Skip to content
CertiGuard

Search

Type a word like "security+" or "ccna". Search runs on the published site.

ISC2

ISC2 CISSP: Cost, Exam Format, and the 5-Year Experience Requirement

By Mario Bailey, Editor

Facts last verified against official sources: 2026-07-06

ISC2 CISSP costs $749 per exam attempt at ISC2's published price, verified 2026-07-06. Renewal: valid 3 years; 120 CPE credits (90 minimum Group A) plus a mandatory $135/year Annual Maintenance Fee.

Occupation context

$129,180

BLS median, Information Security Analysts (May 2025)

190,650 people employed nationally

Salary figures are U.S. Bureau of Labor Statistics medians for the occupation shown, not a measured premium for holding this certification. No one publishes causal cert premiums; anyone quoting one is guessing.

How to prepare

Recommended resources

Supplementary reference, not a recommendation ranking. Nothing here changes how this certification is scored or described.

Some study-resource and course links are affiliate links. If you buy through them we may earn a commission at no extra cost to you. This never affects which certification we recommend or how we describe it.

CISSP is the credential that shows up as a hard requirement on senior security job postings, and it is also the one most people underestimate on the way in, because the barrier is not the exam itself but the five years of real work experience standing in front of it. This page covers what that experience requirement actually demands, what the exam costs and tests, the exact eight domains and their weights, and what nine years of renewal runs.

Who this cert is actually for

CISSP is aimed at people already deep into a security career: security managers, architects, and senior analysts who need a credential that signals broad expertise across governance, architecture, and operations rather than deep tactical skill in one narrow area. ISC2 requires a minimum of five years of cumulative, full-time, paid experience across two or more of the eight CISSP domains before the certification is awarded, and one of those five years can be waived by an approved four-year degree or another ISC2-approved credential. Part-time work and internships count toward the total under ISC2’s stated rules, but the underlying experience has to be real security work, not adjacent IT experience alone.

If you do not yet have that experience, ISC2 offers the Associate of ISC2 path: pass the CISSP exam now, and you become an Associate of ISC2 with six years to accumulate the required five years of experience and convert to full CISSP status. That path exists specifically so people early in their careers can lock in the exam pass before their skills and study fade, without pretending they already have senior-level experience they do not.

Skip CISSP entirely if you are still early career; the exam content assumes you have already lived the material, and a rushed attempt without the underlying experience tends to fail even for strong test-takers. Build toward it with Security+ or CySA+ first, and treat CISSP as the destination, not a shortcut past the years it is designed to certify; Security+ vs CISSP maps the distance between that starting rung and this one. CISSP holders eyeing a cloud-security or governance specialization can lean on it directly: an active CISSP substitutes for CCSP’s entire experience requirement, and only trims CISM’s by two years; CISSP vs CCSP and CISSP vs CISM cover both moves.

What it costs all-in

The exam is $749 direct from ISC2, the highest single voucher price this site tracks, and there is no discount tier or free retake. A failed attempt costs the same $749 again, which makes CISSP the certification where skipping practice exams is the most expensive mistake available. ISC2 also charges the $135 Annual Maintenance Fee (AMF) the moment your certification activates, even in year one, so the honest first-year cost is closer to $884 before any study materials.

Free and low-cost prep exists but matters more here than for entry-level exams, because the material spans eight broad domains rather than one narrow skill set. ISC2’s own exam outline functions as the syllabus. A well-regarded CISSP study guide runs $40 to $60, a video course from a recognized CISSP instructor runs $20 to $50 on sale, and a dedicated CISSP practice-question bank in the $30 to $60 range is worth the money, since the CAT format punishes candidates who have only read about a domain and never been tested on scenario-based judgment calls within it. A realistic self-study budget is $749 for the voucher plus $100 to $170 in prep, before the AMF. See how that all-in figure compares to every other credential on the ROI Index.

The exam itself

CISSP uses computerized adaptive testing (CAT): the exam serves between 100 and 150 questions over a maximum of 3 hours, and the number of questions you actually answer depends on how the adaptive algorithm calibrates your performance as you go, not a fixed count set in advance. Questions mix standard multiple-choice with ISC2’s advanced interactive item types. A passing result is a scaled score of 700 out of 1,000 points. ISC2 does not publish a pass rate, so any specific percentage circulating in prep forums is not a verified figure.

The exam covers exactly eight domains, and getting the count wrong is an easy mistake to make since some competitor and legacy references describe a different structure. The current weights are: Security and Risk Management (16 percent, the largest single domain and the one covering governance, law, and policy), Asset Security (10 percent), Security Architecture and Engineering (13 percent), Communication and Network Security (13 percent), Identity and Access Management, IAM (13 percent), Security Assessment and Testing (12 percent), Security Operations (13 percent), and Software Development Security (10 percent). Those eight weights sum to exactly 100 percent, and Security and Risk Management’s 16 percent share reflects how much of the exam is governance and risk judgment rather than pure technical configuration, a common surprise for candidates who assumed CISSP would test like a hands-on technical exam.

