Certified Information Systems Security Professional (CISSP) Certification Guide
The CISSP certification is one of the most well-respected certifications in the cybersecurity industry. However, getting this certification is not an easy feat. It requires time, effort, and a willingness to delve into the broad and ever-evolving landscape of cybersecurity. This security certification is often described as a mile wide and an inch deep, which refers to the broadness of the topics it covers. In other words, you need to have a solid understanding of the many different domains of cybersecurity to pass the exam.
If you’re thinking about taking the CISSP certification exam and wondering whether it’s a good fit, you need to understand the certification process to help you make an informed decision.
This guide will discuss everything you need to know about the CISSP certification, including the examination requirements, frequently asked questions, exam resources, and a study guide that will make it easier for you to pass the certification. We will also include the steps you need to take after passing the CISSP exam.
About the CISSP certification
The Certified Information Systems Security Professional (CISSP) certification is one of the most globally recognized certifications in the cybersecurity industry. It validates the skills and knowledge of security professionals in designing, developing and managing a cybersecurity program.
The CISSP Common Body of Knowledge (CBK) includes a broad spectrum of topics that encapsulates all relevant disciplines in the field of cybersecurity. These disciplines are categorized into the following eight domains:
The CISSP exam assesses your knowledge, and even more importantly, your competence as a security professional. We will take a more in-depth look at these 8 domains in the CISSP study guide section below.
Brief History of CISSP
First introduced in 1994, the CISSP certification is a vendor-neutral certification program granted by the International Information Systems Security Certification Consortium ISC2 to qualified security professionals. In 2004, this certification was accredited under the ANSI ISO/IEC Standard 17024:2003, making it the first security certification to be recognized.
It also meets the requirements of the U.S. Department of Defense (DoD) Directive 8570.1, which was replaced by DoD 8140.01 as of October 5, 2020. This means that the CISSP certification is an approved baseline certification for those who are planning to work in the DoD cyber workforce, specifically in the Information Assurance Technical (IAT), Information Assurance Managerial (IAM), and Information Assurance System Architect and Engineer (IASAE) categories.
In 2020, the CISSP security certification was deemed a qualification level comparable to Level 7 of the Regulated Qualifications Framework (RQF) by the U.K National Academic Recognition Information Centre. This means that a CISSP-certified individual has a qualification level equal to a master’s degree, not just in the U.K.
As of January 2023, there are 156,054 ISC2 members who hold the CISSP certification all over the globe.
What is an ISC2 certification?
The International Information Systems Security Certification Consortium ISC2 is a nonprofit membership organization for information security leaders. This organization specializes in training and certifications for cybersecurity professionals and is responsible for providing some of the most recognized certifications in the IT field.
It also created and maintains the Common Body of Knowledge (CBK) on which the ISC2 certifications, such as CISSP, are based. Basically, the CBK is responsible for defining the global industry standards and best practices in cybersecurity.
ISC2 certifications provide employers the proof that a cybersecurity professional has a solid foundation of knowledge needed to protect IT infrastructures including systems and networks. All certificates issued by the ISC2 are accredited and recognized by some of the highest global standards for professional certifications including the American National Standards Institute (ANSI), and the International Accreditation Forum, among others.
Apart from the CISSP certification, the organization also offers other certifications such as the Certified Cloud Security Professional (CCSP), the Systems Security Certified Practitioner (SSCP), the Certified Authorization Professional (CAP), the HealthCare Information Security and Privacy Practitioner (HCISPP) and the Certified Secure Software Lifecycle Professional (CSSLP).
CISSP certification requirements: How to become a certified information systems security professional
Passing the CISSP examination isn’t the only thing you need to do to be a CISSP. Here are all the steps you need to accomplish before you get your certification:
Before you can be certified, you need to have at least five years of cumulative paid work experience in two or more of the CISSP domains. This includes full-time and part-time work experience, as well as paid or unpaid internships. Here is a quick rundown of the work experience you need:
If you don’t have the minimum amount of cumulative experience, you can substitute a maximum of one year of the work experience requirement if you have relevant education or hold one of the approved (ISC) certifications. This means that you only need a total of 4 years of work experience to qualify for the CISSP examination.
No experience? No problem.
