The need for professionalism was a serious topic among computer security practitioners for many years. Professionalism was viewed as the way to raise this often ill-defined and poorly understood craft to the status of a recognized and disciplined profession. By the mid-1980s, a number of professional societies in North America concluded that a certification process attesting to the qualifications of information security personnel would enhance the credibility of the computer security profession. Through the societies’ cooperative efforts, the International Information Systems Security Certification Consortium, or (ISC)2, was established in mid-1989 as an independent, nonprofit corporation whose sole charter is to develop and administer certification programs for information security practitioners. Now firmly established across the globe, the program has quickly become the premier international certification for security professionals. (ISC)2 membership benefits include networking with other (ISC)2 credential holders through world-wide local ‘chapters’, members-only meetings at various security conferences, annual (ISC)2-sponsored security conferences, savings on conference attendance, a job board, and discounts on other items such as hotels, travel and household goods (the Member Perks program, new to members in 2017).
The United States Department of Defense lists the CISSP commercial certification in Directive 8570.1M as meeting the qualification requirements for the highest levels of the IAM and IAT categories (IAM Level III and IAT Level III).
“Directive 8570.1 requires every full- and part-time military service member, defense contractor, civilian and foreign employee with “privileged access” to a DoD system — regardless of job series or occupational specialty — to get a commercial certification credential that has been accredited by the American National Standards Institute (ANSI).”
Here are some of the most frequently asked questions about the CISSP certification:
Q: What does the CISSP exam consist of?
A: The CISSP exam is a 250-question examination delivered at computer-based testing centres (e.g., Pearson VUE). Candidates are given 6 hours to complete the exam, although most finish in about 4 hours.
Q: What do the questions cover?
A: Examination questions cover all eight domains of the Common Body of Knowledge (CBK), to validate that candidates are knowledgeable across a broad spectrum of security disciplines. Questions are “scrambled” on the examination; they are not presented in domain order.
The domains are:
* Security and Risk Management
* Asset Security
* Security Architecture and Engineering
* Communication and Network Security
* Identity and Access Management
* Security Assessment and Testing
* Security Operations
* Software Development Security
Q: Are the pre-test questions identified?
A: No. They are scrambled into the examination along with the scored items.
Q: What types of questions are there?
A: Test questions are multiple choice and advanced innovative items (e.g., drag and drop). They are designed to test a candidate’s knowledge of information security facts and concepts and their application.
Q: How hard is the examination?
A: Candidates are expected to have 3 to 5 years of cumulative experience in roles such as security analyst, network architect or systems engineer. The exam is designed to test for the minimum level of competency acceptable for someone to be certified as an information systems security professional. A knowledgeable candidate should not find the examination difficult.
Q: If the examination isn’t particularly difficult, why don’t more people pass it?
A: What makes the examination difficult is the expansive knowledge base it covers. It is difficult to develop expertise in all eight domains.
Q: Are the questions in the Study Guides really representative of examination questions?
A: The questions in the study guides are good examples of the format and type of question you will see on the exam, but they are not necessarily representative of its difficulty.
Q: Which domains are the hardest?
A: The domains that are not exercised in everyday security management, such as cryptography, system architecture and physical security, usually score the lowest.
Q: How current is the examination?
A: Each year between 100 and 150 new questions are added to the question pool; many are based on new security technologies. You can expect to find questions on current technologies, practices and standards.
Q: Are there questions on NT or UNIX?
A: The CISSP examination is not vendor- or product-specific. There are questions on the security models and methodologies used by these systems, but only security products that are commonly used and freely available (e.g., SATAN) are acceptable subjects for examination questions.
Q: What’s the passing score?
A: The passing (cut) score is established by equating, which adjusts for the scoring values associated with the particular questions a candidate receives, so that a given scaled score means the same regardless of exam form. The passing score is 700 out of a possible 1000 points. Fewer than 8% of those tested achieve scores higher than 85%.
Q: How detailed are the questions, and what depth of knowledge is being tested?
A: The CISSP examination is designed to evaluate the ability of a security manager, engineer or architect to properly evaluate, select, deploy and assess security measures. A candidate should have detailed enough knowledge of security designs, measures, vulnerabilities, etc. to accomplish these tasks successfully.
Q: Does the CISSP certification expire?
A: Yes. The CISSP certification expires 3 years after the candidate has passed the exam, passed the endorsement review process and agreed to the (ISC)2 Code of Ethics. To maintain the certification beyond those 3 years without retaking the exam, (ISC)2 runs a Continuing Professional Education (CPE) program: during each 3-year cycle, members pay an Annual Maintenance Fee (AMF) and submit a minimum of 120 CPEs (40 CPEs required annually) for review, and the certification is then extended for another 3 years. The types of CPE allowed are:
> Type A: Domain-related Activities
* Reading a magazine
* Attending a conference, educational course, seminar or presentation
* Volunteering for government, public sector and other charitable organizations
* Publishing an article, book or whitepaper
* Etc.
> Type B: Professional Development Knowledge Sharing (i.e., not pertaining to one of the CBK domains)
* A higher-education academic course
* Obtaining additional non-technical professional certifications
* Etc.
Q: Does passing the test mean the candidate automatically obtains CISSP certification and (ISC)2 membership?
A: No. After passing the CISSP exam, candidates must complete the online endorsement application and have an (ISC)2 credential holder in good standing recommend them for membership. Candidates must also have a minimum of 5 years of experience in 2 or more of the eight domains of the CISSP CBK. (ISC)2 requires a current resume showing the relevant work experience, which the endorser and (ISC)2 review for compliance. Until the candidate meets the experience requirement they are considered an Associate of (ISC)2 and must still meet all the CPE requirements.