
ISC2 CISSP Certification Essentials

Published by Mike McNelis on June 27, 2024

The ISC2 CISSP certification is a highly respected credential in the field of cybersecurity, sought after by experienced professionals and leaders. CISSP, which stands for Certified Information Systems Security Professional, represents a benchmark of excellence. This guide provides comprehensive insights into the CISSP certification, its relevance to your career, and whether it’s worth pursuing.

What is CISSP?

The CISSP (Certified Information Systems Security Professional) is a highly esteemed certification offered by the International Information Systems Security Certification Consortium, commonly known as ISC2. Since its inception in 1994, it has served as a benchmark for validating an individual’s advanced technical and managerial competency in the field of information security.

ISC2 CISSP Certification Exam Details

The CISSP certification exam meets all the requirements for ANSI/ISO/IEC Standard 17024 and was the first information security credential to do so. It is also recognized as an approved baseline certification under the U.S. Department of Defense (DoD) 8570 certification requirement. As of April 15, 2024, the linear, fixed-form exam format will be discontinued. Unless otherwise indicated, details outlined here align with the (ISC)² CISSP Certification Exam Outline effective April 15, 2024.

How Much Is The CISSP Exam?

The CISSP certification exam costs $749. The English version of the ISC2 CISSP Certification Exam uses a Computerized Adaptive Testing (CAT) format, consists of 125-175 multiple-choice and advanced innovative questions, and must be completed within 4 hours. The updated CISSP exam includes innovative question types such as drag-and-drop and hotspot questions, in addition to traditional multiple-choice questions.

What Are The CISSP Exam Domains?

The CISSP certification exam focuses on eight specific domains related to information security:

  1. Security and Risk Management 15%
  2. Asset Security 10%
  3. Security Architecture and Engineering 13%
  4. Communication and Network Security 13%
  5. Identity and Access Management (IAM) 13%
  6. Security Assessment and Testing 12%
  7. Security Operations 13%
  8. Software Development Security 11%

How Hard Is The CISSP Exam?

The CISSP certification exam is widely regarded as one of the most challenging cybersecurity exams available. It is not uncommon for even seasoned cybersecurity professionals to fail on their first attempt.

This certification demands substantial experience in cybersecurity, which proves beneficial for tackling the exam’s objective and performance-based questions. However, many questions are designed from the perspective of a security or risk manager rather than a technologist. Years of hands-on technical experience can sometimes lead to incorrect answers, as the exam often requires a managerial or process-oriented approach. The primary challenge lies in retraining your thinking to align with the test’s expectations and with how ISC2 expects you to respond.

How to Pass the ISC2 CISSP Certification Exam

As noted, one of the biggest hurdles for IT professionals taking the CISSP exam is their tendency to answer questions like a technologist rather than an Information Security Manager. To successfully pass the CISSP certification exam, candidates must adjust their mindset to focus on process and managerial requirements.

The preparation process usually involves several months of studying the exam domains using various resources, including:

  • Instructor-led training courses
  • Self-paced training videos
  • Study guides
  • Practice exams
  • Flashcards
  • User Groups

What Are the CISSP Requirements?

To be eligible for the CISSP certification, candidates must meet several key requirements. Candidates must have a minimum of five years of cumulative, paid work experience in two or more of the eight domains of the CISSP Common Body of Knowledge (CBK). These domains are:

    • Security and Risk Management
    • Asset Security
    • Security Architecture and Engineering
    • Communication and Network Security
    • Identity and Access Management (IAM)
    • Security Assessment and Testing
    • Security Operations
    • Software Development Security

A post-secondary degree (bachelor’s or master’s) in computer science, information technology (IT), or related fields can satisfy up to one year of the required experience. Part-time work and internships may also contribute towards meeting the experience requirement. Alternatively, holding an additional credential from the ISC2 approved list can also account for up to one year of the required experience. Some of these certifications include:

