TL;DR: CISSP (Certified Information Systems Security Professional) is a globally recognized cybersecurity certification offered by (ISC)2 that validates expertise across eight security domains. It requires five years of professional work experience, passing a Computerized Adaptive Testing (CAT) exam of 125 to 175 questions, and an annual maintenance fee of $135. More than 500,000 professionals hold the credential worldwide, and the median salary for CISSP holders exceeds $124,000 in 2026.
Cybersecurity has shifted from a back-office IT concern to a board-level priority. Ransomware groups now target school districts, hospitals, and critical infrastructure on a weekly basis. Regulators in the United States, Europe, and Asia have responded with stricter breach disclosure rules, and the U.S. Bureau of Labor Statistics projects a 29 percent jump in information security analyst positions through June 2026. Hiring managers facing thousands of applicants per role are turning to vendor-neutral credentials to separate serious candidates from the rest of the pack.
The Certified Information Systems Security Professional (CISSP) certification sits at the top of that hiring signal stack. (ISC)2 reports that more than 500,000 members and certified professionals now hold the CISSP across 170-plus countries, up from roughly 140,000 in mid-2020. Employers recognize the credential because it is accredited under ANSI/ISO/IEC 17024, mapped to U.S. Department of Defense Directive 8140, and required for many government and defense contractor roles. If you are weighing whether to invest the time and money, this CISSP certification overview walks you through what the credential actually is, what the eight domains cover, who is eligible, how the exam works in 2026, what it costs, what salary you can expect, and how to plan your study path.
What Is CISSP Certification?
CISSP stands for Certified Information Systems Security Professional. It is a vendor-neutral, advanced-level cybersecurity certification issued by the International Information System Security Certification Consortium, commonly known as (ISC)2. The credential certifies that a practitioner can design, engineer, implement, and run a mature information security program. It does not certify a single product, platform, or vendor tool, which is why it carries weight across industries as different as banking, healthcare, government, retail, and aerospace.
First introduced in 1994, CISSP has consistently been ranked among the most respected IT certifications in the world. Independent salary surveys place it near the top of any “best paying” or “most requested by employers” cybersecurity certification list. The (ISC)2 organization itself is a nonprofit membership association that administers the credential, enforces a strict Code of Ethics, and handles the endorsement and audit process that backs the certification’s reputation.
CISSP is widely considered a milestone credential for security professionals transitioning from hands-on technical work into leadership roles such as security architect, security manager, security auditor, director of security, or Chief Information Security Officer (CISO). Many hiring managers treat it as a baseline requirement for senior positions, particularly within the financial services and federal government sectors. Because the certification is accredited under ISO/IEC 17024, it also holds weight internationally, making it a strong choice for professionals considering global career mobility.
The 8 CISSP Domains Explained
The CISSP exam draws questions from a framework called the Common Body of Knowledge, or CBK. The current CBK is organized into eight domains. (ISC)2 updates the weights of these domains periodically, and the table below reflects the official weights in effect for the 2026 exam outline.
- Domain 1: Security and Risk Management (16%) – Covers confidentiality, integrity, and availability; security governance principles; compliance with laws and regulations; threat modeling; supply chain risk; and professional ethics. This domain is the broadest and is often described as the “business of security.”
- Domain 2: Asset Security (10%) – Focuses on identifying and classifying information and assets, determining ownership, handling data appropriately, and applying appropriate retention and disposal controls. Expect questions on data lifecycle, labeling, and privacy protection.
- Domain 3: Security Architecture and Engineering (13%) – Tests your understanding of secure design principles, security models, cryptography, physical security, and the capabilities and limitations of security technologies. This domain has historically tripped up candidates who lack an engineering background.
- Domain 4: Communication and Network Security (13%) – Covers network architecture, transmission methods, secure protocols, and network attacks. Expect scenario questions on segmentation, zero trust, and cloud connectivity.
- Domain 5: Identity and Access Management (IAM) (13%) – Addresses physical and logical access control, identification, authentication, authorization, identity-as-a-service, and access control attacks. Multi-factor authentication and federation are heavily tested.
- Domain 6: Security Assessment and Testing (12%) – Covers the design, execution, and analysis of security testing, including vulnerability assessments, penetration testing, log reviews, and audit trails.
- Domain 7: Security Operations (13%) – Encompasses incident response, investigation, disaster recovery, business continuity, logging, monitoring, and resource protection. Expect questions on ransomware response and tabletop exercises.
- Domain 8: Software Development Security (10%) – Addresses software development lifecycles, secure coding, code review, and the security implications of DevOps, containers, and APIs.
