ISC2 Certification

CISSP

Certified Information Systems Security Professional

ISC2 | 8 domains · 84 modules | Available

The CISSP is the gold standard in information security. Covering eight domains, it validates your ability to design, implement, and manage a best-in-class cybersecurity program. This track teaches you to think at the broad, managerial level ISC2 expects — connecting concepts across domains rather than memorizing each in isolation.

Exam Details

Detail CISSP
Format CAT adaptive, 100–150 questions
Time 3 hours
Cost $749 USD
Passing Score 700 out of 1000
Experience 5 years in 2+ of 8 domains, or 4 years + relevant degree/cert
Renewal 40 CPE credits/year, annual fee $125

What You’ll Learn

  • Develop the managerial thinking ISC2 expects for security decisions
  • Build breadth across all eight CISSP domains without sacrificing depth
  • Prepare for the CAT exam format with targeted strategy
  • Use domain-level readiness assessments to identify and close gaps
Let's Get Started →
Domain 1 — Security and Risk Management (16%)

Professional ethics, security governance principles, legal and regulatory compliance, business continuity, risk management concepts, threat modeling, supply chain risk, and security awareness programs.

Section A — Governance and Legal

  1. 1 Professional Ethics and ISC2 Code Not Started
  2. 2 Core Security Concepts Not Started
  3. 3 Security Governance Principles Not Started
  4. 4 Legal, Regulatory, and Compliance Not Started
  5. 5 Investigation Types Not Started
  6. 6 Security Policy Development and Implementation Not Started
  7. Section A Review: Governance and Legal Not Started

Section B — Risk and Continuity

  1. 7 Business Continuity Requirements and BIA Not Started
  2. 8 Personnel Security Policies Not Started
  3. 9 Risk Management Concepts and Frameworks Not Started
  4. 10 Threat Modeling Methodologies Not Started
  5. 11 Supply Chain Risk Management Not Started
  6. 12 Security Awareness and Training Programs Not Started
  7. Section B Review: Risk and Continuity Not Started

Domain 1 Review

  1. Capstone Review: SECURITY AND RISK MANAGEMENT Not Started
Domain 2 — Asset Security (10%)

Information and asset classification, handling requirements, secure provisioning, data lifecycle management, asset retention, and data security controls and compliance.

Section A — Classification and Provisioning

  1. 13 Information and Asset Classification Not Started
  2. 14 Asset Handling Requirements Not Started
  3. 15 Secure Asset Provisioning and Inventory Not Started
  4. Section A Review: Classification and Provisioning Not Started

Section B — Data Lifecycle and Controls

  1. 16 Data Lifecycle Management Not Started
  2. 17 Asset Retention Not Started
  3. 18 Data Security Controls and Compliance Not Started
  4. Section B Review: Data Lifecycle and Controls Not Started

Domain 2 Review

  1. Capstone Review: ASSET SECURITY Not Started
Domain 3 — Security Architecture and Engineering (13%)

Secure design principles, security models, control selection, system security capabilities, vulnerability mitigation, cryptographic solutions, cryptanalytic attacks, site and facility security, and information system lifecycle.

Section A — Design Principles and Models

  1. 19 Secure Design Principles Not Started
  2. 20 Security Models Not Started
  3. 21 Security Requirements and Control Selection Not Started
  4. 22 Information System Security Capabilities Not Started
  5. Section A Review: Design Principles and Models Not Started

Section B — Vulnerabilities and Cryptography

  1. 23 Vulnerability Mitigation Not Started
  2. 24 Cryptographic Solutions and Lifecycle Not Started
  3. 25 Cryptanalytic Attacks Not Started
  4. Section B Review: Vulnerabilities and Cryptography Not Started

Section C — Physical Security and System Lifecycle

  1. 26 Site and Facility Security Principles Not Started
  2. 27 Facility Design Controls Not Started
  3. 28 Information System Lifecycle Management Not Started
  4. Section C Review: Physical Security and System Lifecycle Not Started

Domain 3 Review

  1. Capstone Review: SECURITY ARCHITECTURE AND ENGINEERING Not Started
Domain 4 — Communication and Network Security (13%)

Secure network architecture design, secure network component implementation, and secure communication channels.