If you don’t have the required work experience to become a CISSP, you can still take the CISSP exam. However, instead of being awarded the CISSP certification, you will become an Associate of (ISC) . You will then be given six years to complete the five years of required work experience.
There are tons of free and paid CISSP study materials which we will discuss in more detail below. Some candidates are able to pass the exam with self-study using study guides and books, while others choose to attend CISSP training instead. Both options can help you prepare for the exam, but it’s up to you which type of training works based on your experience in the industry, learning style, and time available to study.
Easier said than done, right? While the CISSP examination is considered one of the hardest certifications to pass, with enough preparation, you can pass the test. We have listed many useful resources you can use to prepare for the test in the following sections.
After you pass the CISSP exam, you will be given nine months from the date of the test to complete the endorsement process, which includes getting endorsed by another CISSP holder or by ISC2 itself.
Once you’ve earned your CISSP certification, you become a member of ISC2. However, your membership and CISSP certification will only last three years. This means that you need to recertify every three years, which can be accomplished by earning continuing professional education (CPE) credits and paying an Annual Maintenance Fee (AMF) to support the ongoing development of the certification. Otherwise, you’ll have to take the exam again. You definitely don’t want to ever take the exam again once you’ve passed it!
CISSP study guide:
The 8 domains of CISSP
Here at Destination Certification, we make it easy for you to confidently pass the CISSP exam, and we’ve provided a thorough overview of all the major topics in each of the eight domains. The following guides provide an excellent starting point for all that you need to know in each domain.
Domain 1:
Security and risk management
This domain covers the fundamental concepts of information security including governance, compliance, regulations, and how to assess and manage risks. Domain 1 makes up 15% of the CISSP exam.
Domain 2:
Asset security
This domain deals with data and asset classification, data handling, managing the data lifecycle, data protection methods, and data states. Domain 2 makes up 10% of the CISSP exam.
Domain 3:
Security architecture and engineering
This domain covers the fundamental concepts of information security including governance, compliance, regulations, and how to assess and manage risks. Domain 1 makes up 15% of the CISSP exam.
Domain 4:
Communication and network security
This domain tests your skills in securing networks and communication channels. It also includes assessing and implementing secure design principles in network architectures. Domain 4 makes up 13% of the CISSP exam.
Domain 5:
Identity and access
management (IAM)
This domain deals with identity management, implementation and management of authorization mechanisms, access control, and implementation of authentication systems. Domain 5 makes up 13% of the CISSP exam.
Domain 6:
Security assessment and testing
This domain includes all techniques and tools needed to assess and find vulnerabilities in different systems and networks. It also covers how to conduct or facilitate security audits. Domain 6 makes up 12% of the CISSP exam.
Domain 7:
Security operations
This domain covers security investigation, digital forensics, threat intelligence, Configuration Management (CM), resource protection, Disaster Recovery (DR), Business Continuity (BC), and incident management. Domain 7 makes up 13% of the CISSP exam.
Domain 8:
Software development security
This domain deals with the Software Development Life Cycle (SDLC) and security controls in software development ecosystems. It also tests your knowledge of assessing the effectiveness of software security and the security impact of acquired software. Domain 8 makes up 11% of the CISSP exam.
CISSP study guide: The 8 domains of CISSP
Here at Destination Certification, we make it easy for you to confidently pass the CISSP exam, and we’ve provided a thorough overview of all the major topics in each of the eight domains. The following guides provide an excellent starting point for all that you need to know in each domain.
Domain 1:
Security and risk management
This domain covers the fundamental concepts of information security including governance, compliance, regulations, and how to assess and manage risks. Domain 1 makes up 15% of the CISSP exam.
Domain 2:
Asset security
This domain deals with data and asset classification, data handling, managing the data lifecycle, data protection methods, and data states. Domain 2 makes up 10% of the CISSP exam.
Domain 3:
Security architecture and engineering
This domain covers the fundamental concepts of information security including governance, compliance, regulations, and how to assess and manage risks. Domain 1 makes up 15% of the CISSP exam.
Domain 4:
Communication and network security
This domain tests your skills in securing networks and communication channels. It also includes assessing and implementing secure design principles in network architectures. Domain 4 makes up 13% of the CISSP exam.
Domain 5:
Identity and access
management (IAM)
This domain deals with identity management, implementation and management of authorization mechanisms, access control, and implementation of authentication systems. Domain 5 makes up 13% of the CISSP exam.
