Certified Information Systems Security Professional Exam
Computerized adaptive test with 100-150 multiple-choice and advanced item questions.
- Type
- Written
- Delivery
- In person
- Duration
- 180 min
- Questions
- 150
Passing score: 700 Scaled score out of 1000
Exam sections
Security and Risk Management
The Security and Risk Management section covers governance structures, risk ownership, control selection, compliance evidence, policy alignment, audit readiness, and the way assurance activities support defensible management decisions. For Certified Information Systems Security Professional, this domain is normally tested through professional security judgment: candidates need to connect terminology with risk, architecture, control effectiveness, governance, and operational consequences across realistic enterprise environments.
Question notes
Weight: about 16% of the exam content for this certification. ISC2 questions commonly use scenario-based wording and may require choosing the most appropriate, most complete, or best-risk-aligned answer from several plausible options. For Security and Risk Management, expect governance, risk, compliance, audit, and assurance scenarios, with questions that may blend this objective with neighboring exam areas instead of isolating it as a standalone topic.
Preparation tips
When preparing for Security and Risk Management, use the official ISC2 exam outline as the checklist, then study enough surrounding context to explain why a control, design, policy, or operational action is appropriate in a specific scenario. Practice tracing a requirement from policy or regulation through risk assessment, control design, implementation evidence, monitoring, reporting, and management sign-off. Spend extra time on applied scenarios, because higher-level questions usually reward judgment, sequencing, and tradeoff analysis.
Asset Security
The Asset Security section covers information and asset classification, ownership, handling requirements, retention, privacy, protection levels, and the controls used to keep sensitive assets managed throughout their lifecycle. For Certified Information Systems Security Professional, this domain is normally tested through professional security judgment: candidates need to connect terminology with risk, architecture, control effectiveness, governance, and operational consequences across realistic enterprise environments.
Question notes
Weight: about 10% of the exam content for this certification. ISC2 questions commonly use scenario-based wording and may require choosing the most appropriate, most complete, or best-risk-aligned answer from several plausible options. For Asset Security, expect asset classification, information handling, ownership, privacy, retention, and protection-level scenarios, with questions that may blend this objective with neighboring exam areas instead of isolating it as a standalone topic.
Preparation tips
When preparing for Asset Security, use the official ISC2 exam outline as the checklist, then study enough surrounding context to explain why a control, design, policy, or operational action is appropriate in a specific scenario. Practice assigning asset owners, classifications, handling rules, retention expectations, and protection controls, then explain how those choices affect confidentiality, integrity, availability, and compliance. Spend extra time on applied scenarios, because higher-level questions usually reward judgment, sequencing, and tradeoff analysis.
Security Architecture and Engineering
The Security Architecture and Engineering section covers architecture principles, design constraints, dependency analysis, secure patterns, technology tradeoffs, resilience requirements, and the ability to justify design choices for business and operational needs. For Certified Information Systems Security Professional, this domain is normally tested through professional security judgment: candidates need to connect terminology with risk, architecture, control effectiveness, governance, and operational consequences across realistic enterprise environments.
Question notes
Weight: about 13% of the exam content for this certification. ISC2 questions commonly use scenario-based wording and may require choosing the most appropriate, most complete, or best-risk-aligned answer from several plausible options. For Security Architecture and Engineering, expect architecture and design scenarios with competing business, security, and operational constraints, with questions that may blend this objective with neighboring exam areas instead of isolating it as a standalone topic.
Preparation tips
When preparing for Security Architecture and Engineering, use the official ISC2 exam outline as the checklist, then study enough surrounding context to explain why a control, design, policy, or operational action is appropriate in a specific scenario. Compare several possible designs and explain why one better satisfies security, scalability, cost, maintainability, resilience, and compliance requirements. Spend extra time on applied scenarios, because higher-level questions usually reward judgment, sequencing, and tradeoff analysis.
Communication and Network Security
The Communication and Network Security section covers network design, segmentation, secure communications, traffic control, monitoring, remote connectivity, and the way infrastructure choices affect confidentiality, availability, and response capability. For Certified Information Systems Security Professional, this domain is normally tested through professional security judgment: candidates need to connect terminology with risk, architecture, control effectiveness, governance, and operational consequences across realistic enterprise environments.
Question notes
Weight: about 13% of the exam content for this certification. ISC2 questions commonly use scenario-based wording and may require choosing the most appropriate, most complete, or best-risk-aligned answer from several plausible options. For Communication and Network Security, expect network security and secure communications scenarios, with questions that may blend this objective with neighboring exam areas instead of isolating it as a standalone topic.
Preparation tips
When preparing for Communication and Network Security, use the official ISC2 exam outline as the checklist, then study enough surrounding context to explain why a control, design, policy, or operational action is appropriate in a specific scenario. Review diagrams and incident scenarios, then identify trust boundaries, exposed services, monitoring points, and controls that reduce attack paths without breaking operations. Spend extra time on applied scenarios, because higher-level questions usually reward judgment, sequencing, and tradeoff analysis.