Section A — Network Architecture and Security

  1. 29 Secure Network Architecture Design Not Started
  2. 30 Secure Network Component Implementation Not Started
  3. 31 Secure Communication Channel Implementation Not Started
  4. Section A Review: Network Architecture and Security Not Started

Domain 4 Review

  1. Capstone Review: COMMUNICATION AND NETWORK SECURITY Not Started
Domain 5 — Identity and Access Management (13%)

Physical and logical access control, identification and authentication strategy, federated identity, authorization mechanisms, access provisioning lifecycle, and authentication systems.

Section A — Identity and Authentication

  1. 32 Physical and Logical Access Control Not Started
  2. 33 Authentication Strategy Design Not Started
  3. 34 Federated Identity with Third Parties Not Started
  4. Section A Review: Identity and Authentication Not Started

Section B — Authorization and Lifecycle

  1. 35 Authorization Mechanisms Not Started
  2. 36 Identity and Access Provisioning Lifecycle Not Started
  3. 37 Authentication Systems Implementation Not Started
  4. Section B Review: Authorization and Lifecycle Not Started

Domain 5 Review

  1. Capstone Review: IDENTITY AND ACCESS MANAGEMENT Not Started
Domain 6 — Security Assessment and Testing (12%)

Assessment and audit strategy design, security control testing, security process data collection, test output analysis and reporting, and security audit facilitation.

Section A — Assessments and Testing

  1. 38 Assessment and Audit Strategy Design Not Started
  2. 39 Security Control Testing Methods Not Started
  3. 40 Security Process Data Collection Not Started
  4. 41 Test Output Analysis and Reporting Not Started
  5. 42 Security Audits Facilitation Not Started
  6. Section A Review: Assessments and Testing Not Started

Domain 6 Review

  1. Capstone Review: SECURITY ASSESSMENT AND TESTING Not Started
Domain 7 — Security Operations (13%)

Investigations and evidence handling, logging and monitoring, configuration management, incident management, detection and prevention, patch and vulnerability management, recovery strategies, disaster recovery, business continuity, and physical security.

Section A — Investigations and Monitoring

  1. 43 Investigation Compliance and Evidence Handling Not Started
  2. 44 Logging and Monitoring Activities Not Started
  3. 45 Configuration Management Not Started
  4. 46 Foundational Security Operations Concepts Not Started
  5. 47 Resource Protection Not Started
  6. 48 Incident Management Lifecycle Not Started
  7. 49 Detection and Preventative Measures Not Started
  8. Section A Review: Investigations and Monitoring Not Started

Section B — Recovery and Continuity

  1. 50 Patch and Vulnerability Management Not Started
  2. 51 Change Management Not Started
  3. 52 Recovery Strategies Not Started
  4. 53 Disaster Recovery Processes Not Started
  5. 54 Disaster Recovery Plan Testing Not Started
  6. 55 Business Continuity Planning Not Started
  7. 56 Physical Security Implementation Not Started
  8. 57 Personnel Safety and Security Not Started
  9. Section B Review: Recovery and Continuity Not Started

Domain 7 Review

  1. Capstone Review: SECURITY OPERATIONS Not Started
Domain 8 — Software Development Security (10%)

Security integration in the SDLC, security controls in development ecosystems, software security effectiveness assessment, acquired software security impact, and secure coding guidelines and standards.

Section A — Secure Development

  1. 58 SDLC Security Integration Not Started
  2. 59 Security Controls in Development Ecosystems Not Started
  3. 60 Software Security Effectiveness Assessment Not Started
  4. 61 Acquired Software Security Impact Not Started
  5. 62 Secure Coding Guidelines and Standards Not Started
  6. Section A Review: Secure Development Not Started

Domain 8 Review

  1. Capstone Review: SOFTWARE DEVELOPMENT SECURITY Not Started

Career Benefits

  • Average salary: $125,000–$175,000 (varies by region)
  • DoD 8570.01-M / 8140 compliance for IAM/IASAE Level III
  • Globally recognized across industries
  • Required or preferred for CISO, Security Architect, Security Director roles

How It Compares

CISSP provides broad security coverage while CISM focuses specifically on security management. If you're already managing security programs, CISM may be more relevant. If you want the broadest credential recognized worldwide, CISSP is the standard. See the full comparison →

Head-to-head comparisons: CISSP vs CISM · CRISC vs CISSP · Security+ vs CISSP