Security professionals around the world recognize the Certified Information Systems Security Professional (CISSP) credential as the field’s premier certification program. CISSP certification is an almost mandatory rite of passage in the career of information security specialists and a prerequisite for many advanced roles in the profession. Earning the credential requires demonstrating a combination of experience and knowledge across a wide range of material.
The International Information Systems Security Certification Consortium, or (ISC)2, administers the CISSP program worldwide. They maintain the common body of knowledge (CBK) that trainers and test developers use as the foundation for CISSP certification programs. (ISC)2 is also responsible for monitoring the professional development of certificants, requiring the ongoing accumulation of continuing education credit hours as a prerequisite to recertification.
If you wish to advance through the ranks of the IT security community, the CISSP credential is a necessary milestone. Holding this credential demonstrates a commitment to the profession and an accumulation of knowledge across a wide variety of topics. It is this breadth of knowledge that makes the CISSP difficult for many candidates.
Most IT professionals with security experience specialize in a few security sub-disciplines and lack knowledge and experience across the breadth of the CISSP program. Earning the credential shows professional colleagues and potential employers that you are committed to the security profession and have the strong knowledge base necessary for success.
Getting Started: The CISSP
The basic CISSP credential is an important achievement for information security professionals. Earning the credential requires mastering of material across the ten domains of information security. The CISSP CBK provides great detail on these domains, which include:
- Access Control
- Telecommunications and Network Security
- Information Security Governance and Risk Management
- Software Development Security
- Security Architect and Design
- Operations Security
- Business Continuity and Disaster Recovery Planning
- Legal, Regulations, Investigations and Compliance
- Physical (Environmental) Security
The CBK encompasses a tremendous range of topics, including the appropriate use of encryption keys, configuration of network intrusion prevention systems and deployment of fire extinguishers. Perimeter security experts who traditionally worked with firewalls will find themselves challenged with questions about a different kind of perimeter security — fence heights! Due to the breadth of material, most CISSP candidates choose to complete a CISSP review course or, at the very least, prepare using two or more different CISSP study guides.
Once you feel that you’ve mastered the CISSP CBK material, you are welcome to register for the exam itself. As with many IT certification exams, you may take the CISSP exam at Pearson VUE examination centers around the world at a time and location convenient to your schedule.
The exam itself is quite lengthy — candidates have six hours to complete a total of 250 questions. These questions are primarily multiple-choice questions with four possible answers but also include a mixture of drag-and-drop questions that require candidates to sort answer choices, indicate a location on a network diagram or perform similar tasks. Passing the exam requires a minimum score of 700 on a 1000-point scale.
Passing the exam is only the first step on the road to CISSP certification. Candidates must also provide evidence that they possess practical experience as an information security professional. You must demonstrate that you have five years of paid full-time experience across at least two of the 10 CBK domains.
Candidates with appropriate educational backgrounds may qualify for a wavier of one of those five years of experience. This wavier applies to candidates who hold a four-year college degree or a qualifying IT certification. The list of certifications that qualify for the wavier is quite long and includes several popular certifications, including:
- Microsoft Certified IT Professional
- Microsoft Certified Server Administrator
- Microsoft Certified Systems Engineer
- SANS GIAC certifications
- Cisco Certified Network Professional
If you don’t yet have the required experience, you may still take the CISSP examination. Once you pass the exam, you will receive the title Associate of (ISC)2. If you maintain your Associate status in good standing, which requires paying annual maintenance fees and completing continuing professional education, you have up to six years to submit the required experience documentation and earn the CISSP credential.
Candidates who successfully earn the CISSP credential may choose to continue in their professional certification journey by completing CISSP concentration programs. These programs are not nearly as popular as the CISSP credential but do allow you to demonstrate advanced knowledge of the field. (ISC)2 offers three concentration programs focusing on architecture, engineering and management.
Architecture Concentration CISSP-ISSAP
The CISSP Information Systems Security Architecture Professional (CISSP-ISSAP) credential demonstrates that a candidate possesses knowledge and experience in the field of security architecture. This includes high-level design and planning of information security programs and requires knowledge of both technology and business practices.
Candidates for the CISSP-ISSAP credential must first earn the CISSP credential through the normal process. They then must complete an examination covering six domains of security architecture:
- Access Control Systems and Methodology
- Communications and Network Security
- Security Architecture Analysis
- Technology Related Business Continuity Planning and Disaster Recovery Planning
- Physical Security Considerations
The exam, offered through Pearson Vue, is three hours long and requires answering 125 multiple choice questions. Candidates who successfully complete the examination must then provide evidence of two years of full-time, paid experience in security architecture before (ISC)2 awards the CISSP-ISSAP designation. Currently, fewer than 1,000 individuals in the United States hold the CISSP-ISSAP credential.
Engineering Concentration CISSP-ISSEP
Information security professionals with deep engineering experience may choose to pursue the Information Systems Security Engineering Professional (CISSP-ISSEP) concentration. Successful candidates in this certification program will demonstrate knowledge and experience incorporating security principles into real-world projects, business processes and information systems.
As with the ISSAP concentration, CISSP-ISSEP candidates must first successfully complete the CISSP certification program. ISSEP candidates then sit for an examination covering the four ISSEP domains:
- Systems Security Engineering
- Certification and Accreditation / Risk Management Framework
- Technical Management
- U.S. Government Information Assurance Related Policies and Issuances
The ISSEP exam is slightly longer than the ISSAP exam, requiring the completion of 150 questions over the same three-hour period. These questions follow the same multiple-choice style used by other (ISC)2 examination programs. After passing the ISSAP exam, candidates must prove two years of full-time paid experience in security engineering. As of December 2014, there are 953 ISSEP certified individuals in the United States.
Management Concentration CISSP-ISSMP
Security professionals who choose to pursue a career in management may find themselves well-prepared for a Chief Information Security Officer (CISO) or even Chief Information Officer (CIO) roles. (ISC)2 offers a certification program designed specifically for individuals who choose to pursue a leadership career track. The Information Systems Security Management Professional (ISSMP) concentration requires CISSP credential holders to demonstrate additional knowledge across five domains:
- Security Leadership and Management
- Security Lifecycle Management
- Security Compliance Management
- Contingency Management
- Law, Ethics and Incident Management
The ISSMP examination contains 125 multiple choice questions administered over a three hour period. Candidates who pass the examination must submit documentation of two years of security management experience before earning the CISSP-ISSMP credential. As of December 2014, there are 759 CISSP-ISSMP certified individuals in the United States.
The CISSP certification program celebrated its twentieth anniversary in 2014 and it remains the most important professional certification program for IT security specialists. As the calendar turned into 2015, over 99,000 IT professionals held CISSP certifications. Will you be the 100,000th CISSP?