The cybersecurity workforce gap hit 4.8 million unfilled positions globally in 2024, according to ISC2’s workforce research (and employers filling senior roles keep landing on the same credential: CISSP. It’s not the easiest path, and it’s not cheap. But for experienced practitioners targeting leadership, architecture, or governance roles, it’s the closest thing the industry has to a universal signal of senior-readiness.

What Is CISSP Certification?

The Certified Information Systems Security Professional is the flagship credential from ISC2, a non-profit founded in 1989. CISSP launched in 1994 and has grown to more than 165,000 certified professionals worldwide. The exam content was most recently refreshed on April 15, 2024, following ISC2’s standard Job Task Analysis cycle.

What sets CISSP apart isn’t any single domain (it’s the breadth. The credential spans eight domains, from cryptography and network architecture to governance, risk, and software security. That vendor-neutral, enterprise-wide scope is exactly what employers need when hiring Security Architects, CISOs, and Security Managers. It’s also why the DoD requires it under Directive 8140 for IAT Level III and IAM Levels II and III roles (government contractors don’t treat it as optional.

Who Should Get CISSP Certified?

CISSP fits four professional profiles well.

Security engineers moving into architecture or management. If you’ve spent five or more years implementing controls and you’re ready to own the strategy behind them, CISSP validates that transition in language hiring managers recognize.

IT managers inheriting security accountability. As organizations collapse IT and security leadership into single roles, CISSP gives managers the formal credential to back the responsibility they’re already carrying.

Government and defense contractors. DoD 8140 compliance makes CISSP effectively mandatory for several IAT and IAM billets. If you’re working toward those contracts, it’s not optional.

Experienced analysts targeting senior roles. Mid-career professionals with five years across multiple domains who want to accelerate toward CISO, Security Architect, or Senior Consultant tracks will find CISSP opens doors that experience alone doesn’t.

Who shouldn’t pursue it: entry-level candidates who don’t yet meet the five-year requirement, professionals focused purely on hands-on offensive or technical work (OSCP or CASP+ fit better there), and anyone unwilling to sustain the ongoing CPE and annual maintenance commitments.

CISSP Exam Domains and Weights

The CISSP exam covers eight domains (and how you weight your study time matters. Domain 1 (Security and Risk Management) carries the heaviest load at 16%, while four domains sit at 13% each, collectively making up most of the exam. The widget below shows every domain, its weight, and the specific topics you’ll need to understand (including what changed in the 2024 refresh.

CISSP Exam Cost, Format, and Pass Score

The CISSP uses Computerized Adaptive Testing (CAT) for English exams (125 to 175 questions in three hours, with a passing score of 700 out of 1,000. The exam fee is $749 USD (€710 in Europe, £625 in the UK), and retakes cost the same. Add study materials, training, and the $135 annual maintenance fee, and your total investment depends heavily on the prep path you choose. The widget breaks it all down.

CISSP Salary and Job Outlook 2026

The BLS projects information security analyst employment will grow 33 percent from 2023 to 2033 (roughly eight times faster than the average occupation. PayScale data puts the CISSP median at $125,000, with experienced practitioners in senior roles reaching well above $188,000 according to ISC2’s own compensation data. Finance, healthcare, government, and technology lead hiring. The widget maps the full salary landscape by role and industry.

CISSP Requirements: Experience and Eligibility

The five-year minimum is real, and it matters. You need cumulative, paid, full-time experience in at least two of the eight CISSP domains (not adjacent IT work, not internships. ISC2 is specific.

Two substitutions can reduce that to four years. A qualifying four-year degree covers one year. Holding an ISC2-approved credential covers another year (note: ISC2 revised its approved credential list significantly in April 2026, removing several previously accepted certifications (verify the current list directly on ISC2’s site before assuming your credential qualifies).

If you pass the exam before you’ve satisfied the experience requirement, you don’t lose the attempt. You become an Associate of ISC2, with up to six years to accumulate the required experience and earn full certification. That path makes sense for candidates who are one or two years short but want to lock in the exam result.

Be honest with yourself about the experience threshold. Candidates who stretch their domain coverage to qualify often struggle with the exam’s applied reasoning questions (the exam tests judgment built from real practice, and that’s hard to fake.

