Certified Information Systems Security Professional
Validates expertise across eight domains of information security including security and risk management, asset security, security architecture, network security, identity management, security assessment, security operations, and software development security. Requires five years of paid work experience and targets experienced practitioners in leadership roles such as CISOs, security architects, and security managers. The premier cybersecurity certification globally, accredited under ISO/IEC 17024 and approved by the U.S. DoD under DoDM 8140.03.
Exam domains
- Security and Risk Management (16%)
  - Understand, adhere to, and promote professional ethics (ISC2 Code of Ethics, organizational code of ethics).
  - Understand and apply security concepts (confidentiality, integrity, availability, authenticity, non-repudiation).
  - Evaluate, apply, and sustain security governance principles (alignment with business strategy, organizational processes, organizational roles and responsibilities, due care and due diligence).
  - Determine compliance and other requirements (contractual, legal, industry-standard and regulatory requirements; privacy requirements).
  - Understand legal and regulatory issues that pertain to information security in a holistic context (cybercrimes and data breaches, licensing and intellectual property requirements, import/export controls, transborder data flow, privacy).
  - Identify, analyze, assess, prioritize, and implement Business Continuity (BC) requirements (BIA; develop and document scope and plan).
  - Contribute to and enforce personnel security policies and procedures (candidate screening, employment agreements, onboarding/transfers/termination, vendor/consultant/contractor agreements, compliance policy requirements, privacy policy requirements).
  - Understand and apply risk management concepts (risk frameworks - NIST RMF SP 800-37, NIST SP 800-30 risk assessment, ISO 27005; risk identification/analysis/evaluation; countermeasure selection; applicable types of controls - preventive, detective, corrective, deterrent, recovery, compensating; control assessments - SCA; monitoring and measurement; reporting - risk register; continuous improvement - risk maturity model).
  - Understand and apply threat modeling concepts and methodologies (STRIDE, PASTA, DREAD, attack trees).
  - Apply Supply Chain Risk Management (SCRM) concepts (risks associated with hardware/software/services; third-party assessment and monitoring; minimum security requirements; service-level requirements; SBOM).
  - Establish and maintain a security awareness, education, and training program.
- Security Operations (13%)
Sources
Questions are grounded in 150 references from official and authoritative materials.
- SP 800-123, Guide to General Server Security | CSRC
- SP 800-55 Vol. 1, Measurement Guide for Information Security: Volume 1 — Identifying and Selecting Measures | CSRC
- SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations | CSRC
- SP 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems | CSRC