Everything you need to know about ISC2's flagship security certification as of 2026, covering the eight domains, exam format, experience requirements, career paths, DoD 8140 status, and how CISSP compares to other senior credentials. A complete reference guide for anyone weighing the CISSP or trying to understand what it covers.
Security and Risk Management: Governance, risk, compliance, and business continuity. The heaviest domain at 16%.
Asset Security: Data classification, ownership, handling, and the full data lifecycle.
Security Architecture and Engineering: Secure design, security models, and cryptography.
Communication and Network Security: Secure network design, protocols, and components.
Identity and Access Management: Authentication, authorization, and the identity lifecycle.
Security Assessment and Testing: Assessment strategies, audits, and control validation.
Security Operations: Investigations, monitoring, incident response, and recovery.
Software Development Security: Security across the software development lifecycle.
CISSP is ISC2's flagship security certification, first administered in 1994 and held by professionals across more than 170 countries today.
It validates the knowledge and experience to design, engineer, and run an organization's full security program across eight domains. The point isn't mastering any single area. It's proving you can hold all eight together the way a senior security leader has to, balancing technical depth against business risk.
The credential is ANAB-accredited under ISO/IEC 17024, approved under DoD 8140 at the Advanced level, and gated behind a five-year experience requirement that keeps it firmly in advanced territory. CISSP is issued and maintained by ISC2, the nonprofit that has administered the program since 1994.
Four things that have made CISSP the credential most often named when employers describe a senior security hire.
CISSP was the first information security credential to meet the ANSI National Accreditation Board (ANAB) ISO/IEC 17024 standard. That accreditation, plus three decades of history, is why a CISSP reads the same way in a SOC, a boardroom, or a federal contract.
Eight domains span governance, cryptography, network defense, IAM, operations, and software security. That width is exactly what architecture and management roles need, and it sits a tier above specialist certs in most hiring frameworks.
As of 2026, CISSP holders in the US commonly land in the $135,000 to $180,000 range, with senior architects and CISOs going higher. Our honest take on whether CISSP is worth it breaks down the math.
CISSP is an approved foundational qualification under DoD Manual 8140.03 at the Advanced proficiency level, mapped to eleven work roles in the DoD Cyber Workforce Framework (DCWF) across the Cybersecurity, IT, and Cyberspace Enabler elements.
It also satisfied the legacy DoD 8570 requirements before 8140 replaced 8570 in 2023, giving it long-standing federal recognition. Current qualification matrices are published at the DoD Cyber Exchange.
Everything you need to know about the certification, the exam structure, and how to maintain CISSP as of 2026.
ISC2 offers three advanced certifications that build on CISSP-level expertise. As of October 2023 they are standalone credentials, no longer concentrations, and their exams were overhauled in August 2025. You can earn any of them with a CISSP plus two years of relevant experience, or with seven years of experience and no CISSP.
ISSAP, the Information Systems Security Architecture Professional certification, is built for security architects who design the controls and frameworks an organization runs on. It goes deep on access control models and infrastructure design.
ISSEP, the Information Systems Security Engineering Professional certification, focuses on baking security into systems engineering. It's the natural deepening path for engineers on government and high-assurance systems.
ISSMP, the Information Systems Security Management Professional certification, covers running a security program at scale, from leadership and governance to incident management and business continuity. It suits CISOs and senior managers.
CISSP is rarely a candidate's first certification or their last. It sits in the middle of a longer journey, building on foundational security credentials and leading into cloud, leadership, or advanced specialist paths.
Build the baseline
The pivot point
Two questions to answer before you commit: can you certify, and should you pursue CISSP specifically? Here's a straight answer to both.
You can certify in full.
You have five years of cumulative, paid experience across at least two of the eight domains. A relevant four-year degree or an approved credential can cover one of those years. Pass the exam, complete the ISC2 endorsement process, and you hold the full CISSP.
You can still pass now.
Sit the exam without the experience, and once you pass you become an Associate of ISC2. From there you have six years to earn the five years of experience and convert to full CISSP status, so the exam never has to wait on your resume.
CISSP maps to senior and leadership roles across the private sector and the federal cyber workforce. Several of these are DCWF work roles where CISSP qualifies at the Advanced level.
Designs the security controls, frameworks, and infrastructure an organization is built on. Maps to DCWF work role 652, where CISSP qualifies at the Advanced proficiency level.
Owns the security posture of a system or program. DCWF work role 722, one of the most common roles where DoD 8140 calls for a CISSP at the Advanced level.
Evaluates whether security controls are implemented correctly and operating as intended. DCWF work role 612, grounded in CISSP assessment and risk knowledge.
Holds the authority to accept risk and authorize a system to operate. A senior accountability role (DCWF 611) that leans on CISSP-level governance.
Advises organizations on building and maturing their security programs. CISSP is the credential clients most often expect a consultant to hold.
Sets security strategy at the executive level. CISSP is frequently the baseline credential before stepping into a chief information security officer seat.
All three are senior credentials, but they aim at different work. Here's how they line up.
| | CISSP | CISM | CCSP |
|---|---|---|---|
| Issuer | ISC2 | ISACA | ISC2 |
| Focus | Broad security across 8 domains | Security management and governance | Cloud security |
| Exam Format | Adaptive, 100 to 150 items, 3 hrs | 150 questions, 4 hours | Adaptive, 3 hours |
| Experience | 5 yrs in 2+ domains | 5 yrs in security management | 5 yrs IT, 3 in security |
| Renewal | 120 CPEs over 3 years | 120 CPEs over 3 years | 90 CPEs over 3 years |
| DoD 8140 Approved | Yes (Advanced) | Yes | Yes |
| Best For | Architects and senior generalists | Security managers and governance leads | Cloud security specialists |
Pricing and renewal details vary by region and membership status. Many practitioners eventually hold more than one of these credentials.
