CISSP — Certified Information Systems Security Professional
CISSP is the universal management-tier security credential. It is on the US DoD 8570 / 8140 baseline for IAT III, IAM I/II/III, IASAE I/II and CSSP-Manager roles, and is the most commonly required cert in senior security postings worldwide. CISSP signals you can think across governance, risk, architecture and operations — not that you can hand-craft an exploit. It is the cert that gets you into the room where budget is decided.
The content is broad rather than technically deep, but the 'best answer from a manager's perspective' phrasing and the adaptive (CAT) format make it punishing to pass on a first sitting without disciplined prep.
Cost, hours and exam shape.
- Vendor: ISC2
- Level: Expert
- Exam style: Adaptive multiple-choice (CAT)
- Prep hours (median): ~250 hours
- Exam cost (USD): $749
- Difficulty: 4/5
Pursue this if…
- You are moving into or already in security leadership, architecture or GRC.
- You need the credential that gets you into board- and budget-level conversations.
- You have (or are accruing) five years across two-plus CISSP domains.
- You are targeting DoD 8570/8140 IAT III, IAM I–III, IASAE or CSSP-Manager roles.
What you actually sit.
Computer-Adaptive Test (English): 100–150 questions, 3 hours, 700/1000 cut score. Linear format (other languages): 250 questions, 6 hours. Question pool blends multiple-choice with advanced innovative items (drag-and-drop, hotspot).
Where you should be before you book.
- Five years of cumulative paid full-time work experience in two or more of the eight CISSP CBK domains (one year waivable with an approved degree or cert)
- Endorsement by an active ISC2 member after passing the exam
- Agreement to the ISC2 Code of Ethics
What is on the exam.
A study plan you can actually follow.
- Read the official body of knowledge: Work the Sybex CISSP Official Study Guide (9th ed.) cover to cover. CISSP is a mile wide — you cannot skip a domain.
- Reframe how you answer: Practise picking the 'best' managerial answer, not the technically correct one. The Tia Hopkins / Destination Certification 'think like a manager' material is the canonical fix for engineers.
- Grind 2,000+ practice questions: Use Boson ExSim and Pocket Prep until you are consistently above 80%. Review every wrong answer's reasoning, not just the right option.
- Book the CAT exam, then endorse: Pass the adaptive exam (it may stop at 100 questions), then secure endorsement from an active ISC2 member. Without five years' experience you become an Associate of ISC2 while you accrue it.
Where this cert opens doors.
From the operator side of the desk.
Our consulting leads and engagement managers hold CISSP because clients expect it for the people writing their security strategy, reviewing their SOC 2 controls, or briefing their board. We do not require CISSP for hands-on operators — that floor is OSCP — but anyone leading a multi-stream programme (red-team-as-a-service, virtual CISO retainers, M&A diligence) needs the breadth CISSP forces you to cover.
Questions people ask before booking.
How hard is CISSP, really?
Harder than people expect. It is not about memorising facts — every answer is plausible and you must pick the 'best' answer from a manager's perspective. The CAT format is brutal: it can end at question 100 (pass or fail) and you will not know which. Plan on 200–300 study hours, an official study guide (Sybex CISSP, 9th edition), the Tia Hopkins YouTube series, and at least 2,000 practice questions from Boson or Pocket Prep before booking.
Can I sit the exam without the five years of experience?
Yes — you take the exam, pass, and become an 'Associate of ISC2' for up to six years while you accrue the experience. Once endorsed by an active ISC2 member with the requisite work history, you become a full CISSP. The exam fee and content are identical.
CISSP vs CISM — which one?
CISSP is broader, more technical and more globally recognised. CISM is laser-focused on security governance and management, which makes it the preferred cert for CISO and audit-committee-facing roles in some regions. If you are picking one, CISSP opens more doors. Many security leaders hold both — CISSP for breadth, CISM for the governance-only audiences.
Is CISSP useful for a hands-on penetration tester?
Not for the testing itself — CISSP is governance, risk, architecture and policy. It is useful if you are moving from delivery into consulting leadership, building a security practice, or having board-level conversations about pentest outcomes. Pure operators rarely benefit; senior consultants and practice leads do.
What is the ongoing cost?
Annual maintenance fee of USD 135 plus 120 Continuing Professional Education (CPE) credits over a three-year cycle (40 per year minimum). Credits come from reading, training, conferences, authoring or chapter activity. Failure to maintain CPEs suspends the credential.
Need a qualified team to deliver the engagement?
We can field operators with CISSP (and the rest of the stack — OSCP, OSEP, CISM) on engagements in 5 to 10 working days. The Letter of Attestation includes the lead tester's credentials so your auditor can verify them.