The CISSP Certification Guide (2024)
What is CISSP certification?
The Certified Information Systems Security Professional, or CISSP certification, proves that you’re an experienced cybersecurity practitioner with the knowledge and ability to oversee organizational security efforts.
- Learn how to implement and manage enterprise-level security operations
- Discover how to design security architecture that keeps up with ever-evolving risks
- Show hiring managers that you have director-level security skills and knowledge
Key facts
- Last update: April 15, 2024
- Average U.S. salary for CISSP certification holders as of 2023: $140,131
- Recommended experience: 5+ years
Start your journey to becoming a certified professional with Infosec.
CISSP exam overview
The CISSP is offered by ISC2 and is one of the most requested cybersecurity certifications in job listings. It is a great way for cybersecurity practitioners working in their field for several years to prove they have what it takes to lead effective information security teams. After earning a CISSP certification, you may want to pursue the ISC2 certifications for security architecture, engineering or management.
The CISSP exam demonstrates knowledge and familiarity with information system security from the ground up. The latest version of the CISSP exam covers eight knowledge areas, or domains.
Domain 1: Security and risk management (16%)
- Professional ethics
- Security concepts and governance principles
- Privacy and regulatory requirements
- Information security legal and regulatory issues in a holistic context
- Requirements for investigation types
- Develop, document and implement security policy, standards, procedures and guidelines
- Business Continuity requirements
- Personnel security policies and procedures
- Risk management concepts
- Threat modeling concepts and methodologies
- Supply Chain Risk Management concepts
- Establish and maintain a security awareness, education and training program
Domain 2: Asset security (10%)
- Data and asset classification
- Information and asset handling requirements
- Asset ownership and management
- Manage data lifecycle
- Appropriate asset retention
- Data security controls and compliance requirements
Domain 3: Security architecture and engineering (13%)
- Engineering processes using secure design principles
- Fundamental concepts of security models
- Select controls based on systems security requirements
- Security capabilities of information systems
- Vulnerabilities of security architectures, designs and solution elements
- Cryptographic solutions
- Methods of cryptanalytic attacks
- Apply security principles to site and facility design
- Design site and facility security controls
Domain 4: Communication and network security (13%)
- Secure design principles in network architectures
- Secure network components
- Implement secure communication channels according to design
Domain 5: Identity and access management (IAM) (13%)
- Control physical and logical access to assets
- Identification and authentication of people, devices and services
- Federated identity with a third-party service
- Authorization mechanisms
- The identity and access provisioning lifecycle
- Implement authentication systems
Domain 6: Security assessment and testing (12%)
- Assessment, test and audit strategies
- Security control testing
- Collect security process data
- Analyze test output and generate report
- Security audits
Domain 7: Security operations (13%)
- Understand and comply with investigations
- Conduct logging and monitoring activities
- Configuration Management
- Foundational security operations concepts
- Resource protection
- Incident management
- Detective and preventative measures
- Patch and vulnerability management
- Change management processes
- Recovery strategies
- Disaster Recovery Plans and processes
- Business Continuity planning and exercises
- Physical security
- Address personal safety and security concerns
Domain 8: Software development security (10%)
- Security in the Software Development Life Cycle
- Security controls in software development ecosystems
- Assess the effectiveness of software security
- Security impact of acquired software
- Secure coding guidelines and standards
Learn more about the CISSP domains.
CISSP exam details
CISSP covers security for networks, software, communications and assets. Includes information on the entire security life cycle, including architecture, engineering, operations, assessment and testing.
| Launch date: | 1994 | Last update: | April 2024 |
| Number of questions: | 100-150 | Type of questions: | Multiple choice and advanced innovative items |
| Length of test: | 3 hours | Passing score: | 700 (out of 1000) |
| Recommended experience: | 5+ years cumulative paid work experience in two or more CISSP domains | Languages: |
English, German, Japanese, Chinese, Korean, Spanish |
| Validity duration: | Three years | CPEs needed for renewal: | 120 (at least 90 in Group A, up to 30 in Group B) |
| Exam cost: | $749 |
CISSP exam additional resources
There are a variety of free resources to help you prepare for your CISSP exam, but a good starting point is the CISSP exam outline. This comprehensive guide is the definitive resource on the CISSP certification exam’s Body of Knowledge, which is the collection of topics on the test. You can develop a training plan and seek out appropriate study materials based on this outline.
CISSP study guides and books
A number of training resources are available on Amazon and elsewhere, including the Official ISC2 CISSP CBK Reference and the ISC2 CISSP Certified Information Systems Security Professional Official Study Guide. Other popular CISSP exam prep guides and PDFs include:
- CISSP For Dummies, 7th Edition
- CISSP All-in-One Exam Guide by Shon Harris and Fernando Maymi
- CISSP Study Guide by Eric Conrad
- Eleventh Hour CISSP: Study Guide by Eric Conrad
- Free Sunflower CISSP PDF
You can also download the free CISSP exam tips ebook from Infosec.
