
How to Become a CISSP Certified Information Systems Security Professional

Published on December 05, 2023


If you’re looking to take your cybersecurity career to the next level, you may have come across information about the CISSP in the past. Despite more than 150,000 individuals holding this credential, it’s still widely misunderstood in the IT sector.

What exactly is this credential, and who is it designed for? How can it advance your career? And how do you maximise your chances of exam success?

Read on to learn the answers to these questions and more!

What is CISSP?

CISSP stands for Certified Information Systems Security Professional. The certification shows that you are equipped to lead information security for an organisation.

The focus on leadership is what makes the CISSP different from other professional certifications you may be familiar with. It shows that you’re able to build security systems, engineer solutions for particular problems, and spot ways to protect against novel threats.

Unlike the GRE or MCAT, the CISSP certification exam is designed to be an experiential one. It’s not a test you can study for in a traditional sense – the questions aim to assess the knowledge you’ve acquired over years in the industry.

A CISSP certification means that you’re at the top of the IT field and capable of developing and leading your cybersecurity strategies. There are very few credentials that can get you higher.


Who Administers The CISSP?

The International Information System Security Certification Consortium - also called ISC2 - administers the CISSP. ISC2 is a non-profit established out of the need to have one primary and vendor-neutral certification system for IT security professionals.

ISC2 is recognised as an accrediting body by both the ISO (International Organisation for Standardisation) and ANSI (American National Standards Institute).

In addition to the CISSP, the ISC2 administers several other IT professional certifications. If the CISSP isn’t a good fit for you right now, another cybersecurity certification might be!

What Does it Cover?

The CISSP covers eight domains that relate to key parts of cybersecurity. Each domain is then further broken down into skills that exam takers are expected to have. ISC2 provides a handy outline that shows you exactly what skills and principles are tested.

We’ll go into the domains in more detail a bit later on, but they are:

  • Domain 1 – Security and Risk Management
  • Domain 2 – Asset Security
  • Domain 3 – Security Architecture and Engineering
  • Domain 4 – Communication and Network Security
  • Domain 5 – Identity and Access Management
  • Domain 6 – Security Assessment and Testing
  • Domain 7 – Security Operations
  • Domain 8 – Software Development Security

Who Recognises the CISSP?

The CISSP designation is accredited by both ANSI and the ISO. It’s also approved by the US Department of Defense – a CISSP fulfils directive 8570.1.

In the UK, a CISSP is considered a Level 7 award equivalent to a master’s degree.

When is the CISSP Certification Exam Changing?

The CISSP is the premiere certification in a complex and fast-changing industry. It shouldn’t be surprising that the exam is constantly changing to better reflect current cybersecurity challenges.

The biggest change to the exam in 2023 was the addition of a computer adaptive test alongside the standard linear one. This means the questions you receive depend on your previous answers - the exam will get harder if you get a question right and easier if you get a question wrong. You’re already familiar with adaptive testing if you’ve taken the GRE or many other computer-based exams.

From April 15th, 2024, the CISSP certification exam will be based on a refreshed exam outline. This includes adjusted weighting percentages for each of the domains. You can see the update here.

Do I Need a CISSP?

Not for beginners

If you’re just starting in IT, the CISSP is not for you. It isn’t just an exam. You also have to have five years of industry experience, have an industry sponsor, and pass a security check. The expense and time to keep your CISSP current doesn’t make sense unless you have a higher-level job.

If you’re new to IT, you should take a look at the lower-level certifications awarded by ISC2.

Top IT jobs

A CISSP is an absolute must for many top-level IT jobs, including:

  • Chief Information Officer
  • Director of Security
  • Network Architect
  • IT Director

Mid-career IT professionals (those with 5+ years of experience) typically earn 26% more if they have a CISSP. IT job postings that require a CISSP also have higher salaries.

The average CISSP salary in the US is about $112,000 a year. With a growing shortage of cybersecurity professionals, that number is only going to get higher.

Independent security consulting

If you’re thinking of moving into independent security consulting, a CISSP is an absolute must. It shows that you’re a knowledgeable and credible cybersecurity professional.

ISC2 also provides plenty of networking opportunities to its members. It’s a great place to meet and learn from other cybersecurity professionals.


8 Domains of CISSP

In 2015, the CISSP certification exam changed from having ten categories to only eight. These eight domains aim to cover both the depth and breadth of information security.

1. Security and Risk Management

As an IT professional, you’re already familiar with a certain amount of risk management. It’s all about analysing and applying a monetary amount to various risks and then using those calculations to make security recommendations.

