CISSP certification updates for 2024: Exam cost, requirements and recommended learning resources

The Certified Information Systems Security Professional ‘gold standard’ certification demonstrates your skills, testifies to your experience, and opens career advancement opportunities, including higher salary.

What is the CISSP?

Certified Information Systems Security Professional (CISSP) is an advanced certification for IT and cybersecurity professionals that demonstrates their ability to design, implement, and manage an enterprise cybersecurity program.

The CISSP is offered by the International Information System Security Certification Consortium ISC2, a nonprofit focused on certification and training for cybersecurity professionals. The most widely known certification offered by ISC2 with more than 20 years of history behind it, CISSP is perennially among the most valuable IT certifications.

To achieve this certification, candidates must build up relevant industry experience and demonstrate competence across a range of technical areas, as well as management.

Who should get a CISSP?

CISSP has been called the “gold standard” of security certifications. Many cybersecurity jobs list CISSP as a prerequisite, or at least as highly recommended. For those interested in a career path in the US federal government, CISSP certification is of particular benefit. Because of the broad technical knowledge required for CISSP certification, it’s the mark of an advanced infosec generalist who would be useful in many roles.

CISSP, however, isn’t for everyone. The technical depth and work experience it requires means it isn’t a cert for early career professionals, for whom a CompTIA Security+ certification might be more appropriate. The CISSP exam also covers management skills as well as technical know-how — another reason you’ll need some experience under your belt before you embark on your CISSP journey.

Benefits of CISSP certification

Earning a CISSP credential can have several beneficial impacts on your career, including:

  • Career advancement and recognition: CISSP certification validates your prowess as a cybersecurity professional and can open up opportunities to higher-paying positions with greater responsibilities and increased prominence in the organization.
  • Improved job candidacy: CISSP certification signals to potential employers your prowess with and commitment to the craft of cybersecurity. The fact that the CISSP requires five years of hands-on experience will also help you stand out in your job search.
  • Increased knowledge and skills: The training process involved in achieving CISSP certification will expose you to a wide range of technical skills, thereby elevating your knowledge as a security pro, including areas such as security architecture, risk management, and cryptography.
  • Additional job security: By demonstrating your commitment to IT security and validating your skills are up-to-date, CISSP certification can not only make you a more valuable member of your security team but also ensure you are perceived as one, thereby improving your job security longer term.
  • Networking opportunities: By achieving your CISSP and joining the various communities for CISSP certification holders, including the ISC2 community, you will gain access to opportunities for knowledge sharing, collaboration, mentorship, and employment.

CISSP exam cost

Registration for the CISSP is $749 in the United States, and the same price or a close equivalent in local currency elsewhere. ISC2 also charges a reschedule fee of US$50 (or local equivalent), with a cancellation fee of US$100 (or local equivalent). But that is just for the exam. Most study guides and training courses for the CISSP exam are not free and should be considered when weighing whether to pursue the certification.

To maintain their certification, CISSP holders must pay an annual maintenance fee of US$135, due on the anniversary of their certification date. (Those with multiple ISC2 certifications pay that fee once per year for all of them.) If you’ve passed the exam but haven’t met the work experience requirement yet, you’re considered an “Associate of ISC2” and pay only US$50 a year until you do achieve the experience requirements.

Is CISSP worth it? CISSP salary

Not all certs are created equal, but the nearly universal assessment is that the not-insignificant costs associated with the CISSP certification will come back to those who are certified in the form of higher compensation. According to ZipRecruiter, CISSPs make on average $112,000 a year. SkillSoft, however, pegs the average salary of a CISSP holder at $156,669 in its IT Skills and Salary Report, among the top 15 for certifications across IT.

Beyond salary, CISSP certification is the most popular certification requirement for cybersecurity job postings, thereby opening avenues of employment to CISSP holders that would otherwise not be available without the credential.

Anecdotally, many CISSP holders feel like the certification validates a career’s worth of hard work, demonstrating not just their knowledge but their experience. Especially if you’re trying to break into infosec from an adjacent field elsewhere in IT, that can go a long way.

CISSP vs. CISM

Because CISSP covers some management-related material, you may be wondering about the difference between it and Certified Information Security Manager (CISM), another popular infosec certification. In a nutshell, a CISSP certification demonstrates in-depth technical knowledge over a broad range of security domains, along with an understanding of managerial responsibilities. CISM, on the other hand, is more strongly oriented towards managers, with an emphasis on understanding infosec incentives from a business point of view.

