Certified Information Systems Security Professional
Certified Information Systems Security Professional (CISSP) is an independent information security certification governed by the International Information Systems Security Certification Consortium, also known as (ISC)².
As of January 2013, (ISC)² reports 85,285 members hold the CISSP certification worldwide, in 143 countries.[1] In June 2004, the CISSP obtained accreditation from ANSI under ISO/IEC Standard 17024:2003.[2][3] It is also formally approved by the U.S. Department of Defense (DoD) in both the Information Assurance Technical (IAT) and Managerial (IAM) categories of its DoDD 8570 certification requirement.[4] The CISSP has been adopted as a baseline for the U.S. National Security Agency's ISSEP program.[5]
History
In the mid-1980s a need arose for a standardized, vendor-neutral certification program that provided structure and demonstrated competence. In November 1988, the Special Interest Group for Computer Security (SIG-CS), a member of the Data Processing Management Association (DPMA), brought together several organizations interested in this. The International Information Systems Security Certification Consortium, or "(ISC)²", formed in mid-1989 as a non-profit organization with this goal.[6]
By 1990, the first working committee to establish a Common Body of Knowledge (CBK) had been formed. Its work resulted in the first version of the CBK being finalized by 1992, and the CISSP credential was launched in 1994.[7]
Certification subject matter
The CISSP curriculum covers subject matter in a variety of Information Security topics. The CISSP examination is based on what (ISC)² terms the Common Body of Knowledge (or CBK). According to (ISC)², "the CISSP CBK is a taxonomy – a collection of topics relevant to information security professionals around the world. The CISSP CBK establishes a common framework of information security terms and principles that allow information security professionals worldwide to discuss, debate and resolve matters pertaining to the profession with a common understanding."[8]
Currently, the CISSP certification covers the following ten domains:
- Access control
- Telecommunications and network security
- Information security governance and risk management
- Software development security
- Cryptography
- Security architecture and design
- Operations security
- Business continuity and disaster recovery planning
- Legal, regulations, investigations and compliance
- Physical (environmental) security
(ISC)² is now releasing the Third Edition Official Guide to the CISSP CBK one domain at a time on iTunes and for the Kindle.[9] The entire book is also now available in hard copy.
Requirements
Candidates for the CISSP must meet several requirements:
- Possess a minimum of five years of direct full-time security work experience in two or more of the ten (ISC)² information security domains (CBK). One year may be waived for a four-year college degree, a Master's degree in Information Security, or one of a number of approved certifications from other organizations.[10] A candidate not possessing the necessary five years of experience may earn the Associate of (ISC)² designation by passing the required CISSP examination. The Associate of (ISC)² for CISSP designation is valid for a maximum of six years from the date (ISC)² notifies the candidate of having passed the exam. During those six years the candidate must obtain the required experience and submit the required endorsement form for certification as a CISSP. Upon completion of the professional experience requirements the designation is converted to CISSP status.[11]
- Attest to the truth of their assertions regarding professional experience and accept the CISSP Code of Ethics.[12]
- Answer four questions regarding criminal history and related background.[13]
- Pass the CISSP exam with a scaled score of 700 points or greater out of 1000 possible points. The exam is multiple choice, consisting of 250 questions with four options each, to be answered over a period of six hours. 25 of the questions are experimental questions that are not graded.[13]
- Have their qualifications endorsed by another CISSP in good standing. The endorser attests that the candidate's assertions regarding professional experience are true to the best of their knowledge, and that the candidate is in good standing within the information security industry.[14]
Training
Several options exist for CISSP training. (ISC)² offers online and in-person prep courses. Several universities, such as the University of California at Berkeley[15] and Villanova University,[16] offer training courses for the CISSP certification exam.
Ongoing certification
The CISSP credential is valid for three years. The credential can be renewed by re-taking the exam, but most certificate holders renew by submitting Continuing Professional Education (CPE) credits. To maintain the CISSP certification, a certificate holder is required to earn and submit a minimum of 20 CPEs each year and 120 CPEs by the end of their three-year certification cycle. They are also required to pay an annual fee of US$85.
