CISSP Certification Requirements: Everything You Need to Know
A Comprehensive Guide to Achieving the Certified Information Systems Security Professional Certification
CISSP Certification Overview
CISSP certification is a globally recognized credential offered by the International Information System Security Certification Consortium( ISC2). Beginning the journey to earn your CISSP certification credential is a significant milestone in your career. Although it can be a time-consuming and challenging endeavor, this globally recognized certification from ISC2 is undeniably worth the effort. As a sought-after credential held by over a million professionals worldwide, the CISSP certification is essential for every project manager interested in advancing their career.
A CISSP certification is among the gold standards for IT and cybersecurity professionals. This credential can lead to higher salaries, a competitive advantage in the job market and knowledge of the latest industry advancements.
Increase Your Earning Potential
Salaries for CISSP-certified professionals vary by job title and location. On average, these workers earn around $128,000 per year in North America, according to Payscale. CISSP-certified professionals are some of the most well-paid IT professionals in the industry. This is because employers understand the rigorous process required to become a CISSP, and the credential is recognized on a global scale.
Become a More Competitive Job Candidate
Adding CISSP certification to your cybersecurity resume signifies to recruiters and employers that you are among the top candidates in the information security industry. This credential also guarantees that you have at least four or five years of hands-on experience. Some professionals plan to earn certification to pursue roles outside of their current organizations. (ISC)²’s 2023 workforce study indicates that 17% of respondents pursue credentials for a position with another company, while 15% considered certification to qualify for promotions.
Build Cybersecurity Expertise
Part of the CISSP certification process is becoming intimately familiar with all relevant information in the world of cybersecurity, both to pass the exam and to maintain certification.
After earning their certification, CISSPs must accumulate a set number of continuing education credits. Continuing education helps build expertise and ensure that CISSPs have current, relevant skills.
Participants in (ISC)²’s workforce study reported that their teams recognize the following benefits of employing cybersecurity professionals with certifications like the CISSP.
These workers have a deeper knowledge of critical cybersecurity topics.
Certified workers increase confidence in their teams’ ability to handle security challenges.
Hiring professionals with cybersecurity certifications ensures current knowledge and practice of information security trends.
Certification allows organizations to hire high-level workers with demonstrated expertise in cybersecurity.
Network with Other CISSPs
All CISSPs must become (ISC)² members, granting access to networking opportunities. More than 168,000 cybersecurity professionals are members of (ISC)².
How to Earn CISSP Certification
To earn CISSP certification, you must first meet requirements for work experience, education and professional credentials. Candidates may have five years of relevant work experience or four years if they also hold a related undergraduate degree or an (ISC)²-approved credential.
If you do not meet these requirements but are still interested in taking the CISSP exam, you can work toward becoming an Associate of (ISC)². Associates have passed the exam but cannot become fully certified until they have fulfilled the work experience requirements.
Pass the Certification Exam
Each candidate has four hours to complete the CISSP certification exam, which comprises 125 to 175 questions. You can find ample preparation resources, including practice exams and study materials, on (ISC)²’s website.
When the time comes, you can register online to take the exam, though the exam itself will take place in person at a Pearson VUE testing center. Note that the exam fee is $749.
To pass, you must score at least 700/1,000 or higher. If you do not pass the CISSP exam the first time, you’re in good company—many test-takers attempt the exam multiple times. You can retake the CISSP exam 30 days after your first try and up to four times within a 12-month period.
Get Endorsed
After passing the CISSP exam, you must obtain an endorsement from a current certification-holder before becoming certified yourself.
This endorsement validates that you have completed the necessary work experience to earn CISSP certification. You have nine months to find an endorsement after passing the exam. In the event you are unable to find someone, (ISC)² may act as your endorser.
Maintain Certification
Like many professional accrediting bodies, (ISC)² requires its members to stay up to date on the latest trends and research in cybersecurity. You must earn at least 120 continuing professional education (CPE) credits every three years to maintain CISSP certification. Many members earn their CPEs by attending courses or conferences, volunteering or teaching.
CISSP Experience Requirements
Candidates must have a minimum of five years cumulative, full-time experience in two or more of the eight domains of the current CISSP Exam Outline. Earning a post-secondary degree (bachelors or masters) in computer science, information technology (IT) or related fields may satisfy up to one year of the required experience or an additional credential from the ISC2 approved list may satisfy up to one year of the required experience. Part-time work and internships may also count towards the experience requirement.
A candidate who doesn’t have the required experience to become a CISSP may become an Associate of ISC2 by successfully passing the CISSP examination. The Associate of ISC2 will then have six years to earn the five years required experience.