Identity and Access Management
The Identity and Access Management section covers identity lifecycle controls, authentication strength, authorization models, privilege management, federation, access review, and the operational consequences of weak identity governance. For Certified Information Systems Security Professional, this domain is normally tested through professional security judgment: candidates need to connect terminology with risk, architecture, control effectiveness, governance, and operational consequences across realistic enterprise environments.
Question notes
Weight: about 13% of the exam content for this certification. ISC2 questions commonly use scenario-based wording and may require choosing the most appropriate, most complete, or best-risk-aligned answer from several plausible options. For Identity and Access Management, expect identity, access-control, and privilege-management scenarios, with questions that may blend this objective with neighboring exam areas instead of isolating it as a standalone topic.
Preparation tips
When preparing for Identity and Access Management, use the official ISC2 exam outline as the checklist, then study enough surrounding context to explain why a control, design, policy, or operational action is appropriate in a specific scenario. Work through access-control scenarios from onboarding through role changes, privileged access, reviews, exceptions, monitoring, and deprovisioning. Spend extra time on applied scenarios, because higher-level questions usually reward judgment, sequencing, and tradeoff analysis.
Security Assessment and Testing
The Security Assessment and Testing section covers secure development practices, requirements, design review, implementation controls, testing evidence, release governance, dependency risk, and operational maintenance across the software lifecycle. For Certified Information Systems Security Professional, this domain is normally tested through professional security judgment: candidates need to connect terminology with risk, architecture, control effectiveness, governance, and operational consequences across realistic enterprise environments.
Question notes
Weight: about 12% of the exam content for this certification. ISC2 questions commonly use scenario-based wording and may require choosing the most appropriate, most complete, or best-risk-aligned answer from several plausible options. For Security Assessment and Testing, expect software lifecycle, application security, testing, and deployment scenarios, with questions that may blend this objective with neighboring exam areas instead of isolating it as a standalone topic.
Preparation tips
When preparing for Security Assessment and Testing, use the official ISC2 exam outline as the checklist, then study enough surrounding context to explain why a control, design, policy, or operational action is appropriate in a specific scenario. Follow a feature or application from requirements through design, coding, testing, release, operations, and maintenance, noting security evidence and decision gates at each step. Spend extra time on applied scenarios, because higher-level questions usually reward judgment, sequencing, and tradeoff analysis.
Security Operations
The Security Operations section covers operational monitoring, event interpretation, reliability practices, service health indicators, automation, escalation paths, improvement loops, and the controls needed to keep services stable and secure. For Certified Information Systems Security Professional, this domain is normally tested through professional security judgment: candidates need to connect terminology with risk, architecture, control effectiveness, governance, and operational consequences across realistic enterprise environments.
Question notes
Weight: about 13% of the exam content for this certification. ISC2 questions commonly use scenario-based wording and may require choosing the most appropriate, most complete, or best-risk-aligned answer from several plausible options. For Security Operations, expect operations, monitoring, reliability, and service-health scenarios, with questions that may blend this objective with neighboring exam areas instead of isolating it as a standalone topic.
Preparation tips
When preparing for Security Operations, use the official ISC2 exam outline as the checklist, then study enough surrounding context to explain why a control, design, policy, or operational action is appropriate in a specific scenario. Study how metrics, logs, traces, alerts, runbooks, service targets, and retrospectives connect daily operations with reliability, security, and continual improvement. Spend extra time on applied scenarios, because higher-level questions usually reward judgment, sequencing, and tradeoff analysis.
Software Development Security
The Software Development Security section covers secure development practices, requirements, design review, implementation controls, testing evidence, release governance, dependency risk, and operational maintenance across the software lifecycle. For Certified Information Systems Security Professional, this domain is normally tested through professional security judgment: candidates need to connect terminology with risk, architecture, control effectiveness, governance, and operational consequences across realistic enterprise environments.
Question notes
Weight: about 10% of the exam content for this certification. ISC2 questions commonly use scenario-based wording and may require choosing the most appropriate, most complete, or best-risk-aligned answer from several plausible options. For Software Development Security, expect software lifecycle, application security, testing, and deployment scenarios, with questions that may blend this objective with neighboring exam areas instead of isolating it as a standalone topic.
Preparation tips
When preparing for Software Development Security, use the official ISC2 exam outline as the checklist, then study enough surrounding context to explain why a control, design, policy, or operational action is appropriate in a specific scenario. Follow a feature or application from requirements through design, coding, testing, release, operations, and maintenance, noting security evidence and decision gates at each step. Spend extra time on applied scenarios, because higher-level questions usually reward judgment, sequencing, and tradeoff analysis.
