It can sometimes be time-consuming at best, and annoyingly frustrating at worst, to navigate an IT certification vendor’s Web site to glean information regarding a particular program. To address this problem, this entry inaugurates a series of blog posts that I call “Just the Facts,” in which I provide you clear and straightforward instructions for attaining your credential of choice. In today’s installment we examine the Certified Information Systems Security Professional (CISSP), sponsored by the International Information Systems Security Certification Consortium, or (ISC)2.
In the name of brevity, I assume that you know what the CISSP title is and why you would want to earn it. If you are unfamiliar with the “whats and whys” of the CISSP, then the CISSP Wikipedia entry is a decent place to start.
Becoming a CISSP involves four distinct phases:
Let us examine each phase in turn.
In order to register for the CISSP certification exam, you must demonstrate that you possess a minimum of five years of professional experience in the information security field. Your work history must show that your skill set embraces at least two of the 10 domains in the (ISC)2 CISSP Common Body of Knowledge (CBK).
You can obtain a one-year waiver in the professional experience requirement if you fall into one of the following categories:
Note that you cannot combine two of these approaches; thus, if I hold a bachelor’s degree as well as the CompTIA Security+ certification, I am allowed only one year off the five-year professional experience requirement.
In order to meet this requirement, you must pass the CISSP certification exam with a score of 700/1000 or greater. You register to take the CISSP directly with the (ISC)2; note that you may have to travel to reach your closest authorized testing location.
Exam pricing for U.S. candidates is either $549 or $599 depending upon whether you choose to do an early registration or a standard registration.
The exam itself is a test of endurance; the pencil-and-paper exam consists of 250 multiple-choice questions in which you are given 6 hours to answer as many of them as you can correctly.
Once you pass the CISSP exam, your work still is not complete. You must ask an active (ISC)2 credential holder who can attest to your industry experience to complete an endorsement form for you. Once the (ISC)2 receives and approves the endorsement, you can finally heave a sigh of satisfaction: You are a real-live CISSP!
It is crucial that you not fudge or cut any corners in your CISSP application process, not the least reason being that the (ISC)2 randomly selects (ISC)2-certified individuals for auditing. If you are found to have falsified any of your application data, consider the revokation of your CISSP title a foregone conclusion. Take-home message: honesty is the best policy (and is a core principle of the (ISC)2 Code of Ethics, which you also must affirm during your application process).
The CISSP certification has a three-year lifespan. Consequently, it is imperative that you make time for at least 120 continuing professional education (CPE) credits within each three-year interval. Of these 120 credits, at least 80 must be Type A, or directly relating to the information security profession. The remaining 40 credits can be either Type A or Type B; Type B credits constitute other forms of professional skills development. The (ISC)2 will provide you with full information on CPEs once you are certified.