CISSP prep, eight-domain security manager roadmap with ARIA
The ISC2 Certified Information Systems Security Professional (CISSP) is a CAT-adaptive exam of 100 to 150 questions delivered over 3 to 6 hours, scored on a 1000-point scale with 700 to pass, and considered the gold-standard infosec credential globally. ISC2 requires five years of cumulative paid work in at least two of the eight domains (four years with an eligible four-year degree), plus an endorsement from an existing CISSP after you pass. ARIA runs the adaptive evaluation, builds your eight-domain roadmap, and stands behind it with a pass guarantee tied to five measurable conditions.
Start your CISSP roadmap. About five minutes to the first signal.
TL;DR
- CISSP is ISC2's flagship infosec credential, current as of 2026: CAT-adaptive on the English version, 100 to 150 questions across 3 to 6 hours, scaled to 1000 with 700 to pass.
- Eight domains span breadth no other infosec exam matches: governance and risk, asset security, architecture, networking, identity, assessment, operations, and software security.
- Five years of cumulative paid work in two or more of the eight domains is required, or four years if you hold an eligible four-year degree. Endorsement from an existing CISSP follows the pass.
- The CISSP CAT engine and ClaudeLab's CAT evaluation share the same adaptive logic, so the prep loop trains the exact response pattern the exam will measure.
- Pass guarantee eligibility requires every milestone done, two mock exams passed, one gauntlet at 80 percent or higher, and a live readiness score of 80 or higher when you sit the exam.
What the CISSP exam is
CISSP is a scenario-driven exam that asks you to think like a security manager across the full stack, from cryptographic primitives to vendor governance. The questions rarely reward you for naming a control. They reward you for picking the answer that a senior security professional would defend in front of leadership, given the stated constraints. The exam is wide, dense, and intentionally exhausting.
Domain weights, current as of 2026
| Domain | Weight |
|---|---|
| Security and Risk Management | 16% |
| Asset Security | 10% |
| Security Architecture and Engineering | 13% |
| Communication and Network Security | 13% |
| Identity and Access Management | 13% |
| Security Assessment and Testing | 12% |
| Security Operations | 13% |
| Software Development Security | 10% |
The blueprint is unusually flat. No single domain dominates. Six of the eight sit between 10 and 13 percent, and the heaviest (Security and Risk Management) is only 16 percent. That flatness is why CISSP is hard: there isn't a corner to skip. Every domain shows up on every form, and weak coverage anywhere drags the scaled score down.
CAT-adaptive format
The English version of CISSP runs as a computerized adaptive test through the ISC2 CBT delivery network. You'll answer somewhere between 100 and 150 items. The session ends the moment the engine has 95 percent statistical confidence that you're either above or below the passing standard, and it can also end at the time cap (6 hours) or the item ceiling (150). Most pass attempts finish in the 100 to 130 range. A pass is 700 on a 1000-point scaled score, with item difficulty and your response pattern both feeding the calculation. You won't see your raw correct count.
If the adaptive logic is unfamiliar, I wrote a separate piece on it: why 25 questions beats 50, the CAT evaluation in plain English. The CISSP exam runs longer than my evaluation does, but the underlying convergence math is the same.
The CBK and the manager mindset
The CISSP body of knowledge (CBK) is ISC2's published taxonomy for the eight domains. It's the source of truth for what's in scope and how ISC2 frames each topic. The framing matters more than the topic list. CISSP doesn't ask "what does AES-256 do." It asks "given a regulated workload with stated business constraints, which protection approach best aligns with policy and operational reality." The right answer is almost always the one a thoughtful security manager would defend, not the most technically aggressive option. Candidates who pass on the first attempt internalize that mindset before exam day. Candidates who fail usually answered like a senior practitioner instead of a manager.
How ARIA preps you for it
CISSP gets the longest, densest treatment in the catalog. The setup, the roadmap shape, and the cadence all reflect that.
The CAT evaluation surfaces gaps across all eight domains. I open every cert with a CAT adaptive test. For CISSP, the evaluation has to sample broadly because the exam itself does. With eight domains in scope, a 25-question CAT will spend roughly two to four items per domain, enough to put a level (Novice, Developing, Competent, Proficient) on each. That domain-by-domain read is the input that decides which phase your roadmap opens with.
The roadmap is the longest typical plan in the catalog. Working security professionals studying 30 to 45 minutes a day usually end up with a 12 to 16 week plan, broken into four or five phases. Novices on three or more domains stretch to 18 to 20 weeks. Phases are sequenced lowest-domain first, because building advanced work on a weak foundation is how candidates fail with strong scores in their best areas. See the roadmap overview for how phases, milestones, and tasks fit together.
The gauntlet is weighted heavily. The CISSP exam is a 6-hour endurance test even in the shorter CAT scenarios. Holding the manager mindset over that span is a separate skill from knowing the content. I unlock the gauntlet at 80 percent readiness and require at least one gauntlet pass at 80 percent or higher for pass-guarantee eligibility. On CISSP, that gate matters because shorter sessions don't surface the moment fatigue tilts you toward technically defensible (and wrong) answers. See the gauntlet docs for the unlock rules.
The error backlog tags concept versus management perspective. Every wrong answer goes into a backlog with a tag. Did you miss it because you didn't know the concept (Diffie-Hellman vs RSA, RTO vs RPO), or because you knew it but answered from the wrong frame (technically correct vs management correct)? The two failure modes get different remediation. Concept misses come back as targeted micro-sessions within 24 hours. Frame misses come back as scenario drills a few days later, because the only way to fix a framing slip is to repeat the choice under similar pressure.