Domain 6:
Security assessment and testing
This domain includes all techniques and tools needed to assess and find vulnerabilities in different systems and networks. It also covers how to conduct or facilitate security audits. Domain 6 makes up 12% of the CISSP exam.
Domain 7:
Security operations
This domain covers security investigation, digital forensics, threat intelligence, Configuration Management (CM), resource protection, Disaster Recovery (DR), Business Continuity (BC), and incident management. Domain 7 makes up 13% of the CISSP exam.
Domain 8:
Software development security
This domain deals with the Software Development Life Cycle (SDLC) and security controls in software development ecosystems. It also tests your knowledge of assessing the effectiveness of software security and the security impact of acquired software. Domain 8 makes up 11% of the CISSP exam.
The CISSP examination guide
The CISSP exam comes in two versions: the Computerized Adaptive Testing (CAT) for all exams conducted in English and the linear, fixed-form exams for all non-English exams. Below, we discuss all the details you need to know about these tests:
Term | Computerized Adaptive Testing (CAT) exam |
|---|---|
Length of exam | 3 hours |
Number of questions | 100 to 150 |
Item format | Multiple choice and advanced innovative items |
Passing grade | 700 out of 1000 points. At least 70% must be achieved in each domain. |
Languages | English, Chinese, German, Japanese & Spanish |
In December of 2017, ISC2 transitioned from the linear, fixed-form exam to the CAT exam for all the English CISSP exams worldwide. While it is based on the same exam content outline as the previous iteration, the new testing format is a more precise and efficient way to evaluate your knowledge in the cybersecurity field. It allows you to prove your competency by answering fewer questions and completing the test in a shorter amount of time.
Note: An important consideration if you are considering taking the exam in a language other than English: you will need to take the older style linear exam, but a big benefit is that each question on the exam will be in your selected language (e.g. Spanish) and the English translation of the question will also be shown.
How does the CISSP CAT exam work?
The CISSP CAT exam uses an algorithm that determines your next questions based on your previous answers. It basically estimates your knowledge and abilities as you go along with the test.
The exam flow looks like this: the first few questions are simple and easy to answer. However, the more correct answers you enter, the harder the subsequent questions will get. While this may seem like a bad thing, the sooner you get through the hard questions, the quicker you can pass the test. If you provide a wrong answer or continually provide wrong answers, you can expect the next questions to be a little bit easier, but you’ll be further away from passing the test.
In other words, the CISSP CAT algorithm follows your response to a question and re-estimates your ability based on your answer and the difficulty of the question provided. As you answer more questions, the algorithm’s estimation will become more precise. This allows the system to gather information about your true ability level more efficiently compared to the previous type of testing.
In other words, the CISSP CAT algorithm follows your response to a question and re-estimates your ability based on your answer and the difficulty of the question provided. As you answer more questions, the algorithm’s estimation will become more precise. This allows the system to gather information about your true ability level more efficiently compared to the previous type of testing.
As a result of this more precise evaluation, the maximum exam administration time is reduced from 6 hours to 4 hours. It also reduces the number of questions from 250 to as little as 125. However, it doesn’t change the difficulty of the exam and you’re still expected to study all of the domains in the CISSP CBK.
A major downside of the CAT exam is you have no ability to mark a question for review, or go back and change your answer to a previous question. You must select an answer to each question before you can move on to the next question.
Important reminder: The exam content outline, exam weights, and passing standards for both versions are exactly the same. This means that you will still be assessed on the same content and should demonstrate the same level of competency regardless of the testing format.
The CISSP exam outline
Both the CISSP CAT exam and fixed-form linear testing exam follow the same exam weights. You can look at the full breakdown of the domains here. However, it’s important to remember that you will never know on the exam which domain a question is drawn from. The weight difference between the different domains is minimal. Essentially all of the domains are important and what you should really focus on is what you specifically need to learn in each domain, not the weighting difference between the domains.
Frequently asked questions
CISSP stands for Certified Information Systems Security Professional.
The CISSP CAT exam is 3 hours long and contains 100 to 15o items.