This is the largest domain covered in the CISSP, and it represents 15% of the exam (16% after April 15th, 2024). Expect the test to go beyond merely discussing the basics, like the risk management cycle – the CISSP requires you to demonstrate a holistic and high-level understanding of the topic. Subtopics include:

  • Codes of ethics
  • Evaluating principles of security governance
  • Determining compliance
  • Legal and regulatory issues about information security
  • Requirements for various kinds of investigations, including regulatory, civil, and criminal
  • Business continuity requirements
  • Supply chain risk management
  • Threat modelling concepts
  • Establishing security training programs

2. Asset Security

Assets are anything an organisation defines as valuable, including information, systems, and software. The second domain of the CISSP exam is all about how to protect them – you can expect 10% of the exam questions to be on this topic.

The first part of asset security is classifying assets based on their value. Questions will cover how to assign asset values, determine asset owners, and the proper steps of asset classification.

You’ll also be questioned on labelling (making security attributes readable for your information systems) and marking (making security attributes readable for humans).

The exam also covers:

  • Various methods for destroying and sanitising data
  • How to deal with data that remains in the cloud
  • Data archiving processes and considerations
  • Onion networks and protecting data in transit
  • Digital rights management
  • Data loss protection

3. Security Architecture and Engineering

The CISSP doesn’t just test your ability to understand and follow best practices for cybersecurity. It also tests your ability to build the security system itself. Approximately 13% of the questions cover this domain.

The CISSP exam covers the basic principles of security design and architecture, including:

  • Secure defaults
  • Zero trust
  • Privacy by design
  • Trust but verify

You can also expect the test to cover the major models of security architecture. The models you should know include:

  • Layer-based models like Bell-LaPadula and Biba
  • Rule-based models like Clark-Wilson, Brewer-Nash, and Graham-Denning

You’ll also be expected to understand system vulnerabilities and how they can be mitigated in security design. Some questions will drill in on design flaws related to emanating devices (devices that put out light, sound, radio waves, etc.) and mobile devices.

Finally, you’ll be tested on your knowledge of cryptography, including the potential flaws in various cryptographic systems, the most common cryptographic attacks and how to manage them.

4. Communications and Network Security

Domain 4 is one of the most technical on the CISSP exam, and it represents 13% of the material. If domain 3 focuses on how well you understand the big picture of information security, domain 4 is about the nitty-gritty of getting info from point A to point B securely.

Your understanding of secure network components, authentication protocols, safe transmission of data over WiFi, and the most common kinds of network security attacks is crucial to succeed.

Further subtopics include:

  • Implementing different types of secure communication lines
  • Understanding the different parts and components of a secure network
  • Understanding different security protocols and how to incorporate them into a network design

5. Identity and Access Management

The fifth domain is all about ensuring that data is only used by the correct people. That means making sure people on the network are who they say they are, as well as providing different kinds of security access to different users.

This domain is 13% of the questions on the CISSP exam. You need to know the basics of access control - the basic principles, applicability, and how to incorporate those into a manageable system.

A big chunk of the material the exam covers is on designing identification and authentication structures. This includes subtopics like:

  • Different kinds of authentication, like MFA and password-less
  • Federated identity services, both on-site and third-party
  • Credential management systems
  • Managing user sessions

Finally, you’ll have to show that you can manage the “access provisioning lifecycle.” This means that you can build a system that handles certain things with ease:

  • Onboarding employees
  • Removing employees from the IT system
  • Escalating and de-escalating user privileges

6. Security Assessment and Testing

Representing 12% of the exam, domain 6 is about how to properly test whether a computer system is secure. If you’re into ethical hacking, you may do quite well in questions in this domain!

The first subsection is on designing audit, assessment, and test strategies as well as determining when those strategies are effective. Security professionals need to develop strategies tailored to the unique threats an organisation may face. One size does not fit all when it comes to cybersecurity.

Using different test types and techniques can bring about different outcomes, so it is essential to know how to conduct security tests. You should know how to run spot checks like regression and compliance testing.

Finally, you’ll be tested on how to interpret the data you receive from testing. Subtopics will focus on:

  • How to assess key risk indicators (KRIs) alongside key performance indicators (KPIs)
  • How to remediate vulnerabilities
  • How to assess possible exceptions to security vulnerabilities
  • What your ethical responsibilities are when you find a significant software flaw
  • How to conduct and perform security audits

7. Security Operations

This domain counts for 13% of the CISSP exam and covers the “disaster management” part of cybersecurity. Think: developing and leading the response to a hacking attack, assisting regulators in an investigation, or implementing a patch to cover a software flaw.

The principles of digital forensics are a significant part of this domain. You’ll learn how law enforcement and regulators use digital forensics, as well as what you might use to investigate a security failure.

Another major section in Domain 7 is on business continuity. These are the practices for keeping a business up and running after a major incident, like a natural disaster or hacking incident. As you can imagine, cybersecurity is often at the heart of a continuity strategy.

You'll need to demonstrate how you participate in IT continuity planning and tabletop or simulation testing.

Other subtopics in the domain include:

  • Logging and monitoring activity on a network
  • How to apply resource protection concepts in your security operations
  • Detecting security breaches
  • Responding to and containing security breaches
  • Operating protective measures
  • Physical security measures
  • Ensuring employee awareness of security measures

8. Software Development Security

The last 10% of the CISSP is about software security. This section is more coding-heavy than other parts of the CISSP.

