People who hold the CISSP certification and know all of its domains are at the top when it comes to pay within the information security world, and that is worth noting. The International Information System Security Certification Consortium, (ISC)2, offers CISSP certification to professionals with technical and managerial skills in the field of information security. CISSP certification validates the experience and ability of security professionals to design and manage the security posture (plan) of an organization. The certification was the first of its kind to meet the ISO/IEC/ANSI Standard 17024. The US Department of Defense also recognizes CISSP certification for its Information Assurance Technical (IAT) and Information Assurance Managerial (IAM) categories.
CISSP Fast Facts
- CISSP was introduced in 1994
- Department of Defense (DoD) Approved
- Meets ISO/IEC Standard 17024
- Most Required Certification on LinkedIn
- Computerized Adaptive Testing (CAT) introduced in December 2017
- Exam available in 8 languages in 114 countries
- More than 129,000 CISSP professionals worldwide
- CISSPs working in more than 160 countries
Who Should Earn CISSP Certification
CISSP certification suits cyber, information, software, and infrastructure security professionals. People holding the following key positions should consider CISSP certification to showcase their technical and managerial skills in IT security.
- Chief Information Security Officer
- Chief Information Officer
- Security Manager
- Security Auditor
- Security Architect
- Security Consultant
- Security Systems Engineer
- Security Analyst
- Director of Security
- IT Director
- IT Manager
- Network Architect
CISSP Eligibility
Candidates must have at least five years of cumulative work experience to become eligible for CISSP certification. The experience must be in any two of the following eight domains.
Candidates with a four-year college degree in a relevant field receive a one-year waiver of the professional experience requirement. Candidates with no work experience can also sit for the CISSP exam; those who pass earn the title of Associate of (ISC)2. Associates receive CISSP certification after completing six years of working experience.
CISSP Exam Information
CISSP has two examination formats, namely Computerized Adaptive Testing (CAT) and Linear (fixed form). The CAT format is used for all English exams; exams in all other languages are conducted as Linear, fixed-form exams.
CAT Examination Format – The Computerized Adaptive Testing (CAT) exam has the following format.
Exam Length: 3 Hours
Exam Questions: 100-150
Questions Format: Multiple Choice Questions (MCQs), Advanced Innovative Questions
Language Options: English
Passing Marks: 700 out of 1000 Points
Testing Centers: (ISC)2 Authorized PPC and PVTC Select Pearson VUE Testing Centers
Linear Examination Format – The Linear examination format has the following criteria.
Exam Length: 6 Hours
Exam Questions: 250
Questions Format: Multiple Choice Questions (MCQs), Advanced Innovative Questions
Language Options: German, French, Spanish, Brazilian Portuguese, Japanese, Korean, Simplified Chinese
Passing Marks: 700 out of 1000 Points
Testing Centers: (ISC)2 Authorized PPC and PVTC Select Pearson VUE Testing Centers
Domain Weights – The domain weights are the same for both exam formats (CAT and Linear). Following is a breakdown of each domain's weight in the exam questions.
CISSP Domains Information
The domains are the topics one needs to master in order to pass the CISSP exam. Based on these domains, (ISC)2 incorporates the current security practices and tasks performed in the IT security industry into the exam to keep the CISSP relevant. This process is termed Job Task Analysis (JTA). Following is a brief description of all the domains that make up the CISSP exam.
- Security and Risk Management
  - Understanding and applying the concepts of confidentiality, integrity, and availability of data and information.
  - Evaluating and applying security governance principles.
  - Determining compliance requirements.
  - Understanding the legal and regulatory issues affecting information security globally.
  - Understanding, adhering to, and promoting the organizational code of ethics.
  - Developing, documenting, and implementing security policies, procedures, and guidelines.
  - Identifying, analyzing, and prioritizing Business Continuity requirements.
  - Contributing to and enforcing personnel security policies.
  - Understanding and applying risk management and threat modeling concepts.
  - Establishing and maintaining security awareness programs, education, and training sessions.
- Communication and Network Security
  - Implementing secure design principles in networks.
  - Securing network components (e.g. transmission media, NAC, content distribution networks).
  - Securing communication channels.
- Security Architecture and Engineering
  - Implementing and managing the engineering process through secure design implementations.
  - Understanding security model concepts.
  - Understanding the information system's security capabilities (e.g. encryption/decryption).
  - Assessing and mitigating network vulnerabilities.
  - Assessing and mitigating web-related vulnerabilities.
  - Assessing and mitigating vulnerabilities associated with mobile systems.
  - Assessing and mitigating embedded devices' vulnerabilities.
  - Applying cryptography where required.
  - Implementing security controls at work sites and facilities (e.g. HVAC, server rooms, media storage facilities).
- Identity and Access Management
  - Identification and authentication management of people, services, and devices.
  - Controlling physical and logical access to assets (e.g. information, facilities, systems, devices).
  - Integrating identity as a service (e.g. on-premise, cloud, federated).
  - Implementing and managing authorization procedures.
  - Managing the access provisioning lifecycle.
- Security Operations
  - Understanding fundamental security operations and applying them where required.
  - Understanding different types of investigations (e.g. criminal, civil, industrial, administrative).
  - Providing the required support to investigations.
  - Logging activities and monitoring them.
  - Provisioning resources securely.
  - Understanding and applying resource protection techniques.
  - Conducting incident management and response.
  - Implementing and supporting patches against vulnerabilities.
  - Testing Disaster Recovery Plans and implementing them.
  - Implementing and managing the physical security of assets.
- Security Assessment and Testing
  - Designing and validating (internal, external, and third-party) assessment and audit strategies.
  - Conducting security control tests.
  - Collecting security-related data (e.g. administrative and technical data).
  - Conducting and supporting security audits.
  - Analyzing test outputs and generating reports.
- Software Development Security
  - Understanding Software Development Life Cycle (SDLC) security.
  - Applying relevant security controls in development environments.
  - Assessing software security.
  - Defining and implementing secure coding standards and guidelines.
- Asset Security
  - Identifying and classifying assets.
  - Determining and maintaining the ownership of information and assets.
  - Maintaining the privacy of data, users, processes, etc.
  - Implementing asset retention policies.
  - Determining data security controls.
CISSP Renewal Requirements
After earning CISSP certification, candidates become members of (ISC)2. All CISSP members are required to recertify every three years. Recertification requires 40 Continuing Professional Education (CPE) credits annually. The credits are earned by participating in CPE activities divided into Group A and Group B: Group A activities are related to the domains above, while Group B activities fall outside them. A total of 120 CPE credits is required over the three-year period. An Annual Membership Fee (AMF) is charged to earn the credits; however, (ISC)2 also offers free CPE opportunities through any of the following programs.
- Joining Webinars
- Participating in Reading and Writing Tasks
- Attending (ISC)2 events
- Volunteering (become an (ISC)2 online Ambassador to spread knowledge)