Your Guide to (ISC)² Cybersecurity Exams
(ISC)² offers a range of globally recognized cybersecurity certifications, each validated by a specific exam. This page focuses on the details of the exams themselves – exploring their intended candidates, core knowledge areas, structure, and domain weightings. For information on the full certification requirements (including experience), please see our dedicated (ISC)² Certifications page.
Understanding which (ISC)² exam aligns with your experience level and career goals is the first step towards earning a valuable credential. Here's an overview of the primary exams offered by (ISC)², including the specific knowledge domains and their approximate weighting in the exam.
Foundational Level Exam
Certified in Cybersecurity (CC) Exam
This entry-level exam is ideal for individuals starting their cybersecurity careers, including IT professionals seeking to specialize, career changers, and students. It validates foundational knowledge across core cybersecurity concepts, providing a verified baseline understanding of security principles, terminology, and practices.
Exam Domains & Weightings:
| Domain | Weighting (%) |
|---|---|
| 1. Security Principles | 26% |
| 2. Business Continuity (BC), Disaster Recovery (DR) & Incident Response | 10% |
| 3. Access Controls Concepts | 22% |
| 4. Network Security | 24% |
| 5. Security Operations (SecOps) | 18% |
Practitioner & Advanced Level Exams
CISSP: Certified Information Systems Security Professional Exam
Considered the gold standard, the CISSP exam targets experienced security practitioners, managers, and executives. It assesses the broad technical and managerial knowledge required to design, engineer, and manage an organization's overall security posture, demonstrating comprehensive cybersecurity leadership and operational expertise. The English version uses Computerized Adaptive Testing (CAT).
Exam Domains & Weightings:
| Domain | Weighting (%) |
|---|---|
| 1. Security and Risk Management | 15% |
| 2. Asset Security | 10% |
| 3. Security Architecture and Engineering | 13% |
| 4. Communication and Network Security | 13% |
| 5. Identity and Access Management (IAM) | 13% |
| 6. Security Assessment and Testing | 12% |
| 7. Security Operations | 13% |
| 8. Software Development Security | 11% |
SSCP: Systems Security Certified Practitioner Exam
The SSCP exam is designed for IT administrators, managers, directors, and network security professionals with hands-on technical experience in operational security. It validates the practical skills needed to implement, monitor, and administer IT infrastructure according to security best practices, policies, and procedures, showing proficiency in the operational aspects of cybersecurity.
Exam Domains & Weightings:
| Domain | Weighting (%) |
|---|---|
| 1. Access Controls | 16% |
| 2. Security Operations and Administration | 15% |
| 3. Risk Identification, Monitoring, and Analysis | 15% |
| 4. Incident Response and Recovery | 14% |
| 5. Cryptography | 9% |
| 6. Network and Communications Security | 16% |
| 7. Systems and Application Security | 15% |
CCSP: Certified Cloud Security Professional Exam
The CCSP exam is aimed at experienced IT, information security, and engineering professionals involved in cloud security architecture, design, operations, and service orchestration. It requires strong cloud platform knowledge and assesses the advanced technical skills needed to design, manage, and secure cloud environments, demonstrating expert-level competency.
Exam Domains & Weightings:
| Domain | Weighting (%) |
|---|---|
| 1. Cloud Concepts, Architecture and Design | 17% |
| 2. Cloud Data Security | 20% |
| 3. Cloud Platform & Infrastructure Security | 17% |
| 4. Cloud Application Security | 17% |
| 5. Cloud Security Operations | 16% |
| 6. Legal, Risk and Compliance | 13% |
CGRC: Certified in Governance, Risk and Compliance Exam (Formerly CAP)
This exam targets professionals responsible for authorizing and maintaining information systems within specific frameworks (such as RMF and FedRAMP). It assesses expertise in IT risk management, system authorization processes, and maintaining security compliance, validating skills critical for roles focused on governance and adherence to standards.
Exam Domains & Weightings:
| Domain | Weighting (%) |
|---|---|
| 1. Information Security Risk Management Program | 13% |
| 2. Scope of the Information System | 11% |
| 3. Selection and Approval of Security and Privacy Controls | 14% |
| 4. Implementation of Security and Privacy Controls | 14% |
| 5. Assessment/Audit of Security and Privacy Controls | 14% |
| 6. Authorization/Approval of Information System | 10% |
| 7. Continuous Monitoring | 24% |
CSSLP: Certified Secure Software Lifecycle Professional Exam
The CSSLP exam is for software developers, engineers, architects, testers, and managers involved in the software development lifecycle (SDLC). It validates the advanced knowledge required to integrate security practices throughout each phase of software development, demonstrating expertise in building secure software and mitigating vulnerabilities.
Exam Domains & Weightings:
| Domain | Weighting (%) |
|---|---|
| 1. Secure Software Concepts | 10% |
| 2. Secure Software Requirements | 14% |
| 3. Secure Software Architecture and Design | 14% |
| 4. Secure Software Implementation | 14% |
| 5. Secure Software Testing | 14% |
| 6. Secure Software Lifecycle Management | 11% |
| 7. Secure Software Deployment, Operations, Maintenance | 12% |
| 8. Secure Software Supply Chain | 11% |
CISSP Concentration Exams
Note: Passing the CISSP exam is a prerequisite for pursuing these concentrations.
ISSAP: Information Systems Security Architecture Professional Exam
This concentration is for CISSPs working as chief security architects or analysts. The ISSAP exam focuses on advanced architecture competencies such as identity management, security operations architecture, and infrastructure security, proving elite skills in designing and developing security architecture programs.
