The CISSP (Certified Information Systems Security Professional), issued by ISC2, is the most respected and demanding cybersecurity certification in the world. With more than 160,000 certified professionals across 170 countries, CISSP is widely considered the "gold standard" of information security. This guide covers everything you need to understand, prepare for and pass the CISSP exam.
Eligibility: 5 years of experience required
CISSP is reserved for experienced professionals. ISC2 requires:
- 5 years of cumulative paid professional experience in at least 2 of the 8 CBK (Common Body of Knowledge) domains
- A 4-year degree or an approved certification can substitute for one year of experience
- An endorsement by a certified ISC2 member after passing the exam
- Agreement to the ISC2 Code of Ethics
CISSP exam format: CAT
Since 2021, the English CISSP exam uses the CAT (Computerized Adaptive Testing) format, which adapts question difficulty in real time based on your answers:
| Parameter | Detail |
|---|---|
| Format | CAT (Computerized Adaptive Testing) |
| Number of questions | 125 to 175 questions |
| Question types | Multiple choice, drag and drop, hotspot, multiple response |
| Maximum duration | 4 hours |
| Language | English (CAT); other languages in linear format, 250 questions / 6h |
| Passing score | 700/1000 |
| Cost | USD 749 |
| Validity | 3 years (renewal: 120 CPEs) |
The 8 CISSP CBK domains
Domain 1 - Security and Risk Management (15%)
The broadest domain. It covers governance, compliance, security policies and procedures, risk management (identification, assessment, treatment), business continuity (BCP) and security frameworks (ISO 27001, NIST, COBIT).
Domain 2 - Asset Security (10%)
Data classification and protection (personal data, intellectual property), data lifecycle management, encryption and asset security controls.
Domain 3 - Security Architecture and Engineering (13%)
Security models (Bell-LaPadula, Biba, Clark-Wilson), cryptography (symmetric, asymmetric, PKI, hashing), embedded systems and IoT security, secure design principles.
Domain 4 - Communication and Network Security (13%)
Secure network protocols (TLS, IPSec, SSH), network architectures (DMZ, segmentation, zero trust), VPN security, firewalls, IDS/IPS and wireless security.
Domain 5 - Identity and Access Management - IAM (13%)
Authentication (MFA, biometrics, SSO), access control (RBAC, ABAC, MAC, DAC), identity lifecycle management, federation (SAML, OAuth, OpenID Connect) and directories (LDAP, Active Directory).
Domain 6 - Security Assessment and Testing (12%)
Penetration testing, security audits, code reviews, vulnerability analysis, security regression testing, security metrics and KPIs.
Domain 7 - Security Operations (13%)
Incident management, digital forensics, SIEM, SOC, log management, disaster recovery (DR), day-to-day security operations supervision.
Domain 8 - Software Development Security (11%)
Secure software development lifecycle (SSDLC), code review, OWASP Top 10, API security, DevSecOps, dependency and third-party component management.
CISSP study strategy
CISSP is famously difficult: the exam does not just test technical knowledge but mostly the managerial reasoning of a CISO (Chief Information Security Officer). Key principles:
- Think "manager", not "technician": faced with an incident, the right answer is often to notify management or activate the response plan before acting technically
- Read the official ISC2 CBK (CISSP All-in-One Exam Guide by Shon Harris or the Official Study Guide from ISC2)
- Practice with mock exams: the CISSP question format is very specific and requires practice
- Plan 3 to 6 months of intensive preparation depending on your baseline experience
CISSP vs CISM: which to choose?
| Criterion | CISSP (ISC2) | CISM (ISACA) |
|---|---|---|
| Orientation | Technical + managerial (broad) | Managerial (IS governance) |
| Required experience | 5 years, 2 of 8 domains | 5 years, 3 of which in security management |
| Exam cost | USD 749 | USD 575 (ISACA members) |
| Recognition | Global, very strong | Strong, enterprise-oriented |
| Target roles | CISO, Security Architect, Security Manager | CISO, IT Risk Manager, IS Auditor |
| Average salary (US) | USD 120,000 - 170,000 | USD 110,000 - 155,000 |
CISSP is generally preferred for technical-managerial roles and operational CISO positions, while CISM is better suited to governance, compliance and security audit roles.
Salary ROI: what CISSP earns you
CISSP is consistently ranked among the highest-paying IT certifications worldwide. In the United States in 2025:
- CISSP Security Analyst: USD 95,000 - 130,000
- CISSP Security Architect: USD 130,000 - 175,000
- CISO: USD 170,000 - 250,000+ (much higher in large enterprises)
- CISSP Security Consultant: USD 110,000 - 160,000 + bonuses
According to ISC2, CISSP-certified professionals earn on average 35% more than their non-certified peers in similar roles. Amid the cybersecurity talent shortage, CISSP is a major competitive edge in the job market.
Prepare for your CISSP certification with Certifexpress
Access our practice tests and flashcards covering the 8 CISSP CBK domains
Browse certificationsDid this article help you better understand the CISSP certification?