SecProve
ExpertVendor-neutralISO 17024ISC2· issued from US

CISSP

Certified Information Systems Security Professional

Breadth across security engineering, architecture, operations, and governance at senior-IC / manager level. The default senior-generalist signal.

Official page at ISC2↔ Compare with another cert
Exam fee
$749
Ongoing
$135/yr AMF · 40 CPE/yr
Study time
150–300 hrs
Delivery
Test center
Validity
3 yrs (renewal cycle)

› Quality score

28.0 / 40

Four-axis SecProve rubric, each 0–10. SecProve editorial assessment — each axis carries a written justification so you can push back on any single call without dismissing the whole score.

Blueprint rigor
How well-defined and rigorous the exam blueprint is.
Eight published CBK domains, ISO 17024 accredited, refreshed every 3 years. Industry-defining blueprint.
9.0/10
Practical evidence
Hands-on labs / written reports vs pure MCQ.
Pure MCQ / CAT format. The exam tests recognition, not lab skill — a long-running criticism the issuer hasn't addressed.
1.5/10
Currency & upkeep
How aggressively content is kept current with the field.
Domain refreshes on a steady 3-year cadence; current version (2024) folds in cloud and supply-chain content meaningfully.
8.0/10
Market recognition
How often this signal actually moves a hiring decision.
The senior-generalist signal hiring managers actually act on. Often a hard requirement on US federal and large-enterprise listings. [Holders: 190k, 2024-12] [DoD 8140 listed]
9.5/10

› Market signals

public, citable inputs to the recognition score
Holders worldwide
190,000
as of 2024-12 · source
DoD 8140 baseline
Listed
IAT-III, IAM-II, IAM-III

› Built for these roles

Senior Security EngineerSecurity ArchitectInformation Security ManagerDirector of Security / Deputy CISOSecurity Consultant

› Exam format

CAT (Computer Adaptive Test): 100–150 questions, 3 hours, English. Linear test for non-English exams (250 questions, 6 hours). Pearson VUE proctored at a test center.

Passing score
700/1000 (CAT-derived)
Retake policy
Fee: $749 per attempt
Wait: 30d between attempts
Cap: 4 attempts/year

30 days for first retake, 60 for second, 90 for third in a 12-month rolling window.

› Recertification

Maintain by earning 120 CPEs over a three-year cycle (avg 40/yr) and paying the $135/yr Annual Maintenance Fee. Lapse triggers a one-year suspension before re-credentialing.

› 3-year cost of ownership

Exam (1×)
$749
AMF (3×)
$405@$135/yr
Total
$1154

Excludes study materials, training, retake risk, and lost-wage opportunity. Use as a floor estimate.

› NICE Framework work roles

The NIST NICE work-role IDs this cert maps to. NICCS lookup.

OG-WRL-007OG-WRL-010OG-WRL-014DD-WRL-004PD-WRL-002
Recognition
GlobalUSEUUKDACH
Exam languages
enjazhesde

› Core domains covered

The 10 domains this cert is centrally about. Passing the exam demonstrates working knowledge of each.

A1Governance, Risk & Compliance

Risk frameworks (NIST RMF, ISO 31000, FAIR), policy development, audit, regulatory compliance, third-party risk.

A2Network Security

Firewalls, IDS/IPS, network segmentation, DNS security, SD-WAN, VPN, traffic analysis, wireless security.

A3Zero Trust Architecture

Zero trust principles, micro-segmentation, NIST SP 800-207, ZTNA, continuous verification, BeyondCorp.

A4Application Security

OWASP Top 10, secure SDLC, SAST/DAST/IAST, API security, code review, DevSecOps.

A6Identity & Access Management

AuthN/AuthZ, SSO, MFA, PAM, RBAC/ABAC, identity governance, FIDO2/passkeys, plus non-human identity: service accounts, workload identity, agent / plugin identities.

A10Security Operations

SOC operations, SIEM tuning, SOAR playbooks, alert triage, log analysis, runbook development.

A11Detection Engineering & Threat Hunting

SIGMA/YARA/Suricata rule writing, hypothesis-driven hunting, log deep-dives, detection gap analysis.

