The CISSP Certification Guide (2024)

The Certified Information Systems Security Professional, or CISSP certification, proves that you’re an experienced cybersecurity practitioner with the knowledge and ability to oversee organizational security efforts.

  • Learn how to implement and manage enterprise-level security operations
  • Discover how to design security architecture that keeps up with ever-evolving risks
  • Show hiring managers that you have director-level security skills and knowledge

CISSP exam overview

The CISSP is offered by ISC2 and is one of the most requested cybersecurity certifications in job listings. It is a great way for cybersecurity practitioners who have worked in the field for several years to prove they have what it takes to lead effective information security teams. After earning a CISSP certification, you may want to pursue the ISC2 certifications for security architecture, engineering or management.

The CISSP exam demonstrates knowledge and familiarity with information system security from the ground up. The latest version of the CISSP exam covers eight knowledge areas, or domains.

Domain 1: Security and risk management (16%)
  • Professional ethics
  • Security concepts and governance principles
  • Privacy and regulatory requirements
  • Information security legal and regulatory issues in a holistic context
  • Requirements for investigation types
  • Develop, document and implement security policy, standards, procedures and guidelines
  • Business Continuity requirements
  • Personnel security policies and procedures
  • Risk management concepts
  • Threat modeling concepts and methodologies
  • Supply Chain Risk Management concepts
  • Establish and maintain a security awareness, education and training program
Domain 2: Asset security (10%)
  • Data and asset classification
  • Information and asset handling requirements
  • Asset ownership and management
  • Manage data lifecycle
  • Appropriate asset retention
  • Data security controls and compliance requirements
Domain 3: Security architecture and engineering (13%)
  • Engineering processes using secure design principles
  • Fundamental concepts of security models
  • Select controls based on systems security requirements
  • Security capabilities of information systems
  • Vulnerabilities of security architectures, designs and solution elements
  • Cryptographic solutions
  • Methods of cryptanalytic attacks
  • Apply security principles to site and facility design
  • Design site and facility security controls
Domain 4: Communication and network security (13%)
  • Secure design principles in network architectures
  • Secure network components
  • Implement secure communication channels according to design
Domain 5: Identity and access management (IAM) (13%)
  • Control physical and logical access to assets
  • Identification and authentication of people, devices and services
  • Federated identity with a third-party service
  • Authorization mechanisms
  • The identity and access provisioning lifecycle
  • Implement authentication systems
Domain 6: Security assessment and testing (12%)
  • Assessment, test and audit strategies
  • Security control testing
  • Collect security process data
  • Analyze test output and generate report
  • Security audits
Domain 7: Security operations (13%)
  • Understand and comply with investigations
  • Conduct logging and monitoring activities
  • Configuration Management
  • Foundational security operations concepts
  • Resource protection
  • Incident management
  • Detective and preventative measures
  • Patch and vulnerability management
  • Change management processes
  • Recovery strategies
  • Disaster Recovery Plans and processes
  • Business Continuity planning and exercises
  • Physical security
  • Address personal safety and security concerns
Domain 8: Software development security (10%)
  • Security in the Software Development Life Cycle
  • Security controls in software development ecosystems
  • Assess the effectiveness of software security
  • Security impact of acquired software
  • Secure coding guidelines and standards

Learn more about the CISSP domains.

CISSP exam details

CISSP covers security for networks, software, communications and assets. It includes information on the entire security life cycle, including architecture, engineering, operations, assessment and testing.

  • Launch date: 1994
  • Last update: April 2024
  • Number of questions: 100-150
  • Type of questions: Multiple choice and advanced innovative items
  • Length of test: 3 hours
  • Passing score: 700 (out of 1000)
  • Recommended experience: 5+ years cumulative paid work experience in two or more CISSP domains
  • Languages: English, German, Japanese, Chinese, Korean, Spanish
  • Validity duration: Three years
  • CPEs needed for renewal: 120 (at least 90 in Group A, up to 30 in Group B)
  • CISSP exam cost: $749

CISSP exam additional resources

There are a variety of free resources to help you prepare for your CISSP exam, but a good starting point is the CISSP exam outline. This comprehensive guide is the definitive resource on the CISSP certification exam’s Body of Knowledge, which is the collection of topics on the test. You can develop a training plan and seek out appropriate study materials based on this outline.

