The history of CISSP [updated 2021]

June 17, 2021 by Daniel Brecht

During the late 1980s, the need for vendor-independent certification programs in the field of information security was high. As a result, the International Information Security Certification Consortium, or (ISC)², came into existence in 1989. A non-profit organization, it has since become famous for providing standardized information security certifications.

The Certified Information Systems Security Professional (CISSP) certification is the best-known credential of the many offered by the organization, and it recognizes those who can prove their “knowledge and experience to design, develop and manage the overall security posture of an organization,” according to the certifications page of the official (ISC)² website.

(ISC)²’s CISSP certification was launched back in 1994 for experienced security practitioners, managers and executives and has become a suitable (and preferred) option for many cybersecurity professionals.

In 2005, the CISSP became the first credential from the field of information security to have met the requirements of the ISO/IEC Standard 17024.

More recently, the certificate has fulfilled requirements for the U.S. Department of Defense (DoD) workers (Directive 8570.1) to get a commercial certification credential that has been accredited by the American National Standards Institute (ANSI). 

CISSP exam changes

(ISC)² is notorious for changing the curriculum and other things about CISSP, time and time again. In 2015, several changes were made to the common body of knowledge (CBK) for the CISSP credential that featured 10 domains. The CBK reflects the most current and relevant topics required to practice the profession and needs constant updating (normally every three years) to reflect in the best possible way the knowledge and skills truly required by professionals in the ever-changing, dynamic field of information security.

According to the official CISSP website, “enhancements are the result of a rigorous, methodical process that (ISC)² follows to routinely update its credential exams. This process ensures that the examinations and subsequent continuing professional education requirements encompass the topic areas relevant to the roles and responsibilities of today’s practicing information security professionals.”

The changes normally lead to the expansion and realignment of pertinent topics that fall under different domains. This helps achieve the organizational objective of accurately reflecting the managerial and technical brilliance expected of a vetted professional in the field of information security.

The recent changes, however, have been slight rather than massive, but have also included a domain renaming to describe the topics more articulately. On May 1, 2021, the weights of the domains for the (ISC)² CISSP credential exam were refreshed as follows:

Domain                                        2018 CISSP exam    2021 CISSP exam
1. Security and risk management               15%                15%
2. Asset security                             10%                10%
3. Security architecture and engineering      13%                13%
4. Communication and network security         14%                13%
5. Identity and access management (IAM)       13%                13%
6. Security assessment and testing            12%                12%
7. Security operations                        13%                13%
8. Software development security              10%                11%

As you can see, the weights have changed for two of the eight domains. Domain four now has 1% less weight while domain eight’s weight has increased by 1%. The weights of all other domains are unchanged. Here’s a brief overview of the current eight CISSP domains.

Candidates undergo a three-hour English exam consisting of 100 to 150 questions for the computerized adaptive testing (CAT). Alternatively, they answer 250 questions in a six-hour testing window if taking the linear, fixed-form test administered in all other languages. To pass the exam, you need to earn a minimum of 700 out of 1000 points. If you want more information about CISSP, you can download the official CISSP guide from this link.

Are you eligible for the certification? A candidate is required to have a minimum of five years of cumulative paid full-time work experience in two or more of the eight domains of the CISSP CBK.

Ready for examination? Schedule a test date at the Pearson Vue testing center.

When the CISSP content was updated on May 1, 2021, the exam registration fee increased from $699 to $749.

Note: (ISC)² understands online examination is of interest to candidates and is exploring the possibility of future online proctoring exams. Read more about the pilot test for CISSP here.

CISSP for security professionals

(ISC)² has been striving to nurture the talent and the experience in the information security field for over two decades now, and CISSP has been gaining more and more relevance with each passing year. As of now, there are over 90,000 CISSP certified professionals in the U.S. alone. The complete list of CISSP member counts across 170 countries can be seen here.

According to the (ISC)² Cybersecurity Workforce Study, there’s a global cyber workforce shortage of over 3.1 million men and women, so there is no better time to accelerate your career development with a CISSP certification that is ideal for people working in the following positions (among others):

  • Director of security
  • Network architect
  • Security consultant
  • Security manager
  • Security architect
  • Security analyst
  • Security systems engineer
  • Chief information security officer
  • IT director/manager
  • Security auditor 

After clinching the CISSP credential, security professionals can:

  1. Fill the skills gap in the cybersecurity industry.
  2. Demonstrate the expertise and competence that they have gained through years of work in the field.
  3. Stand out against the competition when applying to job openings.
  4. Have an edge in terms of promotions and pay increases.
  5. Show commitment to lifelong learning and growth in their line of work. 

What are the various CISSP concentrations?

(ISC)² produced three concentrations that can be taken on by CISSP-certified professionals to further nurture their knowledge and expertise in the field of information security. The three currently offered are: 


The Information Systems Security Architecture Professional (ISSAP) requires two years of cumulative, paid work experience in one or more of the six domains of the CISSP-ISSAP CBK. A more detailed outline is available here.

The credential is beneficial for a chief security architect or analyst.


The Information Systems Security Engineering Professional (ISSEP) requires two years of cumulative, paid work experience in one or more of the five domains of the CISSP-ISSEP CBK. A more detailed outline is available here.

The credential is beneficial for those who incorporate security (practically apply systems engineering principles and processes to develop secure systems) into all facets of business operations.


The Information Systems Security Management Professional (ISSMP) certification requires the candidate to have two years of cumulative, paid work experience in one or more of the six domains of the CISSP-ISSMP CBK. A more detailed outline is available here.

The credential is beneficial for those who have management and leadership skills and can excel at establishing, presenting and governing information security programs.

What is the HealthCare Information Security and Privacy Practitioner (HCISSP)?

The healthcare industry has been facing ever-increasing challenges related to patient data protection and privacy. Therefore, the HCISSP certification is ideal for those charged with guarding protected health information (PHI). Information regarding the exam outline can be found here.

The candidate’s knowledge will be checked in the following seven domains:

  • Regulatory and standards environment
  • Privacy and security in healthcare
  • Risk management and risk assessment
  • Third-party risk management
  • Healthcare industry
  • Information governance in healthcare
  • Information technologies in healthcare 

If you are working in any of the following positions, the HCISSP certification could be perfect for you:

  • Privacy officer
  • Compliance auditor
  • Risk analyst
  • Compliance officer
  • Information security manager
  • Health information manager
  • Practice manager
  • Medical records supervisor
  • Information technology manager
  • Privacy and security consultant

Exploring your career through the CISSP

If you want to garner certified credibility and outshine your competition, then you might consider (ISC)²’s CISSP that has become perhaps the single most sought-after credential on the part of employers.

With the demand for experienced professionals at an all-time high and expected to grow as the gap between supply and demand increases, one of the best ways to get into one of these coveted positions is by becoming certified. You can read more about which of the certifications (whether HCISSP or CISSP) would be ideal for you.



