Definition

Certified Information Systems Security Professional (CISSP)

Certified Information Systems Security Professional (CISSP) is an information security certification developed by the International Information Systems Security Certification Consortium, also known as (ISC)². The CISSP designation is a globally recognized, vendor-neutral standard attesting to an IT security professional's technical skills and hands-on experience implementing and managing a security program.

CISSP is a certification sought by IT professionals. Hiring organizations often look for candidates who have passed the CISSP exam because holders of the CISSP credential are knowledgeable enough about cybersecurity to pass the certification exam, have hands-on experience and, potentially, have formal CISSP training.

How to become CISSP-certified

Becoming CISSP-certified requires more than passing the Certified Information Systems Security Professional certification exam. Candidates are required to have a minimum of five years of full-time, hands-on experience in at least two of the eight cybersecurity knowledge domains.

The (ISC)² advises a four-step pathway to certification for candidates, starting with ascertaining that the CISSP credential is the right credential for them. The (ISC)² recommends CISSP certification for candidates who are experienced cybersecurity practitioners, listing a number of positions for which the CISSP would be appropriate, including chief information security officer, chief information officer, director of security, IT manager, security systems engineer, security analyst, security manager, security auditor, security architect, security consultant and network architect.

The next step that (ISC)² recommends is preparing and registering for the certification exam. Preparation can be achieved through self-study and using CISSP practice books and study guides, as well as online practice exams. Many candidates also enroll in CISSP training courses to prepare for the exam.

CISSP requirements

To earn the CISSP credential, the candidate must pass the certification exam, as well as complete the CISSP exam agreement, subscribe to the (ISC)² code of ethics, answer background qualification questions and receive an endorsement from an active (ISC)²-certified professional.

To maintain the CISSP certification, candidates are required to earn at least 40 Continuing Professional Education (CPE) credits each year and pay an annual maintenance fee of $85.



CISSP exam

The CISSP exam is six hours long and consists of 250 multiple choice questions and advanced innovative questions testing the candidate's knowledge and understanding of the eight domains of the (ISC)² Common Body of Knowledge, which include security and risk management, asset security, security engineering, communications and network security, identity and access management, security assessment and testing, security operations, and software development security. The results are calculated on a scaled score, with a score of 700 or higher out of a 1,000 point maximum required to qualify for the credential.

The CISSP exam is offered in English, as well as other languages, including French, German, Brazilian Portuguese, Spanish, Japanese, simplified Chinese, Korean and a format for the visually impaired. The certification exam is administered by Pearson VUE and conducted at Pearson VUE test centers.

Cost of the CISSP exam

As of this writing, the exam costs $699, though exact pricing and taxes vary based on the location of the exam. Attendance at the certification exam can be rescheduled for a $50 fee; there is a $100 fee to cancel the exam.

The CISSP credential is valid for three years after the successful completion of the requirements. After three years, CISSP credential holders can recertify as long as they have paid the annual maintenance fee and submitted their 40 hours of CPE credits every year.

CISSP training

Because the CISSP certification exam is targeted to working cybersecurity professionals who have extensive hands-on experience in the field, candidates should not rely on formal CISSP training to gain the skills and knowledge they need to pass the certification exam.

Rather, CISSP training should focus on reviewing the Common Body of Knowledge -- the comprehensive framework for organizing the areas of expertise expected from cybersecurity professionals. It should also validate that the candidate is familiar with the test material and identify blind spots in the candidate's experience and knowledge.

CISSP concentrations

Professionals who currently hold the CISSP credential can also qualify for one of three CISSP concentrations: architecture (CISSP-ISSAP), engineering (CISSP-ISSEP) or management (CISSP-ISSMP). In addition to already having the CISSP certification, the candidate must have at least two years of work experience in one or more of the concentration's domains.

The ISSAP domains include access control systems and methodology, communications and network security, cryptography, security architecture analysis, technology-related business continuity planning and disaster recovery planning, and physical security considerations.

The ISSEP domains include systems security engineering, certification and accreditation/risk management framework, technical management, and U.S. government information assurance-related policies and issuances.

The ISSMP domains include security leadership and management; security lifecycle management; security compliance management; contingency management; and law, ethics and incident management.

The CISSP concentration exams are three hours long, are offered in English only and consist of 125 multiple choice questions for ISSAP and ISSMP and 150 multiple choice questions for ISSEP. The exam fees are all $599.

After passing their chosen exam by earning at least 700 points -- out of 1,000 -- candidates must go through an endorsement process similar to the one for the CISSP. Candidates must also earn 20 Continuing Professional Education credits each year and pay a $35 annual maintenance fee to retain their certification.

This was last updated in December 2018


7 comments


Thank you Margaret...

Does your enterprise require CISSP certification of its IT security employees? Are there other certifications of higher importance?

In my experience, which again is just "my" experience (and I'm a consultant who travels A LOT), I have NOT run into any private sector jobs which "require" a CISSP.

Pretty much every public sector project I have worked requires a Security+ or a CISSP. That's likely due to 8570 rules.

Are there any certifications available for non-technical Information Security management?

I'm not aware of any non-technical security (or other technology) certifications, largely because there is probably not that much demand for professionals who *lack* technical expertise.

Are there any certifications available for non-technical Information Security management?

Yes, the CISSP is a non-technical cert.

What would you consider a technical security certification if the CISSP is *not* technical?