CISSP practice questions and exams
CISSP practice exams are a great way to gauge your exam readiness and understand the types of questions you’ll be asked. Even free CISSP dumps can be found, although it’s against ISC2 policy to disclose the actual exam questions being used. A few of the most popular CISSP practice question options are listed below:
- ISC2 CISSP Certified Information Systems Security Professional Official Practice Tests 3rd Edition (from Sybex)
- ISC2 Official CISSP Flash Cards
- Boson CISSP practice exam
Most paid CISSP training courses also offer practice questions. For example, Infosec Skills CISSP training has a customizable practice exam with more than 1,500 CISSP questions.
Other free CISSP training resources
There are a number of other free CISSP training materials being produced and shared by the community:
- Forums like TechExams and Reddit allow you to connect directly with others who are studying for or have already taken the CISSP.
- YouTube is another great place to connect with cybersecurity practitioners and learn about the CISSP exam. Although most CISSP courses cost money, numerous free CISSP videos are available to watch, including our CISSP exam webcast.
- Podcasts may not help you directly study for your CISSP exam, but those like the Cyber Work Podcast are a great way to hear about the career and training journeys of fellow IT and cybersecurity professionals.
CISSP jobs and careers
CISSP certification is often a major stepping stone from being an information systems security practitioner to working in more advanced information security roles. It’s also one of the certifications approved to meet DoD Directive 8570.1.
Common CISSP job titles
Some of the more commonly held positions for people who have a CISSP certification are:
- Information security manager
- Cybersecurity analyst
- Information security analyst
- Chief information security officer
- Security engineer
- Security architect, IT
Learn more about the job outlook for CISSP holders.
CISSP live boot camps and self-paced training
Obtaining your CISSP certification takes a lot of hard work and studying, and getting professional instruction can help all that hard work pay off. Paid training is also a great option for those looking to get certified quickly or those who want extra assistance mastering the concepts covered on the exam.
Live CISSP Boot Camp
Live online or in-person boot camps are often considered the premium CISSP training experience. For example, the Infosec CISSP Boot Camp allows you to earn your CISSP certification in one week — with six training days plus a day to schedule and take your CISSP exam.
Advantages of enrolling in a boot camp include:
- Live instruction: Boot camps allow interaction with instructors and peers with useful industry or exam experience to share.
- Complete certification package: When searching for a boot camp, find out if there will be any additional costs for training materials, exam vouchers or other resources.
- Higher pass rates: Boot camps prepare you to pass the exam on your first attempt, and providers like Infosec back their training with an Exam Pass Guarantee.
Learn more about the live CISSP Boot Camp.
Self-paced CISSP training
Some people absorb new knowledge better when they can study at their own rate. Others have hectic lifestyles that don’t fit into traditional class schedules. For those situations, Infosec offers self-paced CISSP training courses.
The advantages of the self-study approach include:
- Train at your own pace: Train when it’s convenient for you — 30 minutes over lunch or a few hours on the weekend. There’s no need to set aside 40-60 hours for a week of intense, live instruction.
- Build an individual training plan: Since you’ll be training by yourself and not with a group, target your training around the domains and objectives you need to learn the most.
- Test on your schedule: With a self-study approach, you can take the exam when you feel ready — take as little or as much time as you need to prepare.
Learn more about the self-paced CISSP training.
CISSP comparisons and alternatives
The CISSP is one of the most requested cybersecurity certifications, but it is not the only option available. Here is how CISSP certification stacks up to other related certifications.
CISSP vs. Security+
These certifications represent knowledge gained in information security but represent different skill levels. While earning CISSP certification requires five years working in a related field, CompTIA’s Security+ certification is more of an entry-level or beginner-level cybersecurity certification. If you’re trying to obtain your CISSP certification, you may already have Security+ certification. If you don’t, you may want to take the Security+ exam first.
CISSP vs. CISM
The ISACA Certified Information Security Manager (CISM) certification is similar to CISSP in knowledge and exam format. They both require more manager-level knowledge and perspectives concerning information security, and both can help you progress from practitioner to manager. However, CISM takes a slightly broader view of information security management than CISSP. CISSP certification teaches you more about the daily tasks and skills typically involved in operating a cybersecurity program, while CISM deals more with developing and managing a cybersecurity program in the longer term. In addition, the CISM exam is slightly shorter and less costly than the CISSP exam.
CISSP vs. ISSMP vs. ISSEP vs. ISSAP
Before October 2023, a CISSP certification was required in order to obtain CISSP "concentrations" or "specializations" around management, engineering or architecture. However, in October 2023, ISC2 began providing an alternate experience requirement so that qualified individuals without a CISSP can now earn the ISSMP, ISSEP and ISSAP certifications.
The Information Systems Security Management Professional certification is an advanced management certification that's somewhat comparable to the ISACA CISM and can help you advance through management positions in your chosen cybersecurity focus. The Information Systems Security Engineering Professional and Information Systems Security Architecture Professional are also advanced certifications, but they focus on cybersecurity engineering and architecture.
Other CISSP alternatives
Which certification is better for your career? Is the CISSP the best certification for you? It depends on you and your career goals. Check out these articles to learn more:
Explore Infosec certifications to find the best fit for your career goals.
