About the ISC2 CISSP (Certified Information Systems Security Professional) exam
The CISSP is ISC2's flagship credential for experienced security practitioners who design, build, and manage an organization's overall security posture rather than operating a single tool. It is deliberately broad: passing demonstrates that you can reason across risk management, architecture, networking, identity, operations, and software security and connect technical controls to business and legal objectives.
It is aimed at people already several years into a security career — security managers, architects, analysts, consultants, and engineers moving toward leadership. The exam rewards a "manager's mindset": choosing the most defensible, risk-based answer rather than the most technically clever one.
CISSP matters because it is one of the most widely recognized security certifications worldwide, is frequently named in job descriptions and government frameworks, and satisfies common baseline requirements for senior security roles. For many practitioners it functions as a career gate into management-track positions.
ISC2 CISSP (Certified Information Systems Security Professional) exam format at a glance
| Attribute | Detail (as of 2026, verify on the official page) |
| Exam name / code | CISSP |
| Number of questions | 100-150 items (English adaptive format) |
| Question types | Multiple choice plus advanced innovative items |
| Format | Computerized Adaptive Testing (CAT) in English; linear fixed-form (~125 items) in other languages |
| Duration | Up to 4 hours (since the April 2024 update, for both English CAT and linear versions) |
| Passing score | 700 out of 1000 |
| Cost | About USD $749 (US); verify regional pricing |
| Languages | English and several additional languages |
| Delivery | Pearson VUE test centers and ISC2-authorized online proctoring |
| Validity / recert | 3-year cycle: 120 CPEs total (40/year minimum) plus an Annual Maintenance Fee |
ISC2 CISSP (Certified Information Systems Security Professional) domains & what they cover
- Security and Risk Management (~16%): The largest domain — governance, compliance, ethics, risk assessment, and security policy. It frames how every other domain ties back to business risk.
- Asset Security (~10%): Classifying, handling, and protecting data and assets across their lifecycle, including ownership, retention, and privacy considerations.
- Security Architecture and Engineering (~13%): Secure design principles, cryptography, and the models and physical controls used to build trustworthy systems.
- Communication and Network Security (~13%): Secure network architecture, protocols, segmentation, and the controls that protect data in transit.
- Identity and Access Management (~13%): Authentication, authorization, federation, and the lifecycle of identities and entitlements across systems.
- Security Assessment and Testing (~12%): Designing and running audits, vulnerability assessments, and control tests, and interpreting the results.
- Security Operations (~13%): Day-to-day defense — monitoring, incident response, forensics, disaster recovery, and business continuity.
- Software Development Security (~10%): Embedding security into the development lifecycle, secure coding, and assessing the security of acquired software.
How hard is ISC2 CISSP (Certified Information Systems Security Professional)?
CISSP is widely considered hard, but the difficulty is conceptual rather than memorization-heavy. The exam tests judgment: questions often present several technically correct options and ask for the best one given a business and risk context. Candidates from a hands-on technical background frequently stumble here because the "right" answer favors policy, people, and risk over the deepest technical fix.
Common sticking points include risk management terminology, the breadth of domains far outside your day job, and the adaptive format, which can feel relentless because it keeps targeting your weak areas. A realistic preparation window is roughly 8 to 16 weeks of consistent study for someone already working in security.
How to prepare for ISC2 CISSP (Certified Information Systems Security Professional): a study plan
- Weeks 1-2: Read a reputable CISSP study guide cover to cover for a first pass. Don't aim for mastery — build a mental map of all eight domains.
- Weeks 3-8: Study one domain at a time. After each, do a focused set of practice questions and, crucially, read the explanation for every item — right or wrong — to internalize the reasoning pattern.
- Weeks 9-12: Switch to mixed, full-length timed question sets to simulate the adaptive experience. Track scores per domain and revisit your two or three weakest areas.
- Final week: Stop cramming new material. Review your notes, mnemonics, and missed-question log, and practice pacing.
Use practice questions to train judgment, not recall: when two answers seem correct, articulate why one is better. That habit is the single biggest predictor of passing.
ISC2 CISSP (Certified Information Systems Security Professional) FAQ
How much does the CISSP exam cost? The US exam fee is around USD $749 as of 2026; pricing varies by region, so confirm on the official ISC2 page.
How long is the certification valid? Three years. You maintain it by earning 120 continuing professional education (CPE) credits over the cycle — at least 40 per year — and paying an Annual Maintenance Fee.
What is the work-experience requirement? Five years of cumulative paid experience in at least two of the eight domains. One year can be waived with a qualifying degree or approved credential.
What if I pass but lack the experience? You can become an Associate of ISC2 and have up to six years to earn the required experience and convert to full CISSP.
What is the retake policy if I fail? ISC2 enforces a waiting period before retakes (longer after each successive attempt) and limits the number of attempts within a 12-month window. Verify current timing on the official site.
Is the CISSP worth it? For practitioners targeting senior or management security roles, it is one of the highest-recognition credentials available and frequently appears as a hiring requirement, making it a strong long-term investment.