CISSP Cert a Stretch for IT Auditor?

CV33CV33 Member Posts: 22 ■□□□□□□□□□
Recently, I had decided that the CISSP was going to be my 4th certification. I was discussing that decision with a coworker who is a security practitioner and former IT Auditor.

He felt that it was a stretch for an IT Auditor to go after the CISSP; that is was almost unjustifiable. It confuses me that he would say that because of what I have read online.

Furthermore, I checked a Senior IT Auditor posting for Google and they mentioned CISA and CISSP.


With that said, any thoughts on whether CISSP is unjustifiable for an IT Auditor?

Comments

  • 636-555-3226636-555-3226 Member Posts: 976 ■■■■■□□□□□
    Look at the CISSP prereqs. Do you meet them? If so, and you're interested, then it's a fit. Also, CISSP is fine for anybody involved in security, so nuts to your coworker, he's just jealous that you're smarter than him
  • E Double UE Double U Member Posts: 1,747 ■■■■■■■■■□
    He said it is a stretch, not impossible. He also said "almost" unjustifiable. The ISC2 requirements determines if you qualify for the exam, not public opinion.

    "So you're telling me there's a chance." - Lloyd from Dumb & Dumber
    Alphabet soup: CISSP, CCSP, CISM, CISA, GDSA, GPEN, GCIA, GCIH, GCCC, CEH, Azure Fundamentals, Azure Security Engineer Associate, ITIL 4 Foundation, and more.

    2020 goals: AZ-900, AZ-500, GDSA, ITILv4

    "You tried your best and you failed miserably. The lesson is, never try." - Homer Simpson
  • soccarplayer29soccarplayer29 CISSP, CISA, PMP Member Posts: 230 ■■■□□□□□□□
    Preface: I am a former IT auditor and now a security analyst and have passed both the CISA and CISSP exams.

    Like others have said...it might be a stretch but definitely not impossible and the knowledge gained while studying for the CISSP will be extremely valuable to your role as an IT auditor.

    I think the CISSP knowledge is very important for an IT auditor in that you'll be interviewing members of technical operations, networking, etc. teams and many of them might have CISSP and therefore you'll have some overlap in knowledge and terminology and be able to digest the information better.

    tldr: Knowledge gained by studying for CISSP is valuable for IT auditors especially as they progress in their careers toward senior/management positions.
    Certs: CISSP, CISA, PMP
  • havoc64havoc64 Member Posts: 213 ■■□□□□□□□□
    I'd say if you have the background requirements that (ISC)2 dictates, then you are good. How about talking with a local CISSP, someone you might consider for endorsing you and see if they'd feel comfortable with endorsing you if you passed the exam.

    Good Luck.
  • CV33CV33 Member Posts: 22 ■□□□□□□□□□
    Preface: I am a former IT auditor and now a security analyst and have passed both the CISA and CISSP exams.

    Like others have said...it might be a stretch but definitely not impossible and the knowledge gained while studying for the CISSP will be extremely valuable to your role as an IT auditor.

    I think the CISSP knowledge is very important for an IT auditor in that you'll be interviewing members of technical operations, networking, etc. teams and many of them might have CISSP and therefore you'll have some overlap in knowledge and terminology and be able to digest the information better.

    tldr: Knowledge gained by studying for CISSP is valuable for IT auditors especially as they progress in their careers toward senior/management positions.

    That is much more in line with what I have heard outside of work which is why I had decided to take it on.
  • CV33CV33 Member Posts: 22 ■□□□□□□□□□
    I have heard that the CISSP can be mindless memorization; is that true?
  • cyberguyprcyberguypr Senior Member Mod Posts: 6,899 Mod
    Can't be farther from the truth. Yes, you'll need to memorize some minor stuff, but the essence of the test is understanding the concepts and the domains. You will then need the ability to apply them to any given scenario in the test.
  • TankerTTankerT Member Posts: 132
    I know several auditors that have their CISSP in addition to the CISA. I would disagree completely with your coworker's assessment. I would think it is a career enhancer, and something to provide you with additional technical knowledge.

    I would also agree with cyberguypr. The CISSP is NOT a mindless memorization. You may need to memorize a few things here and there, but most of it is your ability to understand and apply various concepts towards a security management question/scenario.
  • soccarplayer29soccarplayer29 CISSP, CISA, PMP Member Posts: 230 ■■■□□□□□□□
    CV33 wrote: »
    I have heard that the CISSP can be mindless memorization; is that true?

    I wouldn't agree with that. Certainly some things like the ISO layers, terminology/abbreviations, etc. can be memorized. But the questions are difficult and require analysis and shouldn't be viewed as a memorization exam. You need to be well-versed in all domains (think the mile-wide and inch deep moto).

    Flash card preparation for the CISSP exam will produce minimal results on the exam as that doesn't account for real-world implementations and scenarios which will be in nearly every exam question.
    Certs: CISSP, CISA, PMP
  • CV33CV33 Member Posts: 22 ■□□□□□□□□□
    By mindless, I mean the questions would present a scenario where you would have to recall the most random facts "memorized" during your study
    vs.
    oh hey, memorize things and you will be okay.
  • cyberguyprcyberguypr Senior Member Mod Posts: 6,899 Mod
    To the OP's original question, do this: go to Indeed, run a search for IT Auditor. I'll save you some time: out of the first 10 hits at least 7 said "CISSP required or recommended". That is my non-scientific test to see what the market is looking for. Print screen and send to coworker. As stated above, if you satisfy the experience requirements, there's not way anyone can say it doesn't make sense. There's definitive value there.
  • colemiccolemic Member Posts: 1,568 ■■■■■■■□□□
    Like Soccarplayer29, I hold CISSP and CISA (and CISM and a bunch of others), and used to be an auditor.

    Having said that, I can confidently say your coworker is full of poo.

    Think about it - almost everyone agrees that CISSP is a generalized security certification, and which would you rather have auditing you - someone who can read from a script and panics when it is deviated from, or someone who has good foundational knowledge in a broad range of security concepts, and has the capacity to understand and make decisions and interpretations and assessments based on that knowledge, not a scripted workbook to complete...

    Beyond that, almost every IT auditor I have seen, if they have CISA, they have CISSP. Have your coworker go look on the job boards for IT audit roles and count how many say 'CISSP not required' vs 'CISSP required' if they don't think it's beneficial and relevant.

    edit: CYBER!Man beat me to it on the point about job postings.
    Working on: CCSP, definitely, maybe. On the twitters: @mcole1008
  • ClmClm CISSP | CCSP | CCSK | AWS x 4 | ITIL | PCEP Member Posts: 444 ■■■■□□□□□□
    I'm sitting in a class right now for cissp and the instructor is a IT auditor and he loves It and he has been CISSP for the last 