(ISC)² CISSP certification is a highly coveted cybersecurity certification for seasoned professionals and leaders in this space. CISSP stands for Certified Information Systems Security Professional, and this guide will explain everything you need to know regarding the CISSP, how it can fit into your career and whether it is worth pursuing.
- What Is CISSP?
- How To Pass The CISSP?
- Is CISSP Worth It?
- The (ISC)² CISSP Compared To Other Industry Certifications
- How To Maintain Your CISSP Certification
- CISSP Concentrations: ISSAP, ISSEP & ISSMP
What Is CISSP?
The CISSP is a globally recognized credential managed by the International Information Systems Security Certification Consortium (ISC)². Since its launch in 1994, it has become a standard in validating an individual’s deep technical and managerial knowledge and experience in the field of information security.
The (ISC)² CISSP Certification Exam Details
CISSP not only meets the requirements for ANSI/ISO/IEC Standard 17024, it was actually the first information security certification to do so. It is also an approved baseline certification under the U.S. Department of Defense (DoD) 8570 certification requirement.
For the purposes of this guide, all exam related information is aligned to the CISSP Computerized Adaptive Testing (CAT). The CISSP CAT exam is the standard used for all English-based CISSP exams. The CISSP exam is also available as a linear, fixed-form exam in:
- Brazilian Portuguese
- Simplified Chinese
Unless otherwise noted, details regarding the exam are aligned to (ISC)²'s CISSP Certification Exam Outline effective as of May 1, 2021.
How Much Is The CISSP Exam?
The CISSP certification exam will cost $749 starting on May 1, 2021. It is currently $699.
How Long Is The (ISC)² CISSP Certification Exam?
The (ISC)² CISSP certification exam offers candidates up to 3 hours to complete the 100 – 150 multiple choice and advanced innovative questions. (ISC)²'s advanced innovative questions consist of drag-and-drop and hotspot style questions.
What Are The CISSP Exam Domains?
The CISSP certification exam is based on (ISC)²’s Common Body of Knowledge (CBK®) which concentrates on 8 domains related to information security:
- Security and Risk Management 15%
- Asset Security 10%
- Security Architecture and Engineering 13%
- Communication and Network Security 13%
- Identity and Access Management (IAM) 13%
- Security Assessment and Testing 12%
- Security Operations 13%
- Software Development Security 11%
How Hard Is The CISSP Exam?
The CISSP certification exam is known to be one of the more challenging cybersecurity certification exams available. As such, it is not uncommon for even experienced cyber professionals to fail on their first attempt.
This certification requires candidates to be experienced in the field of cybersecurity, which is often helpful on the exam's objective and performance based questions. However, many questions are aligned to how a security or risk manager would think and act, not how a technologist would perform. Years of technically performing information security tasks can actually lead to incorrectly answering questions that should be approached from a process or managerial standpoint. The biggest challenge is retraining yourself to think the way the test expects and to answer the way (ISC)² expects you to.
How To Pass The (ISC)² CISSP Certification Exam?
As mentioned above, the biggest challenge IS professionals face when tackling the CISSP exam is their tendency to answer from their viewpoint as a technologist in the field. In order to pass the CISSP certification exam, it is necessary to look at the exam from the viewpoint of an Information Security Manager and the process requirements such a role needs to adhere to.
In terms of preparation, most people take several months to thoroughly study the exam domains using an assortment of materials including:
- Instructor-led training courses
- Self-paced training videos
- Study guides
- Practice exams
- Flash cards
Before you can sit for the CISSP exam you need to meet specific experience requirements. This includes a minimum of 5 years of cumulative paid work experience in at least 2 of the 8 CISSP CBK domains.
