Certified Information Systems Security Professional (CISSP)

Contributor(s): Taina Teravainen , Ed Tittel

Certified Information Systems Security Professional (CISSP) is an information security certification developed by the International Information Systems Security Certification Consortium, also known as (ISC)². The CISSP designation is a globally recognized, vendor-neutral standard for attesting to an IT security professional's technical skills and experience in implementing and managing a security program. The CISSP is sought by IT professionals with job titles such as security auditor, security systems engineer, security architect and chief information security officer, among others.

To become a CISSP, the candidate must pass the Certified Information Systems Security Professional exam with a scaled score of 700 or higher out of a 1,000-point maximum. The six-hour exam, consisting of 250 questions in multiple-choice and "advanced innovative" formats, tests the candidate's knowledge and understanding in eight domains drawn from the more extensive (ISC)² Common Body of Knowledge: security and risk management, asset security, security engineering, communications and network security, identity and access management, security assessment and testing, security operations, and software development security.

Candidates are required to have a minimum of five years of full-time experience in at least two of the eight domains. They must also complete the CISSP examination agreement, subscribe to the (ISC)² code of ethics, answer several background qualification questions and receive an endorsement from an active (ISC)²-certified professional.

As of this writing, the exam costs U.S. $599 in most regions, except for Europe. It is offered in English and in other languages, including French, German, Brazilian Portuguese, Spanish, Japanese, simplified Chinese and Korean, as well as in a format for the visually impaired.

To maintain the CISSP certification, candidates are required to earn at least 40 continuing professional education credits each year and pay an annual maintenance fee of U.S. $85.

CISSP concentrations

In addition to the CISSP, candidates can also qualify for a CISSP concentration in architecture (CISSP-ISSAP), engineering (CISSP-ISSEP) or management (CISSP-ISSMP). Candidates must already hold the CISSP and have at least two years of work experience in one or more of the concentration's domains.

The ISSAP domains are: access control systems and methodology; communications and network security; cryptography; security architecture analysis; technology-related business continuity planning and disaster recovery planning; and physical security considerations.

The ISSEP domains are: systems security engineering; certification and accreditation/risk management framework; technical management; and U.S. government information assurance-related policies and issuances.

The ISSMP domains are: security leadership and management; security lifecycle management; security compliance management; contingency management; and law, ethics and incident management.

The CISSP concentration exams are three hours long, offered in English only, and consist of 125 questions for ISSAP and ISSMP and 150 questions for ISSEP; the exam fee for each is U.S. $399. After passing their chosen exam by earning at least 700 points (out of 1,000), candidates must go through an endorsement process similar to that for the CISSP. Candidates have to earn 20 continuing professional education credits each year and pay a U.S. $35 annual maintenance fee to retain their certification.


This was last updated in October 2016


Thank you Margaret...
Does your enterprise require CISSP certification of its IT security employees? Are there other certifications of higher importance?
Are there any certifications available for non-technical Information Security management?