Exam Domains & Weightings:
| Domain | Weighting (%) |
|---|---|
| 1. Architecture for Governance, Compliance, and Risk Management | 16% |
| 2. Security Architecture Modeling | 15% |
| 3. Infrastructure Security Architecture | 19% |
| 4. Identity and Access Management (IAM) Architecture | 17% |
| 5. Architect for Application Security | 15% |
| 6. Security Operations Architecture | 18% |
ISSEP: Information Systems Security Engineering Professional Exam
The ISSEP exam is aimed at CISSPs in roles such as senior systems engineer or information assurance officer, particularly in the government and defense sectors. It covers advanced security engineering principles, including design, implementation, validation, and technical management, validating deep expertise in integrating security into systems engineering.
Exam Domains & Weightings:
| Domain | Weighting (%) |
|---|---|
| 1. Security Engineering Principles | 17% |
| 2. Risk Management | 17% |
| 3. Security Planning, Design, and Implementation | 25% |
| 4. Secure Operations, Maintenance, and Disposal | 20% |
| 5. Systems Engineering Technical Management | 21% |
ISSMP: Information Systems Security Management Professional Exam
The ISSMP exam is designed for CISSPs in upper management (CISO, CTO, senior security executives). It assesses high-level management skills, including security leadership, program and risk management, incident response, and business continuity planning, demonstrating strategic cybersecurity management capabilities.
Exam Domains & Weightings:
| Domain | Weighting (%) |
|---|---|
| 1. Leadership and Business Management | 22% |
| 2. Systems Lifecycle Management | 18% |
| 3. Risk Management | 18% |
| 4. Threat Intelligence and Incident Management | 17% |
| 5. Contingency Management | 15% |
| 6. Technical Management | 10% |
General (ISC)² Exam Information
Most (ISC)² exams consist of multiple-choice questions. Some, notably the English CISSP exam, employ Computerized Adaptive Testing (CAT), where question difficulty adjusts based on your performance. The exam duration and the total number of questions vary considerably depending on the specific exam and whether it uses a linear or CAT format. Exams are administered globally through Pearson VUE testing centers, and many are available in multiple languages. Always consult the official (ISC)² website for the most current details for each specific exam.
Preparing for Your (ISC)² Exam
Effective preparation is crucial for passing your chosen (ISC)² exam. Leverage official resources such as (ISC)² Study Guides and Training (both instructor-led and self-paced options are often available). Utilize official practice exams to assess your readiness and pinpoint areas needing more focus. Make sure to thoroughly review the specific exam outline, paying attention to domain weighting as shown in the tables above. Engaging with study groups or online communities can also provide valuable support and shared knowledge.
Disclaimer: Exam details, including domain names and weightings, format, length, and question counts, are subject to change by (ISC)². The percentages listed above are based on information available at the time of writing and should be verified. Always refer to the official (ISC)² website for the most up-to-date and accurate information before registering for an exam.
Frequently Asked Questions
The Certified in Cybersecurity (CC) exam is specifically designed as the entry-level option. It is ideal for those starting their careers, changing fields, or needing to demonstrate foundational cybersecurity knowledge, and the exam has no prior experience requirement.
The CISSP exam targets experienced cybersecurity professionals, managers, and executives, covering a broad range of strategic and operational security domains from a leadership perspective. The SSCP exam focuses on the hands-on, technical skills needed by practitioners who securely implement, monitor, and administer IT infrastructure. Think of CISSP as broader and more strategic, while SSCP is more technical and operational.
You generally do not need work experience to sit for most (ISC)² exams (like CISSP, SSCP, CCSP, etc.). However, to earn the full certification after passing the exam, you will need to prove you have the required relevant, paid work experience and complete the endorsement process. The CC certification is an exception, requiring no experience to become certified. The CISSP concentration exams (ISSAP, ISSEP, ISSMP) require you to have already held the CISSP certification. Always check the specific certification requirements on our (ISC)² Certifications page or the official (ISC)² website.
Difficulty is subjective, but (ISC)² exams are generally considered challenging and comprehensive, designed to validate significant knowledge and skills. The CISSP exam is widely regarded as one of the most rigorous cybersecurity exams due to its breadth, depth, and the adaptive testing format (CAT) used for the English version. Success typically requires dedicated study and often relevant professional experience. Other exams like SSCP, CCSP, and CGRC are also demanding within their respective focus areas. Preparation is key.
CAT is an exam format used for the English-language CISSP exam (and potentially others). Instead of presenting a fixed set of questions, the algorithm selects the difficulty of the next question based on your previous answers. If you answer correctly, you may get a harder question; if incorrectly, an easier one. The exam ends when the system is confident (to a 95% statistical level) that you are above or below the passing standard. As a result, CAT exams typically have a variable number of questions and different time limits compared to linear exams.
Exam fees vary depending on the specific exam and sometimes the region. For example, the CISSP exam fee is different from the CCSP or SSCP fee. Prices are subject to change. You should always check the official (ISC)² website for the current exam pricing before registering.
(ISC)² exams are administered globally through Pearson VUE testing centers. You will need to schedule your exam appointment through the Pearson VUE website after obtaining authorization from (ISC)².
Passing the exam is the first major step! After receiving notification that you've provisionally passed, you typically need to:
- Complete the Endorsement Process: Have your application endorsed by an existing (ISC)² certified professional in good standing who can attest to your experience (not required for CC).
- Agree to the (ISC)² Code of Ethics.
- Pay your first Annual Maintenance Fee (AMF) (not required for CC).
Once these steps are completed, you officially earn the certification. See our (ISC)² Certifications page for more details on the post-exam process.