What is CISSP?
CISSP is a globally recognised certification that validates expertise in designing, implementing and managing a best-in-class cybersecurity program. Source: isc2.org/certifications/cissp
CISSP is administered by ISC2 and is widely considered the gold standard for senior security professionals. It is not an entry-level certification — it is designed for practitioners who already work in security and want to validate their depth of knowledge across the full breadth of the field.
Unlike technical certifications that test specific tools or platforms, CISSP tests conceptual understanding, risk-based thinking, and the ability to make governance-level decisions. That is what makes it different — and what makes preparation for it different from most other exams.
The 8 CISSP Domains
The CISSP Common Body of Knowledge (CBK) is organised into 8 domains, each covering a distinct area of information security. The exam draws questions from all 8, with each domain weighted as shown below.
- Domain 1 — Security and Risk Management (16%) — Governance, risk, compliance, legal frameworks, security policies and ethics
- Domain 2 — Asset Security (10%) — Data classification, ownership, privacy, retention and handling
- Domain 3 — Security Architecture and Engineering (13%) — Secure design principles, cryptography, physical security, models and frameworks
- Domain 4 — Communication and Network Security (13%) — OSI model, TCP/IP, firewalls, VPNs, secure protocols and wireless
- Domain 5 — Identity and Access Management (13%) — Authentication, authorisation, federation, Zero Trust and access control models
- Domain 6 — Security Assessment and Testing (12%) — Vulnerability assessments, penetration testing, audit trails and log reviews
- Domain 7 — Security Operations (13%) — Incident response, forensics, BCP/DRP, monitoring, patch and change management
- Domain 8 — Software Development Security (10%) — SDLC, secure coding, DevSecOps, APIs and database security
Source: ISC2 CISSP Exam Outline
Who Should Pursue CISSP?
CISSP is designed for experienced security professionals, not beginners. ISC2 specifically lists the following roles as target candidates:
- Security Consultant
- Security Manager
- IT Director / Manager
- Security Architect
- Security Analyst
- Security Auditor
- Chief Information Security Officer (CISO)
If you are in a role where you need to understand security from a programme management or governance perspective — not just technically — CISSP is likely the right certification for you.
Experience Requirements
To earn the CISSP designation, candidates must meet the following requirements:
- Minimum five years of cumulative paid work experience in information security
- Experience must span two or more of the 8 CISSP domains
- A one-year waiver may apply with a relevant four-year university degree or an approved credential from the ISC2 list
If you pass the CISSP exam but do not yet meet the experience requirement, you become an Associate of ISC2 and have six years to earn the required experience and complete the endorsement process.
Experience must be verified through endorsement by an active ISC2 member who can attest to your professional experience. If you do not know an ISC2 member, ISC2 itself can act as your endorser.