A12Data Security, Privacy & Protection

Data classification, encryption-at-rest/in-transit, DLP, tokenization, privacy-by-design, plus the regulatory stack (GDPR, CCPA, HIPAA) that sets the bar.

A15Cryptography

Symmetric/asymmetric, PKI, TLS/SSL, hashing, post-quantum cryptography, key management.

A25Security Architecture & Engineering

Reference architectures, control frameworks (NIST SP 800-53, CIS Controls), secure-by-design patterns, threat modeling, trust-boundary design, technology standards.

› Also touched

Present in the blueprint but not the primary focus — you’ll be introduced but shouldn’t expect depth.

A5Cloud Security

AWS/Azure/GCP security controls, IAM policies, CSPM, container security, shared responsibility model.

A13Supply Chain Security

SBOM, vendor risk assessment, software supply chain attacks, dependency management.

A18Security Leadership

Cyber risk quantification, board communication, security program development, budget & ROI.

A9Penetration Testing & Red Teaming

Methodology (OSSTMM, PTES), web/network/mobile pentesting, social engineering, purple teaming.

A7Incident Response & Forensics

IR playbooks, memory/disk/network forensics, chain of custody, malware analysis.

› Known coverage gaps

Domains this cert does not meaningfully address. Plan follow-up learning here if your role touches any of them.

A14OT/ICS SecurityA21Malware Analysis & Reverse EngineeringB1AI-Powered Threat DetectionB2AI-Driven Security AutomationB3AI for Vulnerability ManagementC1Adversarial Machine LearningC2LLM-Specific AttacksC5AI Red TeamingC11Agentic AI SecurityD2Post-Quantum Cryptography

› Prerequisites

Experience

Five years of paid work experience across two or more CISSP domains (one year can be waived with a qualifying degree or cert).

Knowledge assumed
  • Security engineering fundamentals across the 8 CISSP domains
  • Networking, OS, and application architecture
  • Risk management and audit concepts

› Progression

requiredrecommended

Where this cert fits in the typical learning path. Required edges are vendor-gated; recommended edges reflect de facto industry progression.

Required prereqs (0)

No vendor-gated prereqs.

Recommended priors (2)
Security+CompTIACySA+CompTIA
CISSP
ISC2
Required by (4)
CISSP-ISSAPISC2ISSAPISC2ISSMPISC2ISSEPISC2
Recommended next (5)
CCSPISC2CISMISACACSSLPISC2CSA CZTCloud Security AllianceCCISOEC-Council

› Study materials

Curated starting points. Not exhaustive — vet each against your learning style and the current exam version.

Official guides

› Version & lifecycle

Current version
2024 CBK refresh
Released
2024-04

ISC2 refreshes the CBK on a ~3-year cadence; next refresh expected 2027.

› Salary signal

Senior security engineer / architect, US, 5+ years experience.

$130K$200K
median $155K
+12% reported cert premium

ISC2 Cybersecurity Workforce Study + Robert Half Salary Guide · 2024 · US base only · p25–p75 range

› How it compares

vs
CISM

Manager-track focus on security program management vs CISSP's broader senior-IC + architecture coverage.

↔ Compare side-by-side
vs
CCSP

Cloud-deep specialization vs CISSP's vendor-neutral breadth across all eight CBK domains.

↔ Compare side-by-side
vs
CASP+

Vendor-neutral senior-IC alternative without AMF, but lower hiring-manager recognition outside DoD.

↔ Compare side-by-side

› Careers that commonly pursue this cert

Security Engineer

Design, build, and maintain security infrastructure. The architects of an organization's defensive posture.

CISO / Security Leader

Lead security strategy, communicate risk to the board, and build security programs. Executive-level cybersecurity leadership.

Quantum Security Specialist

Prepare for the post-quantum era. Understand quantum threats and lead cryptographic migration efforts.

Security Architect

Senior design role — defines how pillar A components fit together across identity, crypto, network, cloud, and data — and, increasingly, how pillar C bolts into it.

See this cert’s domains highlighted on the interactive map, or compare it against the rest of the catalog.

Highlight on the domain mapBrowse all certifications