The CISSP (Certified Information Systems Security Professional), issued by ISC2, is the most respected and demanding cybersecurity certification in the world. With more than 160,000 certified professionals across 170 countries, CISSP is widely considered the "gold standard" of information security. This guide covers everything you need to understand, prepare for and pass the CISSP exam.

Eligibility: 5 years of experience required

CISSP is reserved for experienced professionals. ISC2 requires:

  • 5 years of cumulative paid professional experience in at least 2 of the 8 CBK (Common Body of Knowledge) domains
  • A 4-year degree or an approved certification can substitute for one year of experience
  • An endorsement by a certified ISC2 member after passing the exam
  • Agreement to the ISC2 Code of Ethics
Associate of ISC2 status: If you pass the exam without the required experience, you become an "Associate of ISC2". You then have 6 years to gain the experience and earn full CISSP certification.

CISSP exam format: CAT

Since 2021, the English CISSP exam uses the CAT (Computerized Adaptive Testing) format, which adapts question difficulty in real time based on your answers:

ParameterDetail
FormatCAT (Computerized Adaptive Testing)
Number of questions125 to 175 questions
Question typesMultiple choice, drag and drop, hotspot, multiple response
Maximum duration4 hours
LanguageEnglish (CAT); other languages in linear format, 250 questions / 6h
Passing score700/1000
CostUSD 749
Validity3 years (renewal: 120 CPEs)

The 8 CISSP CBK domains

Domain 1 - Security and Risk Management (15%)

The broadest domain. It covers governance, compliance, security policies and procedures, risk management (identification, assessment, treatment), business continuity (BCP) and security frameworks (ISO 27001, NIST, COBIT).

Domain 2 - Asset Security (10%)

Data classification and protection (personal data, intellectual property), data lifecycle management, encryption and asset security controls.

Domain 3 - Security Architecture and Engineering (13%)

Security models (Bell-LaPadula, Biba, Clark-Wilson), cryptography (symmetric, asymmetric, PKI, hashing), embedded systems and IoT security, secure design principles.

Domain 4 - Communication and Network Security (13%)

Secure network protocols (TLS, IPSec, SSH), network architectures (DMZ, segmentation, zero trust), VPN security, firewalls, IDS/IPS and wireless security.

Domain 5 - Identity and Access Management - IAM (13%)

Authentication (MFA, biometrics, SSO), access control (RBAC, ABAC, MAC, DAC), identity lifecycle management, federation (SAML, OAuth, OpenID Connect) and directories (LDAP, Active Directory).

Domain 6 - Security Assessment and Testing (12%)

Penetration testing, security audits, code reviews, vulnerability analysis, security regression testing, security metrics and KPIs.

Domain 7 - Security Operations (13%)

Incident management, digital forensics, SIEM, SOC, log management, disaster recovery (DR), day-to-day security operations supervision.

Domain 8 - Software Development Security (11%)

Secure software development lifecycle (SSDLC), code review, OWASP Top 10, API security, DevSecOps, dependency and third-party component management.

CISSP study strategy

CISSP is famously difficult: the exam does not just test technical knowledge but mostly the managerial reasoning of a CISO (Chief Information Security Officer). Key principles:

  • Think "manager", not "technician": faced with an incident, the right answer is often to notify management or activate the response plan before acting technically
  • Read the official ISC2 CBK (CISSP All-in-One Exam Guide by Shon Harris or the Official Study Guide from ISC2)
  • Practice with mock exams: the CISSP question format is very specific and requires practice
  • Plan 3 to 6 months of intensive preparation depending on your baseline experience
The "two best answers" rule: CISSP often offers two answers that look correct. Always pick the one that matches the perspective of a security manager, not a technician. Risk management and asset protection come before technical action.

CISSP vs CISM: which to choose?

CriterionCISSP (ISC2)CISM (ISACA)
OrientationTechnical + managerial (broad)Managerial (IS governance)
Required experience5 years, 2 of 8 domains5 years, 3 of which in security management
Exam costUSD 749USD 575 (ISACA members)
RecognitionGlobal, very strongStrong, enterprise-oriented
Target rolesCISO, Security Architect, Security ManagerCISO, IT Risk Manager, IS Auditor
Average salary (US)USD 120,000 - 170,000USD 110,000 - 155,000

CISSP is generally preferred for technical-managerial roles and operational CISO positions, while CISM is better suited to governance, compliance and security audit roles.

Salary ROI: what CISSP earns you

CISSP is consistently ranked among the highest-paying IT certifications worldwide. In the United States in 2025:

  • CISSP Security Analyst: USD 95,000 - 130,000
  • CISSP Security Architect: USD 130,000 - 175,000
  • CISO: USD 170,000 - 250,000+ (much higher in large enterprises)
  • CISSP Security Consultant: USD 110,000 - 160,000 + bonuses

According to ISC2, CISSP-certified professionals earn on average 35% more than their non-certified peers in similar roles. Amid the cybersecurity talent shortage, CISSP is a major competitive edge in the job market.

Prepare for your CISSP certification with Certifexpress

Access our practice tests and flashcards covering the 8 CISSP CBK domains

Browse certifications

Did this article help you better understand the CISSP certification?