Should I get CISSP certified?

The focus of CISSP is purely Information Security. Having said that, it's a big field. It's a demanding, well thought out, and well managed certification that commands considerable respect, more so than CISA and CISM, and if you see it as a learning experience rather than a rubber stamp, you'll get a huge amount out of it.

How can I obtain a CISSP qualification?

You need to pass an exam, provide evidence of five years of relevant experience, and then get an endorsement from an existing ISC2 member. Sounds straightforward? Perhaps, but the exam is a six-hour marathon consisting of a vast array of intentionally confusing questions covering everything from the obvious to the extremely obscure. The field it covers - review the CBK, or 'common body of knowledge', maintained by ISC2 - is vast and detailed.

There are lots of reasons not to do this exam. You can study for ages, but not know whether you know enough to pass. You can know everything, but not like their take on multiple choice questions - or you can just be a bit too slow. For some the biggest reason not to do it is the sheer length of the exam, for others the breadth of the syllabus. A few have complained that food and water were not available - I'm told this is better now. For others still, it's the fact that good people do fail - and sometimes less good people pass.

ISC2 really should look at splitting the syllabus into several three-hour exams to do it justice. They should also review some of the slightly more unreasonable rules, which add nothing to its integrity.

All in all though, once you've done it you haven't proved you are a good Information Security practitioner, but you have proved you know your stuff.

The exam is not impossible or unreasonable - if you know the material you could even say it's not particularly difficult - it just requires you to understand what you're doing, as well as know what you're doing. As it should, after all.

The experience requirement is easier to meet, if it takes a little longer - five years' experience in information security, with one year waived for a degree. There are no extra years waived for other qualifications, but really - don't bother unless you've been doing something relevant for the last five years, as you probably won't pass the exam anyway.

What does CISSP cover?

The syllabus is governed by the ISC2 CISSP CBK - a lot of letters to describe a lot of content, and pretty comprehensive. If you're a business policy wonk, be prepared to understand the underlying principles of networking and cryptography. If you're a network monkey, be prepared to understand business, governance and risk.

The areas covered are:

  • Access Control
  • Application Development Security
  • Business Continuity and Disaster Recovery Planning
  • Cryptography
  • Information Security Governance and Risk Management
  • Legal, Regulations, Investigations and Compliance
  • Operations Security
  • Physical (Environmental) Security
  • Security Architecture and Design
  • Telecommunications and Network Security

What does CISSP cost?

The exam is around $400 (assuming you enrol well in advance), but the main cost is training. Unless you're supremely confident (or just enjoy resitting exams) it's definitely worth investing in a training course. Don't accept anything under five days, and be sure to do the homework - a course that long can't possibly teach you everything you need to know, so see it as a revision course and read around the syllabus in your weaker areas beforehand.

Be prepared also for travel costs unless you live in a capital city or US state capital, and keep an eye on exam dates as they often get booked up well in advance. You could do a lot worse than to sign up for a course that ends with the exam - the knowledge will be fresh, even though you might be tired! As for the cost of the course, expect to pay between £200 ($300) and £400 ($600) a day in fees for most courses, plus VAT or sales tax, along with accommodation and travel costs. To a large extent you get what you pay for, but do your research and ask friends or colleagues for referrals to course providers and specific tutors - it makes a big difference to how much you learn.

How long will CISSP take?

It varies depending on you and the time you have, but allow at least three months from registration to sitting the exam, and allocate some time each week to go through each area of the syllabus. If you have IT audit experience, good IT knowledge and a strong background in business, a one-week training course followed by the exam may be enough - but you'll be lucky. If there are gaps in your knowledge or you're relatively new to the profession (less than five years' proper experience leading audits or managing an Information Security team), you will need more time and might want to consider doing something like CISA or CISM first. You will want to take relevant courses, read up in weak areas, and spend a few months preparing for the exam. If you're weaker in one area it might be worth doing a course in that area first, or trying to get some on-the-job experience that covers it, to make it easier to understand where the examiners are coming from.

Add several months if you have to resit. If you've done a six hour exam once, you definitely won't want to do it three times.

Do I get letters after my name?

Yes, you can use the letters CISSP, as long as you keep your certification up to date. The letters are worth a fair bit on the recruitment market, particularly combined with CISA for auditors, or with good technical or business qualifications. Just don't use them to convince another infosec pro that you know what you're talking about.

Do I need to do CPD to retain my CISSP qualification?

Yes. You need 120 CPD points over three years, with at least 20 in each year. It's quite a lot, and for the privilege of doing this you get to pay an annual $85 fee. However, as the alternative is to resit the exam, I'd recommend the CPD option - strongly.

Is CISSP appropriate for me?

Yes, if you're an experienced professional looking to demonstrate competence and plug any gaps in your knowledge - CISSP is the one 'must have' IT security qualification, and everyone will learn something by doing it.

No, though, if you're new to Information Security, even if you already have some IT experience. It's the closest there is to a gold standard, but it's not easy for beginners. If you're new to Information Security or IT audit, or looking to move in that direction from a relevant IT or operational audit field, forget CISSP for now and look at CISA or CISM as a qualification you can do straight away. CISSP just doesn't make sense without experience.

How do I get started with a CISSP certification?

Visit the CISSP pages on the ISC2 web site and sign up.

Should I take a course, and where can I do it?

There are plenty of options; it's now very popular. You can study online, or you can do a one-week course that leads up to the exam on the final day. Find out about my experience of CISSP training here.
