SecurITyCerts dot Org

       Navigating Security Certifications


Certified Information Systems Security Professional (CISSP)

The CISSP certification is the best known security certification, period, in part due to its longevity. It has existed since 1992.

The CISSP certification is also very popular, based on the number of people who hold it. There are approximately 60,000 CISSPs as of October 2008.

Also see:  CISSP Training or Self Study?
               9 Tips for Taking The CISSP Exam
               My Experience taking the CISSP Exam

The CISSP is often described as "a mile wide and an inch deep" and covers an almost dizzying array of topics. Officially, it covers the Common Body of Knowledge (CBK), which as of 2008 consists of ten domains:
               Access Control
               Application Security
               Business Continuity and Disaster Recovery Planning
               Cryptography
               Information Security and Risk Management
               Legal, Regulations, Compliance and Investigations
               Operations Security
               Physical (Environmental) Security
               Security Architecture and Design
               Telecommunications and Network Security

There is no attempt to teach hands-on or cutting-edge topics; for example, the CISSP currently doesn't even cover Intrusion Prevention Systems (IPS). The test covers both technical and managerial topics. It has been compared to earning a master's degree: useful, but not focused on the current state of the art in industry.

The CISSP is governed by the International Information Systems Security Certification Consortium, commonly known as (ISC)² and pronounced "I S C squared."

Nothing about the CISSP is simple!

Even applying online to take the test took me over an hour, including my information being lost once and needing to re-enter it.

You need a minimum of five years of direct, full-time security work experience in two or more of the ten (ISC)² information security domains. One year may be waived for a four-year college degree, or, in (ISC)²'s words, "an Advanced Degree in Information Security from a National Center of Excellence or the regional equivalent can substitute for one year towards the five-year requirement." Only one year can be waived in total, whichever qualification you use.

The CISSP exam is regularly scheduled at locations worldwide, many of them inconvenient, so depending on where you live, plan on traveling to take it. I only had to drive about 80 minutes, but it's not uncommon for people to fly to take the exam.

The CISSP exam is multiple choice, consisting of 250 questions over six hours; 25 of those are unscored pretest questions, though you are not told which ones. It's taken with paper and pencil, and if you're late for the exam you are not allowed admittance, somewhat like the opera. I found many of the questions required picking the "best" answer as they were all correct, or the "least sucky" as the answers were all incorrect.

The certification lasts for three years. You can renew by retaking the test, something almost no one ever does, or by earning the required number and types of continuing professional education (CPE) credits; again, it's somewhat complicated.

Oh wait, there is also paperwork AFTER successfully passing the CISSP exam: your experience must be endorsed by another (ISC)² certified professional in good standing, and (ISC)² may audit it. You'll typically be told whether you passed 3-4 weeks after taking the test.

Ted Demopoulos at Caesars Palace