The CISSP (Certified Information Systems Security Professional) from (ISC)2 is
the most recognized senior-level security certification in the world. The exam
is $749, runs 180 minutes, uses a computerized adaptive format of 100 to 150
questions, and requires 700 out of 1000 to pass. The part most people miss:
you also need 5 years of paid, full-time security work experience to become a
fully certified CISSP. Pass the exam without it and you become an Associate of
(ISC)2 until you earn the years. Most candidates need 3 to 6 months of study.
This is a mile-wide, inch-deep exam that rewards management thinking over deep
technical recall.
The 90-second answer
Take CISSP if you already have several years in security or IT and you're
targeting roles like security manager, security architect, GRC lead, or CISO.
It's the credential that shows up as "required" or "strongly preferred" in
senior security job postings more than any other. If you want one cert that
moves you from technician to leadership track, this is it.
Skip CISSP if you're new to security or you don't yet have the 5 years of
qualifying experience. You can still sit the exam and become an Associate, but
the cert is built around the assumption that you've managed risk in the real
world. Start with Security+ (SY0-701) for fundamentals, get a couple of years
on the job, then come back. Going straight to CISSP from zero security
experience usually means a failed attempt and a $749 retake.
What does the CISSP actually test?
CISSP tests eight domains, known as the Common Body of Knowledge (CBK). The
weights below took effect with the April 2024 refresh and run through the
current exam. Every question maps to one domain.
| Domain | Weight | What it covers |
|---|---|---|
| Security and Risk Management | 16% | Governance, risk management, compliance, legal, ethics, BCP fundamentals |
| Asset Security | 10% | Data classification, ownership, handling, retention, privacy |
| Security Architecture and Engineering | 13% | Secure design, models, cryptography, physical security |
| Communication and Network Security | 13% | Network architecture, secure protocols, segmentation |
| Identity and Access Management (IAM) | 13% | Authentication, authorization, provisioning, federation |
| Security Assessment and Testing | 12% | Audits, vulnerability assessment, pen testing, logging |
| Security Operations | 13% | Incident response, monitoring, forensics, DR, change management |
| Software Development Security | 10% | SDLC security, secure coding concepts, application controls |
The exam is conceptual, not hands-on. You will never configure a firewall or
write a line of code. Instead you get a scenario and you pick the answer a
risk-aware manager would choose. A typical question gives you four technically
correct options and asks for the BEST or FIRST action. The expected answer
almost always favors people and process over technology, and risk reduction
over a quick technical fix.
If you've ever heard "think like a manager, not an engineer," you've heard
someone describe how to pass CISSP.
How hard is the CISSP?
CISSP is a difficulty 4 out of 5. The content itself is not deeply technical,
but the breadth is enormous and the question style trips up strong engineers.
(ISC)2 does not publish a pass rate, but community surveys consistently put
first-attempt pass rates somewhere around 60% to 70%, and many strong
candidates fail the first time.
The hard part is not memorizing facts. The hard part is:
- Breadth: eight domains spanning law, cryptography, networking, software, and governance. Nobody is an expert in all eight.
- The "manager mindset" pivot: technical people instinctively pick the technical fix, which is often the wrong answer on this exam.
- The adaptive format: the test gets harder as you answer correctly, so it never feels like you're doing well. Many people leave convinced they failed.
- Wording precision: "BEST," "FIRST," "MOST," and "MOST effective" each change the correct answer. Misreading the qualifier sinks otherwise-prepared people.
People who fail CISSP usually fail because they studied the technology and
ignored the test-taking pivot, or because they panicked when the adaptive
engine kept feeding them hard questions. The exam is designed to feel
uncomfortable. That is normal, not a signal you're failing.
The most common failure pattern looks like this: a senior engineer with 10
years of hands-on work assumes the exam will reward depth, skims the manager
mindset advice, walks in confident, and keeps picking the "implement the
control" answer when the question wanted "assess the risk first." Build the
mindset shift in week 2, not week 10. Do at least 1,000 practice questions and
read every explanation, even on the ones you got right.
How long should you study for CISSP?
(ISC)2 assumes 5 years of security experience before you sit the exam. That
experience is baked into the question difficulty. On top of that, plan study
time based on your background:
- With 5+ years of broad security experience: 2 to 3 months at 8 to 10 hours per week
- With strong experience in only a few domains: 4 to 5 months, with extra time on your weak domains (usually cryptography, law, and software security)
- Coming from a technical-only background (sysadmin, network, dev): 5 to 6 months to build the governance and risk vocabulary the exam expects
- Coming from GRC or audit with light technical depth: 4 to 5 months, focused on networking, architecture, and cryptography
The biggest waste of study time is re-reading the 1,000-page official study
guide cover to cover. Read it once, then live in practice questions. The exam
is about applying judgment under specific wording, which you only build by
drilling questions and dissecting why the wrong answers are wrong.
A realistic week-by-week pace for a 12-week study plan looks like:
- Week 1: Domain 1 (Security and Risk Management), the heaviest domain
- Week 2: Domain 1 continued plus the manager-mindset pivot and risk formulas
- Week 3: Domain 2 (Asset Security) and data lifecycle
- Week 4: Domain 3 (Security Architecture and Engineering), models
- Week 5: Domain 3 cryptography deep dive (a common weak spot)
- Week 6: Domain 4 (Communication and Network Security)
- Week 7: Domain 5 (Identity and Access Management)
- Week 8: Domain 6 (Security Assessment and Testing)
- Week 9: Domain 7 (Security Operations), incident response, forensics, DR
- Week 10: Domain 8 (Software Development Security) and SDLC
- Week 11: Full-length practice exams, weak-domain cleanup
- Week 12: More timed practice, mindset drills, light review only
Most people underestimate Domain 1. At 16% it's the single largest slice, and
its risk, governance, and legal concepts thread through every other domain. If
you're shaky on Domain 1, you're shaky on the whole exam.
