CISSP Certification: Become a Certified Information Systems Security Professional in 2026

By Roman Dvorkin

The CISSP is the credential that separates people who manage cybersecurity from people who operate it. It’s issued by ISC2, the International Information System Security Certification Consortium, and it requires five years of paid work experience across at least two of its eight domains before you’re eligible to certify. That’s not a bureaucratic hurdle. It’s a signal that CISSP is designed for professionals who have been doing this work at a meaningful level and want credentials that reflect it.

This guide covers what the CISSP actually tests, who it’s for, how to study effectively, what it costs, and what career impact it realistically delivers in 2026.

What Is the CISSP Certification?

Who issues it and what it validates

ISC2 issues the CISSP as part of its professional certification portfolio. The CISSP validates competence across eight domains of information security, from risk management and cryptography to software security and incident management. It tests a manager-level understanding of security rather than the deep technical execution skills tested by certifications like OSCP. You won’t be asked how to execute a specific attack. You will be asked how to design a program that addresses the risk an attack represents, how to communicate that risk to a board of directors, and how to budget for mitigation.

Who CISSP is designed for — and who it isn’t

CISSP is designed for security managers, architects, directors, and Chief Information Security Officers. It’s the right certification if you are managing a security team, designing enterprise security programs, advising executives on security posture, or working toward a CISO or Security Director role. It is not the right first certification for someone entering cybersecurity. The experience requirement exists because the exam tests judgment developed through years of practice, not just knowledge that can be studied from a book in a few months.

CISSP Requirements: Do You Qualify?

The 5-year experience rule and domain coverage

You need five years of cumulative, paid work experience in two or more of the eight CISSP domains. The experience can be from any combination of roles across your career. Part-time work counts proportionally. Volunteer work does not count. Your work experience is verified through an endorsement from another ISC2 member in good standing, who confirms the experience you claim is accurate. The endorsement process can take several weeks, so factor that into your timeline when planning your exam date.

Degree and credential waivers — April 2026 changes

ISC2 allows one-year experience waivers for a four-year college degree or a regional equivalent, or for a credential from ISC2’s approved waiver list. As of the April 2026 update to the waiver list, ISC2 added several newer credentials and removed some older ones. The practical impact: if you hold a relevant degree, you need four years of work experience rather than five. Review the current approved waiver list on the ISC2 website before assuming your specific credential qualifies, as the list changes periodically.

The Associate of ISC2 pathway for those without experience

If you want to sit the CISSP exam but don’t yet have five years of qualifying experience, you can become an Associate of ISC2. You pass the same exam, but you have six years to accumulate the required work experience before formally certifying as a CISSP. This is useful for people who are building toward senior security roles and want to demonstrate that they’ve passed the CISSP exam while continuing to accumulate experience. Entry-level professionals considering this path should note that the CISSP exam is genuinely difficult and most candidates need substantial study time even with the Associate pathway available.

CISSP Exam Format and Structure

Computerized Adaptive Testing (CAT): how it works

The CISSP exam uses Computerized Adaptive Testing for English-language candidates. CAT means the exam adapts to your responses: if you answer correctly, the next question is harder; if you answer incorrectly, it gets easier. The exam is trying to determine your competence level with statistical confidence. Once it has enough data to determine whether you are above or below the passing threshold, the exam ends. This means you can pass in as few as 125 questions or continue up to 175. The experience of not knowing whether you’ve passed until the exam ends is disorienting for many candidates, but the format is designed to produce more precise results than a fixed-length exam.

Question count, time limit, and pass/fail determination

The adaptive exam runs between 125 and 175 questions over four hours. The passing standard is determined by the exam algorithm based on your demonstrated competence level, not by a fixed raw score. ISC2 expresses this as a scaled score of 700 out of 1000 as the minimum passing standard, but because the exam adapts, that score reflects a consistent competence level regardless of which specific questions you saw. You receive your pass/fail result immediately at the testing centre.

