Certified Information Systems Security Professional (CISSP)
About CISSP
The Certified Information Systems Security Professional (CISSP) is the most globally recognized certification in the information security market. CISSP validates an information security professional's deep technical and managerial knowledge and experience to effectively design, engineer, and manage the overall security posture of an organization.
The broad spectrum of topics included in the CISSP Common Body of Knowledge (CBK) ensures its relevance across all disciplines in the field of information security. Successful candidates are competent in the following eight domains:
Candidates must have a minimum of five years of cumulative, full-time experience in two or more of the eight domains of the current CISSP Exam Outline. Earning a post-secondary degree or an additional credential from the ISC2 approved list may satisfy up to one year of the required experience. Part-time work and internships may also count towards the experience requirement.
A candidate who doesn't have the required experience to become a CISSP may become an Associate of ISC2 by successfully passing the CISSP examination. The Associate of ISC2 will then have six years to earn the five years of required experience.
Accreditation
CISSP was the first credential in the field of information security to meet the stringent requirements of ANSI/ISO/IEC Standard 17024.
Job Task Analysis (JTA)
ISC2 has an obligation to its membership to maintain the relevancy of the CISSP. Conducted at regular intervals, the Job Task Analysis (JTA) is a methodical and critical process of determining the tasks that are performed by security professionals who are engaged in the profession defined by the CISSP. The results of the JTA are used to update the examination.
CISSP Examination Information
Length of exam: 3 hours
Number of items: 100 - 150
Item format: Multiple choice and advanced innovative items
Passing grade: 700 out of 1000 points
Exam language availability: Chinese, English, German, Japanese, Spanish
Testing center: ISC2 Authorized PPC and PVTC Select Pearson VUE Testing Centers
Domains
1.1 - Understand, adhere to, and promote professional ethics
ISC2 Code of Professional Ethics
Organizational code of ethics
1.2 - Understand and apply security concepts
Confidentiality, integrity, availability, authenticity, and nonrepudiation
1.3 - Evaluate and apply security governance principles
Alignment of the security function to business strategy, goals, mission, and objectives
Risks associated with the acquisition of products and services from suppliers and providers (e.g., product tampering, counterfeits, implants)
Risk mitigations (e.g., third-party assessment and monitoring, minimum security requirements, service level requirements, silicon root of trust, physically unclonable function, software bill of materials)
1.12 - Establish and maintain a security awareness, education, and training program
Methods and techniques to increase awareness and training (e.g., social engineering, phishing, security champions, gamification)
Periodic content reviews to include emerging technologies and trends (e.g., cryptocurrency, artificial intelligence (AI), blockchain)
Program effectiveness evaluation
2.1 - Identify and classify information and assets
Data classification
Asset classification
2.2 - Establish information and asset handling requirements
2.3 - Provision information and assets securely
Information and asset ownership
Asset inventory (e.g., tangible, intangible)
Asset management
2.4 - Manage data lifecycle
Data roles (i.e., owners, controllers, custodians, processors, users/subjects)
Data collection
Data location
Data maintenance
Data retention
Data remanence
Data destruction
2.5 - Ensure appropriate asset retention (e.g., End of Life (EOL), End of Support)
2.6 - Determine data security controls and compliance requirements
Data states (e.g., in use, in transit, at rest)
Scoping and tailoring
Standards selection
Data protection methods (e.g., Digital Rights Management (DRM), Data Loss Prevention (DLP), Cloud Access Security Broker (CASB))
3.1 - Research, implement, and manage engineering processes using secure design principles
Threat modeling
Least privilege
Defense in depth
Secure defaults
Fail securely
Segregation of Duties (SoD)
Keep it simple and small
Zero trust or trust but verify
Privacy by design
Shared responsibility
Secure access service edge
3.2 - Understand the fundamental concepts of security models (e.g., Biba, Star Model, Bell-LaPadula)
3.3 - Select controls based upon systems security requirements
3.4 - Understand security capabilities of Information Systems (IS) (e.g., memory protection, Trusted Platform Module (TPM), encryption/decryption)
3.5 - Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements
Client-based systems
Server-based systems
Database systems
Cryptographic systems
Industrial Control Systems (ICS)
Cloud-based systems (e.g., SaaS, IaaS, PaaS)
Distributed systems
Internet of Things (IoT)
Microservices (e.g., API)
Containerization
Serverless
Embedded systems
High-Performance Computing systems
Edge computing systems
Virtualized systems
3.6 - Select and determine cryptographic solutions
Cryptographic life cycle (e.g., keys, algorithm selection)
7.8 - Operate and maintain detective and preventative measures
Firewalls
Intrusion detection/prevention systems
Antivirus/anti-malware
7.9 - Implement and support patch and vulnerability management
Patch management
Vulnerability management
Remediation
7.10 - Understand and participate in change management processes
Change management procedures
Change control board
Change documentation
7.11 - Implement recovery strategies
Backup and restore
Disaster recovery
Business continuity
7.12 - Implement disaster recovery processes
Disaster recovery planning
Disaster recovery testing
Disaster recovery execution
7.13 - Test disaster recovery plans
Testing methodologies
Test frequency
Test documentation
7.14 - Participate in business continuity planning and exercises
Business continuity planning
Business continuity exercises
Business continuity documentation
7.15 - Implement and manage physical security
Physical access controls
Environmental controls
Physical security monitoring
7.16 - Address personnel safety and security concerns
Personnel security policies
Security awareness training
Security incident reporting
8.1 - Understand and integrate security in the software development lifecycle (SDLC)
Development methodologies (e.g., Agile, DevOps, Waterfall)
Secure coding practices
Application programming interfaces (APIs)
Software assurance and validation
Software supply chain
8.2 - Identify and apply security controls in development environments
Development environment security
Version control
Build processes
8.3 - Assess the effectiveness of software security
Static and dynamic analysis
Software testing
Code review
8.4 - Assess security impact of acquired software
Software acquisition process
Third-party software security
Open source software security
8.5 - Define and apply secure coding guidelines and standards
Secure coding standards
Code quality tools
Code review processes
Additional Examination Information
Supplementary References
Candidates are encouraged to supplement their education and experience by reviewing relevant resources that pertain to the CBK and identifying areas of study that may need additional attention.
ISC2 recommends that CISSP candidates review exam policies and procedures prior to registering for the examination. Read the comprehensive breakdown of this important information at www.isc2.org/register-for-exam.
Exam Preparation
Preparation for the CISSP exam can be intensive. ISC2 provides a variety of resources including review manuals, online training, and interactive exam preparation resources. Candidates are encouraged to join study groups and participate in training sessions to enhance their preparation. Engaging in practical exercises and scenario-based questions is crucial for success on the exam. Additionally, using the WannaPractice platform can enhance your preparation with interactive practice questions and scenarios that are specifically tailored to the CISSP domains.