Note that (ISC)2 rebranded a few of the domains in 2024. The “Security Engineering” and “Communications and Network Security” titles were updated to “Security Architecture and Engineering” and “Communication and Network Security” respectively, and the weights were rebalanced. Always verify the current outline on the official (ISC)2 website before scheduling your exam.
CISSP Work Experience and Eligibility Requirements
CISSP eligibility is not based solely on passing an exam. Candidates must demonstrate a minimum of five years of cumulative, paid, full-time work experience in two or more of the eight CISSP domains. Part-time work and internships can be counted, but they are prorated. A four-year college degree, a credential from the (ISC)2 approved list, or a related master’s degree can substitute for one of the five required years, leaving you with a four-year experience requirement.
Your experience does not need to come from a single job title. Hiring managers and (ISC)2 reviewers look for the application of security principles, not a specific job label. Common roles that satisfy the requirement include security analyst, SOC analyst, security engineer, security architect, security consultant, IT auditor, penetration tester, network architect with security responsibilities, and even some compliance or GRC positions. (ISC)2 maintains a list of example roles on its qualification page, and the spirit of the rule is that the work must involve real security responsibility, not just peripheral exposure.
The Associate of (ISC)2 Path
If you do not yet meet the experience requirement, you can still sit for the CISSP exam. Candidates who pass the exam but lack sufficient experience are awarded the Associate of (ISC)2 designation. From that point, you have six years to accumulate the remaining work experience and complete the endorsement process to convert to full CISSP status. This path is popular among career changers and recent graduates, though employers sometimes view the “Associate” title as a half-step until full certification is achieved.
The Endorsement Process
Within nine months of passing the exam, every candidate must complete the endorsement process. This involves submitting an online application that documents your work experience in the relevant domains, then finding an active (ISC)2 member in good standing who can attest to the accuracy of your claims. If you do not personally know a current member, (ISC)2 can act as your endorser. The organization also reserves the right to audit applications, randomly or for cause, so accurate documentation pays off long term.
CISSP Exam Format in 2026
The CISSP exam uses Computerized Adaptive Testing, or CAT, for English-language candidates. CAT is a sophisticated format in which the testing engine selects the next question based on how you performed on the previous one. Get a question right and the next one becomes harder; get one wrong and the next one becomes easier. This approach gives (ISC)2 a precise read on your ability in fewer questions than a traditional fixed-form exam.
For the English CAT version, you will see between 100 and 150 questions (the exam ends as soon as your ability is determined, with a minimum of 100 questions). The non-English linear format contains 125 to 175 questions. You have up to three hours to complete the exam regardless of which version you take. Scores are reported on a scale of 0 to 1000, and you need a 700 to pass.
There is no public pass rate. Commercial training providers frequently advertise pass rates above 90 percent, but independent estimates from industry observers put the actual first-attempt pass rate somewhere between 50 and 60 percent. A common piece of wisdom on candidate forums is that the exam feels “like a mile wide and an inch deep,” meaning you need broad familiarity with every domain rather than deep expertise in any one.
Reschedule and Cancellation Rules
Once you have scheduled your exam through Pearson VUE, the test delivery partner, you have a brief window to reschedule at no cost. After that, fees of $50 and $100 apply for changes within certain windows. If you fail the exam, you must wait 30 days before retaking it, 60 days after a second failure, and 90 days after a third. Candidates may attempt the exam a maximum of four times within a rolling 12-month period. Be aware of these rules so a missed deadline does not turn into a financial penalty.
CISSP Certification Cost Breakdown
The CISSP exam fee is $749 in the United States in 2026, up from $699 in earlier years. (ISC)2 charges the same amount worldwide, although local taxes or currency conversion can change the final price on your credit card statement. The exam fee is paid when you schedule your appointment at a Pearson VUE test center or request an online proctored attempt.
The exam fee is only the first cost. Most candidates also invest in study materials, which typically run between $60 for the official (ISC)2 CISSP Study Guide and $500 for the official Practice Tests bundle. Popular third-party resources like the Destination Certification MindMaps or Pete Zerger’s Exam Cram video series add another $30 to $200. Candidates who prefer a structured environment often enroll in a five- to seven-day boot camp priced between $2,000 and $4,000, which usually includes the exam voucher.
After passing, you must pay an Annual Maintenance Fee (AMF) of $135 to keep the certification active. Members in good standing also must earn 120 Continuing Professional Education (CPE) credits over each three-year cycle, with a minimum of 30 CPEs in any single year, plus an additional 10 CPEs specifically for submissions to the (ISC)2 Code of Ethics. The AMF and CPE system exists to ensure that CISSP holders keep their skills current.