Linear exam option for non-English speakers

Candidates who choose to sit the exam in a language other than English take a fixed-form linear exam of 250 questions over six hours. The linear format is available in Chinese (Simplified), French, German, Japanese, Korean, Portuguese, and Spanish. For German candidates who prefer to sit in German, this is an option, though the community consensus among German candidates is that studying in English and sitting in English produces better results, since study materials and terminology are overwhelmingly English-language. 

The 8 CISSP Domains: What You Need to Know

Domain 1: Security and Risk Management (16%)

Security and Risk Management is the largest domain at 16% of the exam and covers the foundational governance and risk concepts that drive security program design. Topics include security governance principles, legal and regulatory compliance, professional ethics, risk management frameworks, business continuity planning, and personnel security policies. This domain is where the ‘think like a manager’ mindset is most directly tested. Questions ask about how to design appropriate policies and manage risk at an organisational level, not how to execute specific technical controls.

Domains 2–4: Asset Security, Architecture & Engineering, Communications

Asset Security (10%) covers data classification, ownership, privacy protection, and retention requirements. Security Architecture and Engineering (13%) tests knowledge of security models, cryptographic systems, physical security, and vulnerability assessment of security architectures. Communication and Network Security (13%) covers network protocols, secure transmission technologies, and network attack and defence. These three domains together represent 36% of the exam and require solid technical grounding alongside the governance concepts from Domain 1.

Domains 5–8: IAM, Security Assessment, Operations, Software Security

Identity and Access Management (13%) covers identification, authentication, authorisation, and identity federation. Security Assessment and Testing (12%) addresses audit strategies, vulnerability assessments, penetration testing oversight, and log analysis. Security Operations (13%) covers investigations, incident management, disaster recovery, and physical and environmental security. Software Development Security (10%) covers secure coding practices, software vulnerability assessment, and security in the software development lifecycle. Collectively, these domains test your ability to manage security across the operational lifecycle of an organisation.

How to Study for CISSP: Strategy and Resources

Recommended study hours (250+) and timeline

Most passing candidates report 250-350 hours of dedicated study time. At 10 hours per week, that’s 25-35 weeks, or six to eight months. At 20 hours per week, you can prepare in three to four months. The timeline assumes you have the required work experience and are studying to demonstrate what you already know in an exam context. Candidates who are studying topics they haven’t worked with directly need more time.

The ‘Think Like a Manager’ mindset — why it matters

The most common reason candidates fail CISSP is applying technical thinking to managerial questions. The exam frequently presents situations where a technical control would solve a problem, but the correct answer involves a governance, policy, or risk management approach instead. Understanding why you’re being asked to ‘think like a manager’ helps you pattern-match correctly. When an exam question asks what you should do first when a security incident occurs, the CISSP answer is usually to contain the damage and preserve evidence, not to immediately call law enforcement or shut down the system.

Best books, courses, and practice exams

The CISSP Official Study Guide by Mike Chapple and David Seidl is the standard reference material. Destination CISSP by Lou Hablas is particularly strong for the managerial mindset. For video instruction, Thor Pedersen’s course has strong community reviews. Practice exams from Boson, Sybex, and the official ISC2 practice tests are all worth working through. The standard advice is to take at least 3,000 practice questions before sitting the real exam, with a focus on understanding why wrong answers are wrong rather than memorising correct ones.

CISSP Cost: Exam, Maintenance, and Total Investment

Exam fee (~$749 USD) and endorsed application

The CISSP exam costs approximately €690 as of 2026. After passing, you submit an endorsement application supported by an ISC2 member who verifies your work experience. The endorsement process can take four to six weeks. There is also an annual maintenance fee.

Annual maintenance fee and CPE requirements

CISSP certification must be maintained through 120 Continuing Professional Education (CPE) credits per three-year cycle, with a minimum of 40 CPEs per year. CPEs can be earned through training, conference attendance, writing, volunteering, and other professional activities relevant to information security. The annual maintenance fee is $115 USD. If you let the certification lapse, you must retake and pass the full exam to recertify.

