I took the CISSP a few years ago, and I still remember how it felt walking out of the testing center. Relief, mostly. Also a weird mix of pride and exhaustion. It was one of those exams that makes you feel like you did not just answer questions, but survived something. Since then, I have kept up with the material for CPEs, for work, and because I still like helping other people prepare. That has given me a pretty good view of how the exam has changed, and also what has not changed.
The first thing I would say to anyone who passed the CISSP years ago is this. The exam still feels like the CISSP. It has not turned into a totally different certification. It still expects you to think like a security professional who can balance business, risk, governance, and technology. It still covers the same eight domains. It still rewards judgment more than memorization. But at the same time, it has absolutely been updated to reflect how security work looks now, not how it looked five or ten years ago.
The biggest formal change came with the exam refresh that took effect on April 15, 2024. That refresh was based on ISC2’s Job Task Analysis process, which is basically its way of making sure the exam still reflects real work being done by practicing professionals. That matters, because one of the common complaints people have about certifications is that they freeze in time. To ISC2’s credit, the CISSP does not seem to be doing that. The refresh was meant to bring the exam more in line with what current cybersecurity leaders and practitioners are actually dealing with.
If you took the exam a few years ago, one of the most noticeable changes is the format. The current CISSP exam is now three hours long, with a minimum of 100 questions and a maximum of 150, and it uses Computerized Adaptive Testing for all languages. The passing score is still 700 out of 1000. For people who sat through the older, longer version, this is a meaningful shift. The exam is shorter, but that does not mean easier. Honestly, I would argue it may feel more intense because the adaptive format does not let you settle in the same way. You answer, move forward, and the test adjusts as you go. There is less room to mentally coast.
That shorter format changes the personality of the test a little. The older version had more of an endurance factor. You had to manage fatigue almost as much as content. The current version still demands focus, but now it feels even more like a pure test of consistent judgment. That lines up with what the CISSP has always been trying to measure. It is not a trivia contest. It is not really meant for someone who just crammed vocabulary for a few weeks. It is supposed to measure how you think as a security professional. The newer format seems to push even harder in that direction.
The eight domains are still the backbone of the exam, and that part will feel familiar to anyone who has held the certification for a while. They are still Security and Risk Management, Asset Security, Security Architecture and Engineering, Communication and Network Security, Identity and Access Management, Security Assessment and Testing, Security Operations, and Software Development Security. So the structure is recognizable. What has changed is some of the weighting and some of the emphasis inside those domains.
Right now, Security and Risk Management carries the most weight at 16 percent. Asset Security is 10 percent. Security Architecture and Engineering is 13 percent. Communication and Network Security is 13 percent. Identity and Access Management is 13 percent. Security Assessment and Testing is 12 percent. Security Operations is 13 percent. Software Development Security is 10 percent. Those numbers may look minor, but they tell a story. Security and Risk Management getting the highest weight says a lot about what ISC2 thinks matters most today. It is not enough to know controls. You need to understand risk, governance, policy, and how security decisions fit into business reality.
That part feels very true to what the field has become. When I first passed the CISSP, I understood that it was broader than a technical cert, but I do not think I appreciated just how much of security leadership is really about tradeoffs. You are always balancing protection, budget, legal requirements, operations, user friction, and business goals. The updated weighting reflects that world better than some older versions did. If you are advising someone who is preparing now, I would absolutely tell them not to treat governance and risk as the boring section. That is the center of gravity.
Another major update is how newer topics are being worked into the exam. The CISSP has not suddenly become an AI certification or a cloud-only certification, but it is clearly adapting to the modern environment. The exam outline and ISC2 materials show that newer issues are now folded throughout the domains rather than treated like side topics. That includes cloud and hybrid environments, federated identity approaches, modern application security practices, and AI-related risks and uses.
