Who Is CISSP For?
✓ This certification is a good fit if you…
- Have 5+ years of cumulative paid work experience in 2 or more CISSP domains
- Are targeting senior roles: Security Manager, Security Architect, CISO, Director of Security
- Want to move from technical security work into leadership/management
- Work in industries with compliance requirements that specify CISSP (finance, healthcare, government contractors)
- Want the most widely recognized security certification globally
- Are a consultant who needs a credential that opens enterprise doors
✗ You might consider alternatives if you…
- Have less than 5 years of security experience—you won't meet requirements; consider Security+ or SSCP first
- Want hands-on technical/hacking skills—CISSP is managerial; look at OSCP or CEH
- Are early in your security career—CISSP's breadth assumes years of context
- Need a quick certification—CISSP requires substantial study even for experienced pros
- Work in a niche that values specialized certs more (cloud security, pen testing)
Prerequisites (In Plain English)
The experience requirement is real and enforced:
- 5 years of cumulative, paid, full-time work experience in 2 or more of the 8 CISSP domains
- OR 4 years if you have a 4-year degree, approved credential (like Security+), or master's degree in infosec
What counts as relevant experience? Security architecture, security operations, incident response, risk management, security consulting, security engineering, access control administration, cryptography work, security policy development, and similar roles. General IT work doesn't count unless it was specifically security-focused.
Associate of (ISC)² option: You can pass the exam before meeting experience requirements. You become an "Associate of (ISC)²" and have 6 years to earn the required experience. The exam is identical.
Endorsement requirement: After passing, another CISSP must endorse your application, verifying your experience. (ISC)² can act as endorser if you don't know a CISSP personally.
What You'll Learn
CISSP covers 8 domains (the "Common Body of Knowledge"):
- Security and Risk Management (15%): Security governance, compliance, ethics, risk management, threat modeling, business continuity
- Asset Security (10%): Data classification, ownership, privacy, retention, data security controls
- Security Architecture and Engineering (13%): Security models, system design, cryptography, site security, vulnerabilities
- Communication and Network Security (13%): Network architecture, secure protocols, network attacks, network components
- Identity and Access Management (13%): Authentication, authorization, identity management, access control models
- Security Assessment and Testing (12%): Vulnerability assessment, pen testing, audits, security metrics
- Security Operations (13%): Incident response, investigations, disaster recovery, logging, monitoring
- Software Development Security (11%): Secure SDLC, application vulnerabilities, secure coding, DevSecOps
The CISSP mindset: The exam tests you as a risk advisor/manager, not a technician. Questions ask what you'd recommend to leadership, not how to configure a firewall. Think "a mile wide and an inch deep" across all security domains.
Exam Format & Scoring
Exam format: Computer Adaptive Testing (CAT). The exam adapts to your performance—questions get harder or easier based on your answers.
Question count: 125–175 questions. If you're doing well, you may finish at 125. If borderline, it extends to gather more data (up to 175).
Time limit: 4 hours maximum. Most finish in 2–3 hours due to CAT format.
Question types: Multiple choice and "innovative" questions (drag-and-drop, hotspot). No simulations or hands-on labs.
Passing score: 700 out of 1000 (scaled). Due to CAT, this doesn't translate to a simple percentage—the algorithm accounts for question difficulty.
Testing: Pearson VUE centers only—no online proctoring option for CISSP.
Results: Preliminary pass/fail immediately. Official confirmation within 24–48 hours via email.
Recommended Study Plan
Standard Track
4–6 months. For security professionals balancing work:
- Month 1: Read the Official (ISC)² CISSP Study Guide cover-to-cover. Don't memorize—build mental framework. Take notes on unfamiliar topics.
- Month 2: Watch a video course (Destination Cert MindMaps or similar). Focus on domains where you have less hands-on experience.
- Month 3: Start practice questions. 50–100 per day. Focus on understanding the "CISSP mindset"—why answers are right, not just which ones.
- Month 4: Deep dive on weak domains. Re-read those chapters. Watch supplemental videos. More practice questions.
- Month 5–6: Full practice exams. Boson or CCCure. Score 75%+ consistently. Review every wrong answer. Book exam when ready.
