Your Guide to the Certified Information Systems Security Professional (CISSP) Exam

The CISSP guarantees that information security leaders have a proper understanding of developing threats, technologies, and standards. The certification exam uses a variety of advanced, innovative questions to provide a better assessment of candidates on a broader scale. This guide will provide you with a general overview of the exam and the tools to help you achieve the best possible outcome.

What Is the CISSP?

The Certified Information Systems Security Professional (CISSP) is a vendor-neutral certification for those looking to deepen their understanding and credibility in the information security field. The CISSP is backed by the International Information System Security Certification Consortium (ISC)² — a nonprofit that focuses on the global safety and security of the cyber world.

To understand the full scope of the process, it is important to learn the backstory of the CISSP exam and the certification process, and to see how it can benefit your career.

History of the CISSP

In the late 1980s, it became evident to the professional information technology community that a standardized certification process was needed for professionals in the industry. With a vendor-neutral program, it would also be easy for companies to weed out prospective applicants who may not possess the skills necessary for specific positions.

Here is a timeline of the CISSP, from inception to initiation:

  • 1988 — The Special Interest Group for Computer Security gathered influential IT organizations to develop the requirements and standards for certification.
  • 1989 — The International Information System Security Certification Consortium (ISC)² is formed.
  • 1990 — (ISC)² creates an early draft of the Common Body of Knowledge (CBK), a compilation of relevant information for all security professionals.
  • 1992 — The final draft of the CBK is finalized and becomes the basis for all content for the ensuing CISSP exam.
  • 1994 — The CISSP certification program is launched, which covers asset security, risk management, and security engineering.

Did You Know?

(ISC)² revises the CBK annually to stay up to date, as needs in the security realm are ever-changing.

What Are the Career Benefits of the CISSP?

The CISSP is a globally recognized certification, and earning it can broaden your career skills and earning potential, and open up career advancement opportunities. In addition to work experience, the credential demonstrates that an IT professional has knowledge of the concepts, terms, and principles commonly used in the information security field.

According to Payscale.com, average salaries for individuals with CISSP credentials range from $61,304 to $154,965.

An experienced IT specialist can combine that experience with the CISSP to lay the foundation for a rewarding future. Those with more than 20 years as a professional in IT security have the potential to earn upwards of $127,000, while a person who has been working for less than one year can earn closer to $63,000. [1]

Who Needs CISSP Certification?

Though the CISSP certification is not a necessary standard for every position in the IT security field, it is considered a requirement for those who aspire to work in specific roles. The following positions require a CISSP credential:

  • IT Director
  • Security Analyst
  • Chief Information Security Officer
  • Network Architect
  • Security Systems Engineer
  • Director of Security

These careers help protect a company’s computer systems, networks, and data. For example, a security analyst will develop information security plans and policies, implement protections such as firewalls and data encryption programs, and monitor for security breaches. Roles like this and the security systems engineer function in a similar capacity and would most likely be part of a company’s IT team reporting to an IT director or chief information security officer.

4 Steps of CISSP Certification

The CISSP is for seasoned professionals in the field. Here is an overview to help you walk through the certification process:

1. Professional experience

Professional experience is an important requirement that applicants are expected to have upon entering the program. Ideally, candidates should have five years of experience prior to taking the exam. More specifically, you must have been paid for full-time work in at least two of the CBK domains.

If you only have four years of professional experience, you can still move forward with the process by receiving a one-year experience waiver. The waiver is available to those who have a four-year college degree or an equivalent credential from the list approved by (ISC)².

The other option is to become an associate of (ISC)². You can do this by taking and passing the CISSP exam. From that point, you will be given six years to gain the experience necessary to become officially certified. [3]

2. Take your CISSP exam

When you are prepared for the CISSP, go to Pearson VUE and create an account. Next, you can register for the certification. The exam is offered in a variety of versions including English, Spanish, German, Portuguese, Japanese, French, Korean, Chinese, and Visually Impaired.

Upon scheduling the exam, you will be asked to sign an examination agreement. You will need to review the (ISC)² code of ethics, as the agreement will ask that you attest to following the guidelines laid out by the stated code.

You will also be asked to answer a few questions regarding your background; these questions explore any past felony convictions, criminal hacking, or other information that will vet you as a CISSP candidate. Be prepared, as your answers may prevent you from being eligible for the certification.

Next you will present your professional experience and sign that you have completed the required years in IT security work.

Once everything is complete, the last step is to pay the CISSP exam fee. The full six-hour exam is currently $599.

Did You Know?

To pass the exam, you need to have a scaled score of at least 700, where the maximum score is 1,000. Your raw score is converted to a scaled score somewhere between 0 and 1,000. Not everyone takes the same test, so the scaled method allows (ISC)² to directly compare one form to another.

3. Endorsements

Once you have passed the exam, you will need an (ISC)² professional to endorse you before you are officially presented with the CISSP credential. The endorsement application will need to be signed by this professional, who must have an active membership and be in good standing.

The (ISC)² professional should be able to vouch for your years of professional experience. If you do not know a member personally, the organization itself can act as your endorser.

You are given nine months to complete this process. If you are unable to meet the nine-month deadline and still want to pursue the CISSP certification, you will need to start over and retake the exam. As mentioned previously, if you still need more time to obtain the necessary professional experience, you may become an Associate of (ISC)². This will give you an additional six years to complete this requirement.

