
CISSP (Certified Information Systems Security Professional)

What is CISSP?

The CISSP (Certified Information Systems Security Professional) certification has become a prerequisite for anyone looking to make a career in information security. The CISSP certification provides information security professionals with an objective measure of competence and a globally recognised standard of achievement. The CISSP credential suits mid- and senior-level managers who are working towards, or have already attained, positions such as CISO, CSO or Senior Security Engineer.

CISSP is developed and maintained by (ISC)², the International Information Systems Security Certification Consortium, a not-for-profit organisation that developed an information security common body of knowledge (CBK) which is divided into 10 domains, and a certification programme for information systems security professionals. There are pre-qualification requirements in terms of professional experience.

CISSP Common Body of Knowledge (CBK) 2015

From 15 April 2015 the Official (ISC)² CISSP CBK will be refreshed to reflect the significant updates in the technical and managerial competence required to effectively design, engineer, implement and manage an organisation's information security programme.

Please note that the CISSP Accelerated Training Programme scheduled on 9-13 Feb will be based on the requirements of the current CISSP CBK (2012 version). From 27 April onwards, all courses will be based on the refreshed CISSP CBK (2015 version).

New CISSP CBK (2015) Knowledge Domains

  • Security and Risk Management (Security, Risk, Compliance, Law, Regulations, Business Continuity)
  • Asset Security (Protecting Security of Assets)
  • Security Engineering (Engineering and Management of Security)
  • Communications and Network Security (Designing and Protecting Network Security)
  • Identity and Access Management (Controlling Access and Managing Identity)
  • Security Assessment and Testing (Designing, Performing, and Analysing Security Testing)
  • Security Operations (Foundational Concepts, Investigations, Incident Management, Disaster Recovery)
  • Software Development Security (Understanding, Applying, and Enforcing Software Security)


CISSP training courses

The CISSP certification is gained by passing a rigorous official exam. Candidates must register directly with (ISC)² and select their nearest exam centre.

The most common method of preparing for the CISSP certification is to attend a classroom training course. The CISSP Accelerated Training Programme provides an intensive, in-depth training course that has consistently achieved a 95% pass rate in the CISSP exam.

Classroom training is not, however, mandatory. Provided the registration requirements described below are met, anyone can sit the CISSP exam. There are a number of training aids, books and online e-learning courses specifically designed to help you pass the exam:

The 10 Domains of the CISSP CBK

CISSP is divided into 10 areas or domains, known collectively as the Common Body of Knowledge (CBK). These domains are:

  • CISSP Domain 1) Security Management Practices
    • Types of Security Controls
    • Security Policies, Standards, Procedures, and Guidelines
    • Risk Management and Analysis
  • CISSP Domain 2) Access Control Systems
    • Identification, Authentication, and Authorization Technologies
    • Discretionary versus Mandatory Access Control Models
    • Rule-based and Role-based Access Control
  • CISSP Domain 3) Telecommunications and Network Security
    • TCP/IP Suite
    • LAN, MAN, and WAN Topologies and Technologies
    • Firewall Types and Architectures
  • CISSP Domain 4) Cryptography
    • Block and Stream Ciphers
    • Explanation and Uses of Symmetric Key Algorithms
    • Explanation and Uses of Asymmetric Key Algorithms
  • CISSP Domain 5) Security Architecture and Models
    • Critical Components of Every Computer
    • Access Control Models
    • Certification and Accreditation
  • CISSP Domain 6) Operations Security
    • Operations Department Responsibilities
    • Personnel and Roles
    • Media Library and Resource Protection
  • CISSP Domain 7) Application and System Development
    • Software Development Models
    • Database Models
    • Relational Database Components
  • CISSP Domain 8) Business Continuity and Disaster Recovery
    • Planning
    • Roles and Responsibilities
    • Liability and Due Care Issues
    • Business Impact Analysis
  • CISSP Domain 9) Law, Investigation and Ethics
    • Privacy Laws and Concerns
    • Complications of Computer Crime Investigation
    • Types of Evidence and How to Collect It
  • CISSP Domain 10) Physical Security
    • Facility Location and Construction Issues
    • Physical Vulnerabilities and Threats
    • Fencing, Lighting, and Perimeter Protection

CISSP Professional Experience Requirements

CISSP candidates must meet the following requirements to qualify to sit for the examination:

  • Subscribe to the (ISC)² Code of Ethics; and
  • Have a minimum five years of direct full-time security professional work experience in two or more of the ten domains of the information systems security CBK® as described above.

CISSP professional experience includes:

  • Work requiring special education or intellectual attainment, usually including a liberal education or college degree.
  • Work requiring habitual memory of a body of knowledge shared with others doing similar work.
  • Management of projects and/or other employees.
  • Supervision of the work of others while working with a minimum of supervision of oneself.
  • Work requiring the exercise of judgment, management decision-making, and discretion.
  • Work requiring the exercise of ethical judgment (as opposed to ethical behaviour).
  • Creative writing and oral communication.
  • Teaching, instructing, training and the mentoring of others.
  • Research and development.
  • The specification and selection of controls and mechanisms (i.e. identification and authentication technology); this does not include the mere operation of these controls.
  • Applicable titles such as officer, director, manager, leader, supervisor, analyst, designer, cryptologist, cryptographer, cryptanalyst, architect, engineer, instructor, professor, investigator, consultant, salesman, representative, etc. Titles may include programmer. They may include administrator, except where it applies to one who simply operates controls under the authority and supervision of others. Titles with the words "coder" or "operator" are likely excluded.

Waiver of experience: if certain circumstances apply, and with appropriate documentation, candidates are eligible to waive a maximum of two years of professional experience as follows:

  • One year waiver of the professional experience requirement for education.
    Candidates can substitute a maximum of one year of the direct full-time security professional work experience described above if they have a four-year college degree or a Master's degree in information security from a US National Center of Academic Excellence in Information Security (CAEIAE) or regional equivalent. If you hold both a four-year degree and a Master's degree, you may only apply for a one-year waiver of experience.

  • One-year waiver of the professional experience requirement for holding an additional credential on the (ISC)² approved list.

Valid experience includes information systems (IS) security-related work performed as a practitioner, auditor, consultant, investigator or instructor which requires IS security knowledge and involves the direct application of that knowledge. The five years of experience must be the equivalent of actual full-time IS security work (not just IS security responsibilities for a five year period). This requirement is cumulative, however, and may have been accrued over a much longer period of time.

Continuing Professional Education (CPE)

All CISSPs are required to keep their knowledge current. There are a number of methods of doing this, including:

