
CISSP Certification Overview

By  May 30, 2008

Topics: Certification

Among vendor-neutral IT security certifications, the Certified Information Systems Security Professional (CISSP) program represents a gold standard in the field, even earning the ANSI ISO/IEC Standard 17024:2003 accreditation in June 2004. Let's learn how the CISSP certification works.

The CISSP certification program is governed by the International Information Systems Security Certification Consortium, or (ISC)². The (ISC)² is a non-profit organization that is based in Palm Harbor, Florida.

According to the (ISC)² Web site, the CISSP certification is aimed at "mid- and senior-level managers who are working toward or have already attained positions as CISOs, CSOs or senior security engineers."

There are a couple of elements of the CISSP credential that set it apart from most other vendor-neutral (or vendor-specific, for that matter) programs. For instance, to earn your CISSP you must:

  • Subscribe to the (ISC)² Code of Ethics
  • Have a minimum of five years* of direct full-time security professional work experience in two or more of the ten domains of the (ISC)² CISSP CBK
  • Pass a written (!) examination

Philosophical Foundations

The knowledge base that is tested by the CISSP program is called the (ISC)² Common Body of Knowledge (CBK). According to the (ISC)² Web site:

"The (ISC)² CBK® is a taxonomy - a collection of topics relevant to information security professionals around the world. The (ISC)² CBK establishes a common framework of information security terms and principles which allows information security professionals worldwide to discuss, debate, and resolve matters pertaining to the profession with a common understanding."

The CBK consists of ten security domains, outlined thus:

  1. Access Control
  2. Application Security
  3. Business Continuity and Disaster Recovery Planning
  4. Cryptography
  5. Information Security and Risk Management
  6. Legal, Regulations, Compliance and Investigations
  7. Operations Security
  8. Physical (Environmental) Security
  9. Security Architecture and Design
  10. Telecommunications and Network Security

The (ISC)² Code of Ethics encompasses four canons, to which you agree to adhere as a CISSP:

  • To protect society, the commonwealth, and the infrastructure
  • To act honorably, honestly, justly, responsibly, and legally
  • To provide diligent and competent service to principals
  • To advance and protect the profession

All of this is interesting stuff to me. Typically, IT certification vendors have an "acceptable use" policy that governs their certification programs. The CISSP, however, is unusual in requiring that candidates legally agree to uphold a code of ethics.

Demonstrating Real-World Competency

To be eligible to sit for the CISSP exam, you "must have a minimum of five years of direct full-time security professional work experience in two or more of the ten domains of the (ISC)² CISSP CBK."

Read more about the professional experience requirement at the (ISC)² Web site.

What is more, simply informing the (ISC)² that you possess the required amount of IT security experience and passing the written exam do not, by themselves, qualify you as a CISSP.

In addition, you must procure an endorsement from an already certified CISSP; the endorsement process involves a check of your professional references and perhaps a telephone/personal interview with the current CISSP endorser.

Passing the Exam Proper

Finally we arrive at the CISSP examination itself. As previously stated, this exam is a traditional paper-and-pencil exercise that must be physically proctored by an authorized individual.

The current registration fee for U.S.-based CISSP tests is $599.00. Moreover, you register for the exam directly with (ISC)², not with Prometric or VUE.

You should perform a search on the (ISC)² Web site to determine the nearest authorized testing location and next available test date.

The CISSP exam is six hours long, contains 250 (!) multiple-choice questions, and has a passing score of 700/1000. You are mailed your exam results; this definitely comes as unfortunate news for those of us accustomed to the instant gratification (or disappointment) of traditional computer-based exams.

Good luck! Let me know in the comments portion of this post if you have any experience with the CISSP program.