
CISSP
Exam code: CISSP
The gold standard for security management professionals. CISSP validates your ability to design, implement, and manage a best-in-class cybersecurity program.

$749
CISSP (Certified Information Systems Security Professional) is the world's premier cybersecurity management certification. Maintained by ISC2, it demonstrates expert knowledge across all aspects of information security.
CISSP is often called the "MBA of cybersecurity" because it:
The part nobody warns first-timers about isn't the exam fee; it's the running cost. Yes, the exam is still $749 USD (~€690) at Pearson VUE plus regional taxes, but once you pass you're committing to a $135/year Annual Maintenance Fee (or $50 for Associates of ISC2) and 120 CPE credits across every three-year cycle, split 90 Group A and 30 Group B. Plan that into your career budget before you sit. The 8-domain CBK refreshed in April 2024 is still the version on the test in 2026, and the Robert Half 2026 Technology Salary Guide puts US cybersecurity engineers in the $118,500–$190,750 band; the ISC2 2025 Cybersecurity Workforce Study finds that demand for senior CISSP-aligned roles is holding up even where junior hiring has slowed. If you're choosing between CISSP and a more hands-on certification, that "senior" framing is the thing to pay attention to: CISSP unlocks the higher band, not the door into the field.
CISSP is designed for experienced security professionals:
Experience requirement: 5 years in 2+ of the 8 CISSP domains. A 4-year degree substitutes 1 year.
The CISSP CAT (Computerized Adaptive Testing) exam:
| Experience Level | Recommended Study Time |
|---|---|
| 5+ years security experience | 8-12 weeks |
| Adjacent IT experience | 16-20 weeks |
| Less experience | Consider Associate of ISC2 path |
CISSP is among the highest-paying IT certifications:
The English CISSP exam uses Computerized Adaptive Testing (CAT), which adjusts question difficulty based on your performance. You will answer between 100 and 150 questions within 3 hours at a Pearson VUE testing center. If the algorithm determines with statistical confidence that you will pass or fail, the exam can end as early as question 100. If the algorithm remains uncertain, it continues to question 150.
Every question counts equally. There is no penalty for wrong answers. You cannot go back to previous questions; once you submit an answer, it is final. This is a critical difference from most certifications. The questions are scenario-based and require you to think like a security manager, not a technician. You must choose the "best" answer from options that may all seem partially correct.
With a maximum of 150 questions in 180 minutes, you have roughly 72 seconds per question. The CAT format means the first 50 to 75 questions are the most critical, because the algorithm is still calibrating your ability level. Resist the temptation to rush. Read each question fully, identify what is actually being asked (the "stem"), eliminate obviously wrong answers, and choose the most managerial, risk-based response.
If a question confuses you, take your best educated guess and move on. Spending 3 minutes on a single question when you cannot return to it is a poor use of time. Many candidates finish in 100 to 125 questions, so if the exam continues past 125, do not panic; the algorithm may simply need more data points.
The number one mistake is answering from a technical perspective rather than a managerial one. CISSP tests whether you can think like a CISO. When a question asks "What should you do FIRST?", the answer is almost never "patch the server" or "run a scan." It is usually "assess the risk," "notify management," or "follow the incident response plan." Think policy before technology, people before tools, prevention before detection.
Another common error is neglecting the "Security and Risk Management" domain, which carries the highest weight (15%) and underpins every other domain.
CISSP requires a fundamentally different study approach than technical certifications. Instead of memorizing facts, you must internalize frameworks, processes, and decision-making methodologies. The recommended path is: (1) read a comprehensive study guide cover to cover, (2) take domain-by-domain practice quizzes to identify weak areas, (3) deep-dive into weak domains, (4) take full-length practice exams, (5) review with a "think like a manager" mindset.
Study Guides:
Video Courses:
Practice Questions:
| Background | Weekly Hours | Duration | Total Hours |
|---|---|---|---|
| 5+ years security experience | 10 to 15 | 8 to 12 weeks | 100 to 150 |
| IT management/adjacent | 15 to 20 | 16 to 20 weeks | 250 to 300 |
| Associate path (less experience) | 15 to 20 | 20 to 24 weeks | 350 to 400 |
CISSP is one of the few certifications where group study significantly improves pass rates. Discussing scenario questions with peers helps you understand different perspectives on "best" answers. Join the ISC2 study groups, local ISSA chapter study sessions, or online communities on Discord and Reddit.
CISSP is the most requested certification for senior security positions globally. Roles that frequently require it include: Chief Information Security Officer (CISO), Security Director, Security Architect, Security Manager, GRC (Governance, Risk, and Compliance) Director, IT Risk Manager, and Senior Security Consultant. Federal agencies and large enterprises often list CISSP as a non-negotiable requirement.
| Region | Before CISSP | After CISSP | Increase |
|---|---|---|---|
| United States | $95,000 | $131,000 | +38% |
| European Union | EUR 70,000 | EUR 95,000 | +36% |
| United Kingdom | GBP 65,000 | GBP 90,000 | +38% |
| Remote (global, senior) | $100,000 | $140,000 | +40% |
For leadership and management positions, CISSP is the gold standard credential. It signals that you have both the breadth of knowledge and the years of experience to make strategic security decisions. Many organizations mandate CISSP for anyone at the Director level or above in their security organization. In consulting, CISSP significantly increases your billing rate and credibility with clients.
CISSP is typically earned mid-career and unlocks the path to executive roles. A common trajectory: Security Analyst/Engineer (pre-CISSP), then Security Manager or Architect (with CISSP), then Director of Security or VP of Information Security, then CISO. CISSP holders who combine it with business acumen (MBA, PMP, or CISM) often reach C-suite positions within 5 to 7 years of certification.
| Item | 2026 Cost |
|---|---|
| CISSP exam fee | ~€690 ($749 USD) |
| Annual Maintenance Fee (full holder) | ~€124/year ($135 USD) |
| Annual Maintenance Fee (Associate of ISC2) | ~€46/year ($50 USD) |
| Study guide (Shon Harris All-in-One, latest edition) | $50 to $65 |
| Practice exams (Boson) | $99 |
| Optional: video course (Udemy, on sale) | $15 to $30 |
| Optional: ISC2 Official Practice Tests | $40 |
| Total (self-study, minimal, year 1) | $933 to $998 |
| Total (comprehensive preparation, year 1) | $1,038 to $1,068 |
CISSP requires ongoing maintenance. You must earn 120 Continuing Professional Education (CPE) credits per three-year cycle (40 credits per year) and pay an Annual Maintenance Fee. The AMF is ~€124 ($135 USD) per year for full CISSP holders and ~€46 ($50 USD) per year for Associates of ISC2. Of the 120 CPE credits, 90 must be Group A credits (directly relevant to the eight CISSP domains) and 30 may be Group B credits (general professional development). CPE credits can be earned through: attending conferences, completing training courses, publishing security research, participating in ISC2 webinars (free), volunteering for ISC2 chapters, and mentoring other professionals. Many activities you already do in your security role count.
With an average salary increase of ~€33,000 ($36,000 USD) per year and a total investment of approximately ~€920 ($1,000 USD) for the exam and materials, CISSP delivers a 3,500%+ return in the first year. Over a 10-year career, the cumulative salary premium attributable to CISSP exceeds ~€330,000. The ongoing renewal cost of ~€124 ($135 USD) per year is negligible compared to the return.
Due to the high value CISSP brings to an organization, many employers will sponsor the exam fee and study materials. Present the case in terms of compliance requirements (many frameworks require certified personnel), reduced risk (CISSP holders make better security decisions), and competitive positioning (clients and partners expect certified leadership). Over 70% of CISSP holders report that their employer paid for the certification.
The 2024 CISSP exam outline (current as of 2026) covers eight domains with the following weight distribution:
| Domain | Weight | Focus |
|---|---|---|
| 1. Security and Risk Management | 15% | Governance, risk frameworks, ethics, BCP, compliance |
| 2. Asset Security | 10% | Information lifecycle, classification, retention, privacy |
| 3. Security Architecture and Engineering | 13% | Secure design principles, cryptography, security models |
| 4. Communication and Network Security | 13% | Network architecture, secure communication channels |
| 5. Identity and Access Management (IAM) | 13% | Identity provisioning, federation, authorization |
| 6. Security Assessment and Testing | 12% | Testing strategies, audit, vulnerability assessment |
| 7. Security Operations | 13% | Investigations, logging, incident management, BCP/DR |
| 8. Software Development Security | 11% | Secure SDLC, security in development environments |
The exam tests breadth, not depth, in any single domain. Most candidates fail because they over-prepare on technical detail and under-prepare on the strategic, manager-level thinking the exam rewards. The "Think Like a Manager" framing is essential for the long-form scenario questions.
CISSP is a long-term credential, realistic 5 to 7 years after entry into the field once the experience requirement is met. A foundational bootcamp does not replace that experience but accelerates the path significantly. The Unihackers Cybersecurity Bootcamp builds breadth across all eight CISSP domains in concept form:
For most candidates, the realistic path is: Security+ at bootcamp completion, CySA+ or GCIH within twelve months, then CISSP after the five-year experience requirement is met. Read the pre-enrollment pathway for context on how to set up this multi-year arc.
Before scheduling your CISSP exam, you should be able to:
The 5-year requirement is real and enforced during the endorsement process after you pass. You need 5 years of cumulative, paid, full-time work experience in at least 2 of the 8 CISSP domains. A 4-year degree (or ISC2-approved credential like Security+ or CCNA Security) substitutes for 1 year. If you lack the experience, you can still take the exam and hold the Associate of ISC2 designation for up to 6 years while building your experience.
