Certified Information Systems Security Professional

Certified Information Systems Security Professional (CISSP) is an independent information security certification governed by the International Information Systems Security Certification Consortium (commonly known as (ISC)²). As of October 10, 2008, (ISC)² has reported certifying 61,763 information security professionals in 133 countries. In June 2004, the CISSP program earned ANSI accreditation under ISO/IEC Standard 17024:2003, the first IT certification to have done so [(ISC)² press release]. It is formally approved by the U.S. Department of Defense (DoD) in both its Information Assurance Technical (IAT) and Managerial (IAM) categories [U.S. Government, DoD 8570.01-M, retrieved March 23, 2007]. The CISSP has been adopted as a baseline for the U.S. National Security Agency's ISSEP program.

Certification subject matter

The CISSP curriculum covers subject matter in a variety of information security topics. The CISSP examination is based on what (ISC)² terms the Common Body of Knowledge (CBK). According to (ISC)², "the CISSP CBK is a taxonomy -- a collection of topics relevant to information security professionals around the world. The CISSP CBK establishes a common framework of information security terms and principles that allow information security professionals worldwide to discuss, debate and resolve matters pertaining to the profession with a common understanding." [Tipton & Henry, Official (ISC)² Guide to the CISSP CBK, Auerbach Publications, p. xv, ISBN 0-8493-8231-9] The CISSP CBK is fundamentally based on the CIA triad, "the core information security and assurance tenets: confidentiality, integrity and availability" [Tipton & Henry, Official (ISC)² Guide to the CISSP CBK, Auerbach Publications, p. 5, ISBN 0-8493-8231-9], and attempts to balance the three across ten areas of interest, which are also called domains. The ten CBK domains are (see (ISC)² CISSP, https://www.isc2.org/cissp/default.aspx):
- Access Control
    - Categories and Controls
    - Control Threats and Measures
- Application Security
    - Software Based Controls
    - Software Development Lifecycle and Principles
- Business Continuity and Disaster Recovery Planning
    - Response and Recovery Plans
    - Restoration Activities
- Cryptography
    - Basic Concepts and Algorithms
    - Signatures and Certification
    - Cryptanalysis
- Information Security and Risk Management
    - Policies, Standards, Guidelines and Procedures
    - Risk Management Tools and Practices
    - Planning and Organization
- Legal, Regulations, Compliance and Investigations
    - Major Legal Systems
    - Common and Civil Law
    - Regulations, Laws and Information Security
- Operations Security
    - Media, Backups and Change Control Management
    - Controls Categories
- Physical (Environmental) Security
    - Layered Physical Defense and Entry Points
    - Site Location Principles
- Security Architecture and Design
    - Principles and Benefits
    - Trusted Systems and Computing Base
    - System and Enterprise Architecture
- Telecommunications and Network Security
    - Network Security Concepts and Risks
    - Business Goals and Network Security

Requirements

Candidates for the CISSP must meet several requirements:
- Possess a minimum of five years of direct, full-time security work experience in two or more of the ten (ISC)² information security domains (the CBK). One year may be waived for holding a four-year college degree, a Master's degree in Information Security, or one of a number of other certifications from other organizations.
- Attest to the truth of their assertions regarding professional experience and accept the CISSP Code of Ethics.
- Answer four questions regarding criminal history and related background.
- Pass the CISSP exam with a scaled score of 700 points or greater. The exam is multiple choice, consisting of 250 questions with four options each, to be answered over a period of six hours.
- Have their qualifications endorsed by another (ISC)² certified professional in good standing. The endorser attests that the candidate's assertions regarding professional experience are true to the best of their knowledge, and that the candidate is in good standing within the information security industry.

Ongoing certification

The CISSP credential is valid for three years, after which it must be renewed. The credential can be renewed by re-taking the exam; however, the more common method is to report at least 120 Continuing Professional Education (CPE) credits earned since the previous renewal. Currently, to maintain the CISSP certification, a member is required to earn and submit a total of 120 CPEs by the end of their three-year certification cycle and pay the Annual Membership Fee (AMF) of US during each year of the three-year certification cycle before the annual anniversary date. With the changes effective 30 April 2008, CISSPs are required to earn and post a minimum of 20 CPEs (of the 120 CPE certification-cycle total) and pay the AMF of US during each year of the three-year certification cycle before the member's certification or recertification annual anniversary date. For CISSPs who hold one or more concentrations, CPEs submitted for the CISSP concentration(s) are counted toward the annual minimum CPEs required for the CISSP. CPEs can be earned through several paths, including taking classes, attending conferences and seminars, teaching others, undertaking volunteer work, professional writing, etc., all in areas covered by the CBK. Most activities earn 1 CPE for each hour of time spent; however, preparing (but not delivering) training for others is weighted at 4 CPEs per hour, published articles are worth 10 CPEs, and published books 40 CPEs.

Promotion

(ISC)² promotes the CISSP certification as the "international gold standard" against which other security certifications are measured. IT professionals with security expertise are often in high demand, and the CISSP is one metric by which that expertise can be demonstrated. In 2005, CertMag surveyed 35,167 IT professionals in 170 countries on compensation and found that CISSPs led their list of certificates ranked by salary, with the Certified Information Systems Security Management Professional (CISSP-ISSMP) program drawing 6,970 annually and the Certified Information Systems Security Architecture Professional (CISSP-ISSAP) earning 1,870. A 2006 Certification Magazine salary survey also ranked the CISSP credential highly at ,070 per year, and ranked the CISSP concentration certifications as the best-paid credentials in IT, with CISSP-ISSAPs averaging 4,210 per year and CISSP-ISSMPs 1,280 per year. These figures correlate with the compensation advantages enjoyed by IT security professionals in general, as well as with the advantages accruing to the senior and management roles that intersect with the concentration certificates.

Specialized concentrations

Experienced information security professionals with an (ISC)² credential in good standing can progress to meet requirements for (ISC)² Concentrations to demonstrate further knowledge of select CBK domains. A passing score on a concentration examination is intended to demonstrate proven capabilities and subject-matter expertise beyond that required for the CISSP. Current concentrations for CISSPs include the:
- Information Systems Security Architecture Professional (ISSAP), Concentration in Architecture
- Information Systems Security Engineering Professional (ISSEP), Concentration in Engineering
- Information Systems Security Management Professional (ISSMP), Concentration in Management

See also


- Systems Security Certified Practitioner
- Certified Information Security Manager
- Certified Information Systems Auditor
- Information Security Management
- Global Information Assurance Certification

External links


- (ISC)²
- The National Centers of Academic Excellence in Information Assurance Education (CAEIAE)
- The Institute of Information Security Professionals

Sources: StartLearningNow, Wikipedia | Usage license: GNU FDL