It is possible to reduce the work requirement by 1 year if you hold a 4-year college degree OR regional equivalent OR one of the approved credentials listed below:
- Certified Authorization Professional (CAP)
- Certified Business Continuity Professional
- Certified Cloud Security Professional (CCSP)
- Certified Computer Examiner (CCE)
- Certified Ethical Hacker v8 or higher
- Certified Forensic Computer Examiner (CFCE)
- Certified Fraud Examiner (CFE)
- Certified Information Security Manager (CISM)
- Certified Information Systems Auditor (CISA)
- Certified Internal Auditor (CIA)
- Certified Penetration Tester (GPEN)
- Certified Protection Professional (CPP) from ASIS
- Certified in Risk and Information Systems Control (CRISC)
- Certified Secure Software Lifecycle Professional (CSSLP)
- Certified Wireless Security Professional (CWSP)
- Cisco Certified Internetwork Expert (CCIE)
- Cisco Certified Network Associate Security (CCNA Security)
- Cisco Certified Network Associate – Cyber Ops (CCNA Cyber Ops)
- Cisco Certified Network Professional Security (CCNP Security)
- Cisco Cyber Security Specialist Program
- CIW – Security Analyst
- CIW Web Security Professional
- CIW Web Security Specialist
- CompTIA Advanced Security Practitioner (CASP)
- CompTIA Security+
- CompTIA CySA+
- CyberSecurity Forensic Analyst (CSFA)
- GIAC Certified Enterprise Defender (GCED)
- GIAC Certified Firewall Analyst (GCFW)
- GIAC Certified Forensic Analyst (GCFA)
- GIAC Certified Forensics Examiner (GCFE)
- GIAC Certified Incident Handler (GCIH)
- GIAC Certified Intrusion Analyst (GCIA)
- GIAC Continuous Monitoring Certification (GMON)
- GIAC Cyber Threat Intelligence (GCTI)
- GIAC Global Industrial Cyber Security Professional (GICSP)
- GIAC Information Security Fundamentals (GISF)
- GIAC Information Security Professional (GISP)
- GIAC Mobile Device Security Analyst (GMOB)
- GIAC Penetration Tester (GPEN)
- GIAC Security Essentials Certificate (GSEC)
- GIAC Security Leadership Certification (GSLC)
- GIAC Strategic Planning, Policy, and Leadership (GSTRT)
- GIAC Systems and Network Auditor (GSNA)
- HealthCare Information Security and Privacy Practitioner (HCISPP)
- Juniper Networks Certified Internet Expert (JNCIE-SEC)
- Information Security Management Systems Lead Auditor (IRCA)
- Information Security Management Systems Principal Auditor (IRCA)
- Master Business Continuity Professional (MBCP)
- Microsoft Certified Solutions Associate (MCSA)
- Microsoft Certified Solutions Expert (MCSE)
- Systems Security Certified Practitioner (SSCP)
Instructor-Led vs Self-Paced CISSP Training
More often than not, the question of instructor-led training (ILT) or self-paced training is presented as a one or the other approach for preparing for a certification exam. In relation to the CISSP exam, both options are often necessary as a part of a comprehensive study plan.
As mentioned previously, the CISSP exam is not one to take lightly and it is definitely not one that can be passed after a single week of training, whether self-paced, ILT or both. Instead, below is a suggested outline for preparation.
1. Start with the CBK. Read through the entire guide and then re-read and highlight the areas you are not well versed in.
2. Read up on the problem areas. Take your textbook or study guide and read the sections related to the areas you don't fully understand. As you have more questions on these areas, look up the answers online.
3. Enroll in an ILT course. Go into the course with the mindset of learning from someone who has taken and passed the CISSP exam. Make sure you receive clarification on the trouble areas you have found in your self study.
4. Practice the exams. Take as many practice exams as possible to identify other potential problem areas.
5. Repeat steps 2 and 4 until you are consistently passing practice exams at a high percentage (85%+).
6. (Optional) Retake an ILT course right before you plan to attempt the exam. We offer a free retake to students and it is very valuable for CISSP students to get a last minute refresher and time to discuss their final exam preparation with an instructor.
Requirements After You Pass Your CISSP Exam
Meeting the experience requirements and passing your exam are not the only steps required to earn your CISSP certification. There are three more steps you need to complete before officially becoming a CISSP:
- Complete the endorsement process. This can be completed online and “attests that your assertions regarding professional experience are true and that you are in good standing within the cybersecurity industry.”
- Agree to the code of ethics. (ISC)² requires all candidates to agree to and uphold their code of ethics. Violating this code may result in the revocation of your CISSP certification.
