The CISSP exam has a maximum time limit of three hours. You’ll answer between 100 and 150 questions during that window, depending on how the adaptive testing engine evaluates your responses. Some test takers finish in under two hours, while others use nearly all three.
How the Adaptive Format Affects Length
The CISSP uses Computerized Adaptive Testing (CAT), which means the exam adjusts the difficulty of each question based on how you answered the previous one. Rather than giving every candidate the same fixed set of questions, the algorithm selects harder or easier items to zero in on your ability level. Once the system has enough statistical confidence that you’re above or below the passing standard, the exam ends.
This is why the question count is a range (100 to 150) rather than a fixed number. If the algorithm can determine your competency after 100 questions, you’re done. If your performance is closer to the pass/fail borderline, the system keeps serving questions, up to the 150 maximum, to gather more data before making a final determination. Finishing at 100 questions does not mean you passed or failed. It simply means the algorithm reached a confident decision early.
What Happens at Question 150
If you reach the maximum of 150 questions, the exam stops regardless of whether the algorithm has reached high confidence. At that point, your result is based on your overall performance across all 150 items. The same applies if the three-hour clock runs out before you finish. Any unanswered questions at that point won’t count in your favor, so pacing matters.
Breaks Count Against Your Clock
ISC2 does not limit the number or duration of breaks you take during the exam. However, the three-hour timer keeps running while you’re away from your seat. A ten-minute bathroom break is ten minutes of exam time you won’t get back. If you plan to take a break, factor that into your time management. Most candidates treat the break policy as an emergency option rather than a planned rest period.
What the Exam Covers
The CISSP draws from eight domains of cybersecurity knowledge, each weighted differently on the exam. As of the April 2024 refresh, the domain weights are:
- Security and Risk Management: 16%
- Asset Security: 10%
- Security Architecture and Engineering: 13%
- Communication and Network Security: 13%
- Identity and Access Management: 13%
- Security Assessment and Testing: 12%
- Security Operations: 13%
- Software Development Security: 10%
Security and Risk Management carries the most weight at 16%, so you can expect a proportionally larger share of questions from that domain. The adaptive engine pulls from all eight domains throughout the exam rather than grouping them into sections, so you’ll jump between topics as you go.
How to Pace Yourself
With a three-hour maximum and up to 150 questions, you have roughly 1 minute and 12 seconds per question if you use the full exam. At the minimum of 100 questions, that stretches to about 1 minute and 48 seconds each. In practice, some questions take 30 seconds while scenario-based items can take two or three minutes to read and work through.
A useful benchmark is to check your progress at the one-hour mark. If you’ve answered around 50 questions, you’re on a comfortable pace. If you’re significantly behind that, you may need to spend less time deliberating on questions you’re unsure about. Since the CAT format doesn’t let you go back and change previous answers, there’s no benefit to rushing through easy questions to bank time for later review. Give each question your best answer and move on.
Previous Exam Lengths
The CISSP exam has gotten shorter over time. Before CAT was introduced for all languages, non-English versions used a linear (fixed-form) format with 250 questions and a six-hour time limit. As of the April 2024 refresh, the linear version has been eliminated entirely. All candidates in every language now take the three-hour CAT version with 100 to 150 questions. If you’ve seen references to a four-hour or six-hour CISSP exam online, those apply to older versions that are no longer administered.