• United States



Josh Fruhlinger
Contributing writer

CISSP certification: Requirements, training, and cost

Jan 21, 20219 mins

This "gold standard" certification demonstrates your skills and testifies to your experience.

'expert knowledge' stamp of certification
Credit: Olivier Le Moal / Getty Images

CISSP definition: What is CISSP?  

Certified Information Systems Security Professional, or CISSP, is a certification for advanced IT professionals who want to demonstrate that they can design, implement, and manage a cybersecurity program at the enterprise level. It’s offered by the International Information System Security Certification Consortium, or (ISC)2, a nonprofit organization that focuses on certification and training for cybersecurity professionals. CISSP is (ISC)2‘s most widely known certification.

With more than 20 years of history behind it, CISSP is a respected certification that can help advance your career. To achieve this certification, you need to demonstrate competence across a range of technical areas and well as management, and you also need to build up relevant industry experience.

Who should get a CISSP? Jobs and career path

CISSP has been called the “gold standard” of security certifications. If you’re scanning cybersecurity jobs, you’ll often find that a CISSP is a prerequisite, or at least highly recommended. If you’re interested in a career path in the U.S. federal government, it’s a particular help. Because of the broad technical knowledge required for CISSP certification, it’s the mark of an infosec generalist who would be useful in many roles.

That said, CISSP isn’t for everyone. In particular, the technical depth and work experience it requires means that it isn’t a cert for those in the opening stages of their career, for whom a CompTIA Security+ certification might be more appropriate. The CISSP exam also covers management skills as well as technical know-how—another reason you’ll need some experience under your belt before you embark on your CISSP journey. 


Because CISSP covers some management-related material, you may be wondering about the difference between it and Certified Information Security Manager (CISM), another popular infosec certification. In a nutshell, a CISSP certification demonstrates in-depth technical knowledge over a broad range of security domains, along with an understanding of managerial responsibilities. CISM, on the other hand, is more strongly oriented towards managers, with an emphasis on understanding infosec incentives from a business point of view.

CISSP domains

The subject matter that the CISSP certification covers is broken down into eight areas, called domains. As of December 2020, those domains are as follows:

The CISSP exam outline gives you a good sense of the sort of topics that fall under each domain. For instance, to show competency in asset security, candidates need to know how to identify and classify information and assets; determine and maintain information and asset ownership; protect privacy; ensure appropriate asset retention; determine data security controls; and establish information and asset handling requirements.

In early 2021, (ISC)2 will be conducting a domain refresh, coming up with a slightly tweaked set of domains (which will be weighted slightly differently for exam scoring). However, the overall set will probably not change significantly.

CISSP requirements 

There are two main requirements to receive a CISSP certification. The first, and the one that most will focus on, is that you need to pass the exam. We’ll discuss this in more detail in a moment.

But first let’s touch on the other requirement: experience. As we noted above, CISSP is a not certification for beginners, and that’s actually mandated by (ISC)2. In order to receive CISSP certification, you need to have five years of full-time work experience in two of the eight CISSP domains described above. There is a certain amount of wiggle room here: you can apply internships and part-time experience towards this requirement, and a college degree or another (ISC)2-approved certification can count as a year of experience. The (ISC)2 website has the nitty-gritty details.

There are also fees you’ll need to pay both to achieve and to maintain your CISSP certification, which we’ll cover later in this article. 

CISSP exam

The CISSP exam covers all the domains outlined above in roughly equal proportions. You can see the exact breakdown in the CISSP exam outline, along with some more details on what the exam is like in practice. It consists of two different types of questions: multiple choice and “advanced innovative items.” The latter type probably sound more intimidating than the questions actually are; they consist of identifying elements of diagrams and dragging-and-dropping answers from one side of a screen to boxes on the other.

The English-language version of the exam uses computerized adaptive testing (CAT). In essence, this means that you take the test on a computer that keeps track of your performance and adjusts the questions it asks you accordingly. This version of the test takes about three hours and consists of 100 to 150 questions. In all other languages, the test is linear (that is, you get the same set of questions no matter how you answer), consists of 250 questions, and takes about 6 hours to complete. For both types of exams, a passing grade is 700 out of 1000 points.

