CISSP certification – The ultimate guide [updated 2021]
Cybersecurity is a huge consideration in today’s world due to the ongoing rise of cyberthreats, in-house security breaches, phishing attempts and other forms of hacking. The demand for experienced cybersecurity professionals is at an all-time high and will only continue to grow as the gap between supply and demand increases. One of the best ways to get into one of these coveted positions is by becoming a Certified Information Systems Security Professional (CISSP) with a credential that (ISC)² believes can distinguish you as a globally respected security leader.
What is CISSP certification?
A CISSP certification validates that your cybersecurity knowledge and skills in key areas are up to date. It shows you have deep knowledge and understanding of not just existing security threats, but also emerging ones, as well as the skills needed to secure an organization’s critical assets.
In fact, according to the certifications page of the official (ISC)² website, this vendor-neutral credential is for professionals with proven deep technical and managerial competence, skills, experience and credibility to design, engineer, implement and manage an organization’s overall security posture.
To qualify for the CISSP, candidates must pass an exam with questions on the eight “domains” covered in the CISSP Common Body of Knowledge (CBK):
- Security and risk management
- Asset security
- Security architecture and engineering
- Communication and network security
- Identity and access management (IAM)
- Security assessment and testing
- Security operations
- Software development security
On May 1, 2021, the weighting of domains for the (ISC)² CISSP credential exam was refreshed: domain four (Communication and network security) now carries 1 percent less weight and domain eight (Software development security) carries 1 percent more. The weights of all other domains are unchanged. The list above is the current set of eight CISSP domains.
Note: earning your CISSP certification requires experience (we’ll cover how much in the requirements section) in at least two of those eight domains.
According to (ISC)², this certification is an ideal option for security consultants, security managers, IT directors and managers, security auditors, security architects, security analysts, security systems engineers, chief information security officers, directors of security and network architects, to name a few.
What is (ISC)²?
The International Information System Security Certification Consortium, or (ISC)², was founded in 1989 as a non-profit organization and has since become known for providing standardized information security certifications, such as the CISSP credential. Today, the organization has over 147,000 members (as of Jan. 1, 2021) in a wide range of security roles, from cybersecurity to infrastructure security and everything in between.
The rising demand
Not convinced that becoming a CISSP will really help further your career? Consider what Tony Vizza, (ISC)² director of cybersecurity advocacy for APAC, says: “The CISSP truly demonstrates that you are at the top of your cybersecurity game in terms of both knowledge and experience. […] The CISSP is often described as ‘a mile wide and an inch deep.’ Yet this enduring description is factually incorrect. The CISSP covers the fundamental elements of the entire cybersecurity field — from security and risk management to communication and network security to security testing and operations. It ensures that a certified professional understands all aspects of information security and, most critically, how the aspects of the information security environment they work on will interact with the overall organizational ecosystem.”
The 2020 (ISC)² Cybersecurity Workforce Study estimated a global cybersecurity workforce shortage of over 3.1 million people. Most of those open positions require mission-critical skills, so there is no better time to accelerate your career with this certification while helping to close the skills gap.
Are you eligible for the certification? To become a credentialed professional, you’ll need to understand the CISSP requirements, of which there are quite a few.
How do I earn the CISSP?
Earning the credential requires that you meet the current CISSP requirements. Passing the exam is only part of it: you also need a significant amount of prior work experience. If you lack that experience, you can pass the exam and become an Associate of (ISC)² while you accumulate it. The overall process looks like this:
- Have the minimum required real-world experience
- If you lack the required years of experience, you can become an Associate of (ISC)²
- If you have a four-year degree you may qualify for a one-year waiver
- Pass the CISSP exam with a minimum score of 700 out of 1,000 points (the exam costs $749, as of May 1, 2021)
- Complete the endorsement process and agree to the organization’s code of ethics
- Maintain your CISSP certification and recertify every three years
What is the work experience required?
Perhaps the single most difficult requirement for those aspiring to earn their CISSP certification is the work experience needed. You’ll need a minimum of five years of cumulative, paid work experience as a security professional. You must be able to show proof that you worked full time in this role and that your experience covers a minimum of two of the eight domains in the (ISC)² CISSP CBK.
However, if you have earned a four-year degree or an accepted additional credential from the list of approved options, you can get a one-year waiver, meaning that you’ll only need to prove that you have four years of real-world, full-time experience as a security professional.
What is the associate of (ISC)²?