  • AWS Certified Security – Specialty
  • Azure Security Engineer Associate
  • Certified in Governance, Risk and Compliance (CGRC)
  • Certified Cloud Security Professional (CCSP)
  • Certified Computer Examiner (CCE)
  • Certified Ethical Hacker v8 or higher
  • Certified Information Security Manager (CISM)
  • Certified Information Systems Auditor (CISA)
  • Certified Internal Auditor (CIA)
  • Certified Protection Professional (CPP) from ASIS
  • Certified in Risk and Information Systems Control (CRISC)
  • Certified Secure Software Lifecycle Professional (CSSLP)
  • Cisco Certified CyberOps Associate/Professional
  • Cisco Certified Internetwork Expert (CCIE) Security
  • Cisco Certified Network Associate Security (CCNA Security)
  • Cisco Certified Network Professional Security (CCNP Security)
  • CompTIA Advanced Security Practitioner (CASP+)
  • CompTIA CySA+
  • CompTIA Security+
  • Computer Hacking Forensic Investigator (CHFI)
  • CSA Certificate of Cloud Security Knowledge (CCSK)
  • EC-Council Certified Security Specialist (ECSS)
  • EC-Council Certified SOC Analyst (CSA)
  • Juniper Networks Certified Internet Expert (JNCIE-SEC)
  • Microsoft Identity and Access Management
  • Microsoft Security Operations Analyst
  • Microsoft Certified Cybersecurity Architect
  • Systems Security Certified Practitioner (SSCP)

Instructor-Led vs. Self-Paced CISSP Training Options

Choosing between instructor-led training (ILT) and self-paced training is often seen as an either-or decision for certification exam preparation. However, for the CISSP exam, both approaches can be crucial components of a comprehensive study plan. Given the challenging nature of the adaptive CISSP exam, it is not one that can be passed after a single week of training, whether self-paced, ILT, or a combination of both. Here is a suggested outline for effective preparation:

    1. Read the CBK: Start by reading through the CISSP Common Body of Knowledge (CBK) guide. Then, re-read and highlight areas where you need more understanding.
    2. Focus on Weak Areas: Dive deeper into the topics you find challenging. Look up answers online for any questions you have. There is a wide range of resources on all of the topics within the CISSP CBK.
    3. Take an ILT Course: Join an instructor-led course. Learn from someone who has passed the CISSP exam and clarify any difficult topics you identified during your self-study.
    4. Practice Exams: Take multiple practice exams to identify other areas that need improvement.
    5. Review and Practice: Repeat steps 2 and 4 until you consistently score 85%+ on practice exams.
    6. (Optional) Retake ILT Course: Consider retaking the ILT course right before your exam for a final refresher. This is especially helpful if your course offers a free retake option.

By combining these methods, you can build a solid foundation and improve your chances of passing the CISSP exam.

Requirements After You Pass Your CISSP Exam

Passing the CISSP exam is a significant achievement, but there are several steps and ongoing requirements to maintain your certification:

  1. Endorsement: Within nine months of passing the exam, you must be endorsed by an ISC2 certified professional who can confirm your work experience. This endorsement process verifies that you have the required professional experience in the relevant domains.
  2. Adherence to the ISC2 Code of Ethics: You must commit to and follow the ISC2 Code of Ethics, which sets forth standards of professional conduct and ethical behavior.
  3. Pay Annual Maintenance Fees (AMF): You are required to pay an annual maintenance fee to keep your certification active. As of 2024, the fee is $125 per year.
  4. Earn Continuing Professional Education (CPE) Credits: To maintain your CISSP certification, you must earn and submit CPE credits every year. Specifically, you need to accumulate at least 40 CPE credits annually, and a total of 120 CPE credits over a three-year certification cycle.
  5. Submit CPE Credits: Regularly submit your CPE credits through the ISC2 online portal. These credits can be earned through various activities such as attending training courses, participating in webinars, writing articles, or attending industry conferences.
  6. Recertification: Every three years, you must recertify by ensuring you have met all the CPE and AMF requirements. This recertification process helps ensure that your knowledge and skills remain current in the ever-evolving field of information security.

By adhering to these post-exam requirements, you can maintain your CISSP certification and continue to demonstrate your commitment to professional development and excellence in the field of information security.

Is CISSP Worth It?

