CISSP certification – The ultimate guide

July 1, 2019 by Infosec


Cybersecurity is a huge consideration in today’s world due to the ongoing rise of cyber threats, in-house security breaches, phishing attempts and other forms of hacking. The demand for experienced cybersecurity professionals is at an all-time high and will only continue to grow as the gap between supply and demand increases. One of the best ways to get into one of these coveted positions is by becoming a Certified Information Systems Security Professional (CISSP).

What Is CISSP certification?

A CISSP certification validates that your cybersecurity knowledge and skills in key areas are up to date. It shows you have a deep knowledge and understanding not just of existing threats but of emerging ones, as well as of the ways to prevent those threats from affecting an organization.

According to (ISC)2, it is a “vendor-neutral credential for those with proven deep technical and managerial competence, skills, experience and credibility to design, engineer, implement and manage their overall information security program to protect organizations from growing sophisticated attacks.”

There are eight “domains” covered in the CISSP CBK (critical body of knowledge), which include the following:

  • Security and risk management
  • Asset security
  • Security engineering
  • Communication and network security
  • Identity and access management
  • Security assessment and testing
  • Security operations
  • Software development security

Earning your CISSP certification will require that you have experience (we’ll touch on how much in the requirements section) in at least two of those eight domains.

According to (ISC)2, this certification is an ideal option for security consultants, security managers, IT directors and managers, security auditors, security architects, security analysts, security systems engineers, chief information security officers, directors of security and network architects, to name only a few.

What is (ISC)2?

While many technical certifications are issued by companies, (ISC)2 is actually an international nonprofit organization. It was formed over 25 years ago and has been instrumental in combating cyber threats.

CISSP certification is the organization’s best-known credential, but it offers others, all of which are “part of a holistic, programmatic approach to security.” Today, the organization has over 140,000 members in a wide range of security roles, from cybersecurity to infrastructure security and everything in between.

The rising demand

Not convinced that becoming a CISSP will really help further your career? Consider what David Shearer, CEO of (ISC)2, had to say at the organization’s conference in Orlando in September of 2016. “We have to take a holistic approach to security, so there is more demand for soft skills. The industry needs people that are good at technology, but also good at communication, business, and people. We need to build out the deep specialists to be able to communicate. The CISSP is often criticized as being too broad and I don’t disagree, but the power of CISSP is that you understand the breadth of any information security problem.”

This is backed up and further explained by an interview that Alan Paller, director of research at the SANS Institute, gave to Ars Technica. “This idea that there’s a shortage is absolutely true,” he stated. “But it’s a focused shortage. The majority of the jobs that are hard to fill are the mission-critical jobs.”

Of course, in order to become a credentialed professional, you’ll need to understand the CISSP requirements, of which there are quite a few.

How do I earn the CISSP?

Earning your credentials requires that you meet the current CISSP requirements. There is a lengthy testing process involved, but it goes much deeper than this. You need a significant amount of previous work experience, or, if you have less real-world security experience, you can become an Associate of (ISC)2 while you accumulate it. The overall process will look like this:

  • Have the minimum required real-world experience.
    • If you lack the required years of experience, you can become an Associate of (ISC)2.
    • If you have a 4-year degree, you may qualify for a 1-year waiver.
  • Pass the exhaustive CISSP exam with a minimum score of 700 out of 1,000 points.
  • Complete the endorsement process and agree to the organization’s code of ethics.
  • Maintain your CISSP certification and recertify every three years.

What is the work experience required?

Perhaps the single most difficult requirement for those aspiring to earn their CISSP certification is the work experience needed. You’ll need a minimum of five years of experience working in the real world as a security professional. You must be able to show proof that you worked full time in this role and that you have experience in a minimum of two out of the eight domains highlighted in the (ISC)2 CBK.

If you have earned a four-year degree, or an accepted additional credential from the list of approved options, you can get a one-year waiver, meaning that you’ll only need to prove that you have four years of real-world, full-time experience as a security professional.

Interested in taking part in a CISSP training program? Check out Infosec’s CISSP Boot Camp.

What is the Associate of (ISC)2?

For those who do not have the required work experience, it is possible to become an Associate of (ISC)2. To do this, you’ll need to pass the CISSP exam and then work as a security professional. You have six years from the date that you pass the exam to earn your full CISSP credential. If you are unable to do so during that time, you will need to retake the exam after you have completed at least five years of work.