Accelerated Track
8–12 weeks. For experienced security professionals with broad exposure:
- Weeks 1–2: Take diagnostic practice exam. Identify weak domains. Skim study guide, focus on gaps.
- Weeks 3–4: Video course at 1.5x for familiar content. Deep-dive on weak areas.
- Weeks 5–8: Heavy practice questions—1,500+ total. Understand the "think like a manager" mindset.
- Weeks 9–12: Full-length practice exams. Analyze patterns in wrong answers. Book exam when scoring 80%+.
Critical study tip: CISSP asks what you SHOULD do, not what you COULD do. The "best" answer is often about advising leadership, managing risk, or following process—not the most technically impressive solution.
Prep Resources
Disclosure: Some links below are affiliate links. We may earn a commission at no extra cost to you.
Official (ISC)² CISSP Study Guide
The definitive study guide aligned with current exam. Comprehensive coverage of all 8 domains. Essential baseline resource.
~$50–60
Boson CISSP Practice Exams
750+ questions with detailed explanations. Simulates exam difficulty well. Many consider it harder than the real exam—good preparation.
~$99
Destination Cert MindMap Videos (YouTube)
Free video series with visual mind maps for each domain. Excellent for understanding how concepts connect. Great supplement to reading.
Free
Thor Teaches CISSP (Udemy)
Comprehensive video course covering all domains. Good for auditory learners. Frequently on sale.
~$15–20 on sale
Additional Resources
- 11th Hour CISSP: Condensed review book for final weeks—good for cramming, not primary study
- CISSP Subreddit (r/cissp): Active community with exam experiences and study tips
- CCCure Practice Questions: Large question bank, though quality varies more than Boson
Official Information
Always verify current pricing, experience requirements, and exam details with (ISC)²:
Visit the (ISC)² official page (external link to isc2.org). We have no affiliate relationship with (ISC)² exam registration.
Alternative Certifications to Consider
CompTIA Security+
If you don't meet CISSP experience requirements yet. Industry-standard entry point for security careers.
SSCP (Systems Security Certified Practitioner)
Also from (ISC)², requires only 1 year experience. Good stepping stone to CISSP.
CISM (Certified Information Security Manager)
ISACA's management-focused cert. More governance/risk emphasis than CISSP. Popular alternative for leadership roles.
CCSP (Certified Cloud Security Professional)
If your focus is cloud security. Also from (ISC)². Natural complement or alternative for cloud-focused roles.
Frequently Asked Questions
How hard is CISSP compared to Security+?
Significantly harder. Security+ is entry-level and primarily multiple choice. CISSP is broad, deep, and tests managerial judgment. Most CISSP candidates have Security+ already and still need 3–6 months of dedicated CISSP study. They're different levels entirely.
What's the CISSP pass rate?
(ISC)² doesn't publish official pass rates. Community estimates suggest 50–70% for first attempts, but this varies widely based on preparation. Well-prepared candidates with proper study (not just experience) have higher success rates.
Is CISSP worth the cost and effort?
For the right roles, yes. CISSP is consistently among the highest-paying IT certifications. Many senior security positions list it as required. However, if you're early in your career or in a technical niche, the ROI may be lower than specialized certs. Match the cert to your career goals.
Can I take CISSP without 5 years experience?
Yes—you become an "Associate of (ISC)²" until you meet experience requirements. The exam is identical. You have 6 years to earn the required experience, then submit endorsement to become a full CISSP. This is a valid path for motivated professionals.
How do I maintain CISSP?
Earn 40 Continuing Professional Education (CPE) credits annually (120 over 3 years). Pay $125 Annual Maintenance Fee (AMF). CPEs come from training, conferences, writing, teaching, volunteer work. It's manageable but requires ongoing investment.
CISSP vs CISM—which should I get?
Both are respected management-level certs. CISSP is broader (8 domains covering all security areas). CISM is more focused on governance, risk, and program management. CISSP is more recognized globally; CISM is popular in audit/compliance-heavy environments. Many senior security leaders hold both.
What jobs can I get with CISSP?
Security Manager, Security Architect, Security Director, CISO, Security Consultant, IT Auditor (security focus), Risk Manager. CISSP holders in the US typically earn $120,000–$180,000+, though this varies by location, industry, and experience level.