Work Experience
Your work experience must fall within two or more of the eight domains of the ISC2 CISSP Exam Outline:
Domain 1. Security and Risk Management
Domain 2. Asset Security
Domain 3. Security Architecture and Engineering
Domain 4. Communication and Network Security
Domain 5. Identity and Access Management (IAM)
Domain 6. Security Assessment and Testing
Domain 7. Security Operations
Domain 8. Software Development Security
Full-Time Experience: Your work experience is accrued monthly. Thus, you must have worked a minimum of 35 hours/week for four weeks in order to accrue one month of work experience.
Part-Time Experience: Your part-time experience cannot be less than 20 hours a week and no more than 34 hours a week.
1040 hours of part-time = 6 months of full time experience
2080 hours of part-time = 12 months of full time experience
Internship: Paid or unpaid internship is acceptable. You will need documentation on company/organization letterhead confirming your position as an intern. If you are interning at a school, the document can be on the registrar’s stationery.
Relevant Education or Certifications Held
4 Yr College Degree or Equivalent
You can substitute a maximum of one year of work experience if you hold one of the following:
- A four-year college degree or regional equivalent
- An advanced degree in information security from the U.S. National Center of Academic Excellence in Information Assurance Education (CAE/IAE)
ISC2 Approved Credential
You can satisfy one year work experience if you hold one of the approved credentials on the ISC2 approved list.
ISC2 Approved Credential List
AWS Certified Security – Specialty
Certified in Governance, Risk and Compliance (CGRC)
Certified Cloud Security Professional (CCSP)
Certified Computer Examiner (CCE)
Certified Ethical Hacker v8 or higher
Certified Information Security Manager (CISM)
Certified Information Systems Auditor (CISA)
Certified Internal Auditor (CIA)
Certified Protection Professional (CPP) from ASIS
Certified in Risk and Information Systems Control (CRISC)
Certified Secure Software Lifecycle Professional (CSSLP)
Certified Wireless Security Professional (CWSP)
Cisco Certified CyberOps Associate/Professional
Cisco Certified Internetwork Expert (CCIE) Security
Cisco Certified Network Associate Security (CCNA Security)
Cisco Certified Network Professional Security (CCNP Security)
CIW Web Security Professional
CIW Web Security Specialist
CompTIA Advanced Security Practitioner (CASP+)
CompTIA CySA+
CompTIA Security+
Computer Hacking Forensic Investigator (CHFI)
CSA Certificate of Cloud Security Knowledge (CCSK)
EC-Council Certified Security Specialist (ECSS)
EC-Council Certified SOC Analyst (CSA)
GIAC Certified Enterprise Defender (GCED)
GIAC Certified Incident Handler (GCIH)
GIAC Certified Intrusion Analyst (GCIA)
GIAC Cyber Threat Intelligence (GCTI)
GIAC Global Industrial Cyber Security Professional (GICSP)
GIAC Information Security Fundamentals (GISF)
GIAC Information Security Professional (GISP)
GIAC Security Essentials Certificate (GSEC)
GIAC Security Leadership Certification (GSLC)
GIAC Strategic Planning, Policy, and Leadership (GSTRT)
GIAC Systems and Network Auditor (GSNA)
HealthCare Information Security and Privacy Practitioner (HCISPP)
Information Security Management Systems Lead Auditor (IRCA)
Information Security Management Systems Principal Auditor (IRCA)
Juniper Networks Certified Internet Expert (JNCIE-SEC)
Microsoft Identity and Access Management
Microsoft Security Operations Analyst
Microsoft Certified Cybersecurity Architect
Offensive Security Certified Professional/Expert (OSCP/E)
Systems Security Certified Practitioner (SSCP)
The CISSP Exam
Each candidate has four hours to complete the CISSP certification exam, which comprises 125 to 175 questions. You can register online to schedule the exam, which will take place in person at a Pearson VUE testing center. The exam fee is $749.
To pass, you must score at least 700. If you do not pass the CISSP exam the first time, you can retake the CISSP exam 30 days after your first try and up to four times within a 12-month period.
