Note: This FAQ is veteran-focused, and may mention a few resources that are veteran-specific, but for the most part, anyone curious about the certification may find the information useful. I attempted to avoid the use of military-specific acronyms, in order to make this FAQ more palatable to those outside the Department of Defense (DoD).
The CISSP is the Certified Information Systems Security Professional designation, awarded by (ISC)2, the International Information Systems Security Certification Consortium. (ISC)2 has successfully marketed the CISSP as the gold standard in information security certifications.
“If it’s not the CISSP, it may not be the best fit. The Gold Standard in Information Security” Source: https://www.isc2.org/cissppreview/Default.aspx
More general information about the CISSP can be found by downloading the candidate information bulletin: https://www.isc2.org/uploadedFiles/%28ISC%292_Public_Content/Exam_Outlines/CISSP-CIB.pdf
This is a very informal analysis method. There is no guarantee of compensation as a result of certification. Compensation can vary based on company, location, etc. Nevertheless, a quick search on Monster.com (make sure to choose to include salary information) reveals various jobs, none paying less than $57 per hour on the first page: http://jobsearch.monster.com/search/?q=CISSP&sort=sal
Of course, compensation is dependent upon location, skills and experience. Some locations pay less than others. Even within the same geographies, some employers pay less than others. Veterans usually have plenty of information security skills and experience. (See the discussion of the domains later in this FAQ: a veteran should be somewhat familiar with at least half of them.)
(ISC)2 is considered authoritative on all things CISSP. If one wants to walk into things more slowly, (ISC)2 has some webinars that provide some free information about the program, at this link: https://www.isc2.org/cissppreview/Default.aspx
As working through that series of webinars may be too slow a way to get an overview of the exam content, feel free to read the rest of this FAQ for more information about the credential.
To earn the credential, one must pass the examination, and complete the endorsement process.
Pass the Exam - Pass the CISSP examination with a scaled score of 700 points or greater. Read the Exam Scoring FAQs at http://www.isc2.org/exam-scoring-faqs.
Complete the Endorsement Process - Once you are notified that you have successfully passed the examination, you will have nine months from the date you sat for the exam to complete the following endorsement process:
- Complete an Application Endorsement Form
- Subscribe to the (ISC)2 code of ethics
- Have your form endorsed by an (ISC)2 member
The credential can be awarded once the steps above have been completed and your form has been submitted. Get the guidelines and form at http://www.isc2.org/endorsement.
The CISSP exam is based on the following ten domains:
Telecommunications and Network Security
Information Security Governance and Risk Management
Software Development Security
Security Architecture and Design
Business Continuity and Disaster Recovery Planning
Legal, Regulations, Investigations and Compliance
Physical (Environmental) Security
These are the ten areas that (ISC)2 considers the critical topics in security today.
Candidates are required to present a minimum of five (5) years of direct full-time professional security work experience in two or more of the ten domains. One of these years may be waived by obtaining a four-year college degree, or passing a certification on the approved list (of which Security+ is one).
It should be VERY easy for a veteran to meet the domain experience requirements. The author will present two or three domains, so that candidates will have an idea of how their past work fulfills an information security domain. Keep in mind that the services have policies that impose specific punishments for NOT performing these measures.
Physical (Environmental) Security – addresses the threats, vulnerabilities and countermeasures that can be utilized to physically protect an enterprise’s resources and sensitive information.
Site/facility design considerations
Every service member's military occupational specialty may be different, but all of them perform physical security operations as part of their jobs. What is important here is that the domain even gives credit to the person who designs the facility.
Business Continuity and Disaster Recovery Planning – addresses the preservation of the business in the face of major disruptions to normal business operations.
Business impact analysis
Disaster recovery process
Military operations are designed to be resilient. Training exercises are conducted. Continuity books are updated. Military personnel have frequent turnover via the reassignment process, but the mission of the organizations must continue, whether or not the same personnel are there. The company, brigade, or division commander could be replaced suddenly, but the mission will continue. Talk about succession planning. This requires a high level of coordination and planning at all levels.
Information Security Governance and Risk Management - the identification of an organization’s information assets and the development, documentation and implementation of policies, standards, procedures and guidelines.
Security governance and policy
Contractual agreements and procurement processes
Risk management concepts
Security education, training and awareness
Certification and accreditation
This domain addresses several areas: certification and accreditation (C&A), education, awareness training, personnel security, risk management, contracts and procurement, information classification, and policy. Issues such as information classification and ownership are universal throughout all job levels, and cannot be avoided. Even if one is specifically in charge of trash disposal, there are certain methods for disposing of some information that are not allowed for others. As such, even the lowly E-1 has to comply with information security policy.
