The CISSP certification is consistently one of the most popular certifications among cybersecurity practitioners. It is also one of the certifications most in demand by cybersecurity employers.
According to Cyberseek data in 2024, the CISSP certification was:
- Number one on a list of job openings requiring certification with 66,011 openings.
- Number two on a list of most popular certifications with 91,765 professionals holding the cert.
This guide examines the purpose and value of a CISSP designation by laying out the certification's costs and benefits. The requirements for qualifying for this professional designation are detailed as well.
What is the CISSP certification?
The CISSP is one of the most sought-after professional certifications available in the security industry. The acronym CISSP stands for Certified Information Systems Security Professional, and it was created to demonstrate that a security professional is able to design, engineer, implement, and run an information security program.
Top salaries and a projected job growth rate far above average make obtaining a CISSP designation a priority for many security professionals.
An arduous exam and rigorous employment experience requirements make the CISSP challenging to obtain, but the popularity of this designation is an indication that obtaining certification is within the capabilities of most security career professionals.
The Certified Information Systems Security Professional (CISSP) certification was introduced in 1994 by (ISC)², an international, nonprofit membership association and arguably the world’s leading cybersecurity professional organization.
It is designed to validate information security work experience and a working knowledge of security principles and practices.
The CISSP is not suitable for every security practitioner or executive but is one certification that should at least be considered by anyone building a career in information security at any level.
For some security roles, such as IT director, security analyst, and chief information security officer, CISSP certification should be considered a requirement.
What are CISSP requirements?
CISSP certification requirements include a combination of work experience, peer endorsement, adherence to a code of ethics, and successfully passing the CISSP exam.
A candidate must have a minimum of five years of direct full-time security work experience.
There are provisions whereby one year of work experience may be waived for holding a four-year college degree, a master’s degree in information security, or one of several other certifications.
In fulfilling its responsibility to build and maintain professionalism within the security industry, (ISC)² requires candidates to accept the CISSP Code of Ethics and to attest to the truthfulness of the assertions in their application regarding professional experience and background.
That said, (ISC)² will undoubtedly verify those assertions as well.
The pièce de résistance of the CISSP certification process is a three-hour, 150-question, multiple-choice exam.
A candidate must pass this examination with a score of 700 points or more out of 1,000 possible points.
Last but not least, a candidate must also have their qualifications endorsed by an (ISC)² certification holder, who ostensibly has accepted the CISSP Code of Ethics.
While (ISC)² does not publish a comprehensive list of what employment experience qualifies as relevant for the CISSP certification, its promotional materials list the following jobs as ideal for holders of this certification:
- Chief information security officer
- Director of security
- IT director/manager
- Security systems engineer
- Security analyst
- Security manager
- Security auditor
- Security architect
- Security consultant
- Network architect
Security work experience submitted as part of a CISSP certification application is evaluated by (ISC)² for elements indicative of educational and professional achievement.
Work requiring a college degree, management skills, or regular use of security practices and principles is weighted particularly heavily.
A CISSP candidate may have worked in a wide variety of security positions but must prove work experience specific to two or more of the eight domains of the (ISC)² CISSP Common Body of Knowledge (CBK).
It is worth noting that a candidate without the required experience to become a CISSP may, after successfully passing the CISSP exam, become an Associate of (ISC)².
The Associate of (ISC)² will then have six years to earn the experience needed for CISSP certification.
How much does obtaining a CISSP certification cost?
The total cost of preparing for a CISSP certification will vary depending on the candidate’s knowledge and experience.
A candidate with minimal applicable knowledge and experience can choose a comprehensive CISSP course to help them prepare for the exam.
In contrast, a more seasoned candidate may only need to brush up using a few books or videos.
CISSP courses designed to help candidates pass the test are available in four formats: training, seminars, courseware, and self-study aids, all available directly from (ISC)² or one of its official training providers.
In addition to official training providers, there is a myriad of websites, books, and videos designed to help candidates pass the CISSP exam.
Care should be taken when considering unofficial sources of CISSP exam information. The exam format has changed within the last few years, and older guides and training materials may be outdated.
Popular official training providers offer self-paced e-learning courses starting from $2,499. These courses include an exam voucher and a number of practice tests.
Courses that include an instructor-led component start at around $2,900 and can cost over $4,400 depending on the level of instructor involvement. Some of these courses include an exam pass guarantee.
For candidates more inclined to piece together their own study materials, CISSP reference books and videos are widely available. Books run about $100 and videos about $300.
Use the most current material available to avoid receiving outdated information.
Over and above the costs associated with training courses and materials, there are soft costs to be considered as well.
Time spent preparing for the exam will require sacrifice, and since time is money, that cost should be weighed in the overall cost-benefit calculation.
Even so, given the higher salaries and increased job opportunities enjoyed by CISSP holders, pursuing the certification will nearly always come out favorably in that equation.
There are also ongoing costs associated with maintaining a CISSP certification. Once certified, a holder must re-certify every three years.
Recertification is accomplished by earning 120 continuing professional education (CPE) credits over three years and paying a $125 Annual Maintenance Fee (AMF) to support the ongoing development of the program.
CISSP bootcamps: What to expect
The CISSP exam was revised on May 1, 2021, to align with the latest security threats. One of the most effective ways to prepare for this exam is through a CISSP Bootcamp.
What you’ll learn during a CISSP bootcamp
CISSP bootcamps are intensive programs that equip you with the technical skills needed for the CISSP certification. The curriculum focuses on the eight domains of the (ISC)² CISSP Common Body of Knowledge (CBK). These include areas like security and risk management, asset security, and security architecture and engineering. While the bootcamp won’t make you an expert, it will provide enough knowledge to pass the exam.