The AI piece is especially interesting. ISC2 now makes it clear that AI security concepts are spread across the domains. That can include things like governance concerns, data protection issues, model-related risks, adversarial attacks, AI-assisted monitoring, and security considerations in AI-influenced software development. I think this is the right way to do it. Security teams are not dealing with AI in some separate universe. They are dealing with it as part of governance, access control, application security, operations, and risk management. The exam seems to reflect that reality.
What I like about that change is that it keeps the CISSP current without making it trendy. That is a hard line to walk. Certifications can sometimes overreact and suddenly stuff in every buzzword they can find. That does not seem to be what is happening here. Instead, the CISSP still teaches fundamentals, but it expects you to understand how those fundamentals apply in today’s environments. So yes, you still need to know the classic principles. But you also need to understand how those principles show up in cloud adoption, identity federation, automated detection, software pipelines, and AI-assisted workflows.
There is also the matter of question style. The CISSP today includes multiple choice and advanced item types. ISC2 says candidates may see more than basic question formats, including things tied to charts, tables, calculations, ordering, hotspot-style interactions, and other scenario-based formats. That does not mean the exam becomes flashy for the sake of being flashy. It means the test can present information in ways that better reflect real decision making. You may need to interpret rather than simply recall. That is another reason the modern CISSP feels less like a memorization exercise and more like a professional judgment exam.
One thing that definitely has not changed is the experience requirement. The CISSP still expects five years of cumulative paid work experience in two or more of the eight domains, although certain education or approved credentials can waive one year. If someone passes the exam before meeting the experience requirement, they can become an Associate of ISC2 while they work toward full certification. I still think this is one of the reasons the CISSP has kept its reputation. It is not supposed to be an entry-level trophy. The exam refresh did not change that philosophy.
For people like me who already hold the certification, I think the changes are actually a good reminder about why CPEs matter. It is easy after passing to treat the CISSP like a checkbox. You got it, you maintain it, you move on. But staying engaged with the material has shown me that the certification is really more useful when you keep revisiting it. The domains hit differently once you have more experience. Risk management feels more real after you have had to justify security decisions to leadership. Security operations feels more real after incidents. IAM feels more real after you have seen how messy access governance gets in the real world. The exam updates reinforce that this is supposed to be a living body of knowledge, not a one-time memory dump.
If I were giving advice to someone who took the CISSP years ago and wants to understand what has changed, I would put it this way.
The CISSP still expects the same kind of thinker. It still wants someone who can zoom out, weigh risk, and make the best decision for the organization. But the current version does a better job reflecting the tools, threats, and environments people are actually working with now. It is shorter, more adaptive, more current, and probably a little more focused than the version many of us took.
If I were giving advice to someone studying now, I would say this. Do not over romanticize old CISSP war stories. Yes, the exam has changed. Yes, the format is different. But the real key is still the same. Learn how to think like the person responsible for security, not just the person configuring the tool. Understand why one answer is better for the organization, not just why it is technically possible. The exam has always rewarded that mindset, and the latest updates seem to reward it even more.
Personally, I am glad the CISSP keeps evolving. I would rather maintain a certification that stays relevant than one that just coasts on reputation. The 2024 refresh did not change the soul of the exam. It just modernized the lens. And from where I sit, as someone who passed it years ago but still studies, that is exactly what it should have done.
Sources
ISC2, “CISSP Certification Exam Outline.” Current exam structure, domain weights, CAT format, item count, and passing score.
ISC2, “CISSP Exam Refresh FAQ.” Official explanation of the April 15, 2024 refresh and language format changes.
ISC2, “How to Get Ready, Prepare for Your ISC2 Certification Exam.” Official exam format details and advanced item type information.
ISC2, “Changes to the CISSP Exam Weighting.” Background on the Job Task Analysis and domain weighting updates.
ISC2, “CISSP.” Official certification page covering domains and experience requirements.
ISC2, “CISSP Exam Refresh and Updated Official Training Now Live.” Context on how the refreshed exam reflects current cybersecurity leadership issues.
ISC2, “Computerized Adaptive Testing CISSP Examinations All Languages.” Official note on the shift to CAT in all languages and the related exam changes.