It is well known that the CISSP credential requires that one be "endorsed" by a CISSP in good standing before officially receiving the certification from (ISC)2. The obvious question is how one can obtain endorsement if he or she does not know a current CISSP who could vouch for their experience. In this case, (ISC)2 can serve as the endorser for a candidate, requiring the same documentation that would be submitted in the case of an audit.
See this link for additional details: https://www.isc2.org/endorsement-form.aspx
Recertification is required every three years, with ongoing requirements to maintain your credentials in good standing. This is primarily accomplished through earning 120 Continuing Professional Education (CPE) credits every three years, with a minimum of 20 CPEs earned each year after certification. If the CPE requirements are not met, CISSPs must retake the exam to maintain certification. CISSPs must also pay an Annual Maintenance Fee (AMF) of US$85.
- Pass the CompTIA Security+ first. The CompTIA Security+ is regarded as "entry-level". Interestingly enough, it provides a solid basis for the items that one will be tested on for the CISSP. Think of the Security+ as Round 1 of preparation, and the CISSP study run as Round 2. More information about the Security+ can be found at http://certification.comptia.org/getCertified/certifications/security.aspx
- The (ISC)2 Exam Outline for CISSP, available at https://www.isc2.org/exam-outline/Default.aspx. The outline can be used as a template of the areas the prospective test taker should study. The test taker needs to obtain, at a minimum, a beginner to intermediate level of understanding of all of the topics presented. (ISC)2 provides a recommendation of a few resources that may be read, but the most reliable method is to review the exam blueprint and study each topic until one understands it at an intermediate level. This can be gained either by reading the recommended books in sequence, or in whatever way the candidate learns best. Approach all studies with the mindset that they are going to increase one's preparation toward the test objectives.
- Training courses. There are a lot of training providers out there. Some of them may even accept the GI Bill to fund their courses. The author recommends against taking a training course. One can prepare for this exam just fine via self-study. Even the best training courses are designed to be the "finishing touches" on a preparation program, and cannot be comprehensive, due to the broad nature of the exam's domains. Keep in mind that one must show up to a training course already prepared; one may be able to hash out particular pain points there, but one will not receive a "recipe to pass" simply by attending a five-day course.
- The FED VTE course library provides a virtual training environment. If one has maintained access to a .mil e-mail address, one should be able to register, here: https://www.fedvte-fsi.gov/Vte.Lms.Web
Here is a list of the courses available from FED VTE: https://www.fedvte-fsi.gov/files/FedVTE-CourseList.pdf
- Safari Books Online. Through the DoD MWR libraries, one can obtain unfettered access to the entire Safari library of books and course content. It requires a .mil e-mail address, in order to register.
More information about the DoD agreement with Safari Books Online can be found at this link: http://www.safaribooksonline.com/press-release/us-department-defense-renews-contract-safari-books-online
Air Force URL: http://techbus.safaribooksonline.com/?uicode=dodairforce
- The CISSP All-In-One Exam Guide, by Shon Harris http://www.amazon.com/CISSP-All-One-Guide-Edition/dp/0071781749. Please note that the Shon Harris Exam Guide, as well as practice test questions, and many other materials, are available via safaribooksonline.
- Skillport. The DoD provides access to Skillport, a library of technical course content for Information Technology, Business, Leadership, and Personal Development. Included within all this are courses for the CISSP domains.
Unfortunately, the author is unable to locate the Air Force URL at this time. These URLs are subject to change. Please log on to your service's education portal for the appropriate link. (Please note that these links may appear under Skillport or Skillsoft.)
- Books 24x7. As part of the skillsoft access, one also gains access to Books 24x7. Access to books 24x7 is obtained after logging into skillport, and clicking on the links for books 24x7. The access appears to be via single sign-on, after gaining access through the skillport portal for your branch. Logging directly onto http://www.books24x7.com may or may not be possible.
Please note that if one cannot obtain access to Skillport via a DoD e-mail address (for whatever reason), one can sometimes obtain access to the resources via one's current employer. One might even obtain Skillport access through a recruitment company, such as Robert Half Technology. For example, one person who has never performed work through Robert Half has retained her Skillport access for as long as she remains a candidate within Robert Half's system. This is a viable option to gain access to training material.
For more suggested preparation sources, please see http://www.techexams.net. TechExams is a great resource for certification exam preparation. One will receive practical advice from other IT industry pros who are also working hard at certifications, education, and experience, in their efforts to get ahead in their respective career fields. There is a sub-forum dedicated to information security certifications, at http://www.techexams.net/forums/infosec/. Registration is free.
Please avoid brain dumps. Due to the nature of the questions and the rumored mammoth size of the test bank, as well as the cost to sit each exam, one would be best served to prepare thoroughly and take the exam with confidence.
Please use CertGuard, at http://www.certguard.com to check any sites prior to using them as a preparation resource.
