
Talking Shop: Just how tough is it to become a CISSP?

Examine the requirements for the Certified Information Systems Security Professional certification


Computer crime has truly become an epidemic, with the number of reported computer security incidents increasing sharply since 1997 (Figure A). Adding to the urgency of the situation, compliance with legislation such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA) is now a serious concern for many organizations in the health care and financial/banking-related industries. My previous article, “Security certs may be mandatory for IT pros in financial and healthcare fields,” looked at the impact of that legislation.

More to come
Future articles by Allen Keele will feature exam preparation methods and aggressive test-taking tips for the CISSP exam.

Today, employers expect current staff to become knowledgeable on security planning and implementation, and they're looking for new hires who bring a desirable combination of security experience and certification. One way for security pros to demonstrate their knowledge is by earning the Certified Information Systems Security Professional (CISSP) certification. Offered by the International Information Systems Security Certification Consortium (ISC)², the CISSP is one of the most widely respected security certifications. In this article, we’ll explore the certification prerequisites necessary to sit for and pass the CISSP exam.

Figure A


CISSP certification prerequisites
As tests go, the CISSP exam is truly a humdinger. I have been through many professional exams over the past several years, corresponding to more than 20 certifications, and I can say with experience that this was one of the most challenging exams I have ever taken. The exam consists of 250 multiple-choice questions administered over a six-hour period. There are no scheduled breaks, and the restroom is one-at-a-time. The questions on the exam require a great deal of thought and evaluation, which is quite exhausting over such a lengthy exam duration.

Even before you can take this monstrous exam, you must apply and qualify for the privilege. This is not just another technical exam that you can schedule for an appointment at your local Prometric or Vue testing center. All exam locations, times, and admittance are handled by (ISC)². Here are the steps I recommend for registering for your CISSP exam.

Step 1: Review the guidelines
Review the official guidelines for the professional experience requirements. Take note that the experience requirements changed, effective Jan. 1, 2003. In the past, (ISC)² required that candidates possess at least three years of professional experience in at least one of the 10 information security domains of the (ISC)² Common Body of Knowledge (CBK). Now, three years suffices if you can supplement the experience with a four-year college degree. Without the degree, you must have at least four years of professional security experience.

So what is considered “professional” experience? (ISC)² provides a pretty clear picture of what it's looking for in its experience guidelines. As a matter of fact, it even explains what it's not looking for. My only additional advice is to remember that the security domains of the CBK are broad in scope. As a result, it’s not too difficult to meet the experience requirements if you have been in any kind of managerial or professional capacity over the past three or four years.

Did you work in HR managing hiring and employment termination? I bet you implemented prehire practices that enforced security as promoted in the CBK’s Security Management Practices and Operations Security domains. Are you an attorney who has implemented and enforced confidentiality of information through contracts, or have you consulted about copyrights, patents, or trademarks? If so, you probably meet your experience requirements as they relate to the Law, Investigation & Ethics and Security Management Practices security domains. As an IT pro, you probably helped develop access control policies and server recovery policies and procedures, and maybe even made decisions on appropriate physical or logical security for your systems. So long as you make decisions, as opposed to just executing the decisions of others, you most likely meet the experience requirements as described on (ISC)²’s Web site.

Step 2: Register for your test
If you think you meet the certification prerequisites and qualify to take the exam, you will need to register online for your seat by selecting an exam location and date at (ISC)²’s exam schedule page and filling out an application for your exam seat reservation. Be sure to select a date that will allow you plenty of time for preparation. Depending on the preparation method you choose—self-study with books, computer-based-training, or instructor-led classroom training—preparation can take anywhere from seven days to eight months.

The exam currently costs $450 with three weeks’ advance registration or $550 without the advance registration. You should receive confirmation by e-mail within a couple of days of completing the online registration process. Many students who have taken my CISSP training courses report that getting confirmation can sometimes be sporadic, so don’t be shy about contacting (ISC)² yourself if you do not hear from it within a few days of registering online.

Step 3: Prep for the exam
You will need to achieve a score of 700 out of 1,000 points to pass. Exam questions are weighted differently, though, so it is difficult to really determine exactly how many questions you can miss and still succeed. You’ll need to study well and prepare for a grueling six-hour exam. These comments from a former student who went on to achieve his CISSP certification provide some testimony as to the test’s level of difficulty.

Chuck Hede, the director of systems operations for MicroFinancial, said the CISSP exam is not for people who are just starting their careers, but for IT pros with a broad background.

“After the test, there is only one word to describe how I felt: drained!” Hede said. “I had to dig deep to answer some of the questions, and some were so unusual as to their content that I was simply surprised.”

Step 4: Complete your certification
Once you complete your exam, (ISC)² should notify you by e-mail of your success or failure within about seven to 21 days. If you pass, you will be invited to complete your certification process by submitting an endorsement form supplied by (ISC)².

Certified professionals leading the way
With computer crime incidents snowballing, you have a chance to step up to the challenge of improving all facets of security management and execution. Achieving and maintaining exclusive certifications such as the CISSP shows your commitment and participation level in the information security industry.

Sure, the CISSP is hard to earn. But if it were easy, everybody would have it. If you plan to distinguish yourself as having special expertise in information security, it may be time to get the credential that proves it.