Start studying at least 3 months before your target exam date. Spend months 1 to 2 on content review (one domain per week) and month 3 on intensive practice exams and weak-area review. Schedule the exam for a date you cannot easily postpone to create accountability.
CISSP is a marathon, not a sprint. The breadth of material can feel overwhelming. Break it into domains and focus on understanding the "why" rather than memorizing the "what." On exam day, remember: you are a security executive making risk-based decisions. When in doubt, choose the answer that a thoughtful CISO would select, not what a system administrator would do. The exam is testing judgment, not recall.
The CAT format means the first 25 questions disproportionately influence your score trajectory. Answer these carefully and deliberately. If you get easy questions early on, it means the algorithm has placed you at a lower ability estimate; each correct answer raises it significantly.
CISSP questions almost never have a purely technical answer. If you find yourself choosing an answer because it is the most technically precise, reconsider. The correct answer is usually the one that involves process, governance, or risk-based thinking.
The exam draws heavily from real-world governance frameworks: NIST, ISO 27001, COBIT, and ITIL. Understanding these frameworks at a conceptual level (not memorizing every control) gives you an enormous advantage.
Schedule for a weekday morning when the testing center is typically quieter. Avoid scheduling during tax season, year-end, or any period when work stress is unusually high. Many successful candidates recommend scheduling for Tuesday or Wednesday at 9:00 AM. The 3-hour exam window plus check-in means you will finish by early afternoon, with time to decompress.
Read the last sentence of each question first; it tells you what is actually being asked. Then read the full scenario. Eliminate answers that are technically focused when the question asks for a management decision. Between two seemingly correct answers, choose the one that addresses the root cause or the broader organizational risk, not the symptom.
| Metric | EUR | USD |
|---|---|---|
| Average before | €68,000 | $95,000 |
| Average after | €94,000 | $131,000 |
| Average increase | €26,000 (+38%) | $36,000 |
Source: ISC2 Cybersecurity Workforce Study 2024
The CISSP exam fee is ~€690 ($749 USD), payable to ISC2. This covers one exam attempt at Pearson VUE testing centers. Pricing and applicable taxes vary by location of exam administration.
Full CISSP holders pay an Annual Maintenance Fee (AMF) of ~€124 ($135 USD) per year. Associates of ISC2 (those who passed the exam but have not yet completed the 5-year experience requirement) pay ~€46 ($50 USD) per year.
CISSP is considered one of the most challenging security certifications. It requires 5 years of experience and covers 8 broad domains at a strategic level.
Domain 1 is Security and Risk Management (15%). Domain 2 is Asset Security (10%). Domain 3 is Security Architecture and Engineering (13%). Domain 4 is Communication and Network Security (13%). Domain 5 is Identity and Access Management (13%). Domain 6 is Security Assessment and Testing (12%). Domain 7 is Security Operations (13%). Domain 8 is Software Development Security (11%).
Yes, you can pass the exam and become an Associate of ISC2 while gaining the required experience. A 4-year degree in computer science or IT may substitute up to 1 year, and an ISC2-approved credential may substitute another 1 year. The Associate has up to six years to acquire the remaining experience and become a full CISSP.
CISSP holders must earn 120 Continuing Professional Education (CPE) credits per three-year cycle, equivalent to 40 credits per year. Of those, 90 must be Group A credits (directly relevant to the eight CISSP domains) and 30 may be Group B credits (general professional development). Credits can be earned through training, conferences, publications, teaching, and approved volunteer work.
Yes. CISSP holders earn an average base salary of ~€120,000 ($131,000 USD), a 22% to 38% premium over generalist security roles, and the credential is required or strongly preferred for most senior security manager, security architect, and CISO positions.
CISSP is a long-term credential. The 5-year experience requirement means CISSP is realistic 5 to 7 years after entry into the field. A foundational bootcamp like the Unihackers Cybersecurity Bootcamp builds the technical breadth across 8 domains that CISSP later demands at a strategic level. Most pragmatic candidates earn Security+, then CySA+ or GCIH, then CISSP after meeting the experience bar.
Authoritative sources for exam objectives, study guides, and hands-on labs.
Official 8-domain Common Body of Knowledge with weight breakdown.
Eligibility, endorsement process, and current pricing from the issuing body.
Sample questions, flashcards, and recommended texts curated by ISC2.
Reference catalog used in Security Architecture and Risk Management domains.
Annual workforce data on hiring, skills gaps, AI adoption, and CISSP demand signals for 2026.
CSF 2.0 governance, identify, protect, detect, respond, recover functions tested across CISSP Domains 1, 6, and 7.
Authoritative source for current AMF amounts, billing cycle, and CPE submission rules.
Foundation path
CISSP rewards practitioners who already have hands-on defensive or offensive experience. The Unihackers Cybersecurity Bootcamp gives you 360 hours of structured training, CompTIA Security+ as a foundational credential, and the lab depth that makes the next certification realistic to attempt.