- Pay your first year's AMF. (ISC)² collects an Annual Maintenance Fee (AMF) from all certification holders that goes toward the cost of maintaining their certification. Your AMF is due on the anniversary of your certification, and if you hold multiple (ISC)² certifications, you only pay the AMF once, on the anniversary of your earliest certification. The cost is $125.
Is CISSP Worth It?
It can be! If you are pursuing a managerial path in cybersecurity, then the CISSP is an ideal fit and can help you attain higher salaries and greater career opportunities than your non-certified peers.
It is typically best suited for professionals holding or aspiring to hold the following job titles:
- Chief Information Security Officer
- Chief Information Officer
- Director of Security
- IT Director/Manager
- Security Systems Engineer
- Security Analyst
- Security Manager
- Security Auditor
- Security Architect
- Security Consultant
- Network Architect
The CISSP certification is also an IA approved baseline certification under the DoD Directive 8570.01-M for the following job categories:
- IAT Level III
- IAM Level II
- IAM Level III
- IASAE I
- IASAE II
The (ISC)² CISSP Compared To Other Industry Certifications
While the CISSP is a highly coveted cybersecurity certification, it is certainly not the only one available and it may not be the best fit. Below is a quick breakdown of how the CISSP certification compares to other credentials so you can choose the best path for your career.
CISSP vs CISM
CISSP leans heavily into the operational side of security, whereas the ISACA CISM focuses on how your information security practices fit into your business objectives. CISM is often a next step after CISSP if your goal is to become a CIO or Risk Management Professional.
CISSP vs CASP+
If you want an advanced level certification but don’t intend to pursue a management role in cyber, then CompTIA’s CASP+ is your perfect choice. According to CompTIA, “CASP+ is the only hands-on, performance-based certification for practitioners — not managers — at the advanced skill level of cybersecurity. While cybersecurity managers help identify what cybersecurity policies and frameworks could be implemented, CASP+ certified professionals figure out how to implement solutions within those policies and frameworks.”
CISSP vs CRISC
ISACA's CRISC is narrowly focused on controlling and mitigating risk, whereas the CISSP addresses a broader range of cybersecurity topics, with risk management only accounting for about 15% of the exam. In terms of career opportunities, CISSP will open more doors in cybersecurity than CRISC, but if your goal is a role in risk management then CRISC will help you stand out.
CISSP vs CISA
As with CRISC, CISA is an exam highly concentrated on information systems auditing. This concentration is a benefit for an auditor but doesn't provide the broad industry acceptance that the CISSP garners.
CISSP vs Security+, CEH or CCSP
CISSP doesn’t really compare to certifications such as the CompTIA Security+, EC-Council CEH or even the (ISC)² CCSP because they are each designed for very different audiences and skill levels.
- CISSP is an advanced cybersecurity certification for managers.
- Security+ is an entry-level cybersecurity certification.
- CEH is an intermediary certification concentrated in ethical hacking.
- CCSP is an advanced cybersecurity certification concentrated in cloud computing.
CISSP Average Salary
According to Payscale.com, the average salary for a CISSP is $125,000 annually. Over 80% of respondents report they are in mid-career or later stages of experience.
Jobs For CISSPs
As mentioned previously, the CISSP certification is broad enough to apply to a number of cybersecurity job roles. Over 14,000 jobs on LinkedIn mention the CISSP, and titles include:
- Compliance Manager
- Security Consultant
- Director of Information Security
- IT Security Specialist
- Security Standards and Compliance Analyst
- SOC Manager
- Penetration Manager
- IT Auditor
- Threat Management Specialist
- Cyber Security Analyst
Similarly, these opportunities are available across a number of industries. Banking, Automotive, IT, Computer Software, Civil Engineering, Insurance, Aviation & Aerospace, Defense & Space, Financial Services, Government, Higher Education and more have all posted jobs looking for CISSPs.
How Many CISSPs In The World?
Only 159,679 professionals hold the CISSP certification worldwide as of March 2023. According to Cyber Seek, there are currently more open positions requesting the CISSP than there are CISSP certification holders.
