CISSP 2024 format change: real-world impact two years later | Pruvos — Pruvos

ISC² shifted CISSP from 125–175 questions (4 hours) to 100–150 questions (3 hours) in April 2024, and made CAT the default across all languages, not just English. I remember the initial confusion well — I got six emails in one afternoon from candidates asking whether the change made it harder or easier. Two years of data later, I have a clearer answer.

The factual changes

For the record, here is what the April 2024 update did:

Length: 100–150 items (was 125–175). Minimum 100; adaptive algorithm terminates after that if it has enough confidence.
Time: 3 hours (was 4 hours).
Format: CAT (computer adaptive testing) across all languages. Previously, some language versions used linear form.
Pass mark: still 700/1000.
Domains: same eight domains, same weights.
Item types: still drag-and-drop + hotspot + standard MC/MS, though hotspot items are rarer than they used to be.

ISC² did not change the content blueprint — the same eight domains with the same weights. What they changed was the delivery mechanics.

What actually happens in the exam room

Most candidates I have talked to post-exam report that they finished between item 100 and item 115. Almost nobody reports going to 150. This is the CAT algorithm converging: once it has enough confidence in your ability level, it stops.

If you do go to 150, one of two things is true: either the algorithm has not decided yet (you are close to the pass line), or you are being held for fairness reasons. Either way, it means the margin is tight. Do not read a long exam as a bad sign on its own, but combined with "nothing felt hard" it often means a fail. Combined with "everything felt hard" it often means a pass — because the algorithm escalates difficulty when you are doing well.

The pacing shift

3 hours for 100–150 items is ~1:12 to 1:48 per item. Compared to the old 4 hours / 125–175, which was ~1:22 to 1:55 per item, the average per-item time is slightly tighter but not dramatically so. The real pacing issue is psychological: people expect 4 hours, and they under-prepare for a 3-hour cognitive load.

My advice for pacing, post-change: practice in 50-question chunks of 60 minutes, not full-length sets. The shorter exam makes sustained concentration more important, not less, because you cannot afford a 20-minute low patch.

What the CAT algorithm rewards

Based on our question-level difficulty data:

Answering hard questions correctly matters more than answering easy questions correctly. The algorithm escalates difficulty when you get items right. Getting a "hard" item right is worth more ability-points than getting an easy one right.
Guessing is still worth it. Every item counts; there is no negative marking. If you are unsure, eliminate the worst two options and guess between the remaining two.
You cannot skip or flag. Once you answer, the algorithm selects the next item based on your response. This is the biggest day-of surprise for people who used to study with linear forms.

The 1,000-question audit finding

When I audited our own 1,000-question CISSP bank last month for alignment with the post-2024 format, here is what shifted:

Scenario-based items are up. Roughly 85% of our current bank is scenario-based, up from 70% pre-2024. That matches what candidates report from the live exam.
Conceptual direct-recall items are down. ISC² appears to have reduced the "definition" style items.
Domain 3 (Security Architecture) continues to be the hardest. No change there, but the questions now more frequently involve evaluating trade-offs between multiple secure designs, not identifying which single design is secure.
Ethics and legal (Domain 1) items are consistently short stems with long-answer options. Read all four before deciding.

What this means for study

If you are preparing for CISSP today, two changes from my old (pre-2024) advice:

Practice scenario-based items, not flashcards. Our data is overwhelming on this. People who drill flashcards for 80 hours and skip scenario practice fail at higher rates than people who spend 50 hours on scenarios and skip flashcards.
Do not practice for 4 hours straight. Practice in the 3-hour shape of the real exam. The stamina you are building is different than it was two years ago.

One thing that did not change

CISSP still requires five years of cumulative, full-time paid work experience in at least two of the eight domains (four years if you have a qualifying degree or certification). The exam score is only one half of the credential. Nothing ISC² did in 2024 touched the experience requirement.

If you are six months out from sitting CISSP, the 2024 format change does not require a different study plan — it requires a different practice environment. Shorter sessions, more scenarios, more trust in the CAT algorithm's willingness to hand you hard items. The ones that feel hardest are often the ones the algorithm thinks you are close to mastering.

Practice what you just read

Pruvos has 28,000+ exam-grade questions across 73 certifications.

Every question tagged by trap type. Free tier works without signup.

Browse certifications →