For every information security professional, one of the aims should be to constantly upgrade their knowledge. One learning strategy is the 70:30 rule: 70% of knowledge from experience and the rest from formal education and continuous learning. Since the field of information security is very dynamic, we need to be always on our toes about what is new and what we need to learn next. On-the-job learning is one thing, while conventional learning is the other. Certification training is a mix of both and plays a vital role in learning. It provides a guided approach and a platform for aspirants to learn and progress in the field.
Information security has many certifications, but a few of them have gained elite status. One such certification is CISSP (Certified Information Systems Security Professional). In this article, we will discuss what CISSP is, what the benefits of being a CISSP certified professional are, exam-related details and what you get out of it.
CISSP stands for Certified Information Systems Security Professional. It is one of the certifications offered by (ISC)², the International Information System Security Certification Consortium, a non-profit organization that specializes in certifications for cybersecurity professionals. Unlike some other certifications, CISSP is vendor-neutral and focuses on the concepts and their application to real-world scenarios. This helps candidates not only gain the knowledge but also use it to design and build robust systems and processes for their organizations. There are several reasons why CISSP stands above other certifications:
It covers all the major aspects of information security when it comes to the exam scope.
Not just anyone can get CISSP; you need relevant experience to get the letters after your name.
Getting a CISSP is not the final goal. You need to keep working and earn credits to ensure that the certification remains valid.
A candidate has to demonstrate deep managerial and technical skills to get through the exam. This is necessary since they will be dealing with real-world attacks and defenses.
A few pointers:
The certification is universally recognized and sought by many organizations.
The certification has proven its worth with its age, with updated content keeping up with the new technology and methods.
Salary: A CISSP certified candidate will generally be paid more than counterparts who do not hold CISSP.
Roles: CISSP covers multiple domains, and holding the certification proves that you have the knowledge. This opens opportunities to work across domains.
Many job descriptions state that CISSP is a big plus or an added advantage. This puts your resume one notch up during selection.
You become a member of the ISC2 community and hence have access to updated material and the community itself.
The purpose of the exam is simple: to ensure that candidates possess sound knowledge of information security concepts. This is not limited to the domains they study but also covers how those concepts apply in industry. A CISSP certified candidate should be able to audit an existing setup and identify its weaknesses. The role is not restricted to auditing but also extends to suggesting and implementing remediation. It also includes the operational tasks that a security team or a manager may have to perform. The exam takes your skills and knowledge one level up and strengthens you to perform in a more professional and positive way.
CISSP divides the course into 8 domains that cover a broad range of topics. Some domains are technical and some are not. This ensures that the candidate is sound in both the technical and operational aspects of the field. Below are the 8 domains for the CISSP exam.
Domain 1. Security and Risk Management
Domain 2. Asset Security
Domain 3. Security Architecture and Engineering
Domain 4. Communication and Network Security
Domain 5. Identity and Access Management (IAM)
Domain 6. Security Assessment and Testing
Domain 7. Security Operations
Domain 8. Software Development Security
Previously CISSP had 10 domains, which have been reduced to 8. This does not mean that candidates have less on their plate; it is just a reshuffling of the topics. Some domains were removed and their topics were folded into other domains. Below are the older domains.
Telecommunications and Network Security
Information Security Governance and Risk Management
Software Development Security
Security Architecture and Design
Business Continuity and Disaster Recovery Planning
Legal, Regulations, Investigations and Compliance
Physical (Environmental) Security
No one can simply sign up and get the CISSP certification. The candidate must have 5 years of cumulative paid work experience and must have worked in at least two of the 8 CISSP domains.
The 5-year experience requirement can be reduced to 4 years if the candidate has a four-year college degree or equivalent; this substitutes for one year of the work experience requirement. The 1-year waiver can also be granted if the candidate holds a certification on the ISC2 approved list. Below is a list of certifications that can earn candidates the 1-year waiver.