How to earn CISSP certification

To earn the CISSP, candidates must meet specific work experience requirements and pass the exam. Once the exam has been passed, candidates are qualified to apply for the certification. As part of this process, candidates must have their required work experience endorsed by a CISSP-certified professional in good standing. If they do not know such a person, ISC2 can perform the endorsement instead.

CISSP requirements

As noted above, CISSP is not a certification aimed at entry-level IT and cybersecurity professionals, as mandated by ISC2. To receive CISSP certification, you need to have five years of full-time work experience in at least two of the eight CISSP domains tested in the exam (see below). You may also apply internships and part-time experience toward this requirement, and a college degree or another ISC2-approved certification can substitute for a year of experience. The ISC2 website has the nitty-gritty details. Candidates must also pass the CISSP exam.

Candidates who do not have the requisite work experience can apply to be an Associate of ISC2. Under ISC2’s guidelines, Associates have up to six years to gain the work experience necessary to qualify for the CISSP.

CISSP exam

The CISSP exam covers eight domains from the CISSP Common Body of Knowledge, with the following average exam weights:

  • Security and risk management (16%)
  • Asset security (10%)
  • Security architecture and engineering (13%)
  • Communication and network security (13%)
  • Identity and access management (13%)
  • Security assessment and testing (12%)
  • Security operations (13%)
  • Software development security (10%)

The English-language version of the CISSP exam uses computerized adaptive testing (CAT). In this format, the test is taken on a computer that keeps track of your performance and adjusts the questions it asks you accordingly. In all other languages, the exam is conducted in a linear, fixed form, in which all candidates answer the same set of questions regardless of how they answer.

  • Exam length: 3 hours
  • Number of questions: 100-150
  • Question format: multiple choice and advanced innovative items
  • Passing grade: 70% (700 of 1000 points)
  • Languages: Chinese, English, German, Japanese, Spanish

Note: “Advanced innovative items” consist of identifying elements of diagrams and dragging-and-dropping answers from one side of a screen to boxes on the other.

ISC2 offers a resource page with practical information about how to schedule your exam, what to expect in terms of formats, and what taking the exam is like. If you’re interested in getting real-world reports of how the test-taking experience played out, you might want to check out this LinkedIn post from Dex Yuan, as well as pseudonymous reports from the ISC2 community forums and Reddit. One great thing about the test: You get a preliminary score at the testing site, so you know whether you passed.


Official CISSP training courses

If you’re looking for formal training for the CISSP, ISC2 offers an official self-paced CISSP training course as well as authorized instructor-led training both online and in classrooms. The self-paced ISC2 option costs $995, giving you access to the course materials for 180 days. ISC2 members receive a 20% discount. Online courses come in 5-day intensive and 8-week versions, and are led by an instructor who holds a CISSP. Classroom-based courses are offered in person as 6-day intensives, taught by an ISC2 authorized instructor. Both online and classroom training options include applied scenarios, interactive exercises, quizzes, and a 180-question post-course assessment with feedback. Pricing for online and classroom training is available through ISC2, but is considerably more than the self-paced option.

Numerous third-party training courses and bootcamps are also available, too many to list here. These range from online MOOCs to in-person classroom training from ISC2-approved training vendors. Popular CISSP instructors online include Thor Pedersen, whose courses are available via Udemy, Mike Chapple on LinkedIn Learning, and Kelly Handerhan on Cybrary. Alpine Security provides a guide for figuring out whether a CISSP training course is a good fit for you.

How long should I study for the CISSP?

If you’re an infosec pro with lots of experience, you’ll have a wealth of real-world know-how to draw from in answering questions on the CISSP exam. That said, few people will be equally experienced in all the test domains, and just about everyone needs a refresher before taking a big test like this.

The amount of time you’ll need to put into studying for the test will of course depend on your own preparedness and study style. In an essay on LinkedIn, cloud architect Sujith Prasad recommends putting most of your free time towards studying for a few months leading up to the exam. An ISC2 community forums poster said they put in around 150-160 hours in total preparing in the months leading up to the exam. Saaz Rai, writing on Quora, says he passed after studying 6 to 7 hours a day for about three weeks. On the other hand, a poster on the Infosec Institute’s community forums says they passed after studying for a “couple of weekends.”

CISSP study guide

Many test takers will want a guide to structure their preparation. ISC2 puts out an official study guide to help you, but that’s by no means your only option. The CISSP All-in-One Exam Guide is widely beloved, and has a companion set of practice exams. SSI Logic has a book with 1,000 practice questions and detailed solutions you can grind your way through.