The networking advantage
Attending a CISSP bootcamp also offers the benefit of networking. You’ll be learning alongside industry-recognized experts and like-minded individuals. This is crucial because networking is essential in the cybersecurity field.
The financial upside
Holding a CISSP certification can significantly boost your earning potential. In the U.S., CISSP-certified professionals earn up to 9 percent more than their non-certified peers, and in Europe, the figure is 12 percent.
Bootcamp prerequisites and time commitment
Before taking the CISSP exam, you must have a minimum of five years of full-time, relevant work experience. The bootcamps are designed for working professionals and are shorter than other cybersecurity bootcamps, usually lasting between 5 and 10 days. They can be attended on-site or online.
Bootcamp cost
The cost of a CISSP bootcamp varies and can range from $2,499 to $5,000 or more, depending on the provider and the format. Some bootcamps offer additional services such as CISSP exam vouchers, study guides, and one-on-one tutoring.
Post-bootcamp steps
After the bootcamp, you’ll be prepared to take the CISSP exam, which has a pass rate of about 20 percent. The exam costs around $749 in the US and varies in other regions. Once you pass, you’ll need to get your experience endorsed by an (ISC)² qualified professional to become fully certified.
Deep dive into the CISSP exam
The CISSP exam cost is $699. A voucher for this fee is sometimes included in commercially available courses. English language tests are administered using Computerized Adaptive Testing (CAT).
With this form of computer-administered testing, the items presented to the test taker are selected based on the correctness of their responses to previous items. In this way, the test adapts to the examinee’s ability level.
The 100 to 150 test items on the CISSP exam are drawn from the eight domains of the (ISC)² CISSP CBK. Each CBK domain is weighted as shown below:
| Domains of the CBK | Weight |
| --- | --- |
| Domain 1: Security and Risk Management | 15 percent |
| Domain 2: Asset Security | 10 percent |
| Domain 3: Security Architecture and Engineering | 13 percent |
| Domain 4: Communication and Network Security | 14 percent |
| Domain 5: Identity and Access Management (IAM) | 13 percent |
| Domain 6: Security Assessment and Testing | 12 percent |
| Domain 7: Security Operations | 13 percent |
| Domain 8: Software Development Security | 10 percent |
The CISSP test is a timed exam: each candidate has up to three hours to complete it. The test items are multiple-choice or advanced innovative questions.
The pass/fail rate for CISSP exam takers is not publicly available.
If the exam is failed on the first attempt, a candidate can retest after 30 days. If they don’t pass a second time, they can retest after 60 test-free days or 90 days from their original test date. If they don’t pass a third time, they can retest after 90 test-free days or 180 days from their first exam attempt. Candidates may attempt an (ISC)² exam up to four times within 12 months at a maximum.
CISSP salary information
The CISSP is one of the most sought-after professional designations largely because it consistently ranks as the top-paying industry certification. In 2018, (ISC)² reported that the average salary for CISSP holders was $131,030.
While (ISC)² has not published salary figures for subsequent years, the current skills gap in information security jobs has most assuredly driven CISSP salaries even higher.
The Bureau of Labor Statistics projects job growth for information security analysts from 2019 to 2029 at 31 percent, much faster than average.
The CISSP is US Department of Defense (DoD) approved and opens numerous opportunities within the US Federal Government. (ISC)² reports that members earn 35 percent more than non-members.
The CISSP is a globally recognized certification and can open doors to international travel and positions around the world.
Frequently asked questions about the CISSP
What is the CISSP?
The Certified Information Systems Security Professional (CISSP) is a globally recognized certification in the field of information security. It is offered by the International Information Systems Security Certification Consortium, also known as (ISC)².
Who is the CISSP certification for?
The CISSP certification is targeted at professionals who are already established in their IT or cybersecurity careers and who want to certify their skills. It’s often pursued by those in roles like security consultant, security analyst, security manager, IT director/manager, network architect, security auditor, security systems engineer, and chief information security officer.
What are the requirements for the CISSP?
To qualify for the CISSP certification, you need to have a minimum of five years of cumulative, paid, full-time work experience in two or more of the eight domains of the (ISC)² CISSP Common Body of Knowledge (CBK). A one-year experience waiver can be granted if you have a four-year college degree or regional equivalent or an approved credential from the CISSP prerequisite pathway.
What are the eight CISSP domains?
The eight domains are: Security and Risk Management, Asset Security, Security Architecture and Engineering, Communication and Network Security, Identity and Access Management (IAM), Security Assessment and Testing, Security Operations, and Software Development Security.
How can I prepare for the CISSP exam?
Preparation for the CISSP exam can include a combination of methods such as self-study, instructor-led training, online courses, study guides, practice exams, and using the CBK as a reference.
What is the format of the CISSP exam?
The exam is a three-hour computerized adaptive test (CAT) for English-language exams, with a maximum of 150 questions. For all other languages, it is a linear, fixed-form test with 250 questions over six hours.
How long is the CISSP certification valid?
The CISSP certification is valid for three years. To maintain it, holders must earn and post a minimum of 120 continuing professional education (CPE) credits within the three-year certification cycle and abide by the (ISC)² Code of Ethics.
Is the CISSP certification worth it?
While the answer to this question can be subjective, many professionals find the CISSP certification worthwhile. It can help boost your credibility, expand your career opportunities, increase your earning potential, and demonstrate your commitment to the information security field.
Conclusion
If information security practitioners could consider only a single professional certification (and in truth there are many more), it would be the CISSP. It is the most widely recognized and comprehensive certification available.
By design, the CISSP is challenging to obtain. The level of knowledge and experience required to earn certification is integral to its value to employers. A CISSP is requisite for many high-level security roles and provides a standard by which security leaders are measured.