Certified Information Systems Security Professional (CISSP)

How to become CISSP-certified

Becoming CISSP-certified requires more than passing the Certified Information Systems Security Professional certification exam. Candidates are required to have a minimum of five years of full-time, hands-on experience in at least two of the eight cybersecurity knowledge domains.

The (ISC)² advises a four-step pathway to certification for candidates, starting with ascertaining that the CISSP credential is the right credential for them. The (ISC)² recommends CISSP certification for candidates who are experienced cybersecurity practitioners, listing a number of positions for which the CISSP would be appropriate, including chief information security officer, chief information officer, director of security, IT manager, security systems engineer, security analyst, security manager, security auditor, security architect, security consultant and network architect.

The next step that (ISC)² recommends is preparing and registering for the certification exam. Preparation can be achieved through self-study and using CISSP practice books and study guides, as well as online practice exams. Many candidates also enroll in CISSP training courses to prepare for the exam.

CISSP requirements

To earn the CISSP credential, the candidate must pass the certification exam, as well as complete the CISSP exam agreement, subscribe to the (ISC)² code of ethics, answer background qualification questions and receive an endorsement from an active (ISC)²-certified professional.

To maintain the CISSP certification, candidates are required to earn at least 40 Continuing Professional Education (CPE) credits each year and pay an annual maintenance fee of $85.

CISSP exam

The CISSP exam is six hours long and consists of 250 multiple choice questions and advanced innovative questions testing the candidate's knowledge and understanding of the eight domains of the (ISC)² Common Body of Knowledge, which include security and risk management, asset security, security engineering, communications and network security, identity and access management, security assessment and testing, security operations, and software development security. The results are calculated on a scaled score, with a score of 700 or higher out of a 1,000 point maximum required to qualify for the credential.

The CISSP exam is offered in English, as well as other languages, including French, German, Brazilian Portuguese, Spanish, Japanese, simplified Chinese, Korean and a format for the visually impaired. The certification exam is administered by Pearson VUE and conducted at Pearson VUE test centers.

Cost of the CISSP exam

As of this writing, the exam costs $699, though exact pricing and taxes vary based on the location of the exam. Attendance at the certification exam can be rescheduled for a $50 fee; there is a $100 fee to cancel the exam.

The CISSP credential is valid for three years after the successful completion of the requirements. After three years, CISSP credential holders can recertify as long as they have paid the annual maintenance fee and submitted their 40 hours of CPE credits every year.

CISSP training

Because the CISSP certification exam is targeted to working cybersecurity professionals who have extensive hands-on experience in the field, candidates should not rely on formal CISSP training to gain the skills and knowledge they need to pass the certification exam.

Rather, CISSP training should focus on reviewing the Common Body of Knowledge -- the comprehensive framework for organizing the areas of expertise expected from cybersecurity professionals. It should also validate that the candidate is familiar with the test material and identify blind spots in the candidate's experience and knowledge.

CISSP concentrations

Professionals who currently hold the CISSP credential can also qualify by adding one of three CISSP concentrations: architecture (CISSP-ISSAP), engineering (CISSP-ISSEP) or management (CISSP-ISSMP). In addition to already having the CISSP certification, the candidate must have at least two years of work experience in one or more of the concentration's domains.

The ISSAP domains include access control systems and methodology, communications and network security, cryptography, security architecture analysis, technology-related business continuity planning and disaster recovery planning, and physical security considerations.

The ISSEP domains include systems security engineering, certification and accreditation/risk management framework, technical management, and U.S. government information assurance-related policies and issuances.

The ISSMP domains include security leadership and management; security lifecycle management; security compliance management; contingency management; and law, ethics and incident management.

The CISSP concentration exams are three hours long, are offered in English only and consist of 125 multiple choice questions for ISSAP and ISSMP and 150 multiple choice questions for ISSEP. The exam fees are all $599.

After passing their chosen exam by earning at least 700 points -- out of 1,000 -- candidates must go through a similar endorsement process as with CISSP. Candidates must also earn 20 Continuing Professional Education credits each year and pay a $35 annual maintenance fee to retain their certification.