Certified Authorization Professional (CAP)
Certified Business Continuity Professional
Certified Cloud Security Professional (CCSP)
Certified Computer Examiner (CCE)
Certified Cyber Forensics Professional (CCFP)
Certified Ethical Hacker v8 or higher
Certified Forensic Computer Examiner (CFCE)
Certified Fraud Examiner (CFE)
Certified Information Security Manager (CISM)
Certified Information Systems Auditor (CISA)
Certified Internal Auditor (CIA)
Certified Penetration Tester (GPEN)
Certified Protection Professional (CPP) from ASIS
Certified Secure Software Lifecycle Professional (CSSLP)
Certified Wireless Security Professional (CWSP)
Cisco Certified Network Associate Security (CCNA Security)
Cisco Certified Network Professional Security (CCNP Security)
Cisco Cyber Security Specialist Program
CIW – Security Analyst
CIW Web Security Professional
CIW Web Security Specialist
CompTIA Advanced Security Practitioner (CASP)
Cybersecurity Forensic Analyst (CSFA)
GIAC Certified Enterprise Defender (GCED)
GIAC Certified Firewall Analyst (GCFW)
GIAC Certified Forensic Analyst (GCFA)
GIAC Certified Forensics Examiner (GCFE)
GIAC Certified Incident Handler (GCIH)
GIAC Certified Intrusion Analyst (GCIA)
GIAC Global Industrial Cyber Security Professional (GICSP)
GIAC Information Security Fundamentals (GISF)
GIAC Information Security Professional (GISP)
GIAC Mobile Device Security Analyst (GMOB)
GIAC Penetration Tester (GPEN)
GIAC Security Essentials Certificate (GSEC)
GIAC Security Leadership Certification (GSLC)
GIAC Systems and Network Auditor (GSNA)
Healthcare Information Security and Privacy Practitioner (HCISPP)
Juniper Networks Certified Internet Expert (JNCIE-SEC)
Information Security Management Systems Lead Auditor (IRCA)
Information Security Management Systems Principal Auditor (IRCA)
Master Business Continuity Professional (MBCP)
Microsoft Certified IT Professional (MCITP)
Microsoft Certified Solutions Associate (MCSA)
Microsoft Certified Systems Engineer (MCSE)
Systems Security Certified Practitioner (SSCP)
A candidate who doesn't have the required experience can still take the CISSP exam and gain the Associate of ISC2 credential. The candidate then has 6 years to gain the required 5 years of experience. Once the experience requirement is met, they can upgrade to the full CISSP credential. In both cases, the experience requirement can be reduced by at most one year.
Registering for the exam is something that should be done carefully and after planning.
The candidate can create an account with the global ISC2 exam administrators: Pearson VUE.
Select the certification you plan to go for (since ISC2 offers multiple certifications). In this case, select CISSP.
Select the training center and test location. Done! You have just registered for CISSP in 3 steps.
Exam fee:
America, Asia Pacific, Middle East, Africa: USD 699
Europe: EUR 650
UK: GBP 560
Duration and Scoring:
The exam is 6 hours long and you need to score 700 out of 1000 to pass. It includes multiple-choice questions as well as scenario-based questions. There may also be other innovative question formats, such as mix and match, so be prepared.
Cost of recertification (CPE requirements):
As discussed earlier, it takes effort to keep the CISSP credential attached to your name. To do that, you need to earn and submit enough CPE credits within each 3-year cycle. CISSP holders have a 3-year cycle to earn and submit CPEs, whereas Associates submit CPE credits on an annual cycle. There are various ways in which CPEs can be earned:
Publishing a book, whitepaper or article.
Attending conferences and seminars
Classroom training and higher certifications
Teaching work related to information security
Volunteer services for government bodies, etc.
Cancellations and rescheduling:
Rescheduling the exam: USD 50 / GBP 35 / EUR 40
Canceling the exam: USD 100 / GBP 70 / EUR 80
Taking a retest:
What if you fail the exam? The point to remember is: plan first, then schedule the test. Make sure that you are fully prepared before you sit for it. You only have 3 attempts per year. If you fail on the first attempt, you have to wait 30 days before retaking the test. If you fail again, the waiting period is 90 days, and 180 days after a subsequent failed attempt.
CISSP is suitable for experienced security professionals at all levels. The credential helps you prove your credibility. If you do not yet have the experience, the Associate of ISC2 credential comes in handy. For those in senior positions, CISSP helps ensure that their practice is in line with industry best practices and shows what they can improve upon. The certification will help you irrespective of your role in the organization, from CISO to analyst.
After obtaining the credential you can apply for various job roles according to your experience. Some of these roles are:
Chief Information Security Officer (CISO)
Chief Information Officer (CIO)
IT Director and Manager
The certification helps you broaden your horizons and ensures that you have enough knowledge to move into various positions.
With high demand and very few skilled security professionals in the market, there is no ceiling on salary for a candidate with the right skill set and attitude. The credential sets the salary bar high for the right candidate. I will not discuss salary trends here since they will become obsolete in time. The point is that CISSP is powerful enough to give you a jump that may not be possible otherwise. You may expect a rise of around 50% if you are in the early years of your career. Good luck with that.
In a nutshell, CISSP is one of the must-have certifications for a security professional. If not right now, make sure you have a plan for the future. With increasing demand, more and more companies are looking for CISSP candidates. Since the exam is exhaustive and requires technical, managerial and hands-on skills, the hiring process becomes much simpler and more focused. In this article we have summed up what CISSP is, whether it is really required and how you can start your journey by registering for the exam. Holding a CISSP also increases customer trust, company reputation and confidence in ethical conduct. I believe this article has given enough reasons why CISSP is important and a must-have for a security professional at any level. You may opt to study on your own or through an instructor-led classroom session, depending on your approach. The key point is to get started. Good luck!