Understanding the CISSP Exam Pattern: Is There Negative Marking?

The Certified Information Systems Security Professional (CISSP) certification, offered by (ISC)², is one of the most recognized credentials in the cybersecurity industry. It validates an individual’s ability to design, implement, and manage a best-in-class cybersecurity program. Let’s break down the CISSP exam structure and address a common question: Is there negative marking in the CISSP exam?

CISSP Exam Structure

The CISSP exam uses Computerized Adaptive Testing (CAT): each item you receive is selected based on how you answered the previous ones, you must answer every item to move on, and you cannot return to an earlier item. Here are the key details of the exam pattern:

  • Number of Questions: Between 100 and 150 items. The range exists because the adaptive algorithm ends the exam as soon as it has enough evidence about your ability. 25 of the items are unscored pre-test questions that are mixed in with the scored ones and cannot be told apart from them.

  • Duration: The exam must be completed in 3 hours.

  • Question Types: The majority of the exam consists of multiple-choice questions, but you may also encounter advanced innovative questions like drag-and-drop or hotspot items that test practical knowledge.

  • Domains: The exam covers the 8 domains of the (ISC)² Common Body of Knowledge (CBK), which are:

  • Security and Risk Management
  • Asset Security
  • Security Architecture and Engineering
  • Communication and Network Security
  • Identity and Access Management (IAM)
  • Security Assessment and Testing
  • Security Operations
  • Software Development Security
Is There Negative Marking in the CISSP Exam?

No, there is no negative marking in the CISSP exam. You do not lose points for incorrect answers; an incorrect response simply counts as not correct. Because the adaptive algorithm uses every response to estimate your ability, and because CAT does not let you skip an item or come back to it later, you will answer every item you are shown. If you are unsure, make your best guess and move on: there is no penalty for it.

Scoring and Passing Criteria

The CISSP CAT exam uses an algorithm that re-estimates your ability after every response. To pass, you must reach a scaled score of at least 700 out of 1000. The exam ends as soon as the algorithm can determine with 95% confidence that your ability is clearly above or clearly below the passing standard, or when you reach the maximum number of items or run out of time. This is why two candidates can see a different number of questions and still be measured against the same standard.

Advanced Innovative Questions Sample

Here are some examples of advanced innovative questions that you might encounter in the CISSP exam, focusing on drag-and-drop and hotspot question types. These are designed to test practical knowledge beyond simple multiple-choice answers.

1. Drag-and-Drop Question: Security Architecture and Engineering

Question: Drag the following security controls to their corresponding layers of the OSI model.

Items to Drag:

  • Firewall
  • SSL/TLS
  • Intrusion Detection System (IDS)
  • Data Encryption

Target Layers (to drop into):

  • Network Layer
  • Transport Layer
  • Application Layer
  • Data Link Layer
Correct Answers:

  • Firewall → Network Layer (a packet-filtering firewall; stateful and application-layer firewalls inspect higher layers)
  • SSL/TLS → Transport Layer (the conventional exam placement; strictly, TLS runs above TCP, between the Transport and Application layers)
  • IDS → Network Layer (a network-based IDS; a host-based IDS is not tied to an OSI layer)
  • Data Encryption → Application Layer (the intended answer among the four targets offered; in the textbook OSI model, encryption is a Presentation-layer function)

The Data Link Layer is a distractor: none of the four items belongs there. Expect real items to use precise qualifiers such as "packet-filtering firewall" or "network-based IDS", because the unqualified terms span several layers.

2. Drag-and-Drop Question: Risk Management Framework

Question: Match the steps of the Risk Management Framework (RMF) with their corresponding descriptions.

Items to Drag:

  • Categorize
  • Select
  • Implement
  • Assess
  • Authorize
  • Monitor

Target Descriptions (to drop into):

  • Evaluate the security controls to ensure effectiveness.
  • Choose appropriate security controls based on categorization.
  • Continuously observe and evaluate the system for ongoing security.
  • Classify the system based on sensitivity and risk level.
  • Deploy the selected security controls.
  • Provide formal approval to operate the system.
Correct Answers:

  • Categorize → Classify the system based on sensitivity and risk level.
  • Select → Choose appropriate security controls based on categorization.
  • Implement → Deploy the selected security controls.
  • Assess → Evaluate the security controls to ensure effectiveness.
  • Authorize → Provide formal approval to operate the system.
  • Monitor → Continuously observe and evaluate the system for ongoing security.

Note that the current version of the framework, NIST SP 800-37 Revision 2, adds a Prepare step before Categorize, so an item may list seven steps rather than the six shown here.

3. Hotspot Question: Network Security

Question: Click on the part of the diagram where you would place an Intrusion Prevention System (IPS) to block malicious traffic before it reaches the internal network.

Diagram: A simplified network topology showing:

  • External network (Internet)
  • Firewall
  • DMZ (Demilitarized Zone)
  • Internal Network
Correct Answer: Click the link between the firewall and the internal network, so that the IPS sits inline immediately behind the firewall. That placement still blocks malicious traffic before it reaches the internal network, but the IPS only has to inspect traffic the firewall has already permitted. Placing it on the Internet side, in front of the firewall, also protects the internal network but forces the sensor to process every unsolicited packet the firewall would have dropped anyway; when a diagram offers both positions, the one behind the firewall is the expected answer.

These types of questions challenge candidates to apply their theoretical knowledge to practical scenarios, ensuring a deeper understanding of security concepts.

Conclusion

The CISSP exam is designed to adapt to your knowledge level, but one major relief is that there is no negative marking. Since CAT requires you to answer every item before moving on, you should guess whenever you are unsure, without fear of penalty. Prepare thoroughly across all eight domains, and you will be well on your way to earning this prestigious certification.
