Certified Information Systems Security Professional (CISSP) Certification

What is the CISSP certification?
The CISSP (Certified Information Systems Security Professional) certification is a high-end, globally recognized information security credential aimed at experienced information systems professionals who deal with the day-to-day I.T. security concerns of an organization. The CISSP certification is developed and administered by the not-for-profit (ISC)2, the International Information Systems Security Certification Consortium. The CISSP certification demonstrates an individual's competence to develop, administer and manage an organization's complete security policy. The breadth of knowledge required, together with the minimum work-experience requirement, is what sets the CISSP apart as a leading information systems security certification; in many quarters it is considered the gold standard in I.S. security certifications.

As an addition to the CISSP, and to keep pace with the continuous evolution of the broad field of information security, (ISC)2 introduced a number of CISSP concentrations for specific professional niches. The CISSP concentrations are:
  • Architecture – CISSP-ISSAP (Certified Information Systems Security Professional – Information Systems Security Architecture Professional)
  • Engineering – CISSP-ISSEP (Certified Information Systems Security Professional – Information Systems Security Engineering Professional)
  • Management – CISSP-ISSMP (Certified Information Systems Security Professional – Information Systems Security Management Professional)
Each concentration requires passing the relevant concentration exam (after already holding the CISSP) and having a minimum of two years of paid work experience in the relevant discipline (i.e. architecture, engineering or management).
Who is the CISSP certification for?
The CISSP certification is for anyone who already has, or is interested in, a career in information systems security. CISSPs are typically responsible for all aspects of an organization's I.S. security setup, including I.T. security strategy, implementation and management of personnel. The CISSP certification therefore bridges I.T. security and I.T. management concepts, and communication and leadership skills play a large part in the daily life of a CISSP. Typical job roles for CISSPs include (but are not limited to):
  • Security Consultant
  • Security Auditor
  • Security Architect
  • Network Architect
  • I.T. Manager
  • Security Analyst
What is a typical CISSP salary?
As with just about any professional position, the salary of a CISSP can vary greatly depending on many factors, such as location, years of experience, job title, market conditions and so on. In fact, surveys of CISSPs have shown a very large spread in salary, from the mid US$50,000s to the mid US$150,000s per annum, but this is perhaps also a reflection of the wide range of professional roles that the CISSP certification lends itself to. The (ISC)2 website cites the Global Information Security Workforce Study, which states that certified information security professionals earn, on average and worldwide, 25% more than their non-certified counterparts.
Are there any prerequisites needed for the CISSP certification?
As a high-end security certification, the CISSP requires that candidates enter the program with a minimum of five years of paid, full-time work experience in two or more of the ten CISSP exam domains (see the exam section below). Candidates can earn a one-year experience waiver, reducing the requirement to four years, by holding a four-year college degree (or regional equivalent) or by holding an additional credential from the (ISC)2 approved list. Only one waiver can be applied. The following is the list of (ISC)2 approved credentials:
  • CERT Certified Computer Security Incident Handler (CSIH)
  • Certified Authorization Professional (CAP)
  • Certified Business Continuity Professional
  • Certified Computer Crime Prosecutor
  • Certified Computer Examiner (CCE)
  • Certified Forensic Computer Examiner (CFCE)
  • Certified Fraud Examiner (CFE)
  • Certified Information Security Manager (CISM)
  • Certified Information Systems Auditor (CISA)
  • Certified Internal Auditor (CIA)
  • GIAC Certified Penetration Tester (GPEN)
  • Certified Protection Professional (CPP)
  • Certified Secure Software Lifecycle Professional (CSSLP)
  • Certified Wireless Security Professional (CWSP)
  • Cisco Certified Internetwork Expert (CCIE)
  • Cisco Certified Network Professional Security (CCNP Security)
  • Cisco Certified Security Professional (CCSP)
  • CIW – Security Analyst
  • CIW Web Security Associate
  • CIW Web Security Professional
  • CIW Web Security Specialist
  • CompTIA Security+
  • GIAC Certified Enterprise Defender (GCED)
  • GIAC Certified Firewall Analyst (GCFW)
  • GIAC Certified Forensic Analyst (GCFA)
  • GIAC Certified Forensics Examiner (GCFE)
  • GIAC Certified Incident Handler (GCIH)
  • GIAC Certified Intrusion Analyst (GCIA)
  • GIAC Certified UNIX Security Administrator (GCUX)
  • GIAC Certified Windows Security Administrator (GCWN)
  • GIAC Information Security Fundamentals (GISF)
  • GIAC Information Security Professional (GISP)
  • GIAC ISO-27000 Specialist (G2700)
  • GIAC Security Essentials Certification (GSEC)
  • GIAC Security Leadership Certification (GSLC)
  • GIAC Systems and Network Auditor (GSNA)
  • Information Security Management Systems Lead Auditor (IRCA)
  • Information Security Management Systems Principal Auditor (IRCA)
  • Master Business Continuity Professional (MBCP)
  • Microsoft Certified IT Professional (MCITP)
  • Microsoft Certified Systems Administrator (MCSA)
  • Microsoft Certified Systems Engineer (MCSE)
  • Systems Security Certified Practitioner (SSCP)
Candidates who do not yet meet the work experience requirement can instead earn the 'Associate of (ISC)2' designation by passing the CISSP exam. They then have up to six years to accumulate the required work experience and be awarded the full CISSP credential.
What does the CISSP exam cover?
There are 10 critical security domains tested by the CISSP exam. (ISC)2 revises the Common Body of Knowledge (CBK) periodically, so check the current exam outline on the official (ISC)2 website before you start studying. The domains are:
  • Access Control
  • Telecommunications and Network Security
  • Information Security Governance and Risk Management
  • Software Development Security
  • Cryptography
  • Security Architecture and Design
  • Operations Security
  • Business Continuity and Disaster Recovery Planning
  • Legal, Regulations, Investigations and Compliance
  • Physical (Environmental) Security
How do I earn the CISSP certification?
The CISSP exam consists of 250 multiple choice questions (including scenario-type questions with more than one group of multiple choice questions), with up to 6 hours to complete them (no break time is allocated). Not everybody takes the same test, as the questions are drawn from a large question bank. A number of unscored research (pre-test) questions are also interspersed within the exam and are not identified as such, so candidates should attempt every question.