Our official ISC2 CISSP boot camp covers all eight domains over six days, with your exam voucher and a first-attempt pass guarantee included, so experienced practitioners leave exam-ready.
Exam prep, certification strategy, cost breakdowns, and career outcomes for CISSP.
A straight look at when the CISSP pays off and when it does not, with the salary math, the career trajectory it unlocks, and who should hold off for now.
A full walkthrough of the certification: the eight domains, what the exam tests, how to prepare, and what the credential does for your career once you hold it.
The real numbers behind earning and keeping a CISSP, from the exam voucher and training to the ongoing maintenance fees most candidates forget to plan for.
Why the CISSP is tough even for experienced professionals, where candidates tend to lose points, and the study approach that gets people across the line.
A look back at how the CISSP grew from a 1994 idea into the most recognized security credential in the field, and what that history means for candidates today.
How the broad CISSP stacks up against the cloud-focused CCSP, which one fits which career, and why many professionals end up earning both.
The concrete ways a CISSP changes your career: higher pay, access to senior and leadership roles, and the credibility that comes with a globally recognized credential.
The CISSP Common Body of Knowledge (CBK) is organized into eight domains, each carrying its own weight on the exam.
Security and Risk Management: Governance, risk management, compliance, legal and regulatory issues, threat modeling, supply chain risk, and business continuity. The heaviest-weighted domain and the management spine of the exam.
Asset Security: Information and asset classification, ownership, handling requirements, and the full data lifecycle from collection through retention and destruction.
Security Architecture and Engineering: Secure design principles, security models, cryptography, physical security, and the engineering of secure systems and facilities.
Communication and Network Security: Secure network architecture, protocols, and components, plus the controls that protect data in transit across the enterprise.
Identity and Access Management: Identification, authentication, authorization, the identity lifecycle, federated identity, and access control models.
Security Assessment and Testing: Assessment and test strategies, security control validation, collecting and analyzing process data, and conducting or facilitating audits.
Security Operations: Investigations, logging and monitoring, incident management, disaster recovery, change management, and physical operations.
Software Development Security: Building security into the software development lifecycle, secure coding practices, and assessing developed and acquired software.
Domains and weights reflect the ISC2 CISSP Exam Outline effective April 15, 2024. ISC2 updates the outline on a regular cycle.
The questions candidates ask most often when researching the Certified Information Systems Security Professional certification.
CISSP is ISC2's flagship security certification. It validates the knowledge and experience to design, engineer, and manage an organization's overall security posture across eight domains, and it's built for experienced practitioners moving into senior and leadership roles.
CISSP fits experienced security professionals with at least five years in the field who are heading toward senior, architect, or management roles. It isn't an entry-level certification. If you're starting out, Security+ or SSCP is usually the better first step.
The CISSP exam costs approximately $749 USD in the Americas and most other regions as of 2026. ISC2 sets the pricing and it can vary by region. Many boot camps fold the exam voucher into the course price, so check what's included before you pay separately.
The English CISSP uses Computerized Adaptive Testing (CAT) with 100 to 150 items over a three-hour window. Alongside standard multiple choice, expect advanced item types like drag-and-drop and hotspot questions. You need a scaled score of 700 out of 1000 to pass.
You need five years of cumulative, full-time paid experience in two or more of the eight domains. A relevant four-year degree or an approved credential can waive one year, but only one year can be waived.
Yes. You can sit and pass the exam before you have the required experience and become an Associate of ISC2. From there you have six years to earn the five years of experience needed to convert to full CISSP status.
They are Security and Risk Management, Asset Security, Security Architecture and Engineering, Communication and Network Security, Identity and Access Management, Security Assessment and Testing, Security Operations, and Software Development Security. Security and Risk Management carries the heaviest weight at 16 percent.
CISSP is valid for three years. To renew, you earn 120 Continuing Professional Education (CPE) credits across the cycle and pay an annual maintenance fee to ISC2. ISC2 recommends spreading the credits at roughly 40 per year so you're not scrambling at the end.
Yes. CISSP appears on the DoD 8140 Approved Qualifications Matrix V2.1 at the Advanced proficiency level, mapped to eleven DCWF work roles including Information Systems Security Manager, Security Control Assessor, and Authorizing Official. See the full DoD 8140 work role paths.
CISSP is the broad credential covering eight security domains. CISM from ISACA narrows in on security management and governance, while CCSP from ISC2 goes deep on cloud. Plenty of professionals earn CISSP first and add one of the others later to specialize.
ISC2 offers three advanced certifications that build on CISSP-level expertise: ISSAP for architecture, ISSEP for engineering, and ISSMP for management. As of October 2023 they're standalone credentials rather than concentrations, so you can earn any of them with a CISSP plus two years of experience, or with seven years of experience and no CISSP.
Two to four months is typical, though it depends heavily on your background. Experienced practitioners who take a boot camp can compress the instruction into a focused week and then review, while self-study timelines tend to run longer.
For mid-career professionals heading into senior or leadership security roles, yes. CISSP carries broad employer recognition, satisfies DoD 8140 at the Advanced level, and is consistently tied to higher pay. It's less useful for people early in their careers or committed to a purely hands-on technical track.
Whether you're weighing the certification, working out funding, or planning training for a team, tell us where you are and we'll help you map out the right path.