CISSP
Certified Information Systems Security Professional
Breadth across security engineering, architecture, operations, and governance at senior-IC / manager level. The default senior-generalist signal.
› Quality score
Four-axis SecProve rubric, each 0–10. SecProve editorial assessment — each axis carries a written justification so you can push back on any single call without dismissing the whole score.
› Market signals
public, citable inputs to the recognition score› Built for these roles
› Exam format
CAT (Computer Adaptive Test): 100–150 questions, 3 hours, English. Linear test for non-English exams (250 questions, 6 hours). Pearson VUE proctored at a test center.
30 days for first retake, 60 for second, 90 for third in a 12-month rolling window.
› Recertification
Maintain by earning 120 CPEs over a three-year cycle (avg 40/yr) and paying the $135/yr Annual Maintenance Fee. Lapse triggers a one-year suspension before re-credentialing.
› 3-year cost of ownership
Excludes study materials, training, retake risk, and lost-wage opportunity. Use as a floor estimate.
› NICE Framework work roles
The NIST NICE work-role IDs this cert maps to. NICCS lookup.
› Core domains covered
The 10 domains this cert is centrally about. Passing the exam demonstrates working knowledge of each.
Risk frameworks (NIST RMF, ISO 31000, FAIR), policy development, audit, regulatory compliance, third-party risk.
Firewalls, IDS/IPS, network segmentation, DNS security, SD-WAN, VPN, traffic analysis, wireless security.
Zero trust principles, micro-segmentation, NIST SP 800-207, ZTNA, continuous verification, BeyondCorp.
OWASP Top 10, secure SDLC, SAST/DAST/IAST, API security, code review, DevSecOps.
AuthN/AuthZ, SSO, MFA, PAM, RBAC/ABAC, identity governance, FIDO2/passkeys, plus non-human identity: service accounts, workload identity, agent / plugin identities.
SOC operations, SIEM tuning, SOAR playbooks, alert triage, log analysis, runbook development.
SIGMA/YARA/Suricata rule writing, hypothesis-driven hunting, log deep-dives, detection gap analysis.
Data classification, encryption-at-rest/in-transit, DLP, tokenization, privacy-by-design, plus the regulatory stack (GDPR, CCPA, HIPAA) that sets the bar.
Symmetric/asymmetric, PKI, TLS/SSL, hashing, post-quantum cryptography, key management.
Reference architectures, control frameworks (NIST SP 800-53, CIS Controls), secure-by-design patterns, threat modeling, trust-boundary design, technology standards.
› Also touched
Present in the blueprint but not the primary focus — you’ll be introduced but shouldn’t expect depth.
AWS/Azure/GCP security controls, IAM policies, CSPM, container security, shared responsibility model.
SBOM, vendor risk assessment, software supply chain attacks, dependency management.
Cyber risk quantification, board communication, security program development, budget & ROI.
Methodology (OSSTMM, PTES), web/network/mobile pentesting, social engineering, purple teaming.
IR playbooks, memory/disk/network forensics, chain of custody, malware analysis.
› Known coverage gaps
Domains this cert does not meaningfully address. Plan follow-up learning here if your role touches any of them.
› Prerequisites
Five years of paid work experience across two or more CISSP domains (one year can be waived with a qualifying degree or cert).
- Security engineering fundamentals across the 8 CISSP domains
- Networking, OS, and application architecture
- Risk management and audit concepts
› Progression
requiredrecommendedWhere this cert fits in the typical learning path. Required edges are vendor-gated; recommended edges reflect de facto industry progression.
No vendor-gated prereqs.
› Study materials
Curated starting points. Not exhaustive — vet each against your learning style and the current exam version.
- Official (ISC)² CISSP Study Guide, 10th Ed. (Chapple, Stewart, Gibson) — Sybex / ISC2
- (ISC)² CISSP Official Practice Tests, 4th Ed. — Sybex
› Version & lifecycle
ISC2 refreshes the CBK on a ~3-year cadence; next refresh expected 2027.
› Salary signal
Senior security engineer / architect, US, 5+ years experience.
ISC2 Cybersecurity Workforce Study + Robert Half Salary Guide · 2024 · US base only · p25–p75 range
› How it compares
Manager-track focus on security program management vs CISSP's broader senior-IC + architecture coverage.
↔ Compare side-by-sideCloud-deep specialization vs CISSP's vendor-neutral breadth across all eight CBK domains.
↔ Compare side-by-sideVendor-neutral senior-IC alternative without AMF, but lower hiring-manager recognition outside DoD.
↔ Compare side-by-side› Careers that commonly pursue this cert
Design, build, and maintain security infrastructure. The architects of an organization's defensive posture.
Lead security strategy, communicate risk to the board, and build security programs. Executive-level cybersecurity leadership.
Prepare for the post-quantum era. Understand quantum threats and lead cryptographic migration efforts.
Senior design role — defines how pillar A components fit together across identity, crypto, network, cloud, and data — and, increasingly, how pillar C bolts into it.
› Common exam traps to study
Cybersecurity cert exams reuse the same 25 distractor patterns over and over — category confusion, RTO vs RPO, IDS vs IPS, MD5 vs SHA-256, and more. Once you can name the trap, you stop falling for it. Each archetype page covers what it is, the specific pairs candidates confuse, and how to avoid it.
See this cert’s domains highlighted on the interactive map, or compare it against the rest of the catalog.