There is a code of ethics associated with the CISSP, as with most professional certifications. It would be bad to lose a career certification due to an ethics violation.
Truthfully, this is entirely dependent upon the candidate. The best advice is to study until one is confident that one could answer an essay style question about any of the domains present in the exam. Be reminded that one should not expect direct, simple questions. In the author’s case, he studied for about a month and then cleared the exam. After taking the exam, his opinion was that he answered most questions based upon experience, and few questions based upon the preparation materials. That is, he had enough experience whereby the preparation materials did not help as much. Additionally, the author is of the opinion that military information security experience is particularly well-suited for this exam.
The free questions that can be found at cccure.org are representative of the exam's difficulty. If one can do well on those, then one should feel comfortable booking the exam.
The sample questions can be found at this link: https://www.cccure.org/modules.php?name=Web_Links&l_op=viewlink&cid=168 (A free registration is required.)
Train as you fight. The exam will be 250 questions long, and one is given six hours to complete it. This provides a maximum of 86.4 seconds per question. If one can answer at least 42 questions per hour, one could complete the exam in time. In order to mimic the exam scenario, one should perform practice exams in the same manner as one takes the actual exam: as quickly as possible! One should practice on 50 to 100 sample questions at a time, and attempt to complete them within an hour.
When practicing, focus on looking for the question first, then looking for suitable answers, then comparing to the text to confirm the result. Prior to submitting an answer, double-check for words such as “not” that can reverse the meaning of a statement.
On the day before the test, go to bed early. Cramming is of limited utility, when one needs to take a “thinking” test. Keeping the mind fresh and alert is of primary concern. Avoid any beverages or foods that may increase your trips to the restroom, in order to manage your time most wisely.
On test day, the best strategy that I can recommend would be to tackle each question thusly:
1. Look for the question mark. Find the question. The test writers may provide an excessive amount of introductory text, such that the actual question may be obscured. Looking for the question allows the test taker to focus.
2. Compare each answer to the question, and look for the BEST answer in the provided text.
3. After choosing an answer, compare it to the question, the other provided answers, and the text and confirm that it is the BEST answer.
4. Keep in mind that simple wording can reverse the meaning of a question or answer. Is it a question of "is" or "is not"? Is it a question of true or false?
If one thoroughly knows the content of the exam outline, test day will be little more than a simple test of reading comprehension.
Keep in mind that there are initial costs, as well as maintenance fees for the certification.
Currently, the initial exam costs $599, with a $50 rescheduling fee and a $100 fee for cancelling the exam. Please see https://www.isc2.org/uploadedfiles/Certification_Programs/exam_pricing.pdf.
In addition, the annual maintenance fee is $85, combined with submitting 120 hours of continuing professional development within a three year period.
(Alternatively, one could just retake the exam to maintain the certification, but considering that it is 250 questions long and $599, doing the continual professional development may be a preferred option.)
The author has saved up the funds to pay for the exam and pay the maintenance fees, but there are some other options:
- GI Bill. "The U.S. Department of Veterans Affairs has approved reimbursement to veterans under the G.I. Bill for the costs of the Certified Information Systems Security Professional (CISSP) ... Please refer to the U.S. Department of Veterans Affairs Website at http://www.va.gov for more details."
- Employer funding. Some employers have an educational assistance benefit, which may be used towards professional certifications. In typical cases, this funding is in the form of a reimbursement upon successfully passing an exam. Also, some employers require an agreement whereby the employee agrees to remain with the organization for a one-year period after completing the exam; if not, the employee pays the company back for the expense.
One can register for the test using the Pearson Vue website, at http://www.pearsonvue.com.
- Browse to http://www.pearsonvue.com.
- Click Sign in to access your account.
- Choose "Information Technology (IT)"
- Choose "(ISC)2"
It should be self-explanatory beyond this point. From here, select the test (CISSP), then choose the testing location. Make sure to confirm that the test is booked. If necessary, one can reach Pearson Vue customer service.
Pearson Vue Americas Region customer service for (ISC)2: http://www.pearsonvue.com/isc2/contact/
After completing the exam, one must still wait six to eight weeks before (ISC)2 completes its checks and makes the results "official". In the meantime, the candidate can use the title "Associate of (ISC)2 toward CISSP", so that one can still have the "CISSP" keyword on the resume.
Lewis Lampkin, III is a network security professional. He spends his days examining the security posture of and recommending enhancements to US Army networks. He has extensive private sector experience in network, security, servers, and virtualization. He has served his country in uniform as a senior local area network manager and information technology specialist within the United States Army. He has a master’s degree in information security and several certifications: CISSP, CCNP:R&S, Security+, and others. He enjoys spending his free time worshipping God, studying the Bible, or tinkering in his home lab. If you want to, please contact him at http://www.linkedin.com/in/lewislampkin.