The CISSP Certification Exam

The need for professionalism was a serious topic among computer security practitioners for many years. Professionalism was viewed as the way to upgrade this often ill-defined and poorly understood craft to that of a recognized and disciplined profession.

By the mid-1980s, a number of professional societies in North America concluded that a certification process attesting to the qualifications of information security personnel, would enhance the credibility of the computer security profession. Through the societies' cooperative efforts, the International Information Systems Security Certification Consortium, or (ISC)² , was established in mid-1989 as an independent, nonprofit corporation whose sole charter is to develop and administer a certification program for information security practitioners. Now firmly established in North America, the program is quickly gaining international acceptance.

The CISSP Examination:

The eligibility requirements to sit for the CISSP examination are completely separate from the eligibility requirements necessary to be certified as a CISSP.

The CISSP Examination Structure:

The CISSP Certification examination consists of 250 multiple-choice questions. Candidates have up to 6 hours to complete the examination. Eight CISSP information systems security test domains are covered in the examination pertaining to the Common Body of Knowledge:

Currently, the CISSP certification covers the following eight domains:

  • Security and Risk Management.
  • Asset Security.
  • Security Architecture and Engineering.
  • Communications and Network Security.
  • Identity and Access Management.
  • Security Assessment and Testing.
  • Security Operations.
  • Software Development Security.

To sit for the CISSP examination, a candidate must:

  • Submit the examination application with the required fee by registering with Pearson VUE
  • Assert that he or she possesses a minimum of five years of professional experience in the information security field or four years plus a college degree. Or, an Advanced Degree in Information Security from a National Center of Excellence accredited college or a regional equivalent that can substitute for one year towards the five-year requirement.
  • Complete the Candidate Agreement, attesting to the truth of his or her assertions regarding professional experience and legally commit to adhere to the CISSP Code of Ethics.
  • Successfully answer four questions regarding criminal history and related background.

To become certified as a CISSP, a candidate must:

  • Pass the CISSP exam with a scaled score of 700 points or greater.
  • Meet the CISSP experience eligibility requirements.
  • Submit a properly completed and executed Endorsement Form.
  • If the candidate is selected for audit, they must successfully pass that audit of their assertions regarding professional experience.

The Endorsement Process:

  • A candidate applying for certification must be endorsed by another (ISC)² certified professional in good standing before the credential can be awarded.
  • A candidate receiving a pass letter informing the candidate that he or she has passed the certification examination will also receive a blank endorsement form.
  • The form must be completed and signed by an (ISC)² certified CISSP in good standing.
  • If you cannot find a certified individual to act as an endorser, (ISC)² will act as an endorser for you in consideration of which, (ISC)² will require the same documentation that is submitted by a candidate who is randomly selected to be audited.

The (ISC)² certified professional is anyone who:

  • Is able to attest to the candidate's professional experience
  • Is an active (ISC)² credential holder in good standing
  • The endorser will attest that the candidate’s assertions regarding professional experience are true to the best of the endorser’s knowledge, and
  • That the candidate is in good standing within the information security industry.

(ISC)² Services staff will review the form upon receipt to ensure that it is properly completed and executed. If so, (ISC)² Services will mail you your certificate.

Please note:A percentage of the candidates who pass an (ISC)² examination and submit endorsements will be randomly subjected for audit and required to submit additional information, as required, for verification.

What happens if you get audited?

  • A percentage of the candidates who pass the CISSP examination and submit endorsements will be randomly subjected to audit and required to submit a resume for formal review and investigation.
  • If audited (subject to results), the credential will be awarded within seven business days and notification sent via e-mail.
  • Naturally, there may be some delays due to mail service or the number of forms received.
  • Also, audits may require additional time for verifying information and/or contacting references.

Post Certification: Now that you are a CISSP

Once an individual has successfully passed an (ISC)² credentialing examination, continuing education is required to maintain their certification in good standing.

Continuing Professional Education Credits:

In addition to paying an annual maintenance fee and subscribing to the Code of Ethics, a CISSP must earn continuing professional education credits every three years - or retake their certification examinations.

CPE credits are earned by performing activities largely related to the information systems security profession including, but not limited to, the following:

  • Educational courses or seminar attendance.
  • Association chapter membership and meeting attendance - Like ISSA, ISACA, etc.
  • Security conference attendance.
  • Vendor presentations.
  • Providing security training.
  • Publishing security articles or books.
  • Self-study courses that are related to the industry.
  • Volunteer work, including serving on (ISC)² volunteer committees.