CISSP Certification Exam Outline
The CISSP exam uses Computerized Adaptive Testing (CAT) for all English exams. C
Length of exam 3 hours
Number of items 125 – 150
Item format Multiple choice and advanced innovative items
Passing grade 700 out of 1000 points
Exam language availability Chinese, English, German, Japanese, Spanish
Testing center ISC2 Authorized PPC and PVTC Select Pearson VUE Testing Centers
Details of the domains are outlined below:
Security and Risk Management - 16%
1.1 – Understand, adhere to, and promote professional ethics
- ISC2 Code of Professional Ethics
- Organizational code of ethics
1.2 – Understand and apply security concepts
- Confidentiality, integrity, and availability, authenticity, and nonrepudiation (5 Pillars of Information Security)
1.3 – Evaluate and apply security governance principles
1.4 – Understand legal, regulatory, and compliance issues that pertain to information security in a holistic context
- Cybercrimes and data breaches
- Licensing and Intellectual Property requirements
- Import/export controls
- Transborder data flow
- Issues related to privacy (e.g., General Data Protection Regulation (GDPR), California Consumer Privacy Act, Personal Information Protection Law, Protection of Personal Information Act)
- Contractual, legal, industry standards, and regulatory requirements
1.5 – Understand requirements for investigation types (i.e., administrative, criminal, civil, regulatory, industry standards)
1.6 – Develop, document, and implement security policy, standards, procedures, and guidelines
- Alignment of the security function to business strategy, goals, mission, and objectives
- Organizational processes (e.g., acquisitions, divestitures, governance committees)
- Organizational roles and responsibilities
- Security control frameworks (e.g., International Organization for Standardization (ISO), National Institute of Standards and Technology (NIST), Control Objectives for Information and Related Technology (COBIT), Sherwood Applied Business Security Architecture (SABSA), Payment Card Industry (PCI), Federal Risk and Authorization Management Program (FedRAMP))
- Due care/due diligence
1.7 – Identify, analyze, assess, prioritize, and implement Business Continuity (BC) requirements
- Business impact analysis (BIA)
- External dependencies
1.8 – Contribute to and enforce personnel security policies and procedures
- Candidate screening and hiring
- Employment agreements and policy driven requirements
- Onboarding, transfers, and termination processes
- Vendor, consultant, and contractor agreements and controls
1.9 – Understand and apply risk management concepts
- Threat and vulnerability identification
- Risk analysis, assessment, and scope
- Risk response and treatment (e.g., cybersecurity insurance)
- Applicable types of controls (e.g., preventive, detection, corrective)
- Control assessments (e.g., security and privacy)
- Continuous monitoring and measurement
- Reporting (e.g., internal, external)
- Continuous improvement (e.g., risk maturity modeling)
- Risk frameworks (e.g., International Organization for Standardization (ISO), National Institute of Standards and Technology (NIST), Control Objectives for Information and Related Technology (COBIT), Sherwood Applied Business Security Architecture (SABSA), Payment Card Industry (PCI))
1.10 – Understand and apply threat modeling concepts and methodologies
1.11 – Apply Supply Chain Risk Management (SCRM) concepts
- Risks associated with the acquisition of products and services from suppliers and providers (e.g., product tampering, counterfeits, implants)
- Risk mitigations (e.g., third-party assessment and monitoring, minimum security requirements, service level requirements, silicon root of trust, physically unclonable function, software bill of materials)
1.12 – Establish and maintain a security awareness, education, and training program
- Methods and techniques to increase awareness and training (e.g., social engineering, phishing, security champions, gamification)
- Periodic content reviews to include emerging technologies and trends (e.g., cryptocurrency, artificial intelligence (AI), blockchain)
- Program effectiveness evaluation
Asset Security - 10%
2.1 – Identify and classify information and assets
- Data classification
- Asset Classification
2.2 – Establish information and asset handling requirements
2.3 – Provision information and assets securely
- Information and asset ownership
- Asset inventory (e.g., tangible, intangible)
- Asset management
2.4 – Manage data lifecycle
- Data roles (i.e., owners, controllers, custodians, processors, users/subjects)
- Data collection
- Data location
- Data maintenance
- Data retention
- Data remanence
- Data destruction
2.5 – Ensure appropriate asset retention (e.g., End of Life (EOL), End of Support)
2.6 – Determine data security controls and compliance requirements
- Data states (e.g., in use, in transit, at rest)
- Scoping and tailoring
- Standards selection
- Data protection methods (e.g., Digital Rights Management (DRM), Data Loss Prevention (DLP), Cloud Access Security Broker (CASB))
Security Architecture and Engineering - 13%
3.1 – Research, implement and manage engineering processes using secure design principles
- Threat modeling
- Least privilege
- Defense in depth
- Secure defaults
- Fail securely
- Segregation of Duties (SoD)
- Keep it simple and small
- Zero trust or trust but verify
- Privacy by design
- Shared responsibility
- Secure access service edge
3.2 – Understand the fundamental concepts of security models (e.g., Biba, Star Model, Bell-LaPadula)
3.3 – Select controls based upon systems security requirements
