(ISC)² CISSP and SSCP Domain Refresh FAQ

Q: Why are changes being made to the CISSP and SSCP exams? 

A: Amidst the changes in technology and the evolving threat landscape occurring in the information security field, (ISC)² has an obligation to its membership to maintain the relevancy of its credentials. These enhancements are the result of a rigorous, methodical process that (ISC)² follows to routinely update its credential exams. This process ensures that the examinations and subsequent continuing professional education requirements encompass the topic areas relevant to the roles and responsibilities of today’s practicing information security professionals.

Q: How is the CISSP exam changing? 

A: The CISSP exam is being updated to stay relevant amidst the changes occurring in the information security field. Refreshed technical content has been added to the Official (ISC)² CISSP CBK to reflect the most current topics in the information security industry today. Some topics have been expanded (e.g., asset security, security assessment and testing), while other topics have been realigned under different domains. The result is an exam that most accurately reflects the technical and managerial competence required from an experienced information security professional to effectively design, engineer, implement and manage an organization’s information security program within an ever-changing security landscape.

As a result of the content refresh, we have updated some of the domain names to describe the topics accurately.

CISSP Domains, Effective April 15, 2015

  • Security and Risk Management (Security, Risk, Compliance, Law, Regulations, Business Continuity)
  • Asset Security (Protecting Security of Assets)
  • Security Engineering (Engineering and Management of Security)
  • Communications and Network Security (Designing and Protecting Network Security)
  • Identity and Access Management (Controlling Access and Managing Identity)
  • Security Assessment and Testing (Designing, Performing, and Analyzing Security Testing)
  • Security Operations (Foundational Concepts, Investigations, Incident Management, Disaster Recovery)
  • Software Development Security (Understanding, Applying, and Enforcing Software Security) 

Q: How is the SSCP exam changing?

A: The content of the SSCP has been refreshed to reflect the most pertinent issues that security practitioners currently face, along with the best practices for mitigating those issues. Some topics have been expanded (e.g., cloud security, virtual environments), while others have been realigned. The result is an exam that most accurately reflects the technical and practical security knowledge that is required for the daily job functions of today’s frontline information security practitioner.

As a result of the content refresh, we have updated some of the domain names to describe the topics accurately.

SSCP Domains, Effective April 15, 2015

  • Access Controls
  • Security Operations and Administration
  • Risk Identification, Monitoring, and Analysis
  • Incident Response and Recovery
  • Cryptography
  • Networks and Communications Security
  • Systems and Application Security

Q: How does the SSCP now relate to the CISSP?

A: Both credentials reflect knowledge of information security best practices, but from different facets. SSCPs are typically more involved in hands-on technical, day-to-day operational security tasks with competencies in implementing, monitoring and administering IT infrastructure in accordance with information security policies, procedures and requirements that ensure data confidentiality, integrity and availability. CISSPs, while also technically competent, typically design, engineer, implement and manage the overarching enterprise security program.

SSCPs and CISSPs speak the same information security language, yet each has unique perspectives that complement the other's across various IT departments and businesses.

Q: When will these changes go into effect?

A: The changes will begin on Wednesday, April 15, 2015, when the English versions of the CISSP and SSCP exams will be available (see below for translated exam availability).

Q: In what languages will the refreshed CISSP and SSCP exams be available?

A: The refreshed CISSP and SSCP exams will be available in the following languages according to this schedule:

Exam          Language(s)                        Available
CISSP, SSCP   English                            April 15, 2015*
                                                 May 15, 2015**
CISSP         Japanese, Simplified Chinese,      July 1, 2015
SSCP          Japanese,                          July 1, 2015

*Available globally with the exception of China, Japan and Korea. Available in Japan and Korea July 1, 2015.
**CISSP exams will not be available in French, German, Portuguese and Spanish from April 15 – May 14, 2015.

Q: Why will different translations be made available at different times and why will some languages not be made available during certain periods of time?

A: (ISC)² maintains a methodical quality assurance process for translating its credential examinations to ensure accuracy of translated terms from English into local languages around the world. As soon as the refreshed CISSP and SSCP exams are available in English, (ISC)² starts a meticulous translation process to provide candidates with the most current exams in local languages as quickly as possible.