How To Maintain Your CISSP Certification
A CISSP certification is valid for 3 years from the date it was earned but it can be renewed if the certification holder earns and submits a total of 120 Continuing Professional Education (CPE) credits during the three-year certification cycle. (ISC)² requires two categories of CPEs which they simply label as Group A or B.
Group A CPEs must be earned and submitted annually and (ISC)² requires CISSP certification holders to submit 30 Group A CPEs each year to qualify for renewal. Domain-Related Education, Contributions to the Profession, and Unique Work Experience are all considered Group A CPEs.
Group B CPEs can be earned and submitted at any point during the three year certification cycle. General Professional Development is labelled as Group B CPEs. In addition to the 90 Group A CPEs, (ISC)² requires an additional 30 CPEs that are either Group A or B for members to renew their CISSP certification.
Sample CISSP CPE Activities
Examples of Group A CPE activities include the following, as long as the content relates back to the CISSP domains:
- Participating in either a self-paced or instructor-led training course
- Attending a higher education course
- Reading a book, magazine, whitepaper, etc.
- Publishing a book, whitepaper, blog post, article, etc.
- Attending a conference, seminar or other similar event either in-person or virtually
- Presenting information security related material
- Performing a unique work-related project outside of your normal duties
- Volunteering in an information security related capacity
Examples of Group B CPE activities include the following, as they relate to general professional development outside of the CISSP domains. These activities are generally in a management or public speaking capacity:
- Attending industry conferences
- Participating in education courses
- Preparing for a presentation/lecture/training
- Involvement on a Government/Private Sector/Charitable Organizations Committee
| Continuing Education Activity | Estimated CEUs Earned |
|---|---|
| (ISC)² Offered CPE Activities | Generally you will earn 1 CPE per 1 hour of participation. Some CPE maximums apply to activities. Reference Handbook for more details. |
| Education (Self-paced or instructor-led) | Generally you will earn 1 CPE per 1 hour of instruction. A maximum of 40 CPEs can be earned per activity. CPE maximums apply to books, magazines and whitepapers. Reference Handbook for more details. |
| Contributions to the Profession: Create New Industry Knowledge | CPE maximums apply to the creation of books, articles, book chapters, professional blog posts, whitepapers, training courses, etc. Reference Handbook for more details. |
| Contributions to the Profession: Volunteer Service | Generally you will earn 1 CPE per 1 hour of participation. CPE maximums apply to delivering (ISC)² Safe and Secure Online (SSO) presentations. Reference Handbook for more details. |
| Unique Work Experience | Generally you will earn 1 CPE per 1 hour of participation. Reference Handbook for more details. |
| Professional Development: Non-Domain related | Generally you will earn 1 CPE per 1 hour of participation. Reference Handbook for more details. |
What’s Next? CISSP Concentrations
After earning your CISSP, the next step in your security certification path could be a CISSP concentration. CISSP concentrations signify that you not only have the skills of an (ISC)² CISSP, but that you also have achieved subject matter mastery in the field of information security architecture, engineering or management.
The CISSP Information Systems Security Architecture Professional (CISSP-ISSAP) is most appropriate for either a chief security architect or analyst, according to (ISC)². It is closely aligned to the consultative process of information security and makes the most sense for independent contractors or government leaders who need to meet 8570 requirements.
The CISSP Information Systems Security Engineering Professional (CISSP-ISSEP) is ideal for senior systems engineers or IA officers/analysts. This certification was developed in conjunction with the U.S. National Security Agency (NSA) and ensures that certification holders can develop secure systems using systems engineering processes. The CISSP-ISSEP also meets DoD 8570.01-M certification requirements.
The CISSP Information Systems Security Management Professional (CISSP-ISSMP) is designed for cybersecurity leaders such as CIOs, CISOs, CTOs, or other security executives. From establishing to governing information security programs, this certification attests that you have all the necessary skills. For government leaders, the CISSP-ISSMP also meets DoD 8570.01-M certification requirements.
Register Now For An Upcoming (ISC)² CISSP Training Course!
Complete the form below to schedule a time to speak with an Admissions Advisor about our upcoming (ISC)² CISSP Training.