3.4 – Understand security capabilities of Information Systems (IS) (e.g., memory protection, Trusted Platform Module (TPM), encryption/decryption)
3.5 – Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements
- Client-based systems
- Server-based systems
- Database systems
- Cryptographic systems
- Industrial Control Systems (ICS)
- Cloud-based systems (e.g., Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS))
- Distributed systems
- Internet of Things (IoT)
- Microservices (e.g., application programming interface (API))
- Containerization
- Serverless
- Embedded systems
- High-Performance Computing systems
- Edge computing systems
- Virtualized systems
3.6 – Select and determine cryptographic solutions
- Cryptographic life cycle (e.g., keys, algorithm selection)
- Cryptographic methods (e.g., symmetric, asymmetric, elliptic curves, quantum)
- Public key infrastructure (PKI) (e.g., quantum key distribution
3.7 – Understand methods of cryptanalytic attacks
- Brute force
- Ciphertext only
- Known plaintext
- Frequency analysis
- Chosen ciphertext
- Implementation attacks
- Side-channel
- Fault injection
- Timing
- Man-in-the-Middle (MITM)
- Pass the hash
- Kerberos exploitation
- Ransomware
3.8 – Apply security principles to site and facility design
3.9 – Design site and facility security controls
- Wiring closets/intermediate distribution facilities
- Server rooms/data centers
- Media storage facilities
- Evidence storage
- Restricted and work area security
- Utilities and Heating, Ventilation, and Air Conditioning (HVAC)
- Environmental issues (e.g., natural disasters, man-made)
- Fire prevention, detection, and suppression
- Power (e.g., redundant, backup)
3.10 – Manage the information system lifecycle
- Stakeholders needs and requirements
- Requirements analysis
- Architectural design
- Development /implementation
- Integration
- Verification and validation
- Transition/deployment
- Operations and maintenance/sustainment
- Retirement/disposal
Communication and Network Security - 13%
Identity and Access Management (IAM) - 13%
Security Assessment and Testing - 12%
Security Operations - 13%
Software Development Security - 10%
Ready to Get Started?
If your work experience and education meet the qualifications and requirements, we’d love to help you get started on your application and on the way to passing your exam by enrolling in one of our public CISSP Boot Camp classes. We offer classes in over 20 cities and online, usually once a month. Our instructor led courses cover all aspects of the examination as well as extremely helpful test taking strategies and exam simulators to make sure you are fully ready.
Steps After Passing the CISSP Exam
Get Endorsed
After passing the CISSP exam, you must obtain an endorsement from a current certification-holder before becoming certified yourself.
This endorsement validates that you have completed the necessary work experience to earn CISSP certification. You have nine months to find an endorsement after passing the exam. In the event you are unable to find someone, (ISC)² may act as your endorser.
Maintain Certification
Like many professional accrediting bodies, (ISC)² requires its members to stay up to date on the latest trends and research in cybersecurity. You must earn at least 120 continuing professional education (CPE) credits every three years to maintain CISSP certification. Many members earn their CPEs by attending courses or conferences, volunteering or teaching
Application Process
Because the ISC2 application is quite an involved process, we recommend that you gather all the relevant information related to your application before you begin. Once the application has begun, it cannot be canceled; however, you can save your application and complete it later. The first thing we recommend is that you register to become a member of the ISC2
Frequently Asked Questions About CISSP Certification
What does a CISSP do?
A CISSP professional maintains an organization’s IT security systems, securing data against external threats. Responsibilities may also include running security audits, gathering data on security performance, managing teams of IT security professionals and creating security reports for stakeholders.
Is CISSP a good certification?
Yes, the CISSP credential is one of the most respected certifications in the cybersecurity field. Its rigor and high standards are well-known in the industry, and many organizations place a high value on recruiting CISSPs.
Is CISSP for beginners?
No, CISSP certification requires five years of professional experience in a cybersecurity-related role or a combination of work experience and education.
What is the CISSP experience waiver and how does it work?
If you have a security-related degree from an accredited college or institution or has additional (ISC)2 credentials from their approved list the participant may be able to waive one of the five years of the required experience.
Can You take the CISSP exam without Experience?
You can pass the CISSP exam without having the full five years of required work experience. However, passing the exam without the experience will earn you the title of Associate of ISC2 rather than full CISSP certification. You’ll then have six years to gain the necessary experience to upgrade to full CISSP status.
Does CISSP Expire After 3 Years?
The CISSP certification is valid for three years. To maintain the certification, holders must earn and submit a total of 120 Continuing Professional Education (CPE) credits within these three years and pay the annual maintenance fee. This process, known as recertification, ensures that CISSP professionals keep their skills and knowledge up to date.