The Elusive CISSP Passing Rate


This is AI art

Most people in the cybersecurity biz will know about the Certified Information Systems Security Professional (CISSP) certification. Many call it the ‘gold standard’ of cyber certifications. It’s asked for a lot on job listings and is also well respected among peers. Getting it, though, is quite the ordeal.

Before you attempt this certification, you should consider the following requirements (as of 2024):

  1. Have at least 5 years of paid work experience related to information security. You can waive up to 1 year of this requirement with a relevant college degree or approved cybersecurity certification.
  1. Have an existing CISSP holder willing to endorse you. You can also have the issuing company, ISC2, endorse you under extra scrutiny.
  1. Pass a grueling 100-150 question multiple-choice in-person exam. This test is a Computer Adaptive Test (CAT), meaning it will track how well you are doing in certain subjects and double down on identified weaknesses (yes, whoever invented this style of testing was a sick individual).

If you go through all of that and then wait 4-6 weeks for ISC2 to review your application, you will possibly earn this:

Hold your applause please

So why am I talking about this other than to show off my sweet, sweet piece of paper? Well, before I started on this grind I was wondering what the passing rate of the CISSP exam was. Seems like a logical thing to know before diving in. Enter Google:

20%!? That is insanely low. You’re telling me about 4 out of 5 people that attempt this exam fail it? I’ll acknowledge this exam has quite the reputation, but that number seems too low to believe. How exactly is this website, ‘Sprintzeal.com’, arriving at this number?

Pass CISSP Exam in first attempt in 2024 (UPDATED)
CISSP Exam Preparation and Strategy to Help you Pass the CISSP Exam in First Attempt in 2024. Read this Guide to Know about Best CISSP Exam Practices.
https://www.sprintzeal.com/blog/pass-cissp-exam-in-2020

There are no sources listed on that claim, so I guess you have to take their word for it. Google certainly loves promoting that bit of info regardless. Don’t you just love the internet?

After doing some more research, I found this other article that provides a different number range:

CISSP Pass Rate & What to Do to Pass CISSP in First Attempt
CISSP Pass Rate: Find out the details on CISSP Pass Rate and how to pass the CISSP in first attempt | CISSP Preparation Tips | CISSP Exam Tips
https://www.knowledgehut.com/blog/security/cissp-pass-rate

Also no source. Based on all the stories I’ve heard both in-person and on Reddit and my own personal experience, that number feels much more accurate though. I’ll acknowledge my criteria for ‘accuracy’ here isn’t the best, but I feel it beats unqualified statements any day.

Which brings us to the point of this article. What is the most accurate number I can get for the passing rate for the CISSP exam? Let’s put on our investigative journalist hats and try to figure it out.

First step: check with the company that offers the certification and administers the exam, ISC2. They would objectively be the group with the most accurate information here. I couldn’t find any information on their website or social media about this number, so I emailed them about it:

Darn. No dice. They did give me a link though to the ISC2 annual report so let’s check that out. ISC2 is a non-profit organization, so it should include some good stuff.

Corporate Management | Annual Reports | ISC2
ISC2 day-to-day operations are led by an insightful and innovative group of Corporate Officers and Directors who are at the top of their field and dedicated to upholding and promoting the organization’s vision to inspire a safe and secure cyber world.
https://www.isc2.org/about/leadership
Scroll down on that page a bit for this button

Let’s take a look through the 2023 annual report there for relevant info. I’ll paste the juicy bits in here:

Number of active ISC2 certification holders per certification
Total exams delivered and number of CC exams delivered

OK, so that’s some interesting data. Let’s do some basic math.

If we add up all the active ISC2 certification holders in 2023, that gives us 252,449. If we divide the number of active CISSP holders in 2023, 168,642, by that number and multiply by 100 we get about 67%. That means that approximately 67% of active ISC2 certification holders have the CISSP in 2023.

$$66.8024 = \frac{168642}{252449} \times 100$$

Taking this a step further, we know there were 116,942 ISC2 exams administered in 2023. Of these, 76,915 were for the CC. We can subtract those two numbers and get that 40,027 non-CC exams were administered in 2023. We can then assume (perhaps a big assumption, it’s a bit unclear) that approximately 67% of these remaining 40,027 exam attempts were for the CISSP. That means there were approximately 26,739 CISSP exams administered in the year 2023.

$$26738.99665 = 0.668024 \times (116942 - 76915)$$

OK, so what? We know that approximately 26,739 CISSP exams were administered in 2023, but how many passed? We’re missing just one more piece of information.

Let’s check out the report for the year 2022. It’s on the same page as before:

Now we need just one number from this report, the number of active CISSP holders as of 2022. Lucky for us, here it is:

OK, so home stretch. If we subtract the number of active CISSP holders in 2022, 162,002, from the number of active holders in 2023, 168,642, we get 6,640. So between the ends of 2022 and 2023, 6,640 people got CISSP certified.

$$6640 = 168642 - 162002$$

Here comes the big reveal. If we divide 6,640 by our number from before, 26,739, and multiply by 100, that should give us our final percentage of people who passed this exam in 2023:

$$24.8326 = \frac{6640}{26738.99665} \times 100$$

That is an unironic Surprised Pikachu. 24.83%! The ‘bullcrap’ Google number from before was actually more accurate than my educated guess. I’ll admit defeat, I was wrong.

For anyone that has skipped ahead, here is my final ‘derived’ estimate for the passing rate of the CISSP exam in the year 2023:

24.83%

Please keep in mind, this is essentially another educated guess. My biggest stretch was assuming that 67% of non-CC exams taken in 2023 were for the CISSP. I don’t have confirmation on that, and it doesn’t appear that ISC2 is going to share that number. It’s an assumption; I’m doing the best I can with the information provided. If any data scientists want to review the annual report info and get back to me, please do.

Anyway, that does it for this article. I’ll end on a positive note: don’t let any stupid number deter you. I think it’s important to know what you are getting into, sure, but whether you pass or fail is way more dependent on yourself and your abilities rather than statistics.

If you are considering taking the CISSP, expose yourself to as many practice questions as you can. Any you get wrong, read the explanation about the correct answer and try to fully understand it. Crash courses and study guides can be helpful, but in my opinion practice questions can’t be beat for this test.

Also, you need to understand the ‘manager mindset’ for the CISSP exam. I won’t explain what that is here; I’ll let Kelly Handerhan do that in her video (definitely watch this video multiple times, it helped me greatly):

Why you will pass the CISSP
https://www.youtube.com/watch?v=v2Y6Zog8h2A

Have a good day, and good luck to any CISSP exam takers.