As an IT professional, you’re likely already familiar with the software development life cycle. On the CISSP exam, you’ll be expected to know how you can incorporate security techniques into every phase and how security strategies interact with different development strategies.

The exam also gets into the nuts and bolts of securing a development environment, including the databases that you might need. You’ll also have to show how you can test and determine whether a finished program is safe to use.

Other subtopics this domain covers include:


How Do I Get the CISSP?

The CISSP is only issued by ISC2. Avoid any organisation that claims to act as a proxy for ISC2 – even cybersecurity pros can wind up getting scammed.

CISSP Requirements

As we’ve discussed before, the CISSP is only relevant to mid- and late-career professionals. You must have a cumulative five years of work experience in at least two of the CISSP domains.

If you have a post-secondary degree in IT, computer science, or a related field, you may use it to substitute for one year of experience.

You can also take the CISSP exam and put your application for the credential on hold while you gain the needed experience.

CISSP Certification Cost

The CISSP exam itself costs $749. That does not include any exam training or prep, nor does it include the $125 annual maintenance fee needed to keep the credential current. The exam fee cannot be refunded if you fail. There is a $100 cancellation fee and a $50 fee for rescheduling an exam date.

Preparing for the Exam

With exam fees so pricey, it’s only wise you spend some time and energy preparing. ISC2 offers self-paced training courses (along with some free study material), and dozens of companies can also get you ready for the CISSP.

Costs for training programs can vary from a few hundred to a few thousand dollars. Investigate any programme closely to know what you’re getting for the money.

Remember that the CISSP exam is updated frequently – any training materials you use need to be current. That YouTuber you watched may have some great advice… for the 2021 exam. So keep up to date!

Taking the Exam

As of November 2023, the computer adaptive test (CAT) is only available in English. If you’re taking the CISSP exam in Spanish, German, Chinese, Korean, or Japanese, you need to take the standard computer-based exam.

The CAT has a maximum time limit of 4 hours. There’s no minimum time, and you can work at your own pace. The test varies in length from 125 to 175 multiple-choice questions, depending on your answers.

After April 15th, 2024, the maximum time limit will decrease to 3 hours, and the number of questions will go down to 100-150.

All ISC2 exams are scored out of 1,000 points. 700 and above is considered a passing score, and 699 and below is a failing score.

ISC2 doesn’t report how many questions you got correct or which ones you got wrong. But if you fail the exam, you’ll get a report of the percentage of questions you got right in each domain. This can help you study for next time.

Security Assessment

After you pass the CISSP exam, there are still a few more steps to get fully certified. You’ll have to fill out a certification application that specifies an endorser.

An endorser is another ISC2-certified professional (they don’t need to have a CISSP) who can attest to your experience and good standing in the professional community. If you don’t have anyone to endorse you, you can request that the organisation itself endorse you.

There’s a criminal background check, as well. You’ll be asked if you’ve ever been convicted of a crime and if you’ve ever been involved with computer crimes. ISC2 also wants to know if you’ve ever had your professional certifications revoked.

Ethics Agreement

All people certified by ISC2 are bound by the organisation’s code of ethics. These ethics include protecting the profession, acting honourably and legally, and protecting the common good.

If someone is believed to have violated the code of ethics, they can be referred to an ISC2 peer review panel that is empowered to revoke an individual’s certification.

Annual Fees

You’ll be assessed an annual maintenance fee (AMF) to keep your ISC2 certifications current. No matter how many certifications you have, you’ll pay $125 a year.

The AMF due date is the anniversary of your certification. If you have more than one certification, your fee is due on the earliest one in a calendar year.

Continuing Education

Your CISSP certification is valid for three years. After that, you’ll need to renew. You can renew by either retaking the exam or completing 120 Continuing Professional Education (CPE) credits (that’s 40 credits per year).

You can earn CPE credits by taking classes and working on projects in IT areas outside of your job responsibilities. Attending conferences, volunteering in your community, or volunteering for ISC2 are ways to get CPEs, too.

Depending on which CPE credits you pursue, conference fees and class tuition can get quite pricey. Be sure to budget for the full costs of maintaining your CISSP certification.

Become a True Security Professional

If you dream of becoming a CIO or reaching the top of the cybersecurity industry, CISSP is a must when you want to take the next step in your career.

Though the exam isn’t easy, you can study for it and pass it on your first try. Once you have your certification, the sky’s the limit.


Written by Richard McGlave

Founder & CEO at Continuity2

With over 30 years of experience as a Business Continuity and Resilience Practitioner, Richard knows the discipline like the back of his hand, and even helped standardise BS25999 and ISO 22301. Richard also specialises in the lean implementation of Business Continuity, IT Service Continuity and Security Management Systems for over 70 organisations worldwide.
