Should I get CISSP Certified?
The focus of CISSP is purely Information Security. Having said that, it's a very big field. CISSP's reputation as a certification is for being 'a mile wide and an inch deep'. In fact it's so wide that, rather like the Great Wall of China, you can probably see it from space.
That, and not technical depth, is what makes it hard. That’s a limitation too - CISSP means you understand something, but not that you know how to do it. And that does make sense, because it is extremely wide and you can’t possibly be an expert in everything.
However, it is not an auditor-specific qualification, so it is complementary to CISA rather than an alternative to it. It's a demanding, well thought out, and well managed certification that commands considerable respect, in some quarters more so than CISA and CISM (though I'm not sure that's fair), and, much as with these others, if you see it as a learning experience rather than a rubber stamp, you'll get a huge amount out of it.
How can I obtain a CISSP qualification?
You need to pass an exam and evidence 5 years of relevant experience, then get an endorsement. Sounds straightforward? Perhaps, but the exam is a six-hour marathon consisting of a vast array of intentionally confusing questions covering everything from the obvious to the extremely obscure. The field it covers – review the CBK or 'common body of knowledge' maintained by ISC2 – is vast and detailed.
There are lots of reasons not to do this exam. You can study for ages, but not know whether you know enough to pass. You can know everything, but not like their take on multiple choice questions – or you can just be a bit too slow. For some the biggest reason not to do it is the sheer length of the exam, for others the breadth of the syllabus. A few have complained that food and water were not available – I'm told this is better now. For others still, it's the fact that good people do fail.
ISC2 really should look at splitting the syllabus into several shorter exams to do it justice. But all in all it is a good test.
Once you've done it you haven't proved you're a good IT auditor or Information Security practitioner, but you've proved you know your stuff.
The exam is not impossible or unreasonable – if you know the material you could even say it’s not particularly difficult – it just requires you to understand what you’re doing, as well as know what you’re doing. As it should, after all. Whilst it’s a 6 hour exam, you don’t need to use all the time and I did it in just over 3 hours, including checking over my work. That said, I know people who are just as technically capable as I am, if not more so, and took close to the full time allowed. Take the time you need, it’s a marathon not a sprint.
The experience requirement is easier, if it takes a little longer – 5 years of experience in information security, with 1 year off for a degree or for a credential on ISC2's approved list. The waiver is one year at most, not one year per qualification, so other qualifications don't stack. But really, don't do CISSP unless you've been doing something relevant for the last five years, as you probably won't pass the exam anyway. If you're light on experience you may wish to consider ISC2's slightly lighter SSCP.
What does CISSP cover?
The syllabus is governed by the ISC2 CISSP CBK – it's a lot of letters to describe a lot of content, and pretty comprehensive. If you're a business policy wonk, be prepared to understand the underlying principles of networking and cryptography. If you're a network monkey, be prepared to understand business, governance and risk.
The areas covered are:
Security and Risk Management
Asset Security
Security Architecture and Engineering
Communication and Network Security
Identity and Access Management (IAM)
Security Assessment and Testing
Security Operations
Software Development Security
There were 10 domains when I did it, but that doesn’t mean it’s any easier.
What does CISSP cost?
The exam is around $500 (assuming you enrol well in advance), but the main cost is training. Unless you're supremely confident or just enjoy resitting exams, it's definitely worth investing in a training course. Don't accept anything under 5 days, and be sure to do the homework – a course that long can't possibly teach you everything you need to know, so see it as a revision course and read around the syllabus in your weaker areas beforehand.
Be prepared also for travel costs unless you live in a major city, and keep an eye on exam dates as they often get booked up well in advance. You could do a lot worse than to sign up for a course that ends with the exam – the knowledge will be fresh, even if you might be tired! As for the cost of the course – expect to pay between £300 ($400) and £600 ($800) a day in fees for most courses, plus VAT or sales tax, along with accommodation and travel costs. To a large extent you get what you pay for, but do your research and ask for referrals from friends or colleagues for course providers and specific tutors – it makes a big difference to how much you learn.
How long will CISSP take?
It varies depending on you and the time you have, but allow at least 3 months from registration to sitting the exam and allocate some time each week to go through each area of the syllabus. If you have information security or IT audit experience, good IT knowledge and a strong background in business, a one-week training course followed by the exam may be enough. If there are gaps in your knowledge or you're relatively new to the profession (less than 5 years' proper experience leading audits or managing an Information Security team), you will need more time and might want to consider doing something like SSCP, CISA or CISM first. You will want to take relevant courses, read up in weak areas, and spend a few months preparing for the exam. If you're weaker in one area, it might be worth doing a course in that area first, or trying to get some on-the-job experience that covers it, to make it easier to understand where the examiners are coming from.
Add several months if you have to resit. If you’ve done a six hour exam once, you definitely won’t want to do it three times.
Do I get letters after my name?
Yes, you can use the letters CISSP, as long as you keep your certification up to date. The letters are worth a fair bit on the recruitment market, particularly if combined with CISA for auditors, CISM for security managers, or good technical qualifications.
Do I need to do CPD to retain my CISSP qualification?
Yes. You need 120 CPD points (ISC2 calls them CPE credits) over three years, and at least 20 each year. Because of the way it's calculated it's quite a lot, and recording it is a nuisance, and for the privilege of doing this you get to pay an annual fee. However, as the alternative is to resit the exam, I recommend the CPD option – strongly.
Is CISSP appropriate for me?
Yes, if you're an experienced professional looking to demonstrate general business competence and identify any critical gaps in your knowledge. Rightly or wrongly, CISSP is the one 'must have' IT security qualification from a recruitment perspective, and everyone will learn something by doing it.
No, though, if you're new to IT audit or Information Security, even if you already have some IT experience. It's the closest there is to a gold standard, but it's not easy for newbies. If you're new to Information Security or IT audit, or looking to move in that direction from a relevant IT or operational field, maybe pass on CISSP for now and look at CISA or CISM as a qualification with a slightly narrower remit that will be easier to grasp, then follow up - CISSP just doesn't make much sense without supporting real-life experience.
How do I get started with a CISSP certification?
Visit the CISSP pages on the ISC2 web site and join, then pick a training provider.
Should I take a course, who with, and where can I do it?
There are lots of options. A good one is to do a one week boot camp course that leads up to the exam on the final day. Find out about my experience of CISSP training here.