After passing the exam, you’ll have access to ongoing training options, as well as other benefits. You will need to maintain your status, though, which will require that you earn 15 CPE (continuing professional education) credits every year and pay a $35 annual fee.

During this time, you will need to work toward your full CISSP certification and start the endorsement process, which will ultimately turn your associate certificate into a CISSP certificate.

The process looks like this:

  • Choose your certification preference (CISSP in this case).
  • Schedule the exam and agree to the code of ethics.
  • Take the exam and pass.
  • Maintain your status and work toward your CISSP certification. You have six years to complete five years of real-world experience.

The examination questions, format and length

As of December 2017, all English-language CISSP exams use Computer Adaptive Testing (CAT), which adjusts the difficulty of the questions based on the test-taker’s previous answers.

According to (ISC)2, “This more precise evaluation enables us to reduce the maximum exam administration time from 6 hours to 3 hours, and it reduces the items necessary to accurately assess a candidate’s ability from 250 items on a linear, fixed-form exam to as little as 100 items on the CISSP CAT exam.”

The questions are a mix of multiple-choice items and what the organization calls “advanced innovative” items. These are drag-and-drop questions, as well as “hotspot questions,” designed to measure both knowledge and cognitive skills. For instance, you may be presented with a question and then have to drag all the correct answers from one side of the screen into a “correct answers” box on the other side (the exam is taken on a computer, not on paper).

Multiple-choice questions cover a wide range of topics. Two examples follow:

  • Which one of the following is the MOST important security consideration when selecting a new computer facility?
    • Local law enforcement response times
    • Adjacent to competitors’ facilities
    • Aircraft flight paths
    • Utility infrastructure
  • Which one of the following describes a SYN flood attack?
    • Rapid transmission of Internet Relay Chat messages
    • Creating a high number of half-open connections
    • Disabling the domain name service (DNS) server
    • Excessive list linking of users and files

How does the CISSP endorsement process work?

Once you’ve passed the CISSP test, your work is not yet done. You’ll need to complete the organization’s endorsement process before you can actually earn your certification. This will require that you have the endorsement form digitally signed by an existing (ISC)2 certified professional, who is a member of the organization in good standing.

The endorser must be able to verify that you have professional experience and that your work experience is true to the best of his or her knowledge. Note that you will have to have the member’s certification number when completing the endorsement form. If you do not have a connection with an existing (ISC)2 member in good standing, the organization itself can act as an endorser.

It’s also important to understand a couple of other things. First, time is limited when it comes to getting your endorsement. You’ll need to have your endorsement completed within nine months of passing the CISSP exam or you’ll have to retake the test (and pay the fees again).

It pays to think about your connections prior to taking the test and, if you do not know any members of the organization currently, cultivate some contacts within the organization beforehand. In a worst-case scenario, the organization itself can act as your endorser.

You should also understand that the organization regularly audits a random sample of those who pass the exam. The organization says this about audits: “A percentage of the candidates who pass an (ISC)2 examination and submit endorsements will be randomly subjected for audit and required to submit additional information, as required, for verification.” You will be notified via email if your application is selected for audit.

What are the candidate background qualifications?

(ISC)2 does not allow just anyone to take the examination. There is a rigorous background screening involved, and you’ll need to ensure that you meet these CISSP requirements before you start the process. The organization states that no refunds are given on exam fees or other expenses if you have already taken the test and do not meet the background requirements.

There are four questions that you’ll need to pay close attention to during the background screening. Answering “Yes” to any of these may make you ineligible for any certification through the organization. However, if you feel that you have been denied without true cause, you can contact them by email to plead your case. The four questions to watch for are as follows:

  • Have you ever been convicted of a felony, a crime based on dishonesty (felony or misdemeanor involving lying) or a Court Martial in military service, or is there a felony charge now pending against you?
  • Have you ever been involved, or publicly identified, with criminal hackers or hacking?
  • Have you ever had a professional license, certification, membership or registration revoked, or have you ever been censured or disciplined by any professional organization or government agency?
  • Have you ever been known by any other name, alias, or pseudonym?

Make sure that you resolve any potential conflicts so that your background check is clean and you do not raise any red flags during this process.


The CISSP requirements set forth by (ISC)2 are designed to be stringent, including five years of real-world experience working as a security professional. However, those requirements are what makes the CISSP certification so enticing to employers. Earning a CISSP certification will give you one of the most sought-after credentials by hiring managers around the world looking to add information and cybersecurity professionals to their teams.