An (ISC)2 CISSP certification is valid for three years in total. It is possible to retake the course and exam, or you can earn and submit 120 Continuing Professional Education credits (CPEs) during the three years. CPE credits are earned by participating in Continuing Professional Education activities.
As mentioned, the CISSP exam is one of the most difficult security exams. This is because it covers the wide range of cybersecurity topics needed to design, implement and manage a cybersecurity program. And, most importantly, the CISSP exam tests your competence as a security professional. Your ability to find the best answer amongst multiple correct answers, and not your ability to memorize a bunch of information.
Because of this, you have to know every topic in each domain and understand how to use this information to effectively manage a security function, to pass the exam. At the same time, the CAT exam can feel intimidating, because it hones in on any areas where you are weak.
But this doesn’t mean that you should not take the exam. The difficulty means that earning a CISSP certification is a testament to your expertise in the field.
The exam for CISSP certification is unfortunately a bit ridiculously expensive and costs $749 in all regions except the U.K., which costs £585, and Europe, which costs €665. If you need to reschedule your exam, you’ll need to pay $50/£35/€40 on top of the CISSP exam cost.
For cancellations, you’ll need to pay $100/£70/€80. If you don’t take your CISSP exam within a year of the initial scheduled exam date, you will not get a refund for canceling
You can simply create an account at Pearson VUE, which is the global administrator of all ISC2 exams. Then, select the certification exam you’re taking and schedule your exam at your nearest testing center.
Reminder: If you’re planning to take the exam in another language apart from English, make sure that the linear exam is available in your preferred language before you create an account at Pearson VUE.
You can take the CISSP examination at any authorized Pearson VUE testing center near you. At the moment, online testing isn’t available.
Reminder: Before you take the exam, make sure to review all ISC2 exam policies and procedures for the exam day to avoid any problems. If you need any special accommodation during the test, you can request it from ISC2.
You can register for the CISSP exam at the Pearson VUE website. Do note that you’re only allowed to have one ISC2 account. If you have multiple accounts, you may face some delay in receiving your exam results. On top of that, using different accounts to avoid fees such as rescheduling may result in a temporary or permanent ban of your account.
There’s no secret formula for passing the CISSP exam on your first try. Every candidate has a different level of skills and knowledge, so it’s really up to you how you want to tackle the process. However, with the right amount of determination, dedication, and preparation, along with the right resources, anyone can pass the exam on their first try.
Passing the CISSP in 30 days is challenging but possible, especially for individuals with extensive experience in all eight domains of the CISSP and the ability to dedicate a significant amount of time daily to intense study. Some candidates can even pass the exam by just attending our 5-day live bootcamp, which boasts a proven track record with a pass rate over 90%.
The CISSP is a vendor-neutral management-level certification that covers a very broad number of topics across cybersecurity. The CCNA, on the other hand, is offered by Cisco and is highly focused on networking fundamentals and architecture.
After you pass the CISSP exam, you’ll need to get endorsed by another CISSP holder and have our experience and endorsement reviewed and approved by ISC2. You also need to earn continuing professional education (CPE) credits to qualify for recertification after three years. We will discuss this in the following sections.
After CISSP, professionals may pursue further specializations or advanced certifications, such as CCSP or CISM, depending on their career interests.
How to prepare for the CISSP exam?
Preparing for the CISSP exam varies per candidate; what works for others may not work for you and vice versa. Some may require classroom training, while others are okay with self-paced online training. The way you study for the CISSP exam also depends on your current knowledge, experience, and abilities. So, the most important thing here is to understand where you’re currently at, as well as the amount of time you can dedicate to preparing for the certification.
To help you out, we have listed different CISSP resources that you can take advantage of to prepare for the exam. We also added recommended CISSP books and study guides you can read to supplement your journey.
Free CISSP training resources
There are tons of free CISSP resources available online, but you need to be very careful when choosing one. When using free resources, be sure to check the legitimacy of the information, so you won’t end up learning about the wrong concepts and wasting your time. Below are some of the most reputable free CISSP resources you can use:
- YouTube is one of the best free CISSP resources you can use, with numerous cybersecurity practitioners posting free training videos. Although the videos offered on this platform aren’t as in-depth as other paid courses, there are a bunch of videos that you can watch, like our MindMap series, that will help solidify your knowledge in the eight domains.