The Certified Information Systems Security Professional (CISSP) certification is highly regarded in the cybersecurity industry. Here are some reasons why pursuing the CISSP can be worthwhile:

  • Global Recognition: CISSP is recognized worldwide as a standard of excellence in the field of information security. It demonstrates a high level of competence and commitment to the profession.
  • Career Advancement: Holding a CISSP certification can open doors to advanced career opportunities. It is often required for senior and managerial positions in cybersecurity.
  • Higher Salary: CISSP-certified professionals typically earn higher salaries compared to their non-certified peers. The certification can significantly boost your earning potential.
  • Comprehensive Knowledge: The CISSP certification covers a broad range of topics in information security, ensuring that you have a deep and comprehensive understanding of key security concepts and practices.
  • Professional Network: Becoming a CISSP-certified professional connects you to a large network of other certified individuals. This network can be valuable for career growth, knowledge sharing, and professional support.
  • Credibility and Trust: The CISSP certification enhances your credibility with employers, clients, and peers. It shows that you have met rigorous standards and are committed to ongoing professional development.
  • Regulatory and Industry Standards: Many organizations and regulatory bodies recognize CISSP as a benchmark for information security expertise. Having the certification can help meet compliance requirements and industry standards.
  • Job Security: In an era of increasing cyber threats, cybersecurity skills are in high demand. CISSP certification can provide job security and make you a valuable asset to any organization.

While the CISSP certification requires a significant investment of time and effort, the benefits it offers in terms of career advancement, higher salary, and professional recognition make it a worthwhile pursuit for many information security professionals.

ISC2 CISSP Compared to Other Industry Certifications

The CISSP certification is often compared to other leading certifications in the information security field. Here’s how CISSP stacks up against some of the other prominent certifications:

CISSP vs. CISM

  • Focus: CISSP covers a broad range of security topics and is designed for professionals who design, implement, and manage security programs. CISM, on the other hand, focuses on managing and governing the security of information systems.
  • Target Audience: CISSP is ideal for security practitioners and managers. CISM is targeted at security managers and those who oversee enterprise-level security.
  • Domains Covered: CISSP has eight domains, including risk management and security architecture. CISM focuses on four domains, including information risk management and incident management.

CISSP vs. CASP+

  • Focus: CISSP emphasizes both managerial and technical aspects of security. CASP+ focuses on advanced-level security skills and hands-on technical expertise.
  • Target Audience: CISSP is suitable for experienced security professionals and managers. CASP+ is aimed at technical professionals who are looking to build advanced security skills.
  • Certification Requirements: CISSP requires five years of work experience in at least two domains. CASP+ has no formal experience requirement but recommends ten years of experience in IT administration, including five years of hands-on technical security experience.

CISSP vs. CRISC

  • Focus: CISSP covers a wide range of security topics. CRISC is specifically focused on risk management and the control of information systems.
  • Target Audience: CISSP is for security practitioners, managers, and executives. CRISC is targeted at IT professionals involved in risk management and control.
  • Domains Covered: CISSP covers eight domains, while CRISC focuses on four domains related to risk identification, assessment, and response.

CISSP vs. CISA

  • Focus: CISSP covers broad security principles and practices. CISA is focused on the audit, control, and assurance of information systems.
  • Target Audience: CISSP is suited for security practitioners and managers. CISA is intended for professionals who audit, control, and ensure the integrity of information systems.
  • Domains Covered: CISSP covers eight domains, while CISA covers five domains, including information systems auditing and governance.

CISSP vs. Security+

  • Focus: CISSP is an advanced-level certification that covers in-depth security management and practices. Security+ is an entry-level certification that provides a foundation in basic security principles and practices.
  • Target Audience: CISSP is for experienced professionals with managerial and technical responsibilities. Security+ is ideal for beginners and those starting their careers in cybersecurity.
  • Certification Requirements: CISSP requires five years of professional experience. Security+ has no formal experience requirement, making it accessible for newcomers to the field.

CISSP vs. CEH

  • Focus: CISSP covers a broad range of security topics with a focus on management and operational security. CEH focuses specifically on ethical hacking and penetration testing techniques.
  • Target Audience: CISSP is for security practitioners and managers. CEH is aimed at individuals looking to specialize in ethical hacking and penetration testing.
  • Domains Covered: CISSP covers eight domains, while CEH focuses on the techniques and tools used in ethical hacking.

