CISSP Certification – The Ultimate Guide


Cybersecurity is a huge consideration in today’s world due to the ongoing rise of cyber-threats, in-house security breaches, phishing attempts and other forms of hacking. However, the number of credentialed security experts is actually decreasing, rather than increasing. That means demand for these pros is at an all-time high and will only continue to grow as the gap between supply and demand increases. The first step in obtaining one of these coveted positions is learning how to become a certified information systems security professional (CISSP).

Really, a CISSP certification proves that you are a cybersecurity leader and that your knowledge and skills in key areas are up to date. It shows that you have a deep knowledge and understanding of not just existing threats, but emerging ones, as well as ways to prevent those threats from affecting a company.

According to (ISC)2, it is a “vendor-neutral credential for those with proven deep technical and managerial competence, skills, experience and credibility to design, engineer, implement and manage their overall information security program to protect organizations from growing sophisticated attacks.”

There are eight “domains” covered in the CISSP CBK (critical body of knowledge), which include the following:

  • Security and risk management
  • Asset security
  • Security engineering
  • Communication and network security
  • Identity and access management
  • Security assessment and testing
  • Security operations
  • Software development security

Earning your CISSP certification will require that you have experience (we’ll touch on how much in the requirements section) in at least two of those eight domains.

According to (ISC)2, this certification is an ideal option for security consultants, security managers, IT directors and managers, security auditors, security architects, security analysts, security systems engineers, chief information security officers, directors of security, and network architects, to name only a few.

What Is (ISC)2?

While many technical certifications are issued by companies, (ISC)2 is actually an international nonprofit organization. It was formed over 25 years ago, and has been instrumental in combating cyber threats.

CISSP certification is the organization’s best-known credential, but it offers others, all of which are “part of a holistic, programmatic approach to security.” Today, the organization has over 115,000 members in a wide range of security roles, from cybersecurity to infrastructure security and everything in between.

The Rising Demand

Not convinced that becoming a CISSP will really help further your career? Consider what David Shearer, CEO of (ISC)2, had to say at the organization’s conference in Orlando in September of 2016. “We have to take a holistic approach to security, so there is more demand for soft skills. The industry needs people that are good at technology, but also good at communication, business, and people. We need to build out the deep specialists to be able to communicate. The CISSP is often criticized as being too broad and I don’t disagree, but the power of CISSP is that you understand the breadth of any information security problem.”

This is backed up and further explained by an interview that Alan Paller, director of research at the SANS Institute, gave to Ars Technica. “This idea that there’s a shortage is absolutely true,” he stated. “But it’s a focused shortage. The majority of the jobs that are hard to fill are the mission-critical jobs.”

Of course, in order to become a credentialed professional, you’ll need to understand the CISSP requirements, of which there are quite a few.

How Do I Earn the CISSP?

Earning your credentials requires that you meet the current CISSP requirements. Yes, there is a lengthy testing process involved, but it goes much deeper than that. You need a significant amount of previous work experience; alternatively, if you have somewhat less real-world security experience, you can become an Associate of (ISC)2 while you accumulate it. The overall process looks like this:

  • Have the minimum required real-world experience.
    • If you lack the required years of experience, you can become an Associate of (ISC)2.
    • If you have a 4-year degree, you may qualify for a 1-year waiver.
  • Pass the exhaustive CISSP exam with a score of at least 700 out of 1,000 points.
  • Complete the endorsement process and agree to the organization’s code of ethics.
  • Maintain your CISSP certification and recertify every three years.

What is the Work Experience Required?

Perhaps the single most difficult requirement for those aspiring to earn their CISSP certification is the work experience needed. You’ll need a minimum of five years of experience working in the real world as a security professional. You must be able to show proof that you worked full-time in this role, and that you have experience in a minimum of two out of the eight domains highlighted in the (ISC)2 CBK.

If you have earned a four-year degree, or an accepted additional credential from the list of approved options, you can get a one-year waiver, meaning that you’ll only need to prove that you have four years of real-world, full-time experience as a security professional.

What is the Associate of (ISC)2?

For those who do not have the required work experience, it is possible to become an Associate of (ISC)2. To do this, you’ll need to pass the CISSP exam, and then work as a security professional. You have six years from the date that you pass the exam to earn your full CISSP credential. If you are unable to do so during that time, you will need to retake the exam after you have completed at least five years of work.

In order to become an Associate of (ISC)2, you’ll need to first determine the path you want to follow (in this case, CISSP, although the organization also offers SSCP, CCSP, HCISPP, CCFP, CAP, and CSSLP certifications). Next, you’ll need to schedule and take the associate exam, as well as complete the examination agreement, which is a legally binding document that requires you to adhere to the organization’s code of ethics.