- Communities on Reddit and Discord allow you to connect directly to CISSP holders and other candidates who are studying for the CISSP exam. This can give you the support you need throughout your journey. On top of that, you can also get study tips and techniques from others that have recently passed the exam that can better prepare you for the test.
Paid CISSP training resources
While there are numerous free resources, it typically takes a fair bit of additional effort on your part to cobble together these resources, sort through the inconsistencies, and ensure you’ve sufficiently covered all the topics you may encounter on the exam. The free resources aren’t usually comprehensive enough to help you understand every domain of the CISSP CBK. They act as supplementary resources that can help make your exam preparation easier.
For most people, enrolling in a paid course is the most efficient and effective method to keep you motivated and properly prepare you for the CISSP exam, Here are some paid CISSP training resources that can help you pass the exam:
With all of the CISSP courses available online, it’s hard to find the right one that fits your needs. Most of them are targeted to anyone who’s planning to take the CISSP exam, which means that you’re going to tackle all the domains in the CISSP CBK, even those that you may already have extensive knowledge in. Our online platform allows you to access our course from anywhere, regardless of your location.
While there’s nothing wrong with that, it often makes the exam preparation take a lot longer. With our Destination Certification CISSP online training, the MasterClass adjusts depending on your knowledge, similar to how the CISSP CAT exam estimates your abilities as you go through the test.
In addition, you also have a personal mentor who will guide you in your studies and our system creates a personalized review guide for you that almost automatically focuses you on the things you need to learn. This makes studying more efficient because it helps you focus your attention on the domains that you are least familiar with. Apart from this customized training, you’ll also get:
- One-on-one mentoring calls to create a study plan that’s tailored for you, and to ensure you are fully prepared for the exam before you take it
- Comprehensive study material that covers the complete May 2021 CISSP exam outline
- Proven exam strategies and techniques you need to pass the exam
- Weekly live mentoring calls with our expert teachers
- Personalize schedules to help you stay focused
- CISSP Welcome Box including our printed CISSP Guidebook and our CISSP Workbook
- Flashcard app to help you memorize the terminology you need for the exam
- Visual MindMaps to connect key ideas across all the 8 domains
- Practice exam modeled on the real CISSP exam
Destination CISSP flashcard app
The CISSP CBK contains hundreds of terms that you need to know to pass the exam. Listing all of them manually can be tedious and daunting. With our CISSP Flashcard app, all the terms you need to know are already covered. This means that you don’t have to write down every term you encounter to create your own study material.
On top of that, it allows you to mark the terms you’re already familiar with, so you don’t have to go through them over and over again. It also connects to your MasterClass account, allowing our system to get a more detailed understanding of your knowledge and what you need to focus on, creating a more tailored and efficient studying experience.
Here’s what you’ll get in the app:
Destination CISSP questions app
For those who want to test their acquired knowledge of the CISSP CBK, the Destination CISSP Questions app is a great tool to have. The app contains more than 100 questions that accurately mimic real CISSP exam questions. And just like our flashcard app, the practice question app integrates with our system to create an ever more tailored learning experience for you.
In addition, you’ll also get:
CISSP Books
Apart from videos, communities, and training apps, books can also help accelerate your learning progress. Here are our top CISSP book recommendations:
CISSP certification vs other certifications
If you’re still unsure whether the CISSP certification is for you, we have created a quick comparison between the CISSP and other popular security certifications to help you make an informed decision.
When it comes to information security certifications, ISACA’s Certified Information Security Manager (CISM) and ISC2 CISSP are two of the most recognized. They both validate a cybersecurity professional’s knowledge and abilities to become a security manager and require five years of relevant experience in the field. On top of that, both require the fulfillment of continuing professional education (CPE) credits for recertification. Read more about CISSP vs CISM.
However, the main difference between the two certifications is the scope they cover. With the CISSP, you are tested on your knowledge to design, implement, and manage cybersecurity programs. Apart from the management side, it also covers some technical aspects of the field. On the other hand, CISM focuses more on testing your knowledge in managing security teams.
The CISSP and Certified Cloud Security Professional (CCSP) are meant to be companion certifications from ISC2. The CISSP covers a broad number of topics across all the major areas of security. Whereas the CCSP is focused on, you guessed it, cloud security, including design, implementation, architecture, operations, controls, and compliance with regulatory frameworks.
