CISSP Exam Guide 2026: Pass the (ISC)² Flagship Security Certification

Complete CISSP exam guide: eight CBK domains, CAT format, experience requirements, study plan, and how to prepare for the gold-standard cybersecurity certification.

By Sailor Team, May 25, 2026

Introduction

The Certified Information Systems Security Professional (CISSP) is widely considered the most prestigious general security certification in the world. Awarded by (ISC)², it validates enterprise security leadership across eight Common Body of Knowledge (CBK) domains — from cryptography to identity to risk management to software security.

CISSP is management-and-strategy oriented, not hands-on. It’s the credential CISOs, security architects, security managers, and senior security engineers earn to validate broad enterprise security competence.

This guide covers the 2026 CISSP exam logistics, the eight CBK domains, the CAT (Computerized Adaptive Testing) format, experience and endorsement requirements, and a realistic 4–8 month prep plan.

Who CISSP Is For

CISSP is the right exam if you:

  • Have or will have 5 years of full-time paid work experience in 2+ of the 8 CBK domains (1 year waiver for college degree or approved certification)
  • Are a security manager, architect, principal, or senior IC moving toward strategic security leadership
  • Are pursuing CISO, security director, security architect, or governance-focused roles
  • Need a senior-level vendor-neutral credential to complement specific certs (AZ-500, AWS Security Specialty, CISA)

If you don’t yet have 4–5 years of qualifying experience, you can still take and pass the exam — you’ll be designated “Associate of (ISC)²” until you accumulate the required experience (up to 6 years to do so).

CISSP Exam Specifications

| Attribute | Detail |
|---|---|
| Exam title | Certified Information Systems Security Professional (CISSP) |
| Format (English) | CAT (Computerized Adaptive Testing) — 100–150 questions |
| Format (other languages) | Linear, fixed-length: 250 questions |
| Duration (English CAT) | 3 hours |
| Duration (linear) | 6 hours |
| Question types | Multiple-choice, drag-and-drop, hot-spot |
| Passing score | 700 / 1000 (scaled; not a fixed % of correct answers) |
| Cost | $749 USD |
| Languages | English, French, German, Spanish, Japanese, Korean, Portuguese, simplified Chinese |
| Delivery | Pearson VUE test center (no online proctoring for CISSP) |
| Validity | 3 years (CPE-based renewal) |
| Endorsement required | Yes — by an existing (ISC)² certified professional |

Experience Requirement

  • 5 years cumulative, full-time paid work in 2+ of the 8 CBK domains
  • 1 year waiver for: 4-year college degree (or regional equivalent), advanced degree in cybersecurity, or one of (ISC)²’s approved certifications (e.g., CompTIA Security+, AWS Security Specialty, AZ-500, CISA, and many others)
  • Endorsement by an active (ISC)² certified professional within 9 months of passing

CISSP CBK Domains (Current 2024 Refresh, valid through 2026+)

| Domain | Weight |
|---|---|
| 1. Security and Risk Management | 16% |
| 2. Asset Security | 10% |
| 3. Security Architecture and Engineering | 13% |
| 4. Communication and Network Security | 13% |
| 5. Identity and Access Management (IAM) | 13% |
| 6. Security Assessment and Testing | 12% |
| 7. Security Operations | 13% |
| 8. Software Development Security | 10% |

Domain 1: Security and Risk Management (16%)

  • CIA triad, IAAA, due care vs. due diligence
  • Security governance: policies, standards, procedures, guidelines, baselines
  • Compliance: GDPR, HIPAA, PCI DSS, SOX, regional privacy laws
  • Risk management: quantitative (ALE, SLE, ARO) and qualitative methods
  • BCP/DRP: BIA, RPO, RTO, MTD, WRT
  • Personnel security: hiring, NDA, separation of duties, mandatory vacation
  • Ethics: (ISC)² code of ethics (heavily tested)

Domain 2: Asset Security (10%)

  • Data classification and handling
  • Data lifecycle: creation, storage, use, sharing, archive, destruction
  • Roles: data owner, custodian, processor, controller, user, administrator
  • Data protection: encryption, masking, tokenization, DRM
  • Asset retention and secure disposal (cryptographic erasure vs. physical destruction)

Domain 3: Security Architecture and Engineering (13%)

  • Secure design principles: defense in depth, least privilege, fail-secure, separation of duties
  • Security models: Bell-LaPadula, Biba, Clark-Wilson, Brewer-Nash
  • Trusted Computing Base (TCB), security perimeter, reference monitor
  • Evaluation criteria: TCSEC, ITSEC, Common Criteria (EAL levels)
  • Cryptography: symmetric (AES, 3DES), asymmetric (RSA, ECC, Diffie-Hellman), hashing (SHA-2, SHA-3), PKI, digital certificates, X.509
  • Cryptographic attacks: brute force, birthday, replay, MITM, side-channel
  • Physical security: fencing, lighting, locks, CCTV, mantraps

Domain 4: Communication and Network Security (13%)

  • OSI and TCP/IP models with security mappings
  • Secure protocols: TLS, IPSec, SSH, SFTP, HTTPS
  • Network attacks: DoS/DDoS, MITM, ARP poisoning, DNS attacks, VLAN hopping
  • Firewalls, IDS/IPS, proxies, WAFs, NAC
  • Wireless security: WPA2/WPA3, 802.1X
  • Microsegmentation, software-defined networking, zero trust

Domain 5: Identity and Access Management (13%)

  • Identification, authentication, authorization, accountability
  • Authentication factors: type 1 (know), type 2 (have), type 3 (are), type 4 (do), type 5 (location)
  • MFA, SSO, federation (SAML, OAuth, OIDC), Kerberos
  • Access control models: DAC, MAC, RBAC, ABAC, rule-based
  • Identity lifecycle: provisioning, deprovisioning, access reviews
  • Privileged access management (PAM)

Domain 6: Security Assessment and Testing (12%)

  • Test strategies: vulnerability scanning, penetration testing, log review, code review, synthetic transactions
  • Penetration testing phases: planning, discovery, attack, reporting
  • Disaster recovery testing: checklist, walkthrough, simulation, parallel, full interruption
  • KPIs and KRIs
  • Auditing: internal vs. external, SOC 1/2/3, ISAE 3402

Domain 7: Security Operations (13%)

  • Incident response: preparation, detection, containment, eradication, recovery, lessons learned
  • Forensics: chain of custody, evidence collection, preservation
  • Logging and monitoring: SIEM, SOAR, log retention
  • Business continuity and disaster recovery
  • Patch and change management
  • Physical security operations

Domain 8: Software Development Security (10%)

  • SDLC models: waterfall, agile, DevOps, DevSecOps
  • Secure coding practices: input validation, output encoding, parameterized queries
  • OWASP Top 10 (current)
  • Software security testing: SAST, DAST, IAST, SCA
  • Application security frameworks: CSA STAR, BSIMM, SAMM
  • API security and microservices considerations

How CAT (Computerized Adaptive Testing) Works

For English CISSP, the exam is CAT, not linear:

  • 100–150 questions delivered in 3 hours
  • The exam adapts difficulty to your demonstrated ability
  • From around question 100 onward, the exam ends as soon as it has high statistical confidence in your result, whether that result is a pass or a fail
  • You cannot go back to previous questions
  • A “harder” question after a correct answer is a good sign; an “easier” question may indicate you got the previous one wrong

You can pass at question 100 or fight to question 150. The result is the same on your certificate.

What Makes CISSP Hard

  1. Mile wide, inch deep — but the inch is sharp. You need recognizable familiarity with everything in 8 domains.
  2. “Think like a manager, not an engineer.” The right answer is usually the most strategic or policy-aligned one, not the most technical.
  3. (ISC)² code of ethics is tested directly and as embedded ethical scenarios.
  4. No going back in CAT. First instinct matters; train it.
  5. 3 hours of focused testing. Endurance matters.

“Think Like a Manager” — The CISSP Mindset

CISSP rewards strategic answers over technical ones:

  • Wrong (engineer instinct): “Patch the server immediately.”
  • Right (CISSP instinct): “Follow the established change management process.”

Train this mindset throughout your study. When you see two technically valid answers, ask which one a senior security manager, who answers to executives and auditors, would choose.

CISSP is a marathon, not a sprint. Plan 400–600 hours of study time spread over 4–8 months.

Month 1: Domains 1 + 2 (Risk Management + Asset Security)

  • Read these domains in detail
  • Memorize the (ISC)² code of ethics
  • Drill risk management math (ALE, SLE, ARO)
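The risk management math drilled here (and listed under Domain 1 above) is the quantitative model: SLE = AV × EF, ALE = SLE × ARO, and the cost/benefit of a control as ALE before minus ALE after minus the control's annual cost. The following worked example is added to this guide and is not from (ISC)² or the Sailor team; the web-server scenario, the dollar figures, and the two candidate safeguards are constructed values chosen so the arithmetic is easy to check by hand.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Threat:
    """One threat/asset pair with the three inputs an exam question gives you."""
    name: str
    asset_value: float       # AV: replacement or impact value of the asset
    exposure_factor: float   # EF: fraction of AV lost per incident (0.0 to 1.0)
    aro: float               # ARO: expected incidents per year (may be below 1)


@dataclass(frozen=True)
class Safeguard:
    """A control priced per year, with the residual EF and ARO it leaves behind."""
    name: str
    annual_cost: float
    residual_ef: float
    residual_aro: float


def single_loss_expectancy(av: float, ef: float) -> float:
    """SLE = AV x EF: the cost of one occurrence of the threat."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return av * ef


def annualized_loss_expectancy(av: float, ef: float, aro: float) -> float:
    """ALE = SLE x ARO: the expected loss per year."""
    return single_loss_expectancy(av, ef) * aro


def safeguard_value(threat: Threat, sg: Safeguard) -> float:
    """Cost/benefit of a control: ALE(before) - ALE(after) - annual cost.

    Positive means the control pays for itself; zero or negative means it
    costs at least as much as the loss it prevents.
    """
    before = annualized_loss_expectancy(
        threat.asset_value, threat.exposure_factor, threat.aro)
    after = annualized_loss_expectancy(
        threat.asset_value, sg.residual_ef, sg.residual_aro)
    return before - after - sg.annual_cost


def recommend(threat: Threat, options: Sequence[Safeguard]) -> Optional[Safeguard]:
    """Return the control with the highest positive value; None means accept the risk."""
    best = max(options, key=lambda sg: safeguard_value(threat, sg), default=None)
    if best is None or safeguard_value(threat, best) <= 0:
        return None
    return best


# Constructed sample scenario (not from the guide): a public web server.
# AV $200,000, a defacement destroys 25% of its value, expected twice a year.
WEB_SERVER = Threat("web server defacement",
                    asset_value=200_000, exposure_factor=0.25, aro=2.0)
OPTIONS = [
    # Cuts the damage per incident but not the frequency: value 30,000/yr.
    Safeguard("managed WAF", annual_cost=30_000,
              residual_ef=0.10, residual_aro=2.0),
    # Reduces both, but its cost exactly equals the loss avoided: value 0.
    Safeguard("rebuild + 24x7 SOC", annual_cost=90_000,
              residual_ef=0.05, residual_aro=1.0),
]

if __name__ == "__main__":
    t = WEB_SERVER
    print(f"SLE = {single_loss_expectancy(t.asset_value, t.exposure_factor):,.0f}")
    print(f"ALE = {annualized_loss_expectancy(t.asset_value, t.exposure_factor, t.aro):,.0f}")
    for sg in OPTIONS:
        print(f"{sg.name}: value {safeguard_value(t, sg):,.0f}")
    choice = recommend(t, OPTIONS)
    print("recommendation:", choice.name if choice else "accept the risk")
```

The exam-style trap the second safeguard illustrates is that a control which reduces ALE the most is not automatically the right answer; the question is whether the annual cost of the control is below the annual loss it avoids, which is the "think like a manager" framing of the same arithmetic.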

Month 2: Domains 3 + 4 (Architecture + Networks)

  • Cryptography deep dive
  • Security models (Bell-LaPadula, Biba, Clark-Wilson)
  • Network protocols and attacks

Month 3: Domains 5 + 6 (IAM + Assessment)

  • Authentication and authorization models
  • Penetration testing phases
  • Audit frameworks (SOC 1/2/3)

Month 4: Domains 7 + 8 (Operations + Software)

  • Incident response phases
  • DR testing types
  • SDLC and secure coding

Months 5–6: Practice exams and review

Months 7–8 (optional buffer)

  • Final mock exams
  • Light review of low-confidence areas
  • Schedule the exam at month 4–8 depending on score consistency

Resources

  • (ISC)² Official CISSP Study Guide (Sybex, current edition) — the canonical book
  • (ISC)² Official Practice Tests (Sybex)
  • “CISSP All-in-One Exam Guide” by Shon Harris / Fernando Maymí (most recent edition)
  • Pete Zerger / Destination Certification CISSP MasterClass (YouTube, free)
  • Mike Chapple LinkedIn Learning CISSP courses
  • Sailor.sh CISSP mock exam bundle — realistic, CBK-aligned practice questions

Salary Impact

CISSP is consistently ranked among the top 5 highest-paid IT certifications globally:

  • US average: $130K–$200K for “Security Manager / Architect + CISSP”
  • UK average: £75K–£120K
  • India average: ₹20L–₹45L

CISSP holders often earn 15–25% more than equivalent non-CISSP security professionals — and CISSP is frequently a requirement (not just preference) for CISO, security director, and senior security architect roles.

CISSP vs. Other Senior Security Certs

| Certification | Provider | Cost | Format | Validity | Focus |
|---|---|---|---|---|---|
| CISSP | (ISC)² | $749 | CAT 100–150 Q / 3h | 3 years | Broad security management |
| CISA | ISACA | $760 | 150 Q / 4h | 3 years | Audit and assurance |
| CISM | ISACA | $760 | 150 Q / 4h | 3 years | Security management |
| CCSP | (ISC)² | $599 | 125 Q / 4h | 3 years | Cloud security |
| Security+ | CompTIA | $392 | ~90 Q / 90 min | 3 years | Entry security |

CISSP is the most-required senior security cert worldwide. CISA is preferred for audit-focused roles; CISM for purely managerial roles.

Most Common Reasons People Fail

  1. Engineer-mindset answers. CISSP rewards strategic, manager-level thinking.
  2. Skipping or underweighting ethics. Ethics questions are direct and tested.
  3. Cramming. CISSP rewards months of slow absorption, not weekend cramming.
  4. Practice exams from unofficial / unverified sources. Many CISSP dumps are inaccurate or test the wrong mindset.
  5. Booking too early. Wait until you score 85%+ on multiple full-length mocks.

Renewal: 120 CPEs Over 3 Years

CISSP requires 120 Continuing Professional Education (CPE) credits over the 3-year cycle, plus an Annual Maintenance Fee ((ISC)² changed AMF structure recently — verify current amount). CPEs come from conferences, courses, articles, podcasts, and contributions to the profession.

After You Pass

Strong next moves:

  • CCSP (Certified Cloud Security Professional) — (ISC)²’s cloud-specific senior credential
  • CISM — managerial focus
  • CISA — audit focus
  • Cloud-specific: AZ-500, AWS Security Specialty, GCP Professional Cloud Security Engineer

Frequently Asked Questions

Q: Can I take CISSP without 5 years of experience? A: Yes. You’ll receive Associate of (ISC)² status until you accumulate the required experience (up to 6 years).

Q: Is CISSP harder than CISM? A: CISSP is broader; CISM is more management-narrow. Most candidates find CISSP harder.

Q: How long should I study for CISSP? A: 400–600 hours over 4–8 months is typical.

Q: Can I take CISSP online? A: No — CISSP requires a Pearson VUE test center. There is no online proctoring.

Q: What if I run out of questions on the CAT exam? A: If you complete 150 questions, the system evaluates based on those. Most candidates end between question 100 and 130.

Q: Are practice exams worth the investment? A: Yes — but only quality ones aligned to the current CBK. Sailor.sh’s CISSP mock exam bundle provides realistic scenario-based practice with manager-mindset answer explanations.

Ready to Start?

CISSP is one of the highest-ROI long-term investments in cybersecurity. Spend 4–8 months absorbing the CBK, training the “think like a manager” mindset, and drilling realistic practice questions until both your knowledge and your instincts are consistently aligned with (ISC)²’s expected reasoning.

Take a free CISSP practice test on Sailor.sh to identify your weakest CBK domain, then work the full CISSP mock exam bundle until you consistently score 85%+ across all eight domains.