How to Study for CISSP: Resources and Study Plan

Most successful candidates invest between 150 and 250 study hours (with timelines ranging from two to three months for seasoned practitioners to six or more months for career changers, per ISC2’s exam preparation guidance. The core decision is self-study versus structured training. The resource navigator below filters official and third-party options by format and budget; the study plan builder creates a weekly schedule from your target date.

What Changed in the CISSP 2024 Update

The April 15, 2024 refresh kept the eight-domain structure intact but made targeted content additions that reflect where enterprise security has moved. The biggest changes: Secure Access Service Edge (SASE), microservices and containerization security, quantum key distribution, and an expanded treatment of Zero Trust architecture all entered the curriculum, per ISC2's exam refresh FAQ. Supply Chain Risk Management received broader coverage in Domain 1.

On the removal side, Li-Fi was dropped from Domain 4, and specific authentication protocol listings in Domain 5 were consolidated into broader conceptual frameworks.

Domain weighting shifted slightly: Security and Risk Management moved from 15% to 16%, and Software Development Security dropped from 11% to 10%. For candidates, the practical takeaway is that older study materials from the May 2021 version are mostly still usable for foundational concepts, but you'll want 2024-edition resources for the new content areas. Study materials published before April 2024 won't cover SASE, quantum key distribution, or the updated SCRM content. The next major refresh is anticipated around April 2027.

How AI Is Changing Cybersecurity Careers

AI is automating the routine end of security work (threat log triage, pattern-based detection, initial incident classification. That's real, and it's already happening inside most enterprise SOC environments. What it isn't doing is replacing the judgment required for policy development, risk governance, or architectural decision-making.

For CISSP candidates, the shift actually reinforces the credential's value. As AI handles lower-level detection tasks, employers are moving faster to hire professionals who can manage AI-integrated security programs, interpret AI-generated threat intelligence in business context, and make governance decisions that AI tools can't make. The 2024 curriculum update's emphasis on Zero Trust architecture, SCRM, and cloud-native security reflects exactly this direction.

The concern worth taking seriously is AI-enabled attacks (deepfakes, AI-assisted social engineering, and automated vulnerability exploitation are raising the floor on what "sophisticated threat" means. That's a skills challenge, but it's also a hiring signal: organizations facing those threats need people with CISSP-level strategic expertise, not more automated tooling.

Is CISSP Worth It in 2026?

Yes (for experienced practitioners targeting senior roles. The salary premium, DoD mandate, and global recognition make the ROI case straightforward. CISM is the most direct competitor: it's more management-focused and somewhat less demanding, but CISSP consistently commands higher median compensation. The widget runs a full head-to-head comparison across salary, difficulty, job market demand, and career fit.

How to Get CISSP Certified: Step by Step

1. Confirm you meet the five-year experience requirement across at least two domains (or identify your substitution path).
2. Study with 2024-edition materials (plan 150 to 250 hours depending on your experience gaps.
3. Register for the exam through Pearson VUE via ISC2's site and pay the $749 fee.
4. Pass the CAT exam (125 to 175 questions, 3 hours, 700/1000 passing score).
5. Complete the endorsement process (a current CISSP holder must verify your experience within nine months of passing.
6. Pay the $135 annual maintenance fee and earn 120 CPE credits over each three-year cycle to keep the credential active.

The CISSP isn't a credential you earn and shelve (it's a commitment to staying current in a field that changes constantly. For the right candidate, it's also one of the clearest signals you can send to a hiring manager. Start with the official ISC2 CISSP page and the TechJacks certification hub for deeper resources on every section above.

Reference Resource List

1. ISC2 CISSP Certification Overview
2. ISC2 CISSP Experience Requirements
3. ISC2 CISSP Exam Refresh FAQ (April 2024)
4. ISC2 (30th Anniversary of CISSP Press Release
5. ISC2 CISSP Salary Data
6. ISC2 (All ISC2 Certifications Approved Under DoD 8140
7. ISC2 Cybersecurity Workforce Study 2025
8. ISC2 (Preparing for the CISSP Exam
9. PayScale (CISSP Certified Salary
10. ISC2 Official CISSP Study Guide, 10th Edition (Wiley/Sybex)
11. ISC2 Official CISSP Practice Tests (Wiley/Sybex)
12. Boson ExSim-Max for CISSP
13. Cybrary (Kelly Handerhan CISSP Course
14. ISC2 TV Self-Study Resources
15. ISACA CISM Credential
16. CompTIA SecurityX (CASP+)
17. ISC2 CCSP Certification