CISSP vs. CCSP

  • Focus: CISSP covers general security principles and practices. CCSP focuses specifically on cloud security and the unique challenges of securing cloud environments.
  • Target Audience: CISSP is for a broad range of security professionals. CCSP is for professionals who design, manage, and secure data, applications, and infrastructure in the cloud.
  • Domains Covered: CISSP has eight domains, while CCSP covers six domains, including cloud architecture and operations.

Each of these certifications has its own strengths and focuses, catering to different roles and expertise levels within the information security field. The CISSP certification is well-regarded for its comprehensive coverage and is often seen as a benchmark for security professionals seeking to advance their careers in a variety of security-related roles.

CISSP Average Salary

The Certified Information Systems Security Professional (CISSP) certification is highly valued in the cybersecurity industry and is often associated with higher earning potential.

Globally, the average salary for CISSP-certified professionals ranges from $100,000 to $120,000 annually. This figure can vary significantly based on factors such as location, industry, and years of experience.

In the United States, CISSP holders often earn between $110,000 and $140,000 per year. In Europe, the average salary typically falls between €80,000 and €100,000 annually. In the Asia-Pacific region, salaries can range from $70,000 to $100,000 per year, depending on the country and demand for cybersecurity expertise.

Industry-specific salaries also vary. In the finance sector, CISSP professionals can earn significantly higher salaries, often exceeding $150,000 annually due to the critical importance of cybersecurity in financial institutions. In healthcare, CISSP holders can expect salaries ranging from $110,000 to $130,000 per year, reflecting the sector’s growing emphasis on data security and compliance. In the technology industry, average salaries for CISSP-certified professionals typically range from $120,000 to $140,000 annually.

Top Jobs for CISSP-Certified Professionals

Holding a CISSP certification opens doors to a variety of high-level cybersecurity positions.

  • Chief Information Security Officer (CISO): As the highest-ranking executive responsible for an organization’s information security, the CISO develops and implements security policies and strategies to protect digital assets.
  • Security Consultant: Security consultants advise organizations on how to protect their information systems and networks. They assess security measures, identify vulnerabilities, and recommend improvements.
  • IT Security Manager: IT security managers oversee an organization’s IT security infrastructure. They manage security teams, implement security policies, and ensure compliance with regulatory requirements.
  • Security Analyst: Security analysts monitor and protect an organization’s networks and systems. They analyze security breaches, perform risk assessments, and implement security measures to prevent future incidents.
  • Security Architect: Security architects design and build secure IT systems and networks. They develop security policies, assess risks, and ensure that systems are resilient against cyber threats.
  • Security Engineer: Security engineers implement and maintain security measures within an organization’s IT infrastructure. They configure security tools, manage security incidents, and ensure system integrity.
  • Incident Manager: Incident managers coordinate responses to security breaches and incidents. They lead incident response teams, investigate incidents, and develop strategies to prevent future occurrences.
  • Penetration Tester: Also known as ethical hackers, penetration testers simulate cyberattacks to identify vulnerabilities in an organization’s systems and networks. They conduct tests and provide recommendations to improve security.

How Many CISSP credential holders are there?

As of the latest available data, there are over 150,000 CISSP-certified professionals worldwide. This number continues to grow as the demand for skilled cybersecurity professionals increases across various industries and regions. The CISSP certification, being one of the most respected and recognized credentials in information security, attracts a large number of professionals seeking to validate their expertise and advance their careers in cybersecurity. As of the latest data, there are over 36,828 job postings on LinkedIn that mention CISSP. This high number reflects the significant demand for CISSP-certified professionals in the cybersecurity field.

Maintaining Your CISSP Certification

Your CISSP certification is valid for three years from the date it was earned. To renew it, you need to earn and submit a total of 120 Continuing Professional Education (CPE) credits within this three-year cycle.

ISC2 categorizes CPEs into two groups:

  • Group A CPEs: These must be earned and submitted annually, with 30 Group A CPEs required each year. These credits are related to domain-specific education, contributions to the profession, and unique work experiences.
  • Group B CPEs: These can be earned and submitted at any time during the three-year cycle. Group B credits are for general professional development activities.

To renew your CISSP certification, you need 90 Group A CPEs and an additional 30 CPEs, which can be from either Group A or Group B.

By staying on top of these requirements and regularly submitting your CPE credits, you can ensure your CISSP certification remains active and valid.

Sample CISSP CPE Activities

Group A CPEs are directly related to the CISSP domains. Examples include attending conferences, seminars, or workshops focused on information security, enrolling in advanced courses related to cybersecurity, and participating in webinars and training sessions that cover CISSP domains. Other examples include writing and publishing articles or whitepapers on information security topics, presenting at industry conferences or seminars, and developing and delivering training sessions or workshops on CISSP-related subjects.

Additionally, engaging in special projects at work that involve the application of CISSP domains, serving as a mentor to junior information security professionals, and participating in research projects related to cybersecurity count as Group A CPE activities.

Group B CPEs pertain to general professional development. Examples include taking courses on project management, communication skills, or leadership, attending seminars or workshops on general IT topics that are not specifically focused on security, and participating in community or volunteer work that enhances professional skills.

Other examples include enrolling in courses or attending webinars on emerging technologies such as cloud computing, blockchain, or artificial intelligence, participating in cross-disciplinary training that supports a broader understanding of IT and business operations, and taking workshops or courses on soft skills like public speaking, negotiation, or teamwork. Engaging in activities that improve critical thinking, problem-solving, or analytical skills also falls under Group B CPE activities. You can also review the most up-to-date requirements in the ISC2 CPE handbook.

What’s Next?

After obtaining the CISSP (Certified Information Systems Security Professional) certification, professionals often consider advancing their careers and expertise by pursuing additional specialized certifications. Here are some common next steps:

1. CISSP-ISSAP (Information Systems Security Architecture Professional)

Designed for professionals who focus on security architecture. It emphasizes the skills needed to develop and analyze security solutions within an enterprise architecture framework. Key areas of focus include:

  • Enterprise security architecture
  • Security operations architecture
  • Governance, risk management, and compliance (GRC) architecture
  • Technical integration of enterprise components

2. CISSP-ISSEP (Information Systems Security Engineering Professional)

The ISSEP is tailored for professionals who specialize in security engineering. It covers the practical aspects of security engineering and the integration of security in all phases of the systems development lifecycle. Key areas of focus include:

  • Systems security engineering
  • Certification and accreditation
  • Technical management
  • U.S. government information assurance regulations

3. CISSP-ISSMP (Information Systems Security Management Professional)

Aimed at professionals who manage information security programs. It focuses on the skills necessary to establish, present, and govern information security programs. Key areas of focus include:

  • Enterprise security management practices
  • Risk management
  • Business continuity planning and disaster recovery planning
  • Law, ethics, and incident management

Additional Learning Resources and Forums for CISSP Certification

  • ISC2 Official Resources
    • ISC2 Learning Platform: Offers official training courses, webinars, and interactive sessions led by certified instructors.
  • Books and Study Guides
    • CISSP Official ISC2 Practice Tests: A comprehensive guide with practice questions for each of the eight domains.
    • How To Think Like A Manager for the CISSP Exam: A highly regarded book that covers how to move away from thinking from a purely technical perspective toward one that takes a more holistic view of the entire organization.
  • Online Forums and Communities
    • Reddit: The r/CISSP subreddit is a community of CISSP candidates and certified professionals sharing tips, resources, and experiences. Join the discussion at Reddit r/CISSP.
    • ISC2 Community: An official forum where members can discuss certification topics, share study tips, and network with peers. Access it through the (ISC)² Community.
  • Practice Exams and Flashcards
    • CISSP Study Notes and Theory: Provides realistic practice exams with detailed explanations for each question. Learn more at Study Notes and Theory.
    • Quizlet: Offers user-created flashcards covering CISSP topics for quick revision. Explore flashcards on Quizlet.

By utilizing these resources and engaging with the community, CISSP candidates can effectively prepare for the exam and enhance their knowledge and skills in information security.