Employer sponsorship — over 70% have fees paid

In Germany, employer sponsorship for CISSP is common among larger organisations and consulting firms, particularly those with formal professional development budgets. If you’re targeting CISSP as part of a career progression, raising it as a development goal in your next performance review or with your HR department is often enough to get it covered. 

CISSP Career Impact: Salary and Jobs

Roles CISSP holders fill: CISO, Security Architect, Director

CISSP holders work as Chief Information Security Officers, Security Architects, Security Directors, IT Risk Managers, and senior Information Security Managers. These are the roles that set security strategy, manage security teams, and represent security to executive leadership. The certification signals to executive hiring committees that a candidate has both the technical breadth and the governance depth to operate at that level.

Average CISSP salary and uplift vs. non-certified peers

CISSP holders in Germany earn between €90,000 and €150,000 depending on role, industry, and organisation size. CISOs at DAX companies earn above that range. The salary uplift compared to peers without CISSP in equivalent roles is consistently reported at 15-20% in German market surveys. For a full breakdown of cybersecurity salaries by role and experience level, see the cybersecurity salary guide.

The April 2026 waiver list changes and what they mean for you

ISC2 updated its approved credential waiver list in April 2026. The update added several newer credentials, including some cloud security certifications, and removed a handful of older credentials that ISC2 determined no longer represent equivalent domain knowledge. If you have credentials that you expected to qualify for the one-year experience waiver, verify your specific certifications against the current ISC2-approved list before submitting your application. The waiver only reduces the experience requirement from five years to four. It does not change the exam content, the passing standard, or the endorsement requirement.

How hard is the CISSP exam?

The CISSP has a reputation as one of the most challenging professional certifications in information security. The CAT format means you never know exactly where you stand, and the ‘think like a manager’ framing trips up technically skilled candidates who default to operational answers for governance questions. Pass rates are not publicly disclosed by ISC2. Most community estimates put the first-attempt pass rate around 60-70%. With 300+ hours of structured study, solid work experience across the domains, and extensive practice exam work, most well-prepared candidates pass. The exam is hard but not unpredictable.

How long does it take to prepare for CISSP?

Six to eight months at 10 hours per week is the most commonly reported preparation timeline for working professionals. Candidates who can study 20 hours per week can prepare in three to four months. The preparation time assumes you already have the qualifying work experience and are studying to demonstrate what you know in exam format. Candidates without direct experience in certain domains take longer because they’re learning the concepts rather than reviewing them.

What is the difference between CISSP and CISM?

CISM (Certified Information Security Manager) is issued by ISACA and focuses on information security management, risk management, and governance. CISSP is broader and covers more technical depth across its eight domains. CISM requires five years of work experience in information security with three years in management. Both are recognised at the senior level, and both carry salary premiums. CISSP is more widely recognised globally and particularly in the US. CISM is stronger in European markets, especially in financial services and government sectors. For most senior security roles in Germany, either credential is respected, and some senior professionals hold both.

Conclusion

The CISSP is the right certification if you have the experience to qualify and you’re targeting senior management, architectural, or executive roles in information security. It’s not a starting point; it’s a destination. Getting there requires five years of qualifying experience across the domains, 250-350 hours of focused preparation, and the ability to approach exam questions with a manager’s perspective rather than a technician’s. The career return is real: CISSP holders earn 15-20% more than non-certified peers in equivalent roles and hold positions that shape how organisations approach security. If you’re earlier in your career and building toward that level, start with the entry-level certification guide and the Cybersteps full-time program to build your technical and practical foundation.


CEO & Co-founder of Cybersteps

Aviram Rispler is a cybersecurity expert with 10+ years of training and leadership experience. Aviram specializes in Cloud and Network security and has led multiple training programs around the world for juniors entering the cybersecurity space.