Candidates need to score at least 700 points on a scale of 0-1000. This is a scaled score, however, and therefore does not represent a 70% passing mark. For a more detailed explanation of the CISSP scoring system, refer to the official (ISC)2 website.

Candidates may receive an unofficial exam result at the conclusion of the exam, but the official exam results are typically e-mailed to participants within 6-8 weeks of the exam date. Passing candidates do not receive any type of performance report or numeric score.

All successful candidates must then subscribe to the (ISC)2 Code of Ethics and have their application endorsed (normally by an existing (ISC)2 credential holder in good standing) before they are awarded the CISSP certification. This must be completed within 9 months of the exam date.
What if I fail?
Candidates who fail the exam are given a performance report at the conclusion of the exam. This report details the candidate's performance in each of the test domains and serves as a guide to help the candidate focus on areas of weakness before any subsequent attempt.

Candidates may retake the CISSP exam a maximum of 3 times in any one calendar year. After failing the exam, the candidate must wait 30 calendar days before attempting it again. The full exam fee is payable for each attempt.
What does the CISSP exam cost?
The cost of the CISSP exam is US$599, with regional variations for countries outside the Americas. Check the official (ISC)2 website for current exam prices.
Where can I take the CISSP exam?
CISSP exams are offered at Pearson VUE testing centers worldwide. It is advisable to check as early as possible with your local Pearson VUE testing center as to the availability and scheduling of the CISSP exam. The cost of travel to and from the testing center is borne by the candidate.
CISSP recertification requirements
CISSP credential holders are required to recertify every three years, with the additional requirement to earn 120 Continuing Professional Education (CPE) credits over the three-year cycle (with a minimum of 20 credits per year).

CPE credits are typically earned for ongoing education or professional activities that enhance the credential holder's knowledge and experience. This can be anything from self-study courses, professional meetings or events and in-house training to speaking, mentoring, registered courses and the like.

CISSP credential holders are also required to pay an annual maintenance fee (AMF) of US$85. Check the official (ISC)2 website for the current fee.