4. Maintain your CISSP certification

To maintain your certification and keep your name in good standing with (ISC)², you will need to renew your certificate every three years. A large part of the renewal process is the accumulation of continuing professional education (CPE) credits. Each year, you will be expected to earn 40 CPE credits. By the time your certificate needs to be renewed, you should have 120 CPE credits altogether.

You will also need to pay an annual $85 maintenance fee. The final requirement for maintaining your CISSP credential is observing the (ISC)² Code of Ethics.

Structure of the CISSP Exam

The sitting time for the exam is six hours. You may take short breaks, but they are restricted. If you have to use the restroom, you may be escorted. During these breaks, the test time continues to count down and will not pause or stop for you.

The exam consists of 250 questions, of which 25 will not be graded, but these are not disclosed ahead of time. The questions are a mix of multiple choice and innovative questions. To answer these, you either drag and drop your choices into the correct location, or click on specific hotspots.

Advanced questions measure a wider range of skills and offer greater insight into real-world applications. These also measure knowledge at higher cognitive levels, as well as allow for more coverage of content.

The Eight Domains of the CISSP

The CISSP exam covers eight domains:

  • Security and risk management
  • Asset security
  • Security engineering
  • Communication and network security
  • Identity and access management
  • Security assessment and testing
  • Security operations
  • Software development security

Each domain is weighted differently and covers a broad range of topics underneath each domain umbrella. Here they are in more detail:

Security and Risk Management

Each weighted at 16% of the exam, Security and Risk Management and Security Operations are the highest valued sections. This domain in particular will focus on the basics of security and risk management, such as confidentiality, compliance law, security governance principles, ethics, policies, procedures, and legal issues.

Asset Security

Each weighted at 10% of the exam, Asset Security and Software Development Security are the lowest valued sections. Just because they are worth less does not mean they should be discounted. Together, they still make up 20% of the test. This section will cover topics such as ownership, privacy, asset classification, and data security controls.

Security Engineering

This section is weighted at 12% and covers topics such as engineering processes, fundamental concepts, security designs, vulnerabilities of mobile and web-based systems, and cryptography.

Communication and Network Security

Also weighted at 12%, the Communication and Network Security section will cover topics such as network attacks, network architecture design (including IP and non-IP protocols), and secure network components.

Identity and Access Management

This section is the third largest part of the exam with the content weighted at 13%. It will cover the elements of how to control access and manage identity. Topics include authentication of identity, cloud identity, and physical and logical assets control.

Security Assessment and Testing

This section makes up 11% of the exam, covering everything that has to do with security testing. Questions will address topics such as security control testing, assessment strategies, and automated and manual test outputs.

Security Operations

This section is an important one, weighing in at 16% of the exam. It covers a large breadth of information, from basic security operations to incident management. Other topics include disaster recovery, personnel safety, monitoring activities, business continuity planning, and resource protection techniques.

Software Development Security

Accounting for 10% of the test, Software Development Security is a pretty straightforward section. It will cover the ins and outs of software security. Topics include effectiveness, environment security controls, and software security impact.

Tips and Tricks for Passing the CISSP Exam

Use Online Resources and Locate Sample Test Questions

There are so many resources available to help you study for the CISSP. In fact, a good number of them can be found on the (ISC)² website. The organization itself has the official textbook, study guide, practice tests, and links to the mobile application versions.

It is recommended to spend half of your time studying CISSP materials and the other half on the practice exams. In addition, the organization offers the book CISSP for Dummies as a reference source. The website also offers interactive flashcards, the exam outline, and access to training seminars.

Here are more helpful resources that can prepare you for the CISSP exam:

Take the Time to Study in Advance

As with any big test, the more time you give yourself to prepare, the better off you will be. There is no way you will be successful trying to cram a six-hour test’s worth of information into your brain last minute. Pace yourself; take each domain and master it before moving on to the next section.

Use the practice tests to your advantage by testing your knowledge at the end of each section. You should always strive to get the highest score possible, so do not move on until you have scored at least an 80%. An above average score for all sections will ensure that you are able to process the material successfully and ultimately apply it on the exam and moving forward in your career.

Meet with Others to Form a Study Group

If you know other people who are also taking the exam, it would be a great idea to join a study group. Nothing sets information into the brain better than practicing with others. Repeating the material out loud and testing others will go a long way in reinforcing the concepts for your own benefit.

Additionally, if you are struggling with any domain or topic, it is likely that someone else in your group has a firm grasp on it and would be happy to help you. This can save you time and energy that can be spent preparing for your exam.

Take the Next Step in Your IT Security Career

The CISSP is an essential component for professionals desiring career growth in the IT field. Not only does the certification equip you for the evolving challenges of IT security, but it can also help you explore avenues of career opportunity. With your renewed knowledge of the CISSP, study tactics, and resources, you will emerge more prepared to earn your certification and help shape a safe future for the IT industry.

Sources

[1] Average Salary for Certification: Certified Information Systems Security Professional (CISSP) (2017), PayScale (website)
[2] Certified Information Systems Security Professional (2017), TechTarget (website)
[3] How to Get Your CISSP Certification (2016), (ISC)² (website)
[4] CISSP – Certified Information Systems Security Professional (2016), (ISC)² (website)
[5] Average CISSP Salary (2017), Infosec Institute (website)