass by mastering only two or three.

  • Domain 1: Security & Risk Management, 16% (the highest-weighted domain)
  • Domain 2: Asset Security, 10% (data classification and privacy)
  • Domain 3: Security Architecture & Engineering, 13% (cryptography, security models, zero trust)
  • Domain 4: Communication & Network Security, 13% (network architecture and protocols)
  • Domain 5: Identity & Access Management, 13% (IAM, MFA, federated identity)
  • Domain 6: Security Assessment & Testing, 12% (auditing, penetration testing, metrics)
  • Domain 7: Security Operations, 13% (incident response, forensics, BCP)
  • Domain 8: Software Development Security, 10% (SSDLC, AI/ML security, DevSecOps)

Domain Weight Distribution

(Bar chart of the eight domain weights listed above; they sum to 100%.)

What's New in the 2025 CBK

ISC2 conducts periodic Job Task Analyses (JTAs) to ensure the CISSP exam reflects what working security professionals actually do. The 2024 to 2025 refresh did not restructure the domains, but it did update sub-topic emphasis substantially in several areas.

Domain 3: Security Architecture & Engineering

Zero-trust architecture is now a first-class topic rather than an emerging footnote. Candidates are expected to articulate zero-trust design principles (verify explicitly, use least privilege access, assume breach) and apply them to both on-premises and cloud-hybrid environments. Secure Access Service Edge (SASE), software-defined perimeters, and micro-segmentation all appear in the updated CBK topics. The cryptography section has been updated to reflect post-quantum considerations and the NIST post-quantum cryptography standardization effort.
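The three principles named above are easier to reason about when you can see a policy decision point apply them to a request. The following Python example is added here for illustration; it is not code from the article or from CertLabz. It compares a legacy perimeter decision (trust anything on the corporate LAN) with a zero-trust decision that verifies identity and device posture explicitly, grants only the specific resource and action requested, and never consults network location. The request shape, the policy table, the role map and the user names are all constructed assumptions.

```python
"""Added example (not from the article or from CertLabz): a toy zero-trust
policy decision point (PDP) that applies verify explicitly, least privilege
and assume breach. Request shape, policy table, roles and users are constructed.
"""
from dataclasses import dataclass


@dataclass
class AccessRequest:
    user: str
    mfa_verified: bool          # identity verified explicitly on this request
    device_compliant: bool      # device posture checked on this request
    source_network: str         # "corp-lan", "vpn" or "internet"
    resource: str
    action: str


# Least privilege: each (resource, action) pair lists the only roles that may use it.
POLICY = {
    ("payroll-db", "read"):  {"hr-analyst", "hr-admin"},
    ("payroll-db", "write"): {"hr-admin"},
    ("wiki", "read"):        {"employee", "hr-analyst", "hr-admin"},
}

# Constructed role assignments.
ROLES = {
    "alice": {"employee", "hr-analyst"},
    "bob":   {"employee"},
}


def perimeter_decision(req: AccessRequest) -> bool:
    """Legacy perimeter model: being on the corporate LAN is treated as proof of
    trust, so identity, device posture and the requested action are never checked."""
    return req.source_network == "corp-lan"


def zero_trust_decision(req: AccessRequest) -> tuple[bool, str]:
    """Zero-trust PDP: verify explicitly, grant least privilege, assume breach."""
    # Verify explicitly: identity and device are checked on every request.
    if not req.mfa_verified:
        return False, "deny: identity not verified (MFA missing)"
    if not req.device_compliant:
        return False, "deny: device posture non-compliant"
    # Least privilege: only the specific resource/action pair is evaluated.
    allowed_roles = POLICY.get((req.resource, req.action), set())
    if not (ROLES.get(req.user, set()) & allowed_roles):
        return False, f"deny: no role of {req.user} permits {req.action} on {req.resource}"
    # Assume breach: req.source_network was never consulted, so an attacker
    # who is already on the LAN gains nothing from that position alone.
    return True, "allow"


def compare_models(req: AccessRequest) -> dict:
    """Side-by-side verdicts for the same request under both models."""
    zt_ok, reason = zero_trust_decision(req)
    return {"perimeter": perimeter_decision(req), "zero_trust": zt_ok, "reason": reason}


if __name__ == "__main__":
    # Constructed scenarios: an unverified session on the LAN versus a verified
    # session from the public internet.
    lan_no_mfa = AccessRequest("bob", False, True, "corp-lan", "payroll-db", "read")
    remote_verified = AccessRequest("alice", True, True, "internet", "payroll-db", "read")
    for req in (lan_no_mfa, remote_verified):
        print(req.user, req.source_network, compare_models(req))
```

The unverified LAN session is allowed by the perimeter model and denied by the zero-trust PDP, while the verified session from the internet is allowed only for the exact action its role permits. Micro-segmentation and SASE are the network-level mechanisms that put a PDP like this in front of every resource.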

Domain 8: Software Development Security

AI and machine learning system security has been added as a sub-domain. The updated CBK covers adversarial machine learning threats (data poisoning, model inversion, adversarial examples), secure AI/ML development practices, and the use of AI in defensive security tooling. DevSecOps practices, including shift-left security and automated security gates in CI/CD pipelines, are more prominently tested. Supply chain security for software components, covering SBOM (Software Bill of Materials) requirements, dependency scanning, and third-party risk in open-source components, also received expanded coverage.
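Two of the controls this sub-domain expects candidates to recognise are a data validation gate in front of training and performance monitoring after deployment. The Python example below is added here for illustration and is not code from the article or from CertLabz. The first check flags a candidate training batch whose class balance has moved away from a trusted baseline, a common symptom of label-flip data poisoning; the second is the monitor that would surface the scenario in the Domain 8 practice question further down, a new model version whose false-positive rate jumped after a pipeline update. The thresholds, the sample labels and the sample predictions are constructed.

```python
"""Added example (not from the article or from CertLabz): a pre-training label
drift gate and a post-deployment false-positive-rate regression check, in
plain Python. Thresholds and all sample data are constructed.
"""
from collections import Counter


def label_rates(labels):
    """Fraction of the batch carrying each label value."""
    counts = Counter(labels)
    total = len(labels)
    return {cls: n / total for cls, n in counts.items()}


def check_label_drift(baseline_labels, candidate_labels, max_abs_shift=0.05):
    """Return [(class, shift), ...] for every class whose share of the candidate
    batch differs from the baseline by more than max_abs_shift. An empty list
    means the batch passes the gate."""
    base = label_rates(baseline_labels)
    cand = label_rates(candidate_labels)
    findings = []
    for cls in sorted(set(base) | set(cand)):
        shift = cand.get(cls, 0.0) - base.get(cls, 0.0)
        if abs(shift) > max_abs_shift:
            findings.append((cls, round(shift, 3)))
    return findings


def false_positive_rate(y_true, y_pred):
    """Share of true negatives (label 0) that the model flagged as positive."""
    negatives = [pred for truth, pred in zip(y_true, y_pred) if truth == 0]
    if not negatives:
        return 0.0
    return sum(1 for pred in negatives if pred == 1) / len(negatives)


def fpr_regressed(baseline_fpr, new_fpr, max_ratio=1.5):
    """True when the new version's FPR exceeds the baseline by more than max_ratio."""
    return new_fpr > baseline_fpr * max_ratio


# Constructed data: a trusted baseline with 5% fraud, a clean refresh at 6%,
# and a poisoned batch in which label flips pushed the fraud share to 20%.
BASELINE_LABELS = [1] * 50 + [0] * 950
CLEAN_BATCH = [1] * 60 + [0] * 940
POISONED_BATCH = [1] * 200 + [0] * 800

# Constructed evaluation set (90 legitimate, 10 fraudulent transactions) and
# the predictions of the model before and after the pipeline update.
EVAL_TRUTH = [0] * 90 + [1] * 10
PREDS_BEFORE = [1] * 5 + [0] * 85 + [1] * 10     # 5 of 90 negatives flagged
PREDS_AFTER = [1] * 20 + [0] * 70 + [1] * 10     # 20 of 90 negatives flagged


def run_checks():
    """Apply both checks to the constructed data and return the verdicts."""
    fpr_before = false_positive_rate(EVAL_TRUTH, PREDS_BEFORE)
    fpr_after = false_positive_rate(EVAL_TRUTH, PREDS_AFTER)
    return {
        "clean_batch_findings": check_label_drift(BASELINE_LABELS, CLEAN_BATCH),
        "poisoned_batch_findings": check_label_drift(BASELINE_LABELS, POISONED_BATCH),
        "fpr_before": round(fpr_before, 4),
        "fpr_after": round(fpr_after, 4),
        "fpr_regressed": fpr_regressed(fpr_before, fpr_after),
    }


if __name__ == "__main__":
    for name, verdict in run_checks().items():
        print(f"{name}: {verdict}")
```

Both checks are cheap enough to run as automated gates in a CI/CD pipeline, which is the shift-left practice the paragraph describes: the drift gate blocks the poisoned batch before training, and the regression check blocks promotion of the degraded model version.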

Domain 1: Security & Risk Management

Governance, risk, and compliance (GRC) content has been refined to reflect frameworks like NIST CSF 2.0, which was published in early 2024. The updated framework adds a new "Govern" function, and CISSP candidates should understand how it integrates with the existing Identify, Protect, Detect, Respond, and Recover functions. Privacy regulations, including GDPR enforcement trends and the U.S. state privacy law landscape (CCPA, Virginia CDPA, and similar), are tested at the application level rather than at the definitional recall level.

The CAT Exam Format Explained

Unlike traditional fixed-length exams where everyone answers the same 250 questions (the pre-2020 format), CISSP now uses Computer Adaptive Testing. The CAT engine selects each subsequent question based on your performance on previous questions, targeting your individual ability threshold rather than averaging across a static question bank. The CertLabz SkillTracker assessments use the same adaptive philosophy so you train on the format you will see on exam day.

Exam Logistics

  • 125–175 questions
  • 3-hour time limit
  • Pearson VUE test centers
  • 700/1000 to pass
  • No partial credit

Question Types

  • Multiple choice (single answer)
  • Multiple choice (multi-select)
  • Drag and drop
  • Hotspot (click an image)
  • Ordered list

Eligibility

  • 5 years paid experience
  • In 2+ of the 8 domains
  • 4-year degree = 1-year waiver
  • Endorsement within 9 months
  • Pass without the experience = Associate of ISC2

Retake Policy

  • 30-day wait after 1st fail
  • 90-day wait after 2nd fail
  • 180-day wait after 3rd fail
  • Max 3 attempts per year
  • Full fee each attempt

How CAT Scoring Works

The exam does not stop at 125 just because you have answered 125 questions. It stops when the system achieves a statistically confident assessment of your proficiency level. If you are clearly above or below the 700/1000 passing standard by question 125, the exam ends early. If your estimated score is near the boundary, the system continues asking questions up to the 175-question maximum to gain additional confidence. The practical implication is that finishing at 125 questions does not tell you whether you passed or failed. Both outcomes are equally possible at minimum length.

Ready to drill all 8 domains the adaptive way?
The CertLabz CISSP Domain Refresher covers the CAT format with 30 hands-on labs and a 75-question SkillTracker.

CISSP Practice Questions (2025 Style)

CISSP Practice Questions

Questions reflect the 2025 CBK emphasis. Think like a manager, not a technician.

Domain 1: Security & Risk Management

An organization adopts NIST CSF 2.0. The new "Govern" function is best described as:

  • A. A replacement for the Identify function
  • B. Overarching context and priorities that inform all other CSF functions
  • C. A mandatory audit requirement imposed by NIST
  • D. A technical control framework for network segmentation

Correct: B. In NIST CSF 2.0, the Govern function provides overarching organizational context (mission, risk tolerance, roles, and policies) that shapes how the other five functions (Identify, Protect, Detect, Respond, Recover) are implemented. It is not a replacement for any existing function.
Domain 3: Security Architecture & Engineering

A CISO is designing a zero-trust architecture for a hybrid-cloud enterprise. Which principle is most fundamental to the zero-trust model?

  • A. Encrypt all data at rest using AES-256
  • B. Require VPN access for all remote workers
  • C. Never trust any user or device; verify continuously regardless of network location
  • D. Enforce multi-factor authentication only for privileged accounts

Correct: C. The foundational zero-trust principle is "never trust, always verify." Network location (inside or outside the perimeter) grants no implicit trust. Continuous verification applies to all users, devices, and sessions, not just privileged accounts or remote users.
Domain 8: Software Development Security

A machine learning model used for fraud detection begins producing significantly more false positives after a software update to the training pipeline. The MOST likely explanation is:

  • A. Data poisoning: malicious or corrupted training data was introduced
  • B. Model inversion: an attacker has extracted the model's weights
  • C. Overfitting: the model memorized training data too closely
  • D. Adversarial examples: crafted inputs designed to confuse the model at inference time

Correct: A. A sudden degradation in performance correlated with a pipeline update suggests data poisoning, where corrupt or malicious data is introduced into the training set. Model inversion and adversarial examples operate at inference time, and overfitting typically manifests on test data, not as a sudden shift after a pipeline change.
Domain 5: Identity & Access Management

A company wants to allow employees to use a single corporate identity to access third-party SaaS applications without entering separate credentials. The BEST solution is:

  • A. LDAP synchronization to replicate credentials to each SaaS platform
  • B. Federated identity using SAML 2.0 or OpenID Connect
  • C. Password vaulting with automatic rotation every 90 days
  • D. Mandatory hardware tokens for all SaaS applications

Correct: B. Federated identity (SAML 2.0 or OIDC) allows an identity provider (IdP) to assert a user's identity to service providers without transmitting credentials. LDAP sync replicates credentials rather than federating identity, and a password vault still requires separate credentials per system.
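The distinction in this answer, the IdP asserting identity rather than replicating credentials, is worth seeing as an actual exchange. The Python example below is added here for illustration and is not code from the article or from CertLabz. The IdP checks the password and issues a short-lived assertion bound to one audience; the SP verifies the signature, issuer, audience and expiry and never sees the password. Real SAML 2.0 and OIDC use XML or JWT formats and asymmetric signatures; to run stand-alone this example uses a JSON payload with an HMAC-SHA256 signature over a shared key. The issuer URL, key, user record and audience names are constructed.

```python
"""Added example (not from the article or from CertLabz): a minimal federated
sign-on exchange between an IdP and an SP. Uses a JSON payload with an
HMAC-SHA256 signature over a constructed shared key in place of SAML or JWT
signing; issuer, key, user record and audiences are constructed.
"""
import base64
import hashlib
import hmac
import json

IDP_ISSUER = "https://idp.example.test"
SIGNING_KEY = b"constructed-demo-key-replace-in-real-deployments"

# Only the IdP holds credentials; the SP has no copy (contrast with LDAP
# synchronization, which would replicate this table to every SaaS platform).
_IDP_CREDENTIALS = {"alice": hashlib.sha256(b"correct horse battery").hexdigest()}


def _b64encode(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _b64decode(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def idp_authenticate(username: str, password: str) -> bool:
    """Credential check performed at the IdP only."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    stored = _IDP_CREDENTIALS.get(username)
    return stored is not None and hmac.compare_digest(stored, digest)


def idp_issue_assertion(username: str, audience: str, now: int, ttl: int = 300) -> bytes:
    """Signed assertion binding the subject to one audience for a short window."""
    payload = {"iss": IDP_ISSUER, "sub": username, "aud": audience, "iat": now, "exp": now + ttl}
    body = _b64encode(json.dumps(payload, sort_keys=True).encode())
    signature = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return body + b"." + _b64encode(signature)


def sp_verify_assertion(token: bytes, expected_audience: str, now: int):
    """Return the asserted subject, or None if signature, issuer, audience or expiry fails."""
    try:
        body, sig = token.rsplit(b".", 1)
        expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64decode(sig)):
            return None
        payload = json.loads(_b64decode(body))
    except ValueError:          # malformed token, bad base64 or bad JSON
        return None
    if payload.get("iss") != IDP_ISSUER or payload.get("aud") != expected_audience:
        return None
    if now >= payload.get("exp", 0):
        return None
    return payload["sub"]


def federated_login(username: str, password: str, audience: str, now: int):
    """Full exchange: the user authenticates at the IdP, the SP accepts the assertion."""
    if not idp_authenticate(username, password):
        return None
    token = idp_issue_assertion(username, audience, now)
    return sp_verify_assertion(token, audience, now)


if __name__ == "__main__":
    now = 1_700_000_000                     # constructed clock value
    token = idp_issue_assertion("alice", "saas-crm", now)
    print("SP saas-crm accepts:", sp_verify_assertion(token, "saas-crm", now + 10))
    print("SP saas-hr accepts:", sp_verify_assertion(token, "saas-hr", now + 10))
```

The audience check matters in practice: an assertion issued for one SaaS application must not be replayable against another, and the expiry bounds how long a captured assertion is useful.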
Domain 7: Security Operations

During incident response, an analyst discovers that an attacker maintained persistence via a scheduled task that downloads a payload from a public code repository. What is the FIRST action the incident commander should authorize?

  • A. Delete the remote repository
  • B. Reimage all affected systems immediately
  • C. Preserve evidence and isolate affected systems before remediation
  • D. Notify law enforcement before taking any containment action

Correct: C. The incident response sequence is contain, eradicate, recover, but evidence preservation must happen before remediation destroys forensic value. Deleting the remote repo could constitute unauthorized computer access and destroy evidence. Reimaging first destroys volatile artifacts. Law enforcement notification timing depends on organizational policy and is not universally the first step.

Key Concepts: Domain Flashcards


Zero-Trust Architecture

Domain 3: Security Architecture & Engineering


A security model that eliminates implicit trust based on network location. Every access request is fully authenticated, authorized, and encrypted regardless of whether the user is inside or outside the corporate network. Core principles: verify explicitly, use least privilege, assume breach.


12-Week CISSP Study Plan

Candidates with 3 to 5 years of security experience typically spend 80 to 120 hours preparing for CISSP. The plan below is structured around the domain weights, so heavier domains get more dedicated time. Adjust based on your current role: a network engineer may need less time on Domain 4 but more on Domain 1.

Weeks 1 to 2: Domain 1, Security & Risk Management

Security governance, risk frameworks (NIST, ISO 27001), legal and compliance requirements, privacy law, BCP foundations. Work through the matching CertLabz CISSP Domain Refresher modules and complete the Domain 1 hands-on labs.

Weeks 3 to 4: Domains 3 & 5, Architecture and IAM

Cryptography fundamentals, security models (Bell-LaPadula, Biba), zero-trust design. Then IAM: authentication protocols, SAML, OAuth 2.0, OIDC, privileged access management, directory services. CertLabz IAM labs let you configure federation flows in a sandbox.

Weeks 5 to 6: Domains 4 & 7, Network and Operations

Network topologies, protocols, firewalls, IDS/IPS, network security architectures. Security operations: SOC processes, incident response, forensics, BCP/DRP. These two domains together account for 26% of the exam.

Weeks 7 to 8: Domains 2, 6 & 8, Asset, Testing and Software

Data classification, retention policies. Security testing: vulnerability assessments, penetration testing, code reviews. Software security: SSDLC, OWASP, DevSecOps, AI/ML security threats.

Weeks 9 to 10: SkillTracker Practice, 1,500+ Questions

Work through the CertLabz CISSP SkillTracker (75 adaptive questions per attempt) and the Cybersecurity Analyst Skill Track question banks. Track performance by domain. Domains below 70% need focused review. Practice explaining why each answer is right rather than memorizing.

Weeks 11 to 12: Weak Areas and Mind-Set Shift

Target domains under 70% from your CertLabz SkillTracker scores. Shift your mind-set from "security engineer" to "security manager" because many CISSP questions favor the managerial or policy answer over the immediate technical fix. Take two full-length mock attempts under timed conditions.

Stack the Cybersecurity Analyst Skill Track on top.
Hands-on SOC, threat-hunting, and forensics labs that map directly to Domain 6 and Domain 7. Each track issues a blockchain-verified completion certificate and CPE credits.

The CertLabz CISSP Training Path

CertLabz brings the entire CISSP preparation journey into one platform: lab modules mapped to the CBK, a SkillTracker that follows the CAT format, and blockchain-verified course certificates that count toward your annual ISC2 CPE requirement. No textbook stack, no scattered video logins.

CISSP Domain Refresher (Course Certificate)

Included with paid plans

10 lab modules covering all 8 CBK domains with 30 hands-on labs across zero-trust design, IAM federation, incident response, and AI/ML security. Earn 11.5 to 13 CPE credits and a blockchain-verified course certificate on completion.

CISSP SkillTracker Assessment

Adaptive, 75 questions

Adaptive 75-question SkillTracker follows the live CAT engine and reports a domain-by-domain proficiency score. Detailed explanations are written in the CISSP managerial tone so you train the "think like a manager" reflex.

Cybersecurity Analyst Skill Track

Skill Track

Pair the CISSP refresher with the Cybersecurity Analyst Skill Track for additional SOC, threat-hunting, and forensics labs that map directly to Domain 6 and Domain 7. Each track issues a blockchain-verified completion certificate.

Cloud Security Skill Track

Skill Track

Hands-on cloud labs covering zero-trust networking, SASE, SBOM workflows, and post-quantum-ready key management. Reinforces Domain 3 and Domain 8 of the updated CBK with practical cloud-native scenarios.

Free Course Certificates

Free tier

Sample several CertLabz course certificates at no cost to confirm fit before subscribing. Each free certificate is blockchain-verified, shareable on LinkedIn, and contributes CPE credits toward maintaining ISC2, CompTIA, ISACA, or EC-Council credentials.

Free CertLabz Trial

7-day full access

Spin up the full CertLabz environment for 7 days: every lab, every SkillTracker, every certificate. Use the trial to complete the first three CISSP refresher modules and get a real domain-by-domain readiness baseline before you commit.

The "Think Like a Manager" Framework

The single most-cited reason experienced security professionals fail CISSP is answering questions with a technician's mindset rather than a manager's. ISC2 designs questions to test security management judgment, not hands-on technical skill. Understanding this distinction is what separates candidates who pass at 125 questions from those who reach 175.

When you encounter a scenario question, apply this filter before selecting an answer:

Exam Day Strategy

The three hours allotted for 125 to 175 questions work out to roughly 60 to 85 seconds per question, which is more time than most candidates realize they have. Anxiety about the adaptive format causes many test-takers to rush unnecessarily. Use the time deliberately.

For each question read all four options before selecting. Many CISSP distractors are plausible and technically correct in isolation, and the question asks for the best answer given the scenario context. Eliminate obviously wrong options first (anything that eliminates risk entirely, anything purely reactive), then evaluate the remaining two using the manager framework. If you are genuinely uncertain, flag the question and move on. The CAT engine handles unanswered questions differently than incorrect ones, and returning to them with fresh context often reveals the answer.

Take the full CertLabz environment for a spin.

7 days, every lab, every SkillTracker, every certificate. Complete the first three CISSP refresher modules and walk away with a real domain-by-domain readiness baseline.


Frequently Asked Questions

What changed in the 2025 CISSP exam?
ISC2 refreshed the CISSP CBK in 2024 to 2025, primarily expanding coverage in Domain 3 (zero-trust architecture, post-quantum cryptography) and Domain 8 (AI/ML security, DevSecOps, SBOM). Domain 1 was updated to reflect NIST CSF 2.0. The CAT format, 8-domain structure, and 700/1000 passing score are unchanged.
How many questions are on the CISSP exam?
The CISSP CAT exam presents between 125 and 175 questions. The exam ends when the system achieves statistical confidence in your proficiency level. Most candidates receive between 125 and 150 questions. The 175-question maximum is reached only when your estimated score is consistently near the passing boundary.
What is the hardest CISSP domain?
Domain 1 (Security & Risk Management) and Domain 3 (Security Architecture & Engineering) are most frequently cited as the most challenging. Domain 1 requires deep understanding of governance frameworks and risk management concepts that can be abstract for technically oriented candidates. Domain 3's cryptography section trips up many candidates who have not used formal crypto in their day-to-day work.
How does the CertLabz CISSP Domain Refresher prepare me for the exam?
The CertLabz CISSP Domain Refresher course certificate covers all 8 CBK domains across 10 lab modules with 30 hands-on labs, a 75-question adaptive SkillTracker assessment, and 11.5 to 13 CPE credits on completion. The certificate is blockchain-verified, shareable on LinkedIn, and counts as continuing education toward the ISC2 annual CPE requirement.
How long does it take to prepare for CISSP?
Most candidates spend 3 to 6 months preparing, with 80 to 150 total study hours. Candidates who work in security management roles typically need less time than those with purely technical backgrounds, since the exam tests managerial judgment. Rushing preparation is a common reason for failure, so commit to at least 1,500 SkillTracker questions before sitting the exam.
Can I take CISSP without 5 years of experience?
Yes. You can sit the exam without meeting the experience requirement. If you pass, you become an Associate of ISC2 rather than a CISSP, and you have 6 years to accumulate the required 5 years of paid security work experience in at least 2 of the 8 domains. A 4-year university degree or an approved certification (CCNA Security, CEH, and similar) waives one year of the experience requirement.
How much does the CISSP exam cost in 2025?
The exam fee is $749 USD in North America. Combined with the annual ISC2 maintenance fee ($125 per year) and optional endorsement costs, the total first-year cost typically falls between $900 and $1,100 when you prepare with the CertLabz CISSP Domain Refresher rather than assembling materials from multiple vendors.