If you’re pursuing CISSP certification, the associate exam will consist of 250 questions. Note that the actual CISSP exam is much more exhaustive. After passing the exam, you’ll have access to ongoing training options, as well as other benefits. You will need to maintain your status, though, which will require that you earn 15 CPE (continuing professional education) credits every year and pay a $35 annual fee.

During this time, you will need to work toward your full CISSP certification and start the endorsement process, which will ultimately turn your associate certificate into a CISSP certificate.

The process looks like this:

  • Choose your certification preference (CISSP in this case).
  • Schedule the exam and agree to the code of ethics.
  • Take the exam and pass.
  • Maintain your status and work toward your CISSP certification. You have six years to complete five years of real-world experience.

The Examination: Questions/Format/Length

The actual exam consists of 250 questions and you’ll have six hours to complete them. They are mixed multiple choice and what the organization calls “advanced innovative” questions. These are drag-and-drop questions, as well as “hotspot questions” that are designed to measure both knowledge and cognitive skills. For instance, you may be presented with a question, and then you must drag all the correct answers from one side of the test into a “correct answers” box on the other side of the test (tests are done on computers, not on paper).

Multiple-choice questions cover a wide range of topics. A couple of examples can be found below:

  • Which one of the following is the MOST important security consideration when selecting a new computer facility?
    • Local law enforcement response times
    • Adjacent to competitors’ facilities
    • Aircraft flight paths
    • Utility infrastructure
  • Which one of the following describes a SYN flood attack?
    • Rapid transmission of Internet Relay Chat messages
    • Creating a high number of half-open connections
    • Disabling the domain name service (DNS) server
    • Excessive list linking of users and files

How does the CISSP Endorsement Process Work?

Once you’ve passed the CISSP test, your work is not yet done. You’ll need to complete the organization’s endorsement process before you can actually earn your certification. This will require that you have the endorsement form digitally signed by an existing (ISC)2 certified professional, who is a member of the organization in good standing.

The endorser must be able to attest that your professional experience is accurate to the best of his or her knowledge. Note that you will need the member’s certification number when completing the endorsement form. If you do not have a connection with an existing (ISC)2 member in good standing, the organization itself can act as an endorser.

It’s also important to understand a couple of other things. First, time is limited when it comes to getting your endorsement. You’ll need to have your endorsement completed within nine months of passing the CISSP exam or you’ll have to retake the test (and pay the fees again).

It pays to think about your connections prior to taking the test and, if you do not know any members of the organization currently, cultivate some contacts within the organization beforehand. In a worst-case scenario, the organization itself can act as your endorser.

You should also understand that the organization regularly audits a random sample of those who pass the exam. It has this to say about audits: “A percentage of the candidates who pass an (ISC)2 examination and submit endorsements will be randomly subjected for audit and required to submit additional information, as required, for verification.” You will be notified via email if your application is selected for audit.

What is the Candidate Background Required?

(ISC)2 does not allow just anyone to take the examination. There is a rigorous background screening involved and you’ll need to ensure that you meet these CISSP requirements before you start the process. The organization states that no refunds are given on exam fees or other expenses if you do not meet background requirements and have already taken the test.

There are three questions that you’ll need to pay close attention to during the background screening. Answering “Yes” to any of these may make you ineligible for any certification through the organization. However, if you feel that you have been denied without true cause, you can contact them by email to plead your case. The three questions to watch for are as follows:

  • Have you ever been convicted of a felony, a crime based on dishonesty (felony or misdemeanor involving lying), or a court martial in military service, or is there a felony charge now pending against you? (Omit minor traffic violations and offenses prosecuted in juvenile court.)
  • Have you ever been involved, or publicly identified, with criminal hackers or hacking?
  • Have you ever been known by any other name, alias or pseudonym? (Omit user identities or screen names with which you were publicly identified. Also omit name changes due to marriage or adoption.)

Make sure that you resolve any potential conflicts so that your background check is clean and you do not raise any red flags during this process.

In Conclusion

Meeting these CISSP requirements and passing the exam will give you one of the credentials most sought after by employers around the world looking to add information and cybersecurity professionals to their teams. While the CISSP requirements set forth by (ISC)2 are stringent, they can be met. The most important of these is five years of hands-on, real-world experience working as a security professional. Even with a four-year college degree, you only qualify for a one-year experience waiver, so make sure you’ve done your time in the field before applying for this certification.

Anastasis Vasileiadis

PC Technical || Penetration Tester || Ethical Hacker || Cyber Security Expert || Cyber Security Analyst || Information Security Researcher || Malware analyst || Malware Investigator || Reverse Engineering

SC ProDefence SRL - Cyber Security Services