Q: Will this change the number of questions or the format of the CISSP and/or SSCP exam?

A: No. Both the CISSP and SSCP exams are computer-based with the same number of questions, and the time requirement to take either exam will remain the same. 

The CISSP exam contains 250 questions, which include multiple choice and Innovative Drag & Drop and Hotspot questions. Candidates are given 6 hours to complete the CISSP exam and the passing grade is 700 out of 1000 points. 

The SSCP exam contains 125 multiple choice questions. Candidates are given 3 hours to complete the SSCP exam and the passing grade is 700 out of 1000 points.

Q: Since the CISSP has changed from 10 to 8 domains, was some content deleted?

A: No. Content was not removed from the exam and/or training material, but rather refreshed and reorganized to include the most current information and best practices relevant to the global information security industry.

Q: Will I find out if I passed the exam immediately after I take it?

A: In some instances, real time results may not be available. A comprehensive statistical and psychometric analysis of the score data is conducted during every testing cycle before scores are released. A minimum number of candidates are required to take the exam before this analysis can be completed. Depending upon the volume of test takers for a given cycle, there may be occasions when scores are delayed for approximately 6-8 weeks in order to complete this critical process. Results will not be released over the phone. They will be sent via email from (ISC)² as soon as the scores are finalized. If you have any questions regarding this policy, you should contact (ISC)² prior to your examination.

Q: Do these updates affect the experience requirements for the CISSP and/or SSCP?

A: No. For the CISSP, a candidate is required to have a minimum of 5 years of cumulative paid full-time work experience in 2 out of the 8 domains of the CISSP CBK.

For the SSCP, a candidate is required to have a minimum of 1 year of cumulative paid full-time work experience in 1 or more of the 7 domains of the SSCP CBK.

Q: How can I verify that I have the experience to qualify for the CISSP or SSCP before taking the exam?

A: Download the certification's exam outline and review each of the domains and subdomains. Be sure that you can map your paid full-time work experience to 2 of the 8 domains for the CISSP certification or 1 of the 7 domains for the SSCP certification.

Q: I already hold the CISSP and/or SSCP. How will these changes affect my CPE submissions?

A: Beginning April 15, 2015, all global CISSPs and SSCPs will be required to submit their continuing professional education (CPE) credits in alignment with the refreshed 8 domains of the CISSP and 7 domains of the SSCP.

Q: What impact do these changes have on (ISC)² training materials?

A: Official (ISC)² CISSP and SSCP training materials, aligned to the refreshed domains, will be available according to the following schedule:

Material                                           Availability
Official (ISC)² Training Seminars                  Now Available
Official (ISC)² Guide to the CISSP CBK Textbook    Now Available
Official (ISC)² Guide to the SSCP CBK Textbook     Q2 2015
Official (ISC)² Practice Tests                     Mid-2015

Q: What study materials does (ISC)² recommend?

A: (ISC)² only endorses Official (ISC)² Training and Education.  

Q: How can I be sure that a training provider provides Official (ISC)² CBK Training?

A: Official (ISC)² CBK Training Seminars are available throughout the world at (ISC)² facilities and through (ISC)² Official Training Providers. Find your nearest official training provider.  

Q: Are there any practice questions that cover the refreshed domains? 

A: The practice test questions are scheduled to launch in mid-2015. The Official (ISC)² Guide to the CISSP CBK, fourth edition, includes review questions at the end of each domain chapter. The textbook is available in hardcover, Kindle, or iTunes. Once available, the Official (ISC)² Guide to the SSCP CBK, third edition, will also include review questions at the end of each domain chapter.

Q: If I have been studying for the 10-domain CISSP exam with material that focuses on the 10 domains, will I be sufficiently prepared to take the 8-domain exam without additional study?

A: (ISC)² exams are experience-based and include experience-based questions that cannot be learned by studying alone. If you have the experience in the 10 domains and feel like you have sufficiently studied those 10 domains, you should feel confident that you are qualified to take the 8-domain exam and pass it. (ISC)² cannot guarantee you will pass the exam.
