Certified Information Systems Security Professional


Certified Information Systems Security Professional
CISSP Logo

Certified Information Systems Security Professional (CISSP) is an independent information security certification governed by International Information Systems Security Certification Consortium (ISC)². (ISC)² is a self-declared Nonprofit_organization[1] but is not a Charitable Organization under the applicable Internal Revenue Service Code.

As of September 17, 2011, (ISC)² reports 75,814 members who hold the CISSP certification in 134 countries.[2] In June, 2004, the CISSP was the first information security credential accredited by ANSI ISO/IEC Standard 17024:2003 accreditation, and, as such, has led industry acceptance of this global standard and its requirements.[3] It is formally approved by the U.S. Department of Defense (DoD) in both their Information Assurance Technical (IAT) and Managerial (IAM) categories.[4] The CISSP has been adopted as a baseline for the U.S. National Security Agency's ISSEP program.[5]

Contents

History

In the mid-1980s a need arose for a standardized certification program that provided structure and demonstrated competence. In November 1988, the Special Interest Group for Computer Security (SIG-CS), a member of the Data Processing Management Association (DPMA), brought together several organizations interested in this. The International Information Systems Security Certification Consortium or "(ISC)²" formed in mid-1989 as a non-profit organization with this goal.[6]

Certification subject matter

The CISSP curriculum covers subject matter in a variety of Information Security topics. The CISSP examination is based on what (ISC)² terms the Common Body of Knowledge (or CBK). According to (ISC)², "the CISSP CBK is a taxonomy -- a collection of topics relevant to information security professionals around the world. The CISSP CBK establishes a common framework of information security terms and principles that allow information security professionals worldwide to discuss, debate and resolve matters pertaining to the profession with a common understanding."[7]

The CISSP CBK is fundamentally based on the CIA triad, the core information security and assurance tenets: confidentiality, integrity and availability,[7] and attempts to balance the three across ten areas of interest, which are also called domains. The ten CBK domains are:[8]

Requirements

Candidates for the CISSP must meet several requirements:

  • Possess a minimum of five years of direct full-time security work experience in two or more of the ten (ISC)² information security domains (CBK). One year may be waived for having either a four-year college degree, a Master's degree in Information Security, or for possessing one of a number of other certifications from other organizations.[9] A candidate not possessing the necessary five years of experience may earn the Associate of (ISC)² designation by passing the required CISSP examination. The Associate of (ISC)² for CISSP designation is valid for a maximum of six years from the date (ISC)² notifies the candidate of having passed the exam. During those six years a candidate will need to obtain the required experience and submit the required endorsement form for certification as a CISSP. Upon completion of the professional experience requirements the certification will be converted to CISSP status.[10]
  • Attest to the truth of their assertions regarding professional experience and accept the CISSP Code of Ethics.[11]
  • Answer four questions regarding criminal history and related background.[12]
  • Pass the CISSP exam with a scaled score of 700 points or greater out of 1000 possible points. The exam is multiple choice, consisting of 250 questions with four options each, to be answered over a period of six hours. 25 of the questions are experimental questions which are not graded.[12]
  • Have their qualifications endorsed by another CISSP in good standing. The endorser attests that the candidate's assertions regarding professional experience are true to the best of their knowledge, and that the candidate is in good standing within the information security industry.[13]

Ongoing certification

The CISSP credential is valid for only three years, after which it must be renewed. The credential can be renewed by re-taking the exam; however, the more common method is to report at least 120 Continuing Professional Education (CPE) credits since the previous renewal. Currently, to maintain the CISSP certification, a member is required to earn and submit a total of 120 CPEs by the end of their three-year certification cycle and pay the Annual Membership Fee of US$85 during each year of the three-year certification cycle before the annual anniversary date. With the new changes effective 30 April 2008, CISSPs are required to earn and post a minimum of 20 CPEs (of the 120 CPE certification cycle total requirement) and pay the AMF of US$85 during each year of the three-year certification cycle before the member’s certification or recertification annual anniversary date. For CISSPs who hold one or more concentrations, CPEs submitted for the CISSP concentration(s) will be counted toward the annual minimum CPEs required for the CISSP.[14]

CPEs can be earned through several paths, including taking classes, attending conferences and seminars, teaching others, undertaking volunteer work, professional writing, etc.., all in areas covered by the CBK. This is more easily achieved than it seems since "attending" a webinar qualifies. Most activities earn 1 CPE for each hour of time spent, however preparing (but not delivering) training for others is weighted at 4 CPEs/hour, published articles are worth 10 CPEs, and published books 40 CPEs.[14]

Value

In 2005, CertMag surveyed 35,167 IT professionals in 170 countries on compensation and found that CISSPs led their list of certificates ranked by salary. A 2006 Certification Magazine salary survey also ranked the CISSP credential highly, and ranked CISSP concentration certifications as the top best paid credentials in IT.[15][16]

The CISSP certification exam has been criticized for its vague questions, as well as the amount of study required to become certified. In the past, critics have also cited the way that the exam's questions are focused on the U.S., although (ISC)² took steps to internationalize the questions in the late 2000s.[17]