Practice sessions train the manager-correct pattern. I deliberately build CISSP practice sessions around scenarios where the technically optimal answer and the management-correct answer diverge. ISC2 tests this pattern constantly. The drill is the single highest-payoff repetition for senior practitioners crossing into a manager-tier exam.
Readiness gates the demo test and the gauntlet. The demo test is locked until 60 percent readiness. The gauntlet is locked at 80 percent. Both reflect the point at which the next session type produces signal instead of noise. See readiness and decay for how the score moves and why it drops if you go quiet.
Common pitfalls on CISSP
These are the topics that quietly cost the most points. For each, here's what I do during prep.
Picking the technically correct answer over the manager-correct one. This is the single biggest CISSP trap. Three of the four answers will be technically defensible. Only one aligns the security decision with the business constraints in the prompt. I drill this pattern in every Governance and Risk milestone because it's the through-line of the exam.
Confusing similar concepts. CISSP is full of pairs that look identical at a glance and aren't. Qualitative versus quantitative risk analysis. BIA versus DRP versus BCP. RTO versus RPO. Due care versus due diligence. The exam constructs distractors out of these confusions on purpose. I run dedicated discrimination drills inside the Risk and Operations milestones so the distinction becomes reflexive.
Cryptography concept depth without going implementation-deep. CISSP wants you to know what Diffie-Hellman does versus RSA, what AES modes are and why they differ, what symmetric versus asymmetric trade-offs look like in policy decisions. It does not want you implementing the algorithms. Candidates from a developer background often go too deep into math; candidates from a managerial background often go too shallow. I calibrate the depth in Architecture and Engineering milestones to land where ISC2 actually tests.
Software development models. SDLC variants, SAMM, BSIMM, secure coding practices, threat modeling approaches. The exam tests the manager's view of secure development: where security fits in the SDLC, what governance frameworks mean, how to evaluate a vendor's program maturity. I cover the model landscape in dedicated Software Development Security milestones.
Legal and regulatory familiarity. GDPR, HIPAA, SOX, PCI-DSS scope, data residency, breach notification timelines, cross-border transfer rules. CISSP doesn't ask you to recite the regulation text. It asks you to recognize which regulation governs a given scenario and what the security manager's obligation is under it. I weight regulatory drills toward scenario recognition because that's the testable skill.
Exam stamina across a 6-hour window. Even with the CAT cap-out, a typical pass attempt takes three to four hours of dense scenario reading. Mental fatigue doesn't appear in shorter sessions, which is why I require a gauntlet pass before the eligibility check flips. The gauntlet is the only place you'll learn how your decision quality holds up at hour three.
Common Questions
How does the CISSP experience requirement actually work?
ISC2 requires five years of cumulative paid work in two or more of the eight CISSP domains. A four-year college degree (or an approved credential from the ISC2 list) waives one year, dropping the requirement to four years. Experience must be verified by an existing CISSP through the endorsement process after you pass the exam. Time spent in roles outside the eight domains does not count.
Do I take the CISSP exam first or get endorsed first?
Exam first. You can sit and pass CISSP without the experience already in place. Once you pass, you have nine months to complete the endorsement, where an existing CISSP attests to your work history. If you pass without the experience requirement, you become an Associate of ISC2 and have up to six years to earn the time and convert to full CISSP status.
How does CAT scoring decide whether I pass CISSP?
ISC2 uses computerized adaptive testing on the English version. The exam runs between 100 and 150 questions over 3 to 6 hours. The engine ends as soon as it has 95 percent statistical confidence about whether you are above or below the passing standard. A pass is 700 or higher on a 1000-point scaled score, derived from item difficulty and your answer pattern, not a raw percentage.
How long should I expect to study for CISSP?
At 30 minutes a day, plan on 16 to 20 weeks. At 45 minutes a day, 12 to 16 weeks. At 60 minutes a day, 10 to 12 weeks. CISSP carries the longest typical roadmap in the catalog because the eight domains span breadth no other infosec exam matches. If your CAT evaluation lands you in the Novice band on three or more domains, add four weeks.
CISSP vs CISM vs CCSP, which one fits my track?
CISSP is the broad gold-standard credential, eight domains, technical and managerial. CISM is the management-track credential from ISACA, four domains, narrower and pointed at security manager and CISO seats. CCSP is the cloud security specialty from ISC2, six domains, deeper than CISSP on cloud architecture and provider-specific risk. Most candidates do CISSP first because it carries the widest recognition, then layer CISM or CCSP based on where the career is going.
What readiness score unlocks the gauntlet for CISSP?
Eighty. Below 80 readiness, the gauntlet stays locked. The gauntlet is a long-form exam-conditions session that mirrors the 6-hour CISSP endurance load. Below 80 it produces noisy data; above 80 it surfaces the framing slips and stamina drops that still cost points under fatigue.
Where do I see whether I am eligible for the pass guarantee?
On the dashboard, once all five conditions hold. The check runs after every milestone validation, and the eligibility flag flips automatically. Read the full breakdown of the conditions on the pass guarantee page, and the AI cert prep article for the structural reasoning behind the design.
Start your CISSP roadmap
The cheapest possible signal is a 15 to 25 question CAT evaluation against the CISSP blueprint. The output is a domain-by-domain skill estimate across all eight domains, a phase-by-phase roadmap sequenced from your weakest area forward, and your day-one task. If the evaluation tells you that you're answering from a senior-practitioner frame, the roadmap will start with Governance and Risk to anchor the manager lens. If it tells you that you already think across the eight-domain breadth, the roadmap will be tighter and focused on ISC2-specific framing patterns.
Either way, the measurement is more useful than another month of unmeasured study. Open the CISSP onboarding flow and start the evaluation. From there, practice sessions take over the daily cadence, and I pick the next task every time you reopen the app.