CISSP
Certified Information Systems Security Professional. The gold standard for senior security roles, with a heavy governance and architecture focus across 8 broad domains.
CISSP is highly respected but is typically pursued after several years of industry experience. The exam rewards breadth and management-style thinking rather than deep technical skill. Without roughly five years of relevant work ((ISC)² waives one of those years for a four-year degree or an approved credential), passing the exam earns the Associate of (ISC)² designation, not the CISSP itself.
In context
This cert in isolation tells you very little. Here is where it actually sits: the pathways that use it and the roles it realistically supports.
- Security Manager
- Security Architect
- GRC Lead
- CISO (with additional experience)
CISSP is genuinely worth it for exactly one person: someone with five-plus years of real security experience aiming at GRC, security management or senior architecture. For that person it's a salary bump, a recruiter magnet, and the credential that gets them into rooms. For everyone else it's a £600 exam and 200 hours of study that produces nothing recruiters care about, because they'll see two years of experience next to a five-year-experience cert and assume something's off. The cert isn't the problem. The timing is. Wait until you've earned it, then take it seriously.
Recommended prior knowledge
- 5+ years of cumulative paid security experience, spread across at least 2 of the 8 domains (a four-year degree or an approved credential waives one year)
- Broad exposure across security, networking, and risk
- Comfort with policy / governance concepts
Common misconceptions
- That CISSP is technical: it is primarily a governance and architecture exam.
- That it is a 'first' senior cert: most candidates pursue it with 5+ years of experience.
What this cert does NOT guarantee
- Hands-on engineering roles
- A management title, automatically
Practical skills that matter
- Risk management
- Security architecture
- Policy & governance
- Incident response leadership
- Stakeholder communication
Where this fits
A cert is only useful for some routes. Here's where this one earns its place.
- Security Architect (after 7+ years)
Design the trust boundaries. Pursued after 7+ years of hands-on work, not as a starting lane.
- GRC (Audit, Risk, Compliance)
Governance, risk and compliance. Policy, audit, evidence, frameworks. Biased toward CISA / CRISC / CISM, NOT toward OSCP.
- IT Support → Sysadmin (the honest on-ramp)
The realistic first paid technology job. No shortcuts, but the cleanest gateway into every other world.
- Certifications don't prove competence. They prove direction.
The pro-cert and anti-cert camps are both wrong. Certs still matter, but only when you understand what they actually signal in 2026.
- Is CISSP actually worth it in 2026?
Yes, but only for a specific person at a specific moment. For everyone else it's 12–18 months optimising for the wrong thing.
- When everyone passes, nobody differentiates
Exam dumps aren't mainly an ethics problem. They're a signal erosion problem. And that hurts honest candidates too.
The serious next step
A cert is a signal. A Career Verdict tells you whether the signal is worth sending: whether this cert earns its place on your specific route, what it won't fix, and what to sit before or after it.
Built on POST's practitioner-authored assessment framework, calibrated by James from twenty years across helpdesk, infrastructure and security. The framework is human-authored; the verdict applies it to your inputs.