CISSP Salary and Career Outlook
PayScale and other compensation aggregators report an average U.S. salary of around $127,000 for CISSP holders in 2026, with senior and management-level positions pushing well past $170,000. The U.S. Bureau of Labor Statistics lists the median annual wage for information security analysts at $120,360 in its most recent Occupational Outlook Handbook, with the top 10 percent earning above $182,000. CISSP tends to be associated with the higher end of that range, particularly when paired with hands-on experience in cloud security or security architecture.
The job outlook is strong. The Bureau of Labor Statistics projects 33 percent growth in information security analyst positions from June 2026 through 2026, far faster than the average for all occupations. The (ISC)2 Cybersecurity Workforce Study estimates a global cybersecurity workforce gap of roughly 4 million unfilled positions, suggesting that demand for qualified professionals will continue to outpace supply for the foreseeable future.
Common job titles associated with the CISSP include Chief Information Security Officer (CISO), Director of Security, Security Architect, Security Manager, Security Consultant, IT Auditor, Senior Security Engineer, and Cybersecurity Program Manager. The credential is also useful for federal roles, where DoD Directive 8140 lists CISSP as a baseline qualification for several workforce categories including Security Architect, Security Engineer, and Authorizing Official representatives.
Why Get CISSP Certified? Key Benefits
Even after adjusting for the time and money required, the CISSP delivers a long list of career benefits.
- Globally recognized credential: CISSP is accredited under ANSI/ISO/IEC 17024 and accepted in 170-plus countries, which is rare for a security certification. A CISSP earned in Chicago is recognized in Singapore.
- Higher earning potential: Independent salary surveys consistently place CISSP in the top three highest-paying IT certifications. The credential often unlocks salary bands that are out of reach for non-certified peers.
- Career advancement: Hiring managers frequently require CISSP for senior and leadership roles. For many practitioners, the certification is the formal gate from senior contributor to management.
- Government and defense work: U.S. Department of Defense Directive 8140 lists CISSP as a required baseline for many workforce categories. Defense contractors and federal agencies typically require or prefer the credential.
- Vendor neutrality: CISSP does not lock you to a single vendor’s toolset, which makes it a durable investment as the security market shifts between vendors and platforms.
- Professional network: (ISC)2 membership provides access to local chapters, online communities, conferences, and special interest groups that can accelerate your career beyond the credential itself.
- Personal credibility: Earning CISSP signals to colleagues, clients, and recruiters that you have invested the time to master a broad security body of knowledge and adhere to a strict Code of Ethics.
CISSP vs Other Cybersecurity Certifications
CISSP is often mentioned alongside other well-known certifications such as CISM, CEH, CISA, and CompTIA CySA+. Each targets a different audience and skill set, and the right pick depends on your career stage and goals.
- CISSP vs CISM (Certified Information Security Manager): CISM, offered by ISACA, focuses on information security management, governance, and risk. CISM is management-focused with no technical questions, while CISSP covers both management and technical concepts. CISM is often considered a natural next step for CISSP holders moving into GRC leadership.
- CISSP vs CEH (Certified Ethical Hacker): CEH, offered by EC-Council, focuses on offensive security and penetration testing. CISSP is much broader and more management-oriented. CEH is more appropriate for practitioners on a red team or penetration testing track.
- CISSP vs CISA (Certified Information Systems Auditor): CISA, also from ISACA, focuses on IT auditing, control, and assurance. CISSP covers a wider technical scope, while CISA is the gold standard for IT audit professionals.
- CISSP vs CySA+ (CompTIA Cybersecurity Analyst): CySA+ is an intermediate-level, vendor-neutral credential focused on security analytics, intrusion detection, and response. It is more affordable and accessible than CISSP and is often a stepping stone for candidates who plan to pursue CISSP later.
Most senior security professionals end up with a stack of certifications rather than a single one. A common career path is Security+ or CySA+ early in your career, CISSP after about five years of experience, and CISM or CISA once you move into management or audit roles. The right combination depends on your target job titles and industry.
Maintaining Your CISSP: CPE Credits and AMF
Passing the exam is not the final step. CISSP holders must keep their knowledge fresh through ongoing professional education. (ISC)2 requires 120 Continuing Professional Education (CPE) credits over each three-year certification cycle, with a minimum of 30 CPEs in any single year. CPE credits can be earned through activities such as attending conferences, taking training courses, publishing articles, teaching, volunteering on (ISC)2 working groups, and completing relevant self-study.
In addition to the CPE requirement, holders pay an Annual Maintenance Fee (AMF) of $135. The AMF funds (ISC)2’s credential management infrastructure, member services, and the local chapter program. Members who fail to pay the AMF or earn enough CPE credits can have their certification suspended and eventually revoked. Reinstatement is possible but involves additional fees and back-owed AMFs.
