Security+ proves you understand security controls. CISSP proves you can lead a security program.
A Security+ question asks: “An employee clicks a phishing link. Which control would have prevented credential theft?” A CISSP question asks: “An organisation operates across 12 jurisdictions with conflicting data localisation requirements. The CISO must design a data governance framework that satisfies regulatory obligations without fragmenting the analytics data lake. What framework components address this requirement?” The shift — from selecting the right technical control to designing the governance structures that make an entire security program function — defines the CISSP exam entirely.
CISSP is not an entry-level certification. ISC2 requires candidates to have five years of paid, full-time work experience in two or more of the eight CISSP domains before earning the certification. Candidates who pass the exam without meeting the experience requirement become an Associate of ISC2 and have six years to acquire the necessary experience before converting to full CISSP status. The associate designation is not a lesser credential — it demonstrates exam-level knowledge while the experience is accumulated and is a legitimate path for security professionals earlier in their careers.
The computer-adaptive testing (CAT) format, introduced for the English-language exam in December 2017 and moved to its current 125-to-175-question, four-hour form in June 2022, means the exam is dynamic: the CAT engine adjusts question difficulty based on each response, terminating when it can determine with statistical confidence whether the candidate has crossed the passing threshold. The exam ends between 125 and 175 questions; finishing at 125 questions does not signal pass or fail. The 4-hour time limit applies to the English-language CAT. Exams in other languages have historically been a linear 250-question form with a 6-hour limit, and ISC2 has been migrating those languages to CAT as well, so confirm the format for your language in the current ISC2 exam outline before you book.
The eight CISSP domains
Domain 1 — Security and Risk Management (~15%)
The highest-weighted domain and the conceptual backbone of the exam. It is intentionally broad, covering governance, legal and regulatory compliance, risk frameworks, business continuity, personnel security, and professional ethics, because CISSP tests whether candidates can think as security leaders, not as technical specialists. Core areas:
- Risk management frameworks: NIST RMF, ISO 31000, COSO ERM. The exam tests the NIST RMF cycle (Prepare, then Categorise, Select, Implement, Assess, Authorise, Monitor, as revised in SP 800-37 Rev. 2; older study material lists only the last six steps) and how each step produces artifacts that feed the next. Risk identification, quantitative analysis (ALE = SLE × ARO, where SLE = asset value × exposure factor, and the value of a safeguard is the ALE reduction it buys minus its annualised cost), qualitative analysis (probability/impact matrices), and risk treatment options (accept, avoid, transfer, mitigate).
- Security governance: the relationship between policies, standards, baselines, guidelines, and procedures. Senior management is ultimately responsible for information security; the CISO advises and implements. Board-level security reporting, audit committee relationships, and how security programme objectives align to business objectives.
- Legal and regulatory frameworks: GDPR (data subject rights, lawful processing bases, DPO requirements, breach notification timelines), HIPAA (PHI, covered entities, business associates), SOX (financial data integrity and IT general controls), PCI DSS (cardholder data environment scoping, the 12 requirements). The exam does not test specific regulation details exhaustively but does test how to navigate conflicting jurisdictional requirements and when to engage legal counsel.
- Business continuity planning: BIA methodology (identifying critical processes, dependencies, and maximum tolerable downtime), distinguishing BCP (organisational resilience planning) from DRP (technical recovery), RTO vs RPO vs MTBF vs MTTR, and how continuity planning integrates with risk management. The CISSP-level question is about designing the planning process and governance structure, not selecting the correct backup technology.
- Professional ethics: the ISC2 Code of Ethics (protect society > act honourably > provide competent service > advance the profession) is explicitly testable. The ordering of the four canons matters — protecting society and the common good ranks above client obligations.
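Added example (not from the original page) of the quantitative risk arithmetic above carried through to a treatment decision: it computes SLE and ALE, the net value of a proposed safeguard (ALE before, minus ALE after, minus the annualised safeguard cost), and picks among accept, mitigate and transfer on that basis. The asset value, exposure factors, occurrence rates and the risk-appetite figure are constructed for illustration.

```python
"""Quantitative risk analysis and safeguard cost/benefit (CISSP Domain 1).

Added example, not from the original page. All asset values, exposure
factors, frequencies and appetite figures are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One risk scenario against one asset."""
    name: str
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF, fraction of AV lost per occurrence (0.0 to 1.0)
    aro: float              # annualised rate of occurrence (events per year)

    @property
    def sle(self) -> float:
        """Single loss expectancy: AV x EF."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualised loss expectancy: SLE x ARO."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Safeguard:
    """A proposed control and its effect on the risk it addresses."""
    name: str
    annual_cost: float   # annualised cost of the safeguard (ACS)
    residual_ef: float   # exposure factor once the control is in place
    residual_aro: float  # ARO once the control is in place


def safeguard_value(risk: Risk, sg: Safeguard) -> float:
    """Net annual value of a safeguard: ALE(before) - ALE(after) - ACS.

    Positive means the control saves more than it costs each year.
    """
    residual = Risk(risk.name, risk.asset_value, sg.residual_ef, sg.residual_aro)
    return risk.ale - residual.ale - sg.annual_cost


def recommend_treatment(risk: Risk, sg: Safeguard, risk_appetite: float) -> str:
    """Choose a treatment from the figures alone.

    accept:   ALE is already within appetite, so no spend is justified
    mitigate: the safeguard pays for itself (positive net value)
    transfer: the safeguard does not pay for itself but the loss still exceeds
              appetite, so insurance or contractual transfer is the next lever
    Avoid (stop the activity) is a business decision the numbers cannot make,
    so it is never returned here.
    """
    if risk.ale <= risk_appetite:
        return "accept"
    if safeguard_value(risk, sg) > 0:
        return "mitigate"
    return "transfer"


if __name__ == "__main__":
    # Constructed scenario: a data-centre flood.
    flood = Risk("data centre flood", asset_value=2_000_000, exposure_factor=0.25, aro=0.1)
    barriers = Safeguard("flood barriers", annual_cost=20_000, residual_ef=0.05, residual_aro=0.1)
    print(f"SLE={flood.sle:,.0f} ALE={flood.ale:,.0f}")
    print(f"value of barriers={safeguard_value(flood, barriers):,.0f}")
    print("treatment:", recommend_treatment(flood, barriers, risk_appetite=15_000))
```

The decision order matters: the appetite test comes first because spending on a risk the organisation has already agreed to carry is itself a governance failure, and transfer is reached only when the control cannot justify its own cost.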
Domain 2 — Asset Security (~10%)
Information classification, ownership, data lifecycle management, privacy, and the controls that protect data at rest, in transit, and in use. The domain tests the governance layer of data protection rather than specific encryption implementations.
- Data classification: government systems use Unclassified / Sensitive But Unclassified / Confidential / Secret / Top Secret. Commercial systems typically use Public / Internal / Confidential / Restricted. The classification level determines the handling requirements: labelling, storage media controls, transmission encryption requirements, and destruction standards (NIST SP 800-88 for media sanitisation: Clear when the media stays under organisational control and will be reused, Purge when it leaves that control or carries higher-sensitivity data, Destroy when it will not be reused at all).
- Data roles: Data Owner (executive responsible for classification and access decisions, not the technical custodian), Data Custodian (IT department responsible for implementing the controls the owner specifies), Data Controller (under GDPR, the party that determines the purposes and means of processing), Data Processor (processes data on behalf of the controller under GDPR), Data Subject (the individual the data describes). These role distinctions appear across multiple exam domains; getting them wrong in Domain 2 causes cascading errors in Domain 5 (IAM) questions.
- Privacy frameworks: the OECD Privacy Principles, the Fair Information Practice Principles (FIPPs), and how they map to regulatory requirements. Data minimisation (collect only what is necessary), purpose limitation (use data only for its stated purpose), and storage limitation (retain no longer than necessary) as design constraints, not compliance checkbox items.
- Retention and destruction: legal hold requirements that suspend normal retention schedules, chain of custody for evidence, and the difference between data deletion (removing references), data clearing (overwriting), data purging (degaussing or secure erase), and physical destruction (shredding, incineration). The exam tests which method is appropriate for which media type and sensitivity level.
Domain 3 — Security Architecture and Engineering (~13%)
Enterprise security architecture models, cryptography, physical security, and the security principles that guide system design. This domain contains the most technically dense content in the exam.
- Security models: Bell-LaPadula (confidentiality model: no read up / no write down — the “Simple Security Property” and “Star Property”), Biba (integrity model: no read down / no write up), Clark-Wilson (integrity via well-formed transactions and separation of duties), Brewer-Nash (“Chinese Wall” model for conflict-of-interest prevention in financial services). The exam tests which model applies to which requirement, not their mathematical formulations.
- Cryptography fundamentals: symmetric encryption (AES for bulk data; DES and 3DES deprecated), asymmetric encryption (RSA for key transport and digital signatures; elliptic curve cryptography for equivalent security at smaller key sizes), hashing (SHA-256 and SHA-3 for integrity; MD5 and SHA-1 deprecated because collisions are practical), digital signatures (hash the message, then sign the hash with the sender's private key, which exam textbooks describe as "encrypting the hash"; anyone holding the public key can verify it), PKI (CA hierarchy, certificate revocation via CRL and OCSP, certificate pinning). The exam tests the purpose and limitations of each primitive, not implementation details.
- Cryptographic attacks: birthday attacks (finding a hash collision takes on the order of √N trials for N possible outputs, so an n-bit hash offers only about n/2 bits of collision resistance), meet-in-the-middle (why double encryption such as 2DES does not double effective key length), man-in-the-middle (defeated by authenticating the endpoints, which is what certificate validation in the PKI layer provides), side-channel attacks (timing analysis, power analysis, fault injection; mitigated by constant-time, data-independent implementations and physical countermeasures rather than by changing the algorithm, which is not what leaks).
- Enterprise architecture frameworks: SABSA (security-focused, business-attribute driven), TOGAF (enterprise-wide, four architecture domains: Business, Data, Application, Technology), Zachman Framework (matrix of what/how/where/who/when/why across stakeholder perspectives). The exam tests which framework is appropriate for a given governance objective, not implementation details of any single framework.
- Physical security: defence-in-depth across perimeter (fencing, lighting, guards, CCTV), facility (mantraps, access control, badge readers), and internal (clean desk policy, cable locks, tailgating prevention). The CISSP-level question is about designing the layered physical security programme, not selecting a specific lock type.
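The birthday bound above is easy to see in code. This added example (not from the page) truncates SHA-256 to n bits so that a collision is cheap to find, counts how many hashes the search took, and compares that with the √(π/2 · 2ⁿ) expectation; the "msg-<counter>" inputs are constructed so the run is reproducible.

```python
"""Birthday-bound collision search against a truncated hash.

Added example, not from the original page. Truncating SHA-256 to n bits makes
a collision findable in seconds; the point is that the work grows with
2**(n/2), the square root of the output space, rather than with 2**n.
"""
import hashlib
import math


def truncated_hash(data: bytes, bits: int) -> int:
    """SHA-256 truncated to its leading `bits` bits, returned as an int."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def expected_attempts(bits: int) -> float:
    """Expected trials to the first collision: sqrt(pi/2 * 2**bits)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def birthday_collision(bits: int, prefix: bytes = b"msg-") -> tuple[int, bytes, bytes]:
    """Find two distinct inputs with the same truncated hash.

    Inputs are prefix + counter (constructed, deterministic). Returns
    (attempts, input_a, input_b). Memory is the price of the attack: the
    table of seen hashes is what turns 2**n work into 2**(n/2).
    """
    seen: dict[int, bytes] = {}
    counter = 0
    while True:
        candidate = prefix + str(counter).encode()
        h = truncated_hash(candidate, bits)
        if h in seen:
            return counter + 1, seen[h], candidate
        seen[h] = candidate
        counter += 1


if __name__ == "__main__":
    bits = 32
    attempts, a, b = birthday_collision(bits)
    print(f"{bits}-bit truncation: collision after {attempts} hashes "
          f"(expected about {expected_attempts(bits):.0f}, brute force would be {2**bits})")
    print(a, b, hex(truncated_hash(a, bits)), hex(truncated_hash(b, bits)))
```

At 32 bits the search finishes in well under a second with tens of thousands of hashes rather than the four billion a preimage-style brute force would need; that ratio is the reason 128-bit collision resistance is the floor for a signature hash.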
Domain 4 — Communication and Network Security (~13%)
Network architecture, secure protocols, transmission security, and remote access. The domain tests the network layer of an enterprise security architecture — not deep packet inspection or routing protocol internals, but the security design decisions that govern how networks are segmented, monitored, and protected.
- Network segmentation: VLANs for logical separation within a switch domain, DMZ architecture (screened subnet placing internet-facing services between two firewall layers), network access control (NAC) for device posture verification before network admission. Zero trust architecture (ZTA, NIST SP 800-207): every connection is untrusted by default and authorisation is granted per session based on identity, device health, and context, not network location; ZTNA products apply this model to remote access in place of a flat VPN.
- Secure protocols: TLS 1.3 (forward secrecy via ephemeral Diffie-Hellman, removal of weak cipher suites and of static RSA key transport), IPsec (transport mode protects only the payload; tunnel mode encapsulates and protects the entire original packet including its IP header, which is why it is used for site-to-site VPNs), SSH (replaces Telnet and rlogin for remote administration), HTTPS, SFTP/FTPS, DNSSEC (signs DNS responses, providing integrity and origin authentication but not confidentiality). The exam tests when each protocol is appropriate and what security properties it provides, not configuration syntax.
- Wireless security: WPA3 (required for Wi-Fi 6 certification; SAE replaces the password-derived PSK handshake and resists offline dictionary attacks against captured handshakes), EAP-TLS (certificate-based mutual authentication, the strongest enterprise Wi-Fi authentication), RADIUS for centralised wireless authentication. Evil twin attacks, rogue access points, and the WIDS (wireless intrusion detection system) controls that detect them.
- Traffic analysis and monitoring: network flow data (NetFlow/IPFIX) for baseline behaviour and anomaly detection without capturing payload content; full packet capture for incident investigation (legal and regulatory considerations apply); IDS (detection and alerting) vs IPS (detection and blocking) and their placement relative to firewalls. The CISSP question is about designing the monitoring architecture, not configuring SNMP community strings.
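Added example (not from the page) of the flow-based baseline-and-anomaly idea above: it aggregates constructed NetFlow/IPFIX-style records (source, destination, port, byte count, never payload) into daily per-host egress, builds each host's baseline from earlier days, and flags a day whose volume sits more than a chosen number of standard deviations above that baseline. The IP addresses, byte counts, day numbers and threshold are constructed for illustration.

```python
"""Flow-record baselining and egress anomaly detection.

Added example, not from the original page. It works on NetFlow/IPFIX-style
summaries (who talked to whom, how much) and never needs packet payload.
All records are constructed for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows: (day, src_ip, dst_ip, dst_port, bytes_out)
FLOWS = [
    (1, "10.0.0.5", "203.0.113.10", 443, 120_000),
    (1, "10.0.0.5", "203.0.113.11", 443, 95_000),
    (2, "10.0.0.5", "203.0.113.10", 443, 110_000),
    (3, "10.0.0.5", "203.0.113.12", 443, 130_000),
    (4, "10.0.0.5", "203.0.113.10", 443, 105_000),
    (5, "10.0.0.5", "198.51.100.7", 443, 2_400_000),  # one large transfer to a new destination
    (1, "10.0.0.9", "203.0.113.10", 443, 40_000),
    (2, "10.0.0.9", "203.0.113.10", 443, 42_000),
    (3, "10.0.0.9", "203.0.113.10", 443, 39_000),
    (4, "10.0.0.9", "203.0.113.10", 443, 41_000),
    (5, "10.0.0.9", "203.0.113.10", 443, 43_000),
]


def daily_egress(flows):
    """Sum outbound bytes per source host per day: {src_ip: {day: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, src, _dst, _port, nbytes in flows:
        totals[src][day] += nbytes
    return totals


def egress_anomalies(flows, baseline_days, check_day, z_threshold=3.0, min_baseline_days=2):
    """Return [(src_ip, bytes_on_check_day, z_score)] for hosts whose egress on
    check_day is more than z_threshold standard deviations above their own baseline.

    Hosts with fewer than min_baseline_days days of history are skipped: a new
    host has no norm to deviate from and needs a different (peer-group) check.
    """
    totals = daily_egress(flows)
    findings = []
    for src, per_day in totals.items():
        history = [per_day[d] for d in baseline_days if d in per_day]
        if len(history) < min_baseline_days or check_day not in per_day:
            continue
        mu, sigma = mean(history), pstdev(history)
        today = per_day[check_day]
        if sigma == 0:
            # Flat baseline: fall back to a simple multiple-of-mean test.
            z = float("inf") if today > 2 * mu else 0.0
        else:
            z = (today - mu) / sigma
        if z > z_threshold:
            findings.append((src, today, round(z, 1)))
    return findings


if __name__ == "__main__":
    for src, nbytes, z in egress_anomalies(FLOWS, baseline_days=[1, 2, 3, 4], check_day=5):
        print(f"{src}: {nbytes:,} bytes out on day 5 (z = {z})")
```

Only 10.0.0.5 is flagged: its day-5 volume is roughly 50 standard deviations above a baseline of about 140 kB/day, while 10.0.0.9's day 5 is a little over two deviations above its own flat history and stays quiet. A per-host baseline is what makes this usable; a single global threshold would either miss the first host or drown the analyst in alerts from busy file servers.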
Domain 5 — Identity and Access Management (~13%)
IAM governance, authentication factors, access control models, federation, and privileged access management. Weak practice here shows up directly in incident data: stolen and misused credentials are consistently among the most common initial access vectors, and over-broad entitlements turn a single compromised account into a breach.
- Access control models: Mandatory Access Control (MAC — government/military environments, classification labels enforced by the OS, not the user), Discretionary Access Control (DAC — resource owner grants access, flexible but risky: malware inherits owner’s permissions), Role-Based Access Control (RBAC — permissions assigned to roles, users assigned to roles, scales with user population), Attribute-Based Access Control (ABAC — policy engine evaluates multiple attributes at runtime, enables fine-grained context-aware decisions). The exam presents a scenario and asks which model is appropriate — not which to implement technically.
- Authentication factors: Type 1 (something you know: passwords, PINs), Type 2 (something you have: hardware tokens, smart cards, OTP apps), Type 3 (something you are: biometrics — evaluated on FAR vs FRR crossover point, the CER). Multi-factor authentication requires factors from at least two different categories. Passwordless authentication (FIDO2/WebAuthn, passkeys) eliminates phishing-susceptible shared secrets.
- Federation and SSO: SAML 2.0 (XML-based, enterprise federation, IdP-initiated vs SP-initiated flows), OAuth 2.0 (authorisation delegation, not authentication), OpenID Connect (authentication layer on top of OAuth 2.0, issues ID tokens as JWTs). The exam tests the purpose of each standard and when each is appropriate — SAML for enterprise B2B federation, OIDC for consumer identity, OAuth for API authorisation delegation.
- Privileged Access Management: just-in-time (JIT) access that grants elevated permissions only when needed and revokes them after the session, privileged account vaulting (secrets management for shared administrative credentials), session recording for audit trails, and the separation of duties that prevents a single administrator from both creating accounts and approving access.
- Identity lifecycle management: provisioning (joiner workflow), modification (mover workflow; role changes must update access rights promptly to prevent access accumulation), deprovisioning (leaver workflow; access revocation must precede exit, not follow it). Access reviews (periodic recertification) and the principle of least privilege as an ongoing process, not a one-time configuration.
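Added example (not from the page) that turns the access control models of this domain, together with the Bell-LaPadula and Biba models from Domain 3, into decision functions: MAC via BLP and Biba label checks, a DAC owner/ACL check, RBAC role-to-permission mapping, and one ABAC rule that consults runtime context. The level lattice, role names, ACL entries and attribute names are constructed for illustration.

```python
"""Access-control decision functions for the models the CISSP exam tests.

Added example, not from the original page. A toy policy decision point
implementing Bell-LaPadula and Biba (mandatory, label-based), a DAC
owner/ACL check, RBAC, and one ABAC rule. All levels, roles and attribute
names are constructed for illustration.
"""
from dataclasses import dataclass, field

# Lattice of labels, lowest first. Used for both sensitivity (BLP) and integrity (Biba).
LEVELS = ["unclassified", "confidential", "secret", "top_secret"]


def rank(level: str) -> int:
    return LEVELS.index(level)


def blp_allows(subject_level: str, object_level: str, action: str) -> bool:
    """Bell-LaPadula (confidentiality).

    Simple Security Property: no read up   (subject must dominate object to read)
    *-Property:               no write down (subject may only write at or above its level)
    """
    s, o = rank(subject_level), rank(object_level)
    if action == "read":
        return s >= o
    if action == "write":
        return s <= o
    raise ValueError(f"unknown action {action!r}")


def biba_allows(subject_level: str, object_level: str, action: str) -> bool:
    """Biba (integrity): the mirror image of BLP.

    Simple Integrity Property: no read down (do not consume lower-integrity data)
    *-Integrity Property:      no write up  (do not contaminate higher-integrity data)
    """
    s, o = rank(subject_level), rank(object_level)
    if action == "read":
        return s <= o
    if action == "write":
        return s >= o
    raise ValueError(f"unknown action {action!r}")


@dataclass
class Resource:
    name: str
    owner: str
    acl: dict[str, set[str]] = field(default_factory=dict)  # user -> actions (DAC)
    department: str = ""                                       # attribute consulted by ABAC


def dac_allows(user: str, res: Resource, action: str) -> bool:
    """Discretionary: the owner always has access and grants it to others via the ACL."""
    return user == res.owner or action in res.acl.get(user, set())


ROLE_PERMISSIONS = {
    "analyst": {"read"},
    "engineer": {"read", "write"},
    "admin": {"read", "write", "delete"},
}


def rbac_allows(user_roles: set[str], action: str) -> bool:
    """Role-based: permissions attach to roles and users only to roles."""
    return any(action in ROLE_PERMISSIONS.get(r, set()) for r in user_roles)


def abac_allows(subject: dict, res: Resource, action: str, env: dict) -> bool:
    """Attribute-based: one illustrative rule evaluated at request time.

    read:  subject and resource share a department
    write: same department, a managed device, and business hours (09:00-17:59)
    """
    same_dept = subject.get("department") == res.department
    if action == "read":
        return same_dept
    if action == "write":
        return same_dept and bool(env.get("device_managed")) and 9 <= env.get("hour", 0) < 18
    return False
```

Notice which inputs each function needs: BLP and Biba look only at labels the OS assigns, DAC consults a list the owner edits, RBAC needs nothing about the resource at all, and ABAC is the only one that can say "yes at 10:00 from a managed laptop, no at 22:00 from a personal phone". That input signature is usually what the exam scenario is really asking you to match.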
Domain 6 — Security Assessment and Testing (~12%)
Security testing strategies, vulnerability management, penetration testing, audit processes, and metrics. The domain tests how security programmes verify that controls are working as intended.
- Testing types: vulnerability scanning (automated, non-exploitative, identifies known vulnerabilities against CVE databases) vs penetration testing (human-led, exploitative within defined scope, proves exploitability) vs red team exercises (objective-driven adversary emulation across a broad scope, still bound by written rules of engagement, that tests detection and response rather than just prevention). The exam tests when each is appropriate and what each can and cannot prove.
- Penetration testing phases: reconnaissance → scanning and enumeration → gaining access → maintaining access → clearing tracks → reporting. Rules of engagement must be agreed in writing before testing begins. White box (full information), grey box (partial information), and black box (no information) engagements test different things — black box simulates an external attacker but may miss internal threat vectors.
- Software testing: unit testing (individual functions), integration testing (component interactions), system testing (end-to-end), regression testing (confirming new changes don't break existing functionality), UAT (user acceptance), fuzz testing (random or malformed input to find crashes and memory corruption), code review and SAST (static analysis of source before deployment), and DAST (dynamic analysis against a running application, which finds only what is reachable at runtime).
- Audit and compliance: SOC 1 (financial controls, SSAE 18/ISAE 3402) vs SOC 2 (security, availability, processing integrity, confidentiality, privacy of service organisations) vs SOC 3 (SOC 2 results in publicly releasable form). Type I report tests control design at a point in time; Type II tests control operating effectiveness over a period. The CISSP exam tests which report type answers which business question.
- Security metrics: KPIs (mean time to detect, mean time to respond, patch compliance rate, vulnerability remediation rate) that drive programme improvement decisions, not just audit compliance. The exam tests how metrics connect to risk management decisions rather than how to collect them technically.
Domain 7 — Security Operations (~13%)
Incident response, digital forensics, disaster recovery, physical security operations, and the continuous monitoring that keeps a security programme functional. This is the domain closest to day-to-day security operations work.
- Incident response lifecycle: NIST SP 800-61 defines four phases — Preparation (IR plan, playbooks, tooling, training) → Detection and Analysis (alert triage, scoping, log correlation) → Containment, Eradication, and Recovery (isolate affected systems, remove malware, restore from known-good backups) → Post-Incident Activity (lessons learned, plan update, stakeholder reporting). The exam tests which actions belong in which phase and why sequencing matters.
- Digital forensics: order of volatility (CPU registers and cache > RAM > network connections > running processes > disk > remote logging and monitoring > physical configuration) — collect the most volatile evidence first. Chain of custody documentation for legal admissibility. Write blockers to prevent modifying evidence during acquisition. The distinction between live forensics (volatile data from running systems) and dead-box forensics (disk imaging of powered-off systems).
- Change and configuration management: the change advisory board (CAB) review process for significant changes, emergency change procedures for critical patches, configuration baselines and deviation management, and the recognition that uncontrolled change is among the largest sources of outages in mature environments, frequently ahead of external attack.
- Disaster recovery: hot site (fully operational standby, minutes to failover), warm site (partial infrastructure ready, hours to failover), cold site (space and power only, days to weeks to activate). Mobile site and reciprocal agreements as alternative DR approaches. The exam maps RTO/RPO requirements to the correct DR tier — not the specific technology implementation.
- Personnel security operations: mandatory vacations (detect fraud requiring continuous presence), job rotation (knowledge transfer and fraud detection), separation of duties (no individual can complete a sensitive transaction alone), dual control (two people required simultaneously, e.g., safe combinations), and need-to-know as the operational implementation of least privilege.
Domain 8 — Software Development Security (~11%)
Secure SDLC, application security controls, database security, and the security considerations that apply throughout the software development lifecycle. The domain tests whether candidates can integrate security into development processes rather than bolt it on after the fact.
- Secure SDLC models: the waterfall model (sequential phases, security reviews at defined gates), agile (continuous iteration, security must be embedded in each sprint via threat modelling, code review, and automated testing — not deferred to a pre-release gate), DevSecOps (security as a shared team responsibility, automated security tooling integrated into CI/CD pipelines). The Microsoft Security Development Lifecycle (SDL) and NIST SSDF as formal frameworks.
- Common application vulnerabilities: OWASP Top 10 is explicitly testable — injection attacks (SQL, command, LDAP injection — prevented by parameterised queries and input validation), broken authentication (session fixation, credential stuffing — prevented by MFA and secure session management), XSS (reflected, stored, DOM-based — prevented by output encoding and CSP), IDOR (prevented by server-side authorisation checks), SSRF (prevented by network egress controls and URL allowlists), XXE (prevented by disabling external entity processing in XML parsers). The exam tests the defensive control, not the exploit mechanics.
- Database security: database activity monitoring (DAM) for privileged user access auditing, polyinstantiation (creating multiple database records at different classification levels to prevent inference attacks in multi-level security environments), database encryption (Transparent Data Encryption for data at rest, TLS for data in transit between application and database), and stored procedure security (preventing direct table access, enforcing business logic at the database layer).
- Software supply chain security: software bill of materials (SBOM) for tracking third-party component dependencies and CVE exposure, code signing for verifying binary integrity, dependency scanning in CI/CD pipelines (SCA, software composition analysis), and the risk of typosquatting attacks against package repositories. The SolarWinds build-system compromise and the XZ Utils backdoor are the reference cases for this concept.
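Added example (not from the page) of the injection item above: the vulnerable login query built by string formatting, beside the parameterised fix, both run against a constructed in-memory SQLite table so they can be exercised offline. The user record, password and fixed salt are illustrative; a real system would use a slow, salted password hash such as bcrypt, scrypt or Argon2.

```python
"""SQL injection: the vulnerable query beside the parameterised fix.

Added example, not from the original page. Uses the standard-library sqlite3
module and a constructed in-memory users table so it runs offline.
"""
import hashlib
import sqlite3


def hash_pw(password: str) -> str:
    # Illustrative only: a fixed salt and a fast hash. Production code should use
    # a slow, per-user-salted KDF (bcrypt, scrypt, Argon2).
    return hashlib.sha256(b"static-salt:" + password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one user with a known password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", hash_pw("correct horse")))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the statement by string formatting, so attacker-controlled text becomes SQL.

    A username of  alice' --  closes the string literal and comments out the
    password check, and the query returns a row without any valid password.
    """
    query = (
        f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
        f"AND pw_hash = '{hash_pw(password)}'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised query: the driver passes the values separately from the SQL text,
    so a quote or comment sequence in the username is just data to compare against."""
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND pw_hash = ?",
        (username, hash_pw(password)),
    ).fetchone()
    return row[0] > 0


if __name__ == "__main__":
    conn = make_db()
    payload = "alice' --"
    print("vulnerable, real password :", login_vulnerable(conn, "alice", "correct horse"))
    print("vulnerable, injected name :", login_vulnerable(conn, payload, "anything"))
    print("safe, injected name       :", login_safe(conn, payload, "anything"))
    print("safe, real password       :", login_safe(conn, "alice", "correct horse"))
```

Input validation is a useful second layer, but it is not the fix: the parameterised statement is what removes the ambiguity between code and data, and it does so regardless of what characters the validator happened to allow.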
The CISSP question that trips the most candidates: the exam is managerial, not technical. When a question asks “what should the CISO do first?” and the options include both a technical action (deploy an IPS) and a management action (conduct a risk assessment), the management action is almost always correct. CISSP tests whether you think at the governance and programme level — not whether you can configure the tool.
The computer-adaptive test format
The CAT format is fundamentally different from a fixed-length exam. The engine selects each question based on the candidate’s estimated ability from prior responses, converging on the passing threshold faster when performance is consistent. Key implications for exam strategy:
- Spending excessive time on an individual question carries a higher cost than on a linear exam: questions you never reach before time expires count against you, and a candidate who has not answered the minimum of 125 when time runs out fails outright. Keep moving.
- Finishing at 125 questions is neither a pass signal nor a fail signal — the engine simply reached statistical confidence at the minimum question count. Finishing at 175 questions means performance was consistently near the boundary, requiring more questions to reach confidence.
- There is no going back. The CAT does not allow question review or answer changes — each response is committed. This rewards methodical first-attempt reasoning over guessing-and-reviewing.
- The difficulty of questions you receive increases as your ability estimate improves. Receiving consistently hard questions is a positive signal; feeling that questions are getting easier may indicate the engine is converging on a sub-passing estimate. Candidates should not adjust strategy based on perceived difficulty.
For candidates who have sat linear multiple-choice exams throughout their career, the CAT format requires an adjustment in pacing mindset: the goal is not to finish with 20 minutes to spare for review, but to allocate roughly 80 seconds per question (240 minutes across the maximum of 175 questions) and commit to each answer decisively.
Experience requirement and the Associate of ISC2
The five-year experience requirement is one of the most common barriers for early-career security professionals who pass the CISSP exam. ISC2 requires experience in at least two of the eight domains — not just adjacent IT experience. Security management, security architecture, incident response, vulnerability management, IAM, and application security all qualify. General IT operations without a security focus does not.
The one-year experience waiver is available for candidates who hold a four-year college degree (or a higher-level academic credential), or an approved credential from the ISC2 list of qualifying certifications (which includes Security+, SSCP, and others). This reduces the requirement from five years to four years — not to zero. The waiver applies to the total experience threshold, not to the domain-coverage requirement.
Candidates who pass the exam without sufficient experience automatically become an Associate of ISC2. The Associate designation is active and must be maintained with CPE credits while the experience is accumulated. Once the experience is verified by an ISC2 member in good standing (endorsement), the Associate converts to full CISSP. The endorser confirms the candidate’s experience is genuine and relevant — they are not a character reference.
How CISSP fits the security certification landscape
CISSP occupies a distinct position: it is the only major certification that explicitly tests security leadership and programme management at a strategic level, rather than deep technical expertise in a specific domain. The comparison points:
- CISSP vs CISM: both target senior practitioners, but CISM (ISACA’s Certified Information Security Manager) focuses exclusively on security management, governance, and risk — it does not test cryptography, network architecture, or software security at any depth. CISSP covers all eight domains. CISM is frequently preferred by candidates targeting pure management or GRC roles; CISSP is preferred for roles that require architectural or technical credibility alongside leadership responsibility.
- CISSP vs CISA: ISACA’s Certified Information Systems Auditor targets audit, assurance, and compliance practitioners. CISA tests IT audit methodology, control frameworks, and governance rather than security design or operations. CISSP and CISA are complementary credentials rather than competing ones — many senior GRC practitioners hold both.
- CISSP vs vendor security certifications: AWS Security Specialty, Microsoft SC-200, and GCP Professional Cloud Security Engineer test platform-specific security implementations in depth. CISSP tests the governance and architectural principles that should guide any platform choice. Senior security architects frequently hold both CISSP and one or more vendor specialty certifications — the vendor cert provides technical depth, CISSP provides the strategic framework.
- CISSP as a DoD gate: for security professionals working in US federal government, DoD contractor, or intelligence community roles, CISSP satisfies DoD 8140 baseline certification requirements for multiple work roles including Cyber Defense Infrastructure Support, Vulnerability Assessment Analyst, and Security Architect. It is not optional for these roles — it is the gate that unlocks access to the position.
The three-year CPE maintenance cycle with the $125 annual maintenance fee (AMF) means CISSP is a long-term professional investment. The CPE requirement (120 credits over the three-year cycle, with ISC2 suggesting a minimum of 40 per year; at least 90 of the 120 must be Group A credits tied to the CISSP domains, with up to 30 from Group B professional-development activities) is designed to ensure holders stay current with the evolving security landscape rather than resting on a credential earned years earlier. ISC2 grants CPE credits for formal training, conference attendance, writing articles, and volunteering; the requirement is achievable for an active practitioner but creates an ongoing accountability mechanism that passive certificate holders cannot ignore.
CISSP rewards candidates who think in governance terms, not technical terms. The most common exam mistake is selecting the technically correct answer instead of the managerially correct one. When a question offers both an option that solves a technical problem and one that addresses an underlying governance gap, CISSP almost always rewards the governance answer. Prioritise Domain 1 (Security and Risk Management) as your preparation anchor — its risk management framework, business continuity, and governance concepts permeate questions across all eight domains. The official ISC2 candidate information guide contains the authoritative domain weights and exam outline — review it before studying any third-party material.
Test your CISSP knowledge across all eight domains with expert-level practice questions on CertQuests.
Start CISSP Practice Questions →