For CISSPs who hold one or more concentrations, CPEs submitted for the CISSP concentration(s) will be counted toward the annual minimum CPEs required for the CISSP.[17]
CPEs can be earned through several paths, including taking classes, attending conferences and seminars (online and in person), teaching others, undertaking volunteer work, and professional writing, all in areas covered by the CBK. Most activities earn 1 CPE for each hour of time spent; however, preparing (but not delivering) training for others is weighted at 4 CPEs per hour, published articles are worth 10 CPEs, and published books 40 CPEs.[17]
Value
In 2005, CertMag surveyed 35,167 IT professionals in 170 countries on compensation and found that CISSPs led its list of certifications ranked by salary. A 2006 Certification Magazine salary survey also ranked the CISSP credential highly, and ranked the CISSP concentration certifications as the best-paid credentials in IT.[18][19]
In 2008, another study concluded that IT professionals holding the CISSP (or another major security certification) earn salaries about $21,000 higher than IT professionals without such certificates.[20]
ANSI has certified that the CISSP meets the requirements of ANSI/ISO/IEC Standard 17024, a personnel certification accreditation program.[21]
References
- ^ "Member Counts". (ISC)². Retrieved Jan 21, 2013.
- ^ ANSI Accreditation Services - International Information Systems Security Certification Consortium, Inc. (ISC)2. ANSI
- ^ "(ISC)² CISSP Security Credential Earns ISO/IEC 17024 Re-accreditation from ANSI" (Press release). Palm Harbor, FL: (ISC)². September 26, 2005. Retrieved November 23, 2009.
- ^ "DoD 8570.01-M Information Assurance Workforce Improvement Program" (PDF). United States Department of Defense. January 24, 2012. Retrieved April 12, 2012.
- ^ "NSA Partners With (ISC)² To Create New InfoSec Certification". February 27, 2003. Retrieved December 3, 2008.
- ^ Harris, Shon (2010). All-In-One CISSP Exam Guide (5 ed.). New York: McGraw-Hill. pp. 7–8. ISBN 0-07-160217-8.
- ^ History of (ISC)². (ISC)²
- ^ Tipton; Henry. Official (ISC)² Guide to the CISSP CBK. Auerbach Publications. ISBN 0-8493-8231-9.
- ^ (ISC)2 Release Notification
- ^ "CISSP Professional Experience Requirement". (ISC)². 2009. Retrieved December 3, 2008.
- ^ "How to Become an Associate". (ISC)². 2009. Retrieved November 23, 2009.
- ^ "(ISC)² Code of Ethics". (ISC)². 2009. Retrieved December 3, 2008.
- ^ a b "How To Certify". (ISC)². 2009. Retrieved December 3, 2008.
- ^ "Endorsement". (ISC)². 2009. Retrieved December 3, 2008.
- ^ "CISSP training". iNews, University of California, Berkeley. http://inews.berkeley.edu/articles/Jul-Aug2012/CISSP-training
- ^ "CISSP Training". Villanova University.
- ^ a b "Maintaining Your Credential". (ISC)². 2009. Retrieved December 3, 2008.
- ^ "Top Certifications by Salary in 2007". Certification Magazine. April 11, 2007. Archived from the original on March 29, 2007. Retrieved October 14, 2007.
- ^ Sosbe, Tim; Hollis, Emily; Summerfield, Brian; McLean, Cari (2005). "CertMag's 2005 Salary Survey: Monitoring Your Net Worth". Certification Magazine. CertMag. Archived from the original on June 6, 2007. Retrieved April 27, 2007.
- ^ Salary boost for getting CISSP, related certs. NetworkWorld
- ^ ANSI Accreditation Services - International Information Systems Security Certification Consortium, Inc. (ISC)2. ANSI