Members must also agree annually to abide by the (ISC)2 Code of Ethics, which covers four canons: protect society, the common good, necessary public trust and confidence, and the infrastructure; act honorably, honestly, justly, responsibly, and legally; provide diligent and competent service to principals; and advance and protect the profession. Violations can lead to revocation of the credential.
How to Prepare for the CISSP Exam
CISSP preparation is a serious commitment. Candidates with five or more years of security experience typically need two to three months of focused study, while career changers often spend four to six months. A common study plan allocates 10 to 15 hours per week over that period, balancing reading, video training, and practice questions.
The most recommended resources among active candidates include the official (ISC)2 CISSP Study Guide (OSG) and the companion Official Practice Tests (OPT) book. Many successful candidates supplement those with the Destination Certification MindMaps video series, Pete Zerger’s Exam Cram, and Mike Chapple’s Last Mile review on LinkedIn Learning. Practice question banks of 1,000 or more questions are widely considered essential, because the CAT format demands comfort with scenario-based, “think like a manager” questions that are very different from pure recall items.
One frequently mentioned shift in mindset is the “think like a manager” framing. Many CISSP questions describe a scenario with multiple technically correct answers and ask you to choose the best one from a governance, risk, or business perspective. Memorization alone will not carry you through; you need to internalize the manager’s voice. Joining a study group, such as the r/cissp subreddit, the (ISC)2 Community, or a local chapter, also helps reinforce the material and keeps motivation high.
Frequently Asked Questions
Is CISSP very difficult?
Yes. The CISSP exam is widely considered one of the toughest IT certifications. It uses Computerized Adaptive Testing (CAT) with 100 to 150 questions in three hours, covers a broad Common Body of Knowledge, and emphasizes scenario-based reasoning over memorization. Independent estimates place the first-attempt pass rate between 50 and 60 percent, though most candidates who prepare for two to six months do pass on a subsequent attempt.
Is CISSP still worth it in 2026?
Yes. Demand for senior cybersecurity talent continues to grow, with the U.S. Bureau of Labor Statistics projecting 33 percent growth in information security analyst roles. CISSP remains a baseline requirement for many senior and government positions, and certified professionals report average salaries above $124,000. The (ISC)2 Cybersecurity Workforce Study also estimates a global shortage of roughly 4 million security professionals, suggesting strong demand will continue.
Can I take the CISSP exam without experience?
You can sit for the exam without the full five years of experience, but you will be awarded the Associate of (ISC)2 designation rather than full CISSP status. From that point you have six years to accumulate the remaining experience and complete the endorsement process. A four-year degree or an approved credential can waive one of the five required years.
What jobs can you get with a CISSP?
CISSP holders commonly work as Chief Information Security Officer (CISO), Director of Security, Security Architect, Security Manager, Security Consultant, Senior Security Engineer, IT Auditor, and Cybersecurity Program Manager. The credential is also widely required or preferred for federal and defense contractor roles mapped to U.S. DoD Directive 8140 workforce categories.
How long does it take to study for the CISSP?
Candidates with five or more years of hands-on security experience typically need two to three months of focused study, while career changers often spend four to six months. A common study plan allocates 10 to 15 hours per week and combines a primary study guide, video training, and a practice question bank of 1,000 or more questions.
How does CISSP compare to other cybersecurity certifications?
CISSP is broader and more management-oriented than credentials like CEH, which focuses on offensive security, or CySA+, which targets security analysts at the intermediate level. CISSP is often compared to CISM (security management) and CISA (IT auditing), both offered by ISACA. Most senior professionals hold a stack of certifications rather than a single one, with CISSP commonly paired with CISM, CISA, or cloud-specific credentials.
Final Thoughts on the CISSP Certification
The CISSP certification overview above covers the major facts: it is a globally recognized, ANSI/ISO/IEC 17024 accredited, vendor-neutral cybersecurity credential offered by (ISC)2; it requires five years of qualifying experience (or four with an approved waiver); it uses a Computerized Adaptive Testing format with 100 to 150 questions in English; it costs $749 to sit, plus study materials and an annual $135 maintenance fee; and it continues to anchor strong salaries and career mobility in 2026.
If you are early in your security career, build a few years of hands-on experience, supplement it with Security+ or CySA+, and plan for CISSP once you have crossed the four- or five-year mark. If you are already a senior practitioner, the question is less whether CISSP is worth the investment and more when you will sit for the exam. The credential has held its value for three decades, and the structural shortage of qualified cybersecurity talent suggests that will not change anytime soon. Visit the official (ISC)2 CISSP page to verify the latest exam outline, fees, and registration steps before you schedule your attempt.