For those who do not have the required work experience, it is possible to become an associate of (ISC)². To do this, you’ll need to pass the CISSP exam, and then work as a security professional. You have six years from the date that you pass the exam to earn your full CISSP credential. If you are unable to do so during that time, you will need to retake the exam once more after you have completed at least five years of work.
After passing the exam, you’ll have access to ongoing training options, as well as other member benefits. You will need to maintain your status, though, which requires earning continuing professional education (CPE) credits: an Associate of (ISC)² must earn 15 CPE credits annually, while a full CISSP holder must earn 120 CPE credits over each three-year cycle (40 per year is the suggested pace).
(ISC)² certified members pay a single annual maintenance fee (AMF) of $125 regardless of how many (ISC)² certifications they hold. Associates of (ISC)² pay an AMF of $50 each year on the anniversary of their certification date.
During this time, you will need to work toward your full CISSP certification and start the endorsement process, which will ultimately turn your associate certificate into a CISSP.
The process looks like this:
- Choose your certification (CISSP in this case).
- Schedule the exam and agree to the code of ethics.
- Take the exam and pass.
- Maintain your status and work toward your CISSP certification. You have six years to complete five years of real-world experience.
The examination questions, format and length
The English-language exam uses computerized adaptive testing (CAT): candidates answer 100 to 150 questions in a three-hour window. In all other languages the exam is a linear, fixed-form test of 250 questions in a six-hour window. In either format, a minimum of 700 out of 1,000 points is required to pass.
The exam mixes conventional multiple-choice questions with what (ISC)² calls “advanced innovative” questions: drag-and-drop and “hotspot” items designed to measure both knowledge and cognitive skills. For instance, you may be presented with a scenario and asked to drag every correct answer from one side of the screen into a “correct answers” box on the other side.
How does the CISSP endorsement process work?
Once you’ve passed the CISSP test, your work is not yet done. You’ll need to complete the organization’s endorsement process before you can earn your certification. This will require that you have the endorsement form digitally signed by an existing (ISC)² certified professional, who is a member of the organization in good standing.
The endorser must be able to attest that you are a practicing security professional and that your stated work experience is true to the best of their knowledge. Note that you will need the endorsing member’s certification number when completing the endorsement form. If you do not have a connection with an existing (ISC)² member in good standing, the organization itself can act as an endorser.
It’s also important to understand a couple of other things. First, time is limited when it comes to getting your endorsement. You’ll need to have your endorsement completed within nine months of passing the CISSP exam or you’ll have to retake the test (and pay the fees again).
It pays to think about your connections before taking the test: if you do not currently know any members of the organization, cultivate some contacts beforehand rather than relying on (ISC)² to endorse you.
You should also understand that the organization regularly audits a random number of those who pass the exam. They have this to say about audits: “A percentage of the candidates who pass an (ISC)² examination and submit endorsements will be randomly subjected for audit and required to submit additional information, as required, for verification. You will be notified via email if your application is selected for audit. CISSP concentrations do not require an endorser. Current members may access the full (ISC)² endorsement policy here.”
What are the candidate background qualifications?
(ISC)² does not allow just anyone to take the examination. There is a rigorous background screening involved, and you’ll need to ensure that you meet these CISSP requirements before you start the process. The organization states that no refunds are given on exam fees or other expenses if you have already taken the test and are then found not to meet the background requirements.
There are four questions that you’ll need to pay close attention to during the background screening. Answering “yes” to any of them may make you ineligible for any certification through the organization. However, if you feel that you have been denied without true cause, you can contact (ISC)² by email to plead your case. The four questions are as follows:
- Have you ever been convicted of a felony, a crime based on dishonesty (felony or misdemeanor involving lying) or a court-martial in military service or is there a felony charge now pending against you? (Omit minor traffic violations and offenses prosecuted in juvenile court.)
- Have you ever been involved, or publicly identified, with criminal hackers or hacking?
- Have you ever had a professional license, certification, membership or registration revoked? Have you ever been censured or disciplined by any professional organization or government agency?
- Have you ever been known by any other name, alias or pseudonym? (Omit user identities or screen names with which you were publicly identified. Also omit name changes due to marriage or adoption.)
Make sure that you resolve any potential conflicts so that your background check is clean and you do not raise any red flags during this process.
Pursuing the CISSP certification
The CISSP requirements set forth by (ISC)² are designed to be stringent, including five years of real-world experience working as a security professional. However, those requirements are what make the CISSP certification so enticing to employers. Earning a CISSP certification will give you one of the most sought-after credentials by hiring managers around the world looking to add information and cybersecurity professionals to their teams.
Sources:
- CISSP, (ISC)²