What Is CISSP?

Quick Answer

CISSP (Certified Information Systems Security Professional) is one of the most widely recognized cybersecurity certifications in the world. Offered by ISC2, it validates expertise across eight security domains and requires five years of professional security experience (four with an education or credential waiver). CISSP holders earn a median salary of $128,000 according to the ISC2 2024 Cybersecurity Workforce Study.

CISSP isn’t a beginner certification. It’s a career milestone that signals you’ve moved beyond entry-level security work into strategic, management-track positions. When a job posting lists CISSP as required, the employer is filtering for professionals who understand security holistically, not just people who can operate tools.

The certification covers everything from risk management and security architecture to incident response and software development security. That breadth is intentional. Organizations want security leaders who can connect technical controls to business objectives, and CISSP is how they identify those people.

Who Creates and Administers CISSP

ISC2 (International Information System Security Certification Consortium), founded in 1989, launched CISSP in 1994 and has maintained it ever since. ISC2 is a nonprofit member organization with over 600,000 members globally. It refreshes the exam outline roughly every three years to reflect current security practice; the most recent update took effect in April 2024.

The exam itself is delivered through Pearson VUE testing centers worldwide. The computerized adaptive testing (CAT) format used for the English-language exam adjusts question difficulty based on your responses, which means no two candidates see the same sequence of questions.

ISC2 operates under ANSI/ISO/IEC Standard 17024, which means the certification meets international standards for personnel certification bodies. This accreditation matters because government agencies and regulated industries often require certifications from accredited bodies. The U.S. Department of Defense, for example, recognizes CISSP for information assurance positions under DoD Directive 8570/8140.

The Eight CISSP Domains Explained

CISSP organizes security knowledge into eight domains. These aren’t arbitrary categories—they represent how ISC2 believes security professionals should think about protecting organizations. The domains interconnect, so understanding one requires knowledge of the others.

Domain 1: Security and Risk Management (16%) covers governance, compliance, risk assessment, and security policies. This domain gets the highest exam weight because everything else flows from understanding risk. You’ll learn frameworks like NIST and ISO 27001, legal and regulatory requirements, and how to build security programs aligned with business objectives. Concepts covered include risk assessment methodologies, business continuity planning, and security awareness training.

Domain 2: Asset Security (10%) addresses data classification, ownership, privacy, and retention. Organizations can’t protect assets they haven’t identified and classified. This domain teaches you to think about information lifecycle from creation through destruction, including privacy requirements under regulations like GDPR and CCPA.

Domain 3: Security Architecture and Engineering (13%) dives into security models, cryptography, and secure design principles. You’ll study everything from the Bell-LaPadula and Biba models to modern zero-trust architecture. The cryptography section alone covers symmetric and asymmetric algorithms, hashing, digital signatures, and PKI—knowledge that appears throughout security work.
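To make the two classic models named above concrete, here is an added example (not code from the original page or from ISC2) of a toy reference monitor that decides read and write requests under Bell-LaPadula, which protects confidentiality, and Biba, which protects integrity. The level names, the `Label` class and the sample subjects and objects are constructed for illustration; real systems use their own lattices and add discretionary controls on top.

```python
# Added example: mandatory access control decisions under Bell-LaPadula
# (confidentiality) and Biba (integrity). Not from the original page;
# level names, Label and the sample requests are assumptions for illustration.
from dataclasses import dataclass

# Confidentiality lattice (higher number = more sensitive).
CONF_LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}
# Integrity lattice (higher number = more trustworthy).
INTEG_LEVELS = {"untrusted": 0, "user": 1, "system": 2}


@dataclass(frozen=True)
class Label:
    confidentiality: str
    integrity: str


def blp_allows(subject: Label, obj: Label, op: str) -> bool:
    """Bell-LaPadula: 'no read up' (simple security property) and
    'no write down' (*-property). Writing down would let a high
    clearance subject leak data into a low classification object."""
    s = CONF_LEVELS[subject.confidentiality]
    o = CONF_LEVELS[obj.confidentiality]
    if op == "read":
        return s >= o
    if op == "write":
        return s <= o
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Label, obj: Label, op: str) -> bool:
    """Biba: 'no read down' (simple integrity property) and
    'no write up' (*-integrity property). Reading down would let
    low-integrity data contaminate a trusted subject's decisions."""
    s = INTEG_LEVELS[subject.integrity]
    o = INTEG_LEVELS[obj.integrity]
    if op == "read":
        return s <= o
    if op == "write":
        return s >= o
    raise ValueError(f"unknown operation {op!r}")


def authorize(subject: Label, obj: Label, op: str) -> bool:
    """A request passes only if neither policy denies it. Enforcing both
    at once shows why the two models pull in opposite directions."""
    return blp_allows(subject, obj, op) and biba_allows(subject, obj, op)


def evaluate_requests(subject: Label, requests: list) -> list:
    """Return (op, object label, decision) for each constructed request."""
    return [(op, obj, authorize(subject, obj, op)) for op, obj in requests]


if __name__ == "__main__":
    # Constructed subject: an analyst cleared to SECRET running at 'user' integrity.
    analyst = Label("secret", "user")
    sample_requests = [
        ("read", Label("confidential", "system")),   # read down in conf, read up in integ: OK
        ("read", Label("top_secret", "system")),     # read up in confidentiality: denied
        ("write", Label("unclassified", "system")),  # write down in confidentiality: denied
        ("write", Label("top_secret", "untrusted")), # write up conf, write down integ: OK
        ("read", Label("confidential", "untrusted")),# read down in integrity: denied by Biba
    ]
    for op, obj, allowed in evaluate_requests(analyst, sample_requests):
        print(f"{op:5} {obj.confidentiality:12} {obj.integrity:9} -> {'ALLOW' if allowed else 'DENY'}")
```

The last request is the one worth pausing on: Bell-LaPadula is perfectly happy with a SECRET analyst reading a CONFIDENTIAL file, but Biba refuses it because the file is untrusted. Exam scenarios in this domain usually hinge on noticing which property of which model is being violated.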

Domain 4: Communication and Network Security (13%) covers network architecture, protocols, and secure communication channels. Firewalls, VPNs, network segmentation, and wireless security all live here. Understanding how data moves across networks—and how attackers exploit those pathways—is foundational to most security roles.

[Figure: CISSP 8 Domains: Risk Management, Asset Security, Architecture, Network Sec, IAM, Assessment, Operations, Software Sec]

Domain 5: Identity and Access Management (13%) examines how organizations control who accesses what resources. Authentication methods, authorization models, identity federation, and access control attacks are central topics. With cloud adoption accelerating, IAM has become one of the most operationally relevant domains for modern security work.

Domain 6: Security Assessment and Testing (12%) covers vulnerability assessments, penetration testing, security audits, and continuous monitoring. You’ll learn how to design assessment strategies, interpret findings, and validate that security controls actually work. This domain connects directly to compliance requirements that mandate regular security testing.

Domain 7: Security Operations (13%) addresses incident response, disaster recovery, investigations, and day-to-day security management. SOC analysts and incident responders spend most of their time in this domain’s territory. Topics include evidence handling, forensic procedures, and business continuity planning.

Domain 8: Software Development Security (10%) covers secure coding practices, software development lifecycle integration, and application security testing. Even if you’re not a developer, understanding how applications introduce vulnerabilities, and how to prevent them, matters for security architecture and risk decisions.

Experience Requirements: The Five-Year Bar

CISSP requires five years of cumulative, paid work experience in two or more of the eight domains. This isn’t five years in IT; it’s five years doing actual security work, and ISC2 publishes detailed guidelines on what counts. Part-time work and internships can be counted on a prorated basis.

A four-year college degree (or regional equivalent) waives one year, reducing the requirement to four years. Certain other certifications on ISC2’s approved list also waive one year. Waivers don’t stack: the minimum is four years regardless of how many qualifying degrees or certifications you hold.

If you don’t have enough experience yet, you can still take the exam. Passing makes you an Associate of ISC2, giving you six years to accumulate the required experience. Many professionals use this path while building their careers, then convert to full CISSP status once they meet the experience threshold.

The experience requirement exists because CISSP validates professional competence, not just knowledge. ISC2 wants certification holders who’ve applied security concepts in real organizations, not people who memorized a textbook. This is why CISSP carries more weight than certifications with no experience requirements.

The Exam: CAT Format and What to Expect

The CISSP exam uses Computerized Adaptive Testing (CAT) for English-language test takers. Under the April 2024 outline you’ll answer between 100 and 150 questions with a maximum of three hours. The adaptive algorithm adjusts difficulty based on your responses: answer correctly, and subsequent questions get harder. The exam ends once the algorithm is 95% confident whether you’ve passed or failed, which is why it can stop at the minimum question count.

Question types include standard multiple choice, drag-and-drop, and hotspot questions where you identify items on an image. Expect scenario-based questions that require applying knowledge to realistic situations rather than simple recall. A question might describe an organization’s situation and ask which control best addresses their specific risk profile.

ISC2 doesn’t publish how raw responses map to scores, but it uses a scaled system where 700 out of 1000 points is the passing threshold. Because the exam adapts to your performance, two candidates can pass with different numbers of correct answers; what matters is demonstrating competence at the required difficulty level.

Non-English versions of the exam use a linear format with 250 questions over six hours. The content coverage is identical; only the delivery mechanism differs.

Cost Breakdown: Exam, Study Materials, and Maintenance

The CISSP exam costs $749 USD. If you fail, ISC2’s retake policy allows a second attempt after 30 days, a third after a further 60 days, a fourth after a further 90 days, and no more than four attempts in any 12-month period. Each retake costs the full $749, so adequate preparation matters financially as well as professionally.

Study materials range from free to several thousand dollars depending on your approach. The ISC2 official study guide costs around $70. Practice question banks typically run $30-150. Bootcamps and instructor-led training can cost $2,000-5,000, though many employers cover training expenses for certifications they require.

After passing, you’ll pay ISC2 an Annual Maintenance Fee (AMF) of $125. This maintains your certification status and membership benefits. You’ll also need to earn and report 120 Continuing Professional Education (CPE) credits over each three-year certification cycle; ISC2 suggests a pace of 40 per year. CPEs can come from training, conferences, publishing, teaching, or other professional development activities.

Adding these up, first-year cost typically runs about $975-1,100 for self-study candidates ($749 exam, roughly $70 for the study guide, $30-150 for practice questions, and the first $125 AMF), or about $3,000-6,000 for those using formal training. Subsequent years cost $125 AMF plus whatever you spend on CPE activities, though many CPE sources are free.

Who Should Pursue CISSP

CISSP makes sense for security professionals aiming at management, architecture, or senior technical roles. The certification signals readiness for positions like Security Architect, Information Security Manager, Security Director, or CISO. If your career goal involves leading teams, designing security programs, or making strategic security decisions, CISSP validates the broad knowledge those roles require.

Mid-career professionals benefit most. If you have 3-7 years of security experience and want to move into senior roles, CISSP demonstrates you’ve formalized your knowledge and understand security beyond your current specialty. The certification helps you compete for positions that filter candidates by credentials.

CISSP also makes sense for IT professionals transitioning into security leadership. System administrators, network engineers, and developers with security responsibilities often use CISSP to validate their security knowledge and signal commitment to the security career track.

CISSP probably isn’t the right choice if you’re entry-level (consider Security+ first), focused on hands-on technical work without management aspirations (look at specialized certifications), or working outside information security with no plans to enter the field.

Market Value and Career Impact

According to the ISC2 2024 Cybersecurity Workforce Study, CISSP holders earn a median salary of $128,000 in the United States—significantly above the overall cybersecurity median of $113,000. The certification consistently ranks among the highest-paying IT credentials in industry salary surveys.

The Bureau of Labor Statistics projects information security analyst employment growing 32% through 2032, much faster than average. This demand, combined with persistent workforce shortages documented in ISC2 research, means CISSP holders have strong negotiating positions and ample job opportunities.

Beyond salary, CISSP opens doors that remain closed to uncertified candidates. Many organizations—especially in government, defense, healthcare, and finance—require CISSP for senior security positions. Government contractors working on classified systems often mandate CISSP for information assurance roles. Even when not strictly required, CISSP frequently appears in “preferred qualifications” for positions paying $120,000 and above.

The certification also provides mobility. CISSP is recognized globally, and the knowledge framework transfers across industries. A CISSP holder can move from healthcare to finance to technology without relearning fundamental security concepts—only the regulatory and technical specifics change.

Common Misconceptions About CISSP

Misconception: CISSP is a technical certification. CISSP is management-oriented. While it covers technical concepts, the exam emphasizes how security managers should think about problems rather than hands-on implementation details. If you want deep technical validation, consider certifications like OSCP for penetration testing or cloud-specific credentials.

Misconception: You need all eight domains of experience. The requirement is two or more domains, not all eight. Most professionals have deep experience in 2-4 domains and passing familiarity with others. The exam tests knowledge across all domains, but your work experience only needs to span two.

Misconception: CISSP expires if you don’t renew. If you don’t pay the AMF or earn CPEs, your certification enters suspended status rather than disappearing. You can reinstate during the suspension period by paying back fees and catching up on CPEs. Only if you never remedy the lapse does ISC2 revoke the certification, at which point regaining it requires retaking the exam.

Misconception: CISSP guarantees a job. CISSP opens doors but doesn’t walk through them for you. Hiring managers still evaluate experience, skills, communication ability, and cultural fit. The certification gets you past HR filters and validates knowledge—you still need to interview well and demonstrate practical competence.

Getting Started: Your Path to CISSP

Assess your current experience against ISC2’s requirements. Count your years in security roles and identify which domains your work touches. If you’re short on experience, you can still study and take the exam, earning Associate status while building the required background.

Most successful candidates spend 3-6 months preparing, studying 10-20 hours weekly. Start with the official ISC2 body of knowledge to understand scope, then supplement with study guides and practice questions. Focus extra attention on domains outside your work experience—those represent knowledge gaps the exam will find.

Register for the exam through Pearson VUE when you feel ready. Many candidates recommend scheduling the exam before you feel fully prepared—having a fixed date creates accountability and prevents indefinite studying. The CAT format means you’ll know results immediately after completing the exam.

After passing, complete the endorsement process within nine months of your exam date. You’ll need an existing ISC2 certified professional in good standing to verify your experience (ISC2 can act as your endorser if you don’t know one), subscribe to the ISC2 Code of Ethics, and pay the first year’s AMF. Endorsement review typically takes up to six weeks, after which you can officially use the CISSP credential.

CISSP represents a career investment that pays returns for decades. The knowledge makes you better at security work regardless of certification status—the credential ensures organizations recognize that competence when making hiring and promotion decisions.

Elias Ward
Elias is a deep coding specialist who has spent most of his career working in places most people never hear about. Starting with a background in secure systems and backend development, he eventually moved into roles that required quiet precision and the ability to build or fix technology in environments where reliability mattered more than recognition.