What does the CISSP cost?
The exam itself is $749 USD in the Americas. Beyond that, real total cost
depends on your study path:
| Component | Range | Notes |
|---|---|---|
| Exam fee | $749 | One attempt. Retakes cost the same $749 each. |
| (ISC)2 annual maintenance fee | $135/year | Required once certified, plus CPE credits |
| Study guide / OSG | $0 to $60 | The Official Study Guide and "Sybex" practice tests |
| Practice questions | $0 to $80 | NerdExam has 1536 CISSP questions if you want a free option |
| Optional bootcamp | $0 to $3,500 | Most self-studiers skip this entirely |
| Total realistic spend | $750 to $900 | Cheapest viable path: exam plus a single study guide |
Retakes are not cheap and the policy is strict: you wait 30 days after a first
fail, 60 days after a second, and 90 days after a third, with a maximum of
four attempts in any 12-month period. That waiting structure is the real
reason to over-prepare rather than gamble on a borderline first attempt.
What salary can you expect?
CISSP is one of the highest-paying security certifications, partly because it
gates senior roles. 2026 salary data from US job boards shows:
- National average for CISSP holders: $135,000 to $165,000 base
- Security architect and security manager roles: $150,000 to $180,000
- Top US metros and senior IC roles: $180,000 to $200,000+
- Director and CISO-track roles with CISSP: $200,000 to $300,000+ total comp
The cert alone doesn't deliver these numbers. The 5-year experience
requirement means every certified CISSP already has a real track record, which
is exactly why the credential correlates with senior pay. The CISSP is the
filter that gets your resume past the keyword screen for security leadership
jobs. The experience is what gets you hired.
A practical negotiation tip: if you earn CISSP while employed, time the
conversation with your manager before your review cycle, not after. Many
security teams have a formal pay band for CISSP holders because client
contracts and compliance frameworks sometimes require a certain number of
certified staff. That makes you measurably more valuable to bill out. Internal
moves with a fresh CISSP historically clear 8 to 15% base bumps. External
moves into a senior security role clear far more.
What study resources actually work?
The candidates who pass on the first attempt use a consistent stack:
- One primary text for breadth. The Official (ISC)2 CISSP Study Guide (the "OSG") or Eleventh Hour CISSP for a faster pass. Read once, do not memorize.
- A heavy diet of practice questions with full explanations. This is the single highest-return activity for CISSP. Drill the wrong-answer reasoning, not just the right answer.
- A concept-anchoring resource for the manager mindset. Free YouTube walkthroughs of "BEST vs FIRST" question logic are widely available and close the gap engineers struggle with.
- The official exam outline (free from (ISC)2). Map every study session to a domain and weight so you spend time proportional to the exam.
- At least two full-length timed practice exams in the final two weeks. Treat them like the real thing. If you're below 75% on the second, push your exam date.
Skip the expensive bootcamps unless your employer pays. The CISSP body of
knowledge is stable and well-documented, and a self-study stack covers the
same ground for under $100. Reddit's r/cissp has the most current
crowd-sourced advice on which resources are working this quarter.
For the practice question portion, NerdExam has 1536 enriched CISSP questions
with full explanations. Start practicing CISSP questions
to see the question style before you commit to a study plan. The free
explanations show you the "think like a manager" reasoning pattern the exam
expects, which is the hardest thing to learn from a textbook and the easiest
thing to learn by doing questions.
Who should NOT take CISSP?
The cert is wrong for these candidates:
| You are | Take instead |
|---|---|
| New to security entirely | CompTIA Security+ (SY0-701) first |
| A hands-on pentester or red teamer | OSCP or GPEN for the technical track |
| A cloud security engineer | CCSP (also (ISC)2) or a cloud-vendor security cert |
| An IT generalist with no security experience | Security+ now, CISSP in 2 to 3 years |
| Someone without the 5 years of experience | Sit it as Associate if you want, but know the cert is provisional until you earn the years |
The path matters more than the cert. CISSP is a leadership and governance
credential. If your career is heading deep into offensive security or cloud
engineering, a technical cert serves you better. Chasing CISSP too early
wastes months and risks a failed attempt on an exam built for people with a
decade of context.
What's next after CISSP?
Once CISSP is in hand, a few paths open up depending on direction:
- Management track: CISSP concentrations like ISSMP (management) or the CISM from ISACA. Natural fits for security managers and aspiring CISOs.
- Architecture track: the ISSAP concentration, which goes deeper on secure design and is built specifically for security architects.
- Cloud track: CCSP from (ISC)2 pairs cleanly with CISSP and is the obvious next move as workloads keep migrating to cloud.
- Audit and governance track: CISA from ISACA, which complements CISSP for GRC and audit-heavy roles.
Most people don't rush the next cert after CISSP. The credential carries
weight on its own for years. Use the time to ship real security leadership
work and earn the CPE credits you need to keep CISSP active. The cert pays off
when hiring managers see it alongside a real track record, not when it's the
only line on your resume.
Ready to start? Practice with real CISSP questions on NerdExam
or jump straight into the free per-question explanations.
The official exam outline from (ISC)2 is also worth reading first if you
haven't: review the CISSP exam outline here.
Top comments (0)