

Wednesday, August 29, 2007

Certified Information Systems Security Professional (CISSP)

Certified Information Systems Security Professional (CISSP) is a vendor-neutral certification governed by the non-profit International Information Systems Security Certification Consortium (commonly known as (ISC)²). The (ISC)² has certified over 49,000 information security professionals in more than 120 countries.[1] CISSP was the first certification to earn ANSI accreditation to ISO/IEC Standard 17024:2003, a global benchmark for assessing and certifying personnel. It is formally approved by the U.S. Department of Defense (DoD) in both its Information Assurance Technical (IAT) and Managerial (IAM) categories.[2] The certification is also endorsed by the U.S. National Security Agency (NSA) as the benchmark for information security.[3]

Common Body of Knowledge domains

The CISSP curriculum covers a wide range of subject matter across many information security topics. The CISSP examination is based on the ten domains that make up the (ISC)² Common Body of Knowledge® (CBK), which is generally accepted as a compendium of industry best practices for information security:

* Access Control
* Application security
* Business Continuity and Disaster Recovery Planning
* Cryptography
* Information Security and Risk Management
* Legal, Regulations, Compliance and Investigations
* Operations Security
* Physical (Environmental) Security
* Security Architecture and Design
* Telecommunications and Network Security

Candidates for the CISSP must meet several requirements.

* They must have a minimum of four years of professional experience in information security. One year may be waived for holding either a four-year college degree or a Master's degree in Information Security. Another year may be waived for holding one of a number of other certifications from other organizations.[4]
* They must attest to the truth of their assertions regarding professional experience and accept the CISSP Code of Ethics.[5]
* They must attest to the absence of a criminal history and related background.[5]
* They must pass the CISSP exam with a scaled score of 700 points or greater. The exam consists of 250 questions to be answered over a period of six hours.[6]
* They must have their qualifications endorsed by another CISSP or other qualified professional. The endorser attests that the candidate's assertions regarding professional experience are true to the best of their knowledge, and that the candidate is in good standing within the information security industry.[6]

Specialized concentrations

Highly experienced information security professionals with an (ISC)² credential in good standing can progress to meet the requirements for (ISC)² Concentrations, which demonstrate rigorous knowledge of selected CBK® domains. Passing a concentration examination demonstrates proven capabilities and subject-matter expertise beyond that required for the CISSP or SSCP credentials.

Current concentrations for CISSPs include the:

* ISSAP, Concentration in Architecture
* ISSEP, Concentration in Engineering
* ISSMP, Concentration in Management

Ongoing certification

The CISSP credential is valid for only three years, after which it must be renewed. The credential can be renewed by re-taking the exam; however, the more common method is to report at least 120 Continuing Professional Education (CPE) credits earned since the previous renewal. CPEs can be earned through several paths, including taking classes, attending conferences and seminars, teaching others, undertaking volunteer work, and professional writing, all in areas covered by the CBK. Most activities earn 1 CPE for each hour spent; however, preparing (but not delivering) training for others is weighted at 4 CPEs per hour, published articles are worth 10 CPEs, and published books 40 CPEs.[7]

Effective 1 October 2007, professional work experience requirements for the CISSP® will increase from four to five years, and direct full-time security professional work experience will be required in two or more of the ten CISSP® CBK® domains. A new endorsement policy will also be in effect, requiring anyone who passes a CISSP, CAP®, or SSCP® exam to have their qualifications endorsed by another (ISC)² credential holder. These changes will not affect those who sit for an examination on or before 30 September 2007. For more information, please refer to the Experience Requirement Change FAQs.

IT professionals with the CISSP credential are in high demand. In 2005, CertMag surveyed 35,167 IT professionals in 170 countries on compensation and reported the following:

“For the first time, the Salary Survey’s top five certification programs all reported average salaries of more than $100,000. Two programs from the International Information Systems Security Certification Consortium (ISC)2 led the list, with the Certified Information Systems Security Management Professional (CISSP-ISSMP) program drawing $116,970 annually and the Certified Information Systems Security Architecture Professional (CISSP-ISSAP) earning $111,870.”[8]

Criticisms of the CISSP examination

Some critics have raised the issues below concerning the CISSP examination, its contents, and its processes.

* The CISSP exam questions are difficult and unfair. So much knowledge is crammed into a 250-question test that the exam is extremely difficult to pass in the time allotted, especially since the questions and cases are not always straightforward enough to understand.
* Critics say questions assume too much technical knowledge, requiring extensive knowledge of formulas, focusing on obscure facts, or involving complex calculations.
* Critics say the CISSP exam covers information security topics "a mile wide, and an inch deep",[9] meaning the test has insufficient depth.
* The exam sometimes includes outdated information. Critics say that although organizations still use legacy technology, the exam should focus only on current technologies.
* Some questions on CISSP tests and information in the CBK® may be technically inaccurate or incomplete.
* The exam questions are US/Canada-centric, and even uniquely American sources such as the Orange Book are included. (ISC)² has a policy of not employing non-US staff, which does not help.[citation needed]
* The CISSP test is formulated so that candidates are asked to choose the best answer from among a group of correct answers. Some feel these are "trick" questions that unnecessarily distract capable candidates.


References

1. Member Counts (2007-04-11). (ISC)². Retrieved 2007-06-04.
2. U.S. Government, DoD 8570.01-M. Retrieved 2007-03-23.
3. NSA Partners with (ISC)² to Create New INFOSEC Certification (2003-02-27). Retrieved 2007-06-04.
4. CISSP® Professional Experience Requirement. (ISC)². Retrieved 2007-04-27.
5. CISSP® Applicant Requirements. (ISC)². Retrieved 2007-04-27.
6. How To Certify. (ISC)². Retrieved 2007-04-27.
7. CPE Credit Requirements. (ISC)². Retrieved 2007-04-27.
8. Sosbe, Tim; Hollis, Emily; Summerfield, Brian; McLean, Cari (December 2005). "CertMag's 2005 Salary Survey: Monitoring Your Net Worth". Retrieved 2007-04-27.
9. Harris, Shon (2002). Mike Meyers' CISSP® Certification Passport (Mike Meyers' Certification Passports). McGraw-Hill, p. xxi. ISBN 0072225785.