(ISC)2 has a good resource page with practical information about how to schedule your exam, what to expect in terms of formats, and what taking the exam is like. If you’re interested in getting real-world reports of how the test-taking experience played out, you might want to check out this LinkedIn post from Dex Yuan, as well as pseudonymous reports from the (ISC)2 community forums and Reddit. One great thing about the test: you get a preliminary score at the testing site, so you know whether or not you passed. 

How long should I study for the CISSP?

If you’re an infosec pro with lots of experience, you’ll have a wealth of real-world know-how to draw from in order to answer the questions on the CISSP exam. That said, few people will be equally experienced in all of the test domains, and just about everyone needs a refresher before taking a big test like this.

The amount of time you’ll need to put into studying for the test will of course depend on your own preparedness and study style. In an essay on LinkedIn, cloud architect Sujith Prasad recommends putting most of your free time towards studying for a few months leading up to the exam. An (ISC)2 community forums poster said they put in around 150-160 hours in total preparing in the months leading up to the exam. Saaz Rai, writing on Quora, says he passed after studying 6 to 7 hours a day for about three weeks. On the other hand, a poster on the Infosec Institute’s community forums says they passed after studying for a “couple of weekends.”

CISSP study guide    

Many test takers will want a guide to structure their preparation. (ISC)2 puts out an official study guide to help you, but that’s by no means your only option. The CISSP All-in-One Exam Guide is widely beloved, and has a companion set of practice exams. SSI Logic has book with 1,000 practice questions and detailed solutions you can grind your way through. And if that’s not enough, check out the Netwrix blog for more study guide options.   

CISSP training 

If you’re looking for more formal training, that’s available as well. (ISC)2 has an official self-paced CISSP training course as well as authorized instructor-led training both online and in classrooms.

Beyond that, there are of course numerous third-party training courses and bootcamps, far too numerous to list here. Digital Defynd maintains a frequently updated list of its top five CISSP courses; at the moment, these include offerings from Udemy, the Infosec Institute, and Learning Tree. Alpine Security, meanwhile, provides a guide for figuring out if a CISSP training course is a good fit for you.

CISSP exam cost

Most of these study guides and courses are not free, of course, and that’s only the beginning of your costs. You’ll need to pay for the exam itself; registration is $699 in the United States, and the same price or a close equivalent in local currency elsewhere.

CISSP certification and CISSP certification cost

Passing the exam (and paying for it) is the biggest hurtle to being CISSP certified, but there are still more steps you need to go through — and costs you need to pay. First, you’ll need to agree to the (ISC)2 code of ethics. Next, there’s the matter of the work experience requirements we discussed above; once you’ve passed your test, you’ll need to demonstrate that you have met this prerequisite by securing endorsements from colleagues. You actually can take the CISSP exam before you’ve accumulated enough work experience to be certified; if you pass, you have six years to meet the work experience requirements.

In order to maintain your CISSP certification , you need to pay an annual maintenance fee of $125, due on the anniversary of your certification date. (If you have multiple (ISC)2 certifications, you only need to pay that fee once per year for all of them.) If you’ve passed the exam but haven’t met the work experience requirement yet, you’re considered an “Associate of (ISC)2” and pay only $50 a year until you do.

Is CISSP worth it? CISSP salary 

Not all certs are created equal, but the nearly universal assessment is that the not-insignificant costs associated with the CISSP certification will come back to those who are certified in the form of higher compensation. According to ZipRecruiter, CISSPs make on average $125,000 a year. The Balance deemed it one of the seven best IT certifications of 2020, mentioning not just high salaries but how prevalent job postings are for which a CISSP is a requirement or strongly suggested.

And the rewards go beyond the financial. One common thread you’ll find in many of the personal anecdotes we’ve linked to here? May CISSP holders feel like the certification validates a career’s worth of hard work, demonstrating not just their knowledge but their experience. Especially if you’re trying to break into infosec from an adjacent field elsewhere in IT, that can go a long way.