Here's our CISSP vs CCSP guide where you can learn more about these two ISC2 certifications.
The CISSP and CompTIA Security+ certifications are targeted toward different cybersecurity professionals. As established, the CISSP is perfect for professionals who are looking at transitioning or already are in managerial positions. On the other hand, Security+ validates the baseline skills needed to pursue an IT security career, which makes it ideal for IT professionals looking to land an entry-level position in the security field. Here's CISSP vs Security+ breakdown that we have made for easier choice.
CISSP Careers
The CISSP and CompTIA Security+ certifications are targeted toward different cybersecurity professionals. As established, the CISSP is perfect for professionals who are looking at transitioning or already are in managerial positions. On the other hand, Security+ validates the baseline skills needed to pursue an IT security career, which makes it ideal for IT professionals looking to land an entry-level position in the security field.
Here are some of the jobs that require or use CISSP certifications:
Chief Information Officer | Network Architect |
|---|---|
Chief Information Security Officer | Security Architect |
IT Director/Manager | Security Auditor |
Director of Security | Security Manager |
Security Analyst | Security Systems Engineer |
How much does a CISSP make?
Important reminder: There are many factors that need to be taken into account to calculate a CISSP’s salary attainment. These can include country, region, industry, experience, the current level within an organization, performance, and more. That’s why the information shared below should not be considered as an estimated salary for all individuals holding the CISSP.
According to the ISC2 Cybersecurity Workforce Study 2022, below are the median salaries for cybersecurity professionals in different regions:
Region | Average salary in U.S. dollars ($) |
|---|---|
North America | $134,800 |
Latin America | $22,185 |
Europe, Middle East, and Africa (EMEA) | $93,535 |
Asia-Pacific (APAC) | $59,379 |
United States | $135,000 |
I passed CISSP. What’s next?
If you’ve recently passed the CISSP examination, congratulations! However, passing the exam isn’t the only thing you need to do to be CISSP certified. You also need to complete the endorsement process and earn CPE credits. Let’s discuss them in detail below:
The CISSP endorsement process
As briefly mentioned, the endorsement process to become a CISSP includes getting endorsed by another ISC2 member or by the organization itself. Here’s how it works:
- After receiving a notification that you’ve passed the CISSP exam, you can start a Certification Application.
- Before you begin with the application you are required to provide an endorser, which is another ISC2 -certified professional in good standing, who can attest to your experience. If you don’t know anyone, you can opt for ISC2 to endorse you.
- Your chosen endorser will vouch for all the information you provided regarding your professional experience, and that you are in good standing within the cybersecurity industry. To do this, you will need their member or certification number so you can provide it when filling out the online application form.
- Next, you also need to provide all relevant experience and any experience waiver if you have any relevant education or credentials to cover some of the work experience required. Then, you’ll need to send this application to ISC2 for evaluation.
- Once your application is approved, you will need to pay your first Annual Maintenance Fee. If you hold other ISC2 certifications, you are not required to pay an additional AMF for your latest certification.
How to earn CISSP CPE credits
To maintain your CISSP certification, you are required to earn 120 CPEs every three years. However, the ISC2 CPE handbook suggests earning 40 CPE credits annually instead, so that it’s easier to achieve the required CPEs and retain your certification.
CPE credits are classified into two categories: Group A and Group B. You are required to earn 90 Group A CPEs and 30 Group B CPEs to get recertified.
This type of CPE credit relates directly to activities performed in the eight domains of CBK. This can be earned from projects, assignments, or activities that fall outside of your job responsibilities or description. However, you can also earn credits for activities during your regular work hours, but you can only earn a maximum of 10 points for those.
Some examples of Group A credits are:
- Taking an educational course (instructor-led, self-paced, or blended)
- Reading a whitepaper, magazine or book
- Publishing a whitepaper, magazine or book
- Attending a conference, educational course, seminar, or presentation (online or virtual)
- Performing a work-related project that isn’t included in your day-to-day work duties
The Group B credits are awarded for activities outside the eight domains that are considered to enhance the general professional skills, knowledge, and competencies of the CISSPs. These activities can include attending programs involving public speaking or management classes, as well as the following:
- Attending non-security conferences
- Involvement in a non-security-related committee in government, the private sector, or a charitable organization