Renewal math over 9 years

CISSP is valid for three years, so nine years covers three renewal cycles. Each cycle requires 120 CPE (continuing professional education) credits, with a minimum of 90 of those from Group A (domain-specific activity) and up to 30 from Group A or B combined (Group B covering broader professional development). ISC2 recommends pacing that at roughly 40 CPEs a year so the requirement never becomes a year-three scramble.

The AMF is the fixed cost that runs regardless of how efficiently you gather CPEs: $135 a year, every year, which is $405 per three-year cycle and $1,215 across nine years. Unlike CompTIA, where earning a higher certification can auto-renew a lower one and waive its fee, ISC2 charges one AMF total across all ISC2 certifications you hold, so stacking additional ISC2 credentials does not multiply the fee, but it also does not reduce it below $135 a year. Budget the full $1,215 in AMF over nine years as a fixed cost of holding this credential, separate from and in addition to whatever CPE-gathering activities you pursue for free or for a fee.

Nine-year cost of ownership: about $1,964 before prep, the $749 exam plus $1,215 in Annual Maintenance Fees across nine years, the highest true cost of ownership on this site. Unlike CompTIA or Cisco, no higher credential erases the AMF; it bills $135 a year regardless of what else you hold. Add $100 to $170 in prep and the honest first-decade total runs $2,064 to $2,134. Certification renewal costs explained sets that against every other credential.

What it does for the occupation you are entering

CISSP maps to the information security analyst occupation (BLS code 15-1212), though in practice CISSP holders often work in roles the BLS occupational structure does not break out separately, such as security architect or CISO-track management. The panel on this page shows the current national median wage and headcount for the broader occupation; read that as a description of the field CISSP sits atop, not a specific salary this certificate pays out. The Bureau of Labor Statistics projects the information security analyst occupation to keep growing much faster than average, and CISSP’s role in that growth is as a screening credential: it clears keyword filters on senior postings and signals to a hiring committee that a candidate has both the tested knowledge and the verified experience the title demands. What it does not do is set your pay; that depends on the specific role, region, and experience you bring beyond the certificate.

Common mistakes

Attempting the exam before the experience exists. CISSP’s content assumes lived experience across multiple domains, and candidates who cram the material without having done the work tend to struggle with the judgment-based scenario questions even when they know the definitions cold. The Associate of ISC2 path exists for exactly this situation; use it rather than waiting or over-claiming experience you do not have.

Underestimating Security and Risk Management. At 16 percent, the largest domain is policy, law, ethics, and governance, not the hands-on technical material many candidates expect to dominate a security exam. Study time should roughly track the domain weights, not just personal interest in the technical domains.

Ignoring the AMF until a lapse notice arrives. At $135 a year with no grace period built into the fee itself, letting the AMF go unpaid can put a hard-earned certification into suspended status. Pay it on the anniversary date it is due, and log CPEs steadily across the three-year cycle rather than in a last-month rush.

Pay less for this exam

The legitimate ways to pay under list price for ISC2 CISSP, verified in the discounts guide. No coupon codes, no gray-market vouchers.

  • Served in the military? The GI Bill reimburses approved certification tests up to $2,000 per test (check the VA's approved list before booking), and VR&E can cover costs directly for eligible veterans.
  • Employed? Ask about certification reimbursement before you pay anything; many employers cover the exam outright or on a pass, and some cover renewals.
  • Vendors announce price increases ahead of time and vouchers stay valid for months, so a ready candidate can buy at the old price; increases land in the price watch as we verify them.

Check which discounts you qualify for →

Quick answers

How much does ISC2 CISSP cost?
ISC2 CISSP costs $749 per exam attempt at ISC2's published price. Legitimate ways to pay less are covered in the pay-less section on this page.
Does ISC2 CISSP expire?
Per ISC2's published terms: valid 3 years; 120 CPE credits (90 minimum Group A) plus a mandatory $135/year Annual Maintenance Fee.
How do you renew ISC2 CISSP?
The verified renewal terms: valid 3 years; 120 CPE credits (90 minimum Group A) plus a mandatory $135/year Annual Maintenance Fee. The renewal-costs guide compares what each model costs over nine years, and the true-cost calculator prices this certification over your own horizon.
How long is the ISC2 CISSP exam?
ISC2's published format: 100 to 150 questions (CAT), 3 hours, multiple-choice + advanced item types; pass scaled at 700/1000.
What is the ISC2 Annual Maintenance Fee (AMF) for CISSP?
US $135 per year, due on the anniversary of your certification date. ISC2 charges one combined AMF across all of its full certifications, so adding CCSP or another ISC2 credential does not add a second fee. The AMF is mandatory and separate from the 120 CPE credits each 3-year cycle requires.

Every figure above comes from the verified facts panel on this page; see the true-cost calculator for multi-year math and renewal costs explained for the four renewal models.

General information, not career or financial advice

CertiGuard documents costs, exam mechanics, and public salary data. Whether a certification pays off for you depends on your market, employer, and experience. Treat this as a starting point, not a promise.

Official sources

Cite this page