CISSP study guides and books

A number of training resources are available on Amazon and elsewhere, including the Official ISC2 CISSP CBK Reference and the ISC2 CISSP Certified Information Systems Security Professional Official Study Guide. Other popular CISSP exam prep guides and PDFs include:

  • CISSP For Dummies, 7th Edition
  • CISSP All-in-One Exam Guide by Shon Harris and Fernando Maymi
  • CISSP Study Guide by Eric Conrad
  • Eleventh Hour CISSP: Study Guide by Eric Conrad
  • Free Sunflower CISSP PDF

You can also download the free CISSP exam tips ebook from Infosec.

CISSP practice questions and exams

CISSP practice exams are a great way to gauge your exam readiness and understand the types of questions you’ll be asked. Even free CISSP dumps can be found, although it’s against ISC2 policy to disclose the actual exam questions being used. A few of the most popular CISSP practice question options are listed below:

Most paid CISSP training courses also offer practice questions. For example, Infosec Skills CISSP training has a customizable practice exam with more than 1,500 CISSP questions.

Other free CISSP training resources

There are a number of other free CISSP training materials being produced and shared by the community:

  • Forums like TechExams and Reddit allow you to connect directly with others who are studying for or have already taken the CISSP.
  • YouTube is another great place to connect with cybersecurity practitioners and learn about the CISSP exam. Although most CISSP courses cost money, numerous free CISSP videos are available to watch, including our CISSP exam webcast.
  • Podcasts may not help you directly study for your CISSP exam, but those like the Cyber Work Podcast are a great way to hear about the career and training journeys of fellow IT and cybersecurity professionals.

CISSP jobs and careers

CISSP certification is often a major stepping stone from being an information systems security practitioner to working in more advanced information security roles. It’s also one of the certifications approved to meet DoD Directive 8570.1.

Common CISSP job titles

Some of the more commonly held positions for people who have a CISSP certification are:

Learn more about the job outlook for CISSP holders.

CISSP live boot camps and self-paced training

Obtaining your CISSP certification takes a lot of hard work and studying, and getting professional instruction can help all that hard work pay off. Paid training is also a great option for those looking to get certified quickly or those who want extra assistance mastering the concepts covered on the exam.

CISSP comparisons and alternatives

The CISSP is one of the most requested cybersecurity certifications, but it is not the only option available. Here is how CISSP certification stacks up to other related certifications.

CISSP vs. Security+

Both certifications represent knowledge gained in information security, but at different skill levels. While earning CISSP certification requires five years working in a related field, CompTIA’s Security+ certification is more of an entry-level or beginner-level cybersecurity certification. If you’re trying to obtain your CISSP certification, you may already have Security+ certification. If you don’t, you may want to take the Security+ exam first.

CISSP vs. CISM

The ISACA Certified Information Security Manager (CISM) certification is similar to CISSP in knowledge and exam format. They both require more manager-level knowledge and perspectives concerning information security, and both can help you progress from practitioner to manager. However, CISM takes a slightly broader view of information security management than CISSP. CISSP certification teaches you more about the daily tasks and skills typically involved in operating a cybersecurity program, while CISM deals more with developing and managing a cybersecurity program in the longer term. In addition, the CISM exam is slightly shorter and less costly than the CISSP exam.

CISSP vs. ISSMP vs. ISSEP vs. ISSAP

Before October 2023, a CISSP certification was required in order to obtain CISSP "concentrations" or "specializations" around management, engineering or architecture. However, in October 2023, ISC2 began providing an alternate experience requirement so that qualified individuals without a CISSP can now earn the ISSMP, ISSEP and ISSAP certifications.

The Information Systems Security Management Professional certification is an advanced management certification that's somewhat comparable to the ISACA CISM and can help you advance through management positions in your chosen cybersecurity focus. The Information Systems Security Engineering Professional and Information Systems Security Architecture Professional are also advanced certifications, but they focus on cybersecurity engineering and architecture.

Other CISSP alternatives

Explore Infosec certifications to find the best fit for your career goals.