References

  1. ^ "About (ISC)²". (ISC)². 2009. https://www.isc2.org/aboutus/default.aspx. Retrieved November 23, 2009. 
  2. ^ "Member Counts". (ISC)². https://www.isc2.org/Member-Counts.aspx. Retrieved July 8, 2009. 
  3. ^ "(ISC)² CISSP Security Credential Earns ISO/IEC 17024 Re-accreditation from ANSI" (Press release). Palm Harbor, FL: (ISC)². September 26, 2005. http://www.isc2.org/PressReleaseDetails.aspx?id=2796. Retrieved November 23, 2009. 
  4. ^ "DoD 8570.01-M Information Assurance Workforce Improvement Program" (PDF). United States Department of Defense. December 19, 2005. http://www.dtic.mil/whs/directives/corres/pdf/857001m.pdf. Retrieved March 23, 2007. 
  5. ^ "NSA Partners With (ISC)² To Create New InfoSec Certicication". February 27, 2003. https://www.isc2.org/PressReleaseDetails.aspx?id=3334. Retrieved December 3, 2008. 
  6. ^ Harris, Shon (2010). All-In-One CISSP Exam Guide (5 ed.). New York: McGraw-Hill. pp. 7-8. ISBN 0071602178. 
  7. ^ a b Tipton; Henry. Official (ISC)² Guide to the CISSP CBK. Auerbach Publications. ISBN 0-8493-8231-9. 
  8. ^ "CISSP Education & Certification". (ISC)². 2009. https://www.isc2.org/cissp/default.aspx. Retrieved November 10, 2010. 
  9. ^ "CISSP Professional Experience Requirement". (ISC)². 2009. https://www.isc2.org/cissp-professional-experience.aspx. Retrieved December 3, 2008. 
  10. ^ "How to Become an Associate". (ISC)². 2009. https://www.isc2.org/how-to-become-an-associate.aspx. Retrieved November 23, 2009. 
  11. ^ "(ISC)² Code of Ethics". (ISC)². 2009. https://www.isc2.org/ethics/default.aspx. Retrieved December 3, 2008. 
  12. ^ a b "How To Certify". (ISC)². 2009. https://www.isc2.org/cissp-how-to-certify.aspx. Retrieved December 3, 2008. 
  13. ^ "Endorsement". (ISC)². 2009. https://www.isc2.org/endorsement.aspx. Retrieved December 3, 2008. 
  14. ^ a b "Maintaining Your Credential". (ISC)². 2009. https://www.isc2.org/maintaining-your-credential.aspx. Retrieved December 3, 2008. 
  15. ^ "Top Certifications by Salary in 2007". Certification Magazine. April 11, 2007. Archived from the original on March 29, 2007. http://web.archive.org/web/20070329054214/http://www.certmag.com/images/CM1206_salSurveyFig1.jpg. Retrieved October 14, 2007. 
  16. ^ Sosbe, Tim; Hollis, Emily; Summerfield, Brian; McLean, Cari (December 2005). "CertMag’s 2005 Salary Survey: Monitoring Your Net Worth". Certification Magazine (CertMag). Archived from the original on June 6, 2007. http://web.archive.org/web/20070607155757/http://www.certmag.com/articles/templates/CM_gen_Article_template.asp?articleid=1524&zoneid=224. Retrieved April 27, 2007. 
  17. ^ Wil Allsopp (2009), Unauthorised Access: Physical Penetration Testing for IT Security Teams, John Wiley and Sons, p. 271, ISBN 9780470747612, http://books.google.com/books?id=3Q-wPyb2uCUC&pg=PA271 

External links


Wikimedia Foundation. 2010.

Look at other dictionaries:

  • Certified Information Systems Security Professional — Der Certified Information Systems Security Professional (CISSP) ist eine Zertifizierung, die vom International Information Systems Security Certification Consortium, Inc. (auch: (ISC)²) angeboten wird. Es handelt sich bei dem Zertifikat um einen… …   Deutsch Wikipedia

  • Certified Information Systems Security Professional — CISSP (en anglais : Certified Information Systems Security Professional), est une certification professionnelle internationale et commercialement indépendante en sécurité des systèmes d information. Le programme de certification est géré par …   Wikipédia en Français

  • Certified Information Systems Security Professional —    Abbreviated CISSP. A certification from the International Information System Security Certification Consortium (ISC) 2designed for system security experts with at least three years of practical experience. The exam covers access control… …   Dictionary of networking

  • Certified Information Systems Auditor — Der Certified Information Systems Auditor (CISA) ist eine weltweit anerkannte Zertifizierung im Bereich Revision, Kontrolle und Sicherheit von Informationssystemen. Seit der Einführung 1978 wurden mehr als 75.000 Personen in 160 Ländern als CISA… …   Deutsch Wikipedia

  • Certified Information Systems Auditor — [1] Certified Information Systems Auditor (CISA) is a professional certification for Information Technology Audit professionals sponsored by ISACA, formerly the Information Systems Audit and Control Association. Candidates for the certification… …   Wikipedia

  • International Information Systems Security Certification Consortium — ((ISC)²) est le nom d une organisation à but non lucratif dont le siège social est situé à Palm Harbor en Floride (aux États Unis d Amérique). Cet organisme est en charge de certifier des professionnels de la sécurité de l information, en… …   Wikipédia en Français

  • Certified Information Security Manager — (CISM) est une certification professionnelle pour les managers en sécurité de l information délivrée par Information Systems Audit and Control Association (ISACA). Sommaire 1 Sujets 2 Voir aussi 3 Références …   Wikipédia en Français

  • Certified Information System Auditor — Certified Information Systems Auditor (CISA) is an audit professional certification sponsored by the Information Systems Audit and Control Association (ISACA). Candidates for the certification must meet requirements set by ISACA.HistoryThe CISA… …   Wikipedia

  • Certified Information Security Manager — (CISM) is a certification for information security managers awarded by ISACA (formerly the Information Systems Audit and Control Association). To gain the certifications, individuals must pass a written examination and have at least five years of …   Wikipedia

  • Information Systems Audit and Control Association — Website: www.isaca.org ISACA is an international professional association that deals with IT Governance. It is an affiliate member of IFAC.[1] Previously known as the Information Systems Audit and Control Association, ISACA now goes by its… …   Wikipedia