(ISC)² · Professional Level · 2026 Updated

Certified Information Systems Security Professional

Updated May 1, 2026 · 12 min read · Written by Certsqill experts
Quick facts: CISSP
Exam cost: $749 USD
Questions: 100–150, computerized adaptive testing (CAT)
Time limit: 3 hours (the 4-hour format was retired with the April 2024 exam update)
Passing score: 700/1000 scaled
Valid for: 3 years (CPE credits and the annual maintenance fee required to keep it active)
Testing: Pearson VUE

Who this exam is for

The Certified Information Systems Security Professional (CISSP), issued by (ISC)², is designed for experienced practitioners who design, run, or oversee an organization's security program rather than any particular vendor's products. Typical candidates are security managers and directors, security architects and consultants, senior analysts and engineers, auditors, and IT leaders moving into governance and risk roles.

Full certification requires five years of cumulative, paid work experience in two or more of the eight domains; a four-year degree or an approved credential waives one year. You can sit the exam before you have that experience: passing makes you an Associate of (ISC)², with six years to earn the remaining experience. Either way, the exam tests applied knowledge and architectural and managerial judgment, not memorization. If you can reason about trade-offs and real-world scenarios, structured practice will handle the rest.

Domain breakdown

The CISSP exam is built around eight official domains, each with a fixed percentage of the question pool. The weights below are those of the exam outline in force since April 15, 2024, and they should directly inform how you allocate your study time.

Domain | Weight | Focus areas
Security & Risk Management | 16% | Governance, compliance, legal and regulatory issues, professional ethics, risk management concepts, threat modeling, and business continuity planning fundamentals.
Asset Security | 10% | Data classification, ownership, privacy protection, asset retention policies, and data security controls throughout the asset lifecycle.
Security Architecture & Engineering | 13% | Secure design principles, security models (Bell-LaPadula, Biba), cryptography, physical security, and vulnerabilities in enterprise architectures.
Communication & Network Security | 13% | Network architectures, secure communication channels, network attacks, and implementing secure network components (firewalls, VPNs, SDN).
Identity & Access Management | 13% | Identification, authentication, authorization, accountability, identity federation, SSO, MFA, and access control models (DAC, MAC, RBAC).
Security Assessment & Testing | 12% | Assessment strategies, vulnerability scanning, penetration testing, log reviews, security audits, and software testing methods.
Security Operations | 13% | Investigation types, incident management, disaster recovery, patch management, change management, physical security operations, and personnel safety.
Software Development Security | 10% | Secure SDLC, software development methodologies, security controls in development environments, code review, and software security effectiveness.

Note the domain with the highest weight, Security & Risk Management. Many candidates under-invest here because it feels conceptual. In practice this is where the exam is most precise, with scenario-based questions that test specifics of risk treatment, legal and regulatory obligations, and the (ISC)² Code of Ethics.

What the exam actually tests

This is not a memorization exam. Questions require applied judgment under constraints. Almost every question includes a scenario with explicit requirements and asks you to select the most appropriate solution.

Here are examples of the question types you will encounter:

Best Answer (Managerial)
A new regulation requires your organization to implement data residency controls. As the CISO, what is your FIRST step?
CISSP always favors the managerial, risk-based response. "Conduct a gap analysis" almost always beats "implement controls immediately."
Cryptographic Concept
Which asymmetric algorithm provides both encryption and digital signature functionality and is based on the discrete logarithm problem?
Answer: ElGamal, whose encryption scheme and signature variant both rest on the discrete logarithm problem. Know each algorithm's mathematical basis and what it can do: RSA (integer factorization; encryption and signing), DSA (discrete log; signing only), Diffie-Hellman (discrete log; key agreement only), ElGamal (discrete log; encryption and signing), and ECC (elliptic-curve discrete log; ECDH for key agreement, ECDSA for signing). Common trap: confusing DH, which only agrees a shared secret, with RSA, which encrypts and signs.
Policy & Governance Scenario
An employee is found accessing files outside their job role. No policy exists prohibiting this. What should management do FIRST?
CISSP tests whether you respond to missing policies by creating/updating policies rather than taking disciplinary action without a framework.
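The cryptography question above turns on two things: which hard problem a scheme rests on, and what a single key pair lets you do. As an added example that is not part of this guide or of any (ISC)² material, the following standard-library Python builds toy versions of RSA (factoring; one key pair both encrypts and signs), Diffie-Hellman (discrete log; agrees a secret and nothing else) and ElGamal (discrete log; encrypts, and has a signature variant). The primes, generator and sample message are constructed for illustration, there is no padding or encoding, and the parameters are far too small for real use: this is a teaching model, not a library.

```python
"""Toy versions of three asymmetric schemes, to show which hard problem each
rests on and what each can do. Added example for this guide; not exam or
(ISC)² material. Parameters are tiny and there is no padding or encoding,
so this is a teaching model only: never use it to protect real data."""
import hashlib
import secrets

# Constructed toy parameters (assumption: chosen for illustration only).
RSA_P = 2**31 - 1                  # both Mersenne primes, so the arithmetic is checkable
RSA_Q = 2**61 - 1
DH_P = 2**127 - 1                  # prime modulus shared by the discrete-log schemes
DH_G = 3                           # generator of a large subgroup, adequate for a toy


def _hash_to_int(message: bytes, n: int) -> int:
    """SHA-256 the message and reduce it into Z_n (real RSA uses PSS/PKCS#1 padding)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


# --- RSA: security rests on factoring n = p*q; one key pair encrypts AND signs ---
def rsa_keygen(p: int = RSA_P, q: int = RSA_Q, e: int = 65537):
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # private exponent: e*d == 1 (mod phi(n)), Python 3.8+
    return (n, e), (n, d)          # (public key, private key)


def rsa_encrypt(pub, m: int) -> int:
    n, e = pub
    return pow(m, e, n)


def rsa_decrypt(priv, c: int) -> int:
    n, d = priv
    return pow(c, d, n)


def rsa_sign(priv, message: bytes) -> int:
    n, d = priv
    return pow(_hash_to_int(message, n), d, n)


def rsa_verify(pub, message: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _hash_to_int(message, n)


# --- Diffie-Hellman: rests on the discrete log; agrees a secret, nothing more ---
def dh_keypair():
    x = secrets.randbelow(DH_P - 2) + 1          # private exponent in [1, p-2]
    return x, pow(DH_G, x, DH_P)                 # (private, public = g^x mod p)


def dh_shared_secret(my_private: int, their_public: int) -> int:
    return pow(their_public, my_private, DH_P)   # (g^y)^x == (g^x)^y (mod p)


# --- ElGamal: the discrete-log scheme that does encrypt (signing variant not shown) ---
def elgamal_encrypt(public_y: int, m: int):
    k = secrets.randbelow(DH_P - 2) + 1          # fresh ephemeral exponent per message
    return pow(DH_G, k, DH_P), (m * pow(public_y, k, DH_P)) % DH_P


def elgamal_decrypt(private_x: int, c1: int, c2: int) -> int:
    shared = pow(c1, private_x, DH_P)            # recover g^(xk) from c1 = g^k
    return (c2 * pow(shared, -1, DH_P)) % DH_P


def demo() -> dict:
    """Exercise all three schemes and report what each can and cannot do."""
    pub, priv = rsa_keygen()
    msg = b"approve wire transfer #4471"           # constructed sample message
    sig = rsa_sign(priv, msg)
    a_priv, a_pub = dh_keypair()                   # Alice's DH / ElGamal key pair
    b_priv, b_pub = dh_keypair()                   # Bob's DH / ElGamal key pair
    c1, c2 = elgamal_encrypt(b_pub, 123456789)     # encrypt to Bob's public key
    return {
        "rsa_encrypts": rsa_decrypt(priv, rsa_encrypt(pub, 123456789)) == 123456789,
        "rsa_signs": rsa_verify(pub, msg, sig),
        "rsa_detects_tamper": not rsa_verify(pub, msg.replace(b"4471", b"4472"), sig),
        "dh_agrees_secret": dh_shared_secret(a_priv, b_pub) == dh_shared_secret(b_priv, a_pub),
        "elgamal_encrypts": elgamal_decrypt(b_priv, c1, c2) == 123456789,
    }


if __name__ == "__main__":
    for capability, ok in demo().items():
        print(f"{capability:20s} {ok}")
```

Notice that the DH section has no encrypt or sign function at all: the only thing the exchange yields is a shared secret, which a real protocol then feeds into a KDF to derive symmetric keys. That gap is exactly the DH-versus-RSA trap the question type above is testing.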

How to prepare — 4-week study plan

This plan assumes one hour per weekday and roughly 30 minutes of lighter review on weekends. It is calibrated for someone with some relevant experience. If you are starting from zero, add an extra week before Week 1 to familiarize yourself with the basics.

Week 1: Risk, Governance & Asset Security
  • Master Domains 1 & 2: risk frameworks (NIST RMF, ISO 27005), asset classification, and data lifecycle
  • Study CIA triad, authentication factors, and business continuity vs disaster recovery distinctions
  • Complete 100 practice questions focused on policy, governance, and risk management scenarios
  • Review all major compliance frameworks: SOX, HIPAA, GDPR, PCI DSS at a conceptual level
Week 2: Architecture, Cryptography & Networking
  • Study Domain 3: security models (Bell-LaPadula, Biba, Clark-Wilson), trusted computing, and cryptographic algorithms
  • Cover Domain 4: OSI model security per layer, network protocols (TCP/IP, BGP, OSPF), and firewall/IDS/IPS types
  • Practice 150 adaptive questions on cryptographic math, PKI, and certificate lifecycle
  • Build a reference sheet for symmetric (AES; 3DES, which NIST disallowed for new encryption after 2023) vs asymmetric (RSA, ECC) algorithms and their key sizes
Week 3: IAM, Testing, Operations & Software Security
  • Study Domains 5 & 6: federated identity, Kerberos, SAML, OAuth, and assessment methodologies
  • Cover Domains 7 & 8: incident response phases, forensic investigation types, and SDLC security integration
  • Complete 2 full-length timed mock exams and review all incorrect answers
  • Focus on software vulnerabilities: buffer overflow, injection attacks, and secure coding practices
Week 4: Final Review & Exam Strategy
  • Review all 8 domains using a condensed notes sheet; focus on areas with <70% practice score
  • Complete 200 additional adaptive practice questions emphasizing managerial judgment scenarios
  • Practice CAT exam pacing: 150 questions in 3 hours is 72 seconds per question, and the CAT format does not let you return to an earlier item, so never stall on a single question
  • Rest 48 hours before exam; review only your reference sheets and domain weight breakdown on exam day
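The Week 2 security models are the ones candidates most often mix up, because Bell-LaPadula and Biba apply the same lattice test in opposite directions. As an added example, not part of this guide or of the (ISC)² body of knowledge, the following Python implements a toy reference monitor that evaluates each request under both models side by side. The levels, compartments, subjects and requests are constructed for illustration; Clark-Wilson is left out because it is built on well-formed transactions and separation of duties rather than on a label lattice.

```python
"""Toy reference monitor contrasting Bell-LaPadula and Biba. Added example for
this guide, not (ISC)² material; the levels, compartments, subjects and
requests are all constructed for illustration."""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    """A lattice label: a sensitivity (or integrity) level plus a set of compartments."""
    level: Level
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """A >= B in the lattice: higher-or-equal level AND a superset of compartments."""
        return self.level >= other.level and self.compartments >= other.compartments


def blp_permits(subject: Label, obj: Label, op: str) -> bool:
    """Bell-LaPadula guards confidentiality.
    Simple security property: no read up.  *-property: no write down."""
    if op == "read":
        return subject.dominates(obj)
    if op == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown operation {op!r}")


def biba_permits(subject: Label, obj: Label, op: str) -> bool:
    """Biba guards integrity and is Bell-LaPadula turned upside down.
    Simple integrity property: no read down.  *-integrity property: no write up."""
    if op == "read":
        return obj.dominates(subject)
    if op == "write":
        return subject.dominates(obj)
    raise ValueError(f"unknown operation {op!r}")


def evaluate(requests):
    """Run each (who, subject label, what, object label, op) request through both models."""
    return [
        {"request": f"{who} {op} {what}",
         "bell_lapadula": blp_permits(s, o, op),
         "biba": biba_permits(s, o, op)}
        for who, s, what, o, op in requests
    ]


# Constructed sample subjects, objects and requests (assumption: illustrative only).
NATO = frozenset({"NATO"})
ANALYST = Label(Level.SECRET, NATO)
CLERK = Label(Level.CONFIDENTIAL)
SAMPLE_REQUESTS = [
    ("analyst", ANALYST, "budget.txt", Label(Level.CONFIDENTIAL), "read"),       # read down
    ("clerk", CLERK, "ops-plan.doc", Label(Level.SECRET), "read"),               # read up
    ("clerk", CLERK, "ops-plan.doc", Label(Level.SECRET), "write"),              # write up
    ("analyst", ANALYST, "budget.txt", Label(Level.CONFIDENTIAL), "write"),      # write down
    ("clerk", CLERK, "nato-brief.pdf", Label(Level.CONFIDENTIAL, NATO), "read"),  # same level, missing compartment
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_REQUESTS):
        print(f"{row['request']:32s} BLP={row['bell_lapadula']!s:5s} Biba={row['biba']}")
```

Every request that one model allows, the other denies, which is the point: Bell-LaPadula stops secrets flowing down to lower clearances, Biba stops untrusted data flowing up into trusted objects, and the last request shows why compartments matter even when the level matches. Real systems usually pair the strict *-property (write only at your own level) with these rules, because blind write-up is a covert channel.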

Common mistakes candidates make

These patterns appear repeatedly among candidates who resit this exam. Knowing them in advance is worth several percentage points.

Studying vendor-specific technologies
CISSP is completely vendor-neutral. Questions about firewalls, IDS, or VPNs are conceptual. If you are memorizing Cisco or Palo Alto specifics, you are wasting study time.
Thinking like a technician instead of a manager
CISSP tests senior management judgment. When given a problem, the correct answer is almost always the one that involves policy, risk assessment, or governance — not a technical fix. Ask yourself: "What would a CISO do first?"
Ignoring cryptographic math fundamentals
Many candidates skip cryptography because it feels abstract. The exam regularly tests key lengths, algorithm weaknesses, and when to use symmetric vs asymmetric. Budget at least 8 hours on Domain 3 cryptography.
Choosing the most technically correct answer
CISSP answer choices are often all technically valid. The distinguisher is the managerial or ethical lens. "Implement AES-256 immediately" loses to "conduct a risk assessment to determine appropriate controls."

Is Certsqill right for you?

Honestly: Certsqill is built for candidates who have already done some studying and want to convert knowledge into exam performance. If you have never touched the subject, start with a foundational course first — then come to Certsqill when you are ready to practice.

Where Certsqill is strong: question depth, AI-powered explanations, and domain analytics. Every question is mapped to the exam blueprint. When you get something wrong, the AI tutor explains why the right answer is right and why each wrong answer fails under the specific constraints in the question.

Where Certsqill is not a replacement: video courses and hands-on labs. Use Certsqill to test and sharpen — not as your first exposure to a topic you have never encountered.

Ready to start practicing?
1,580 CISSP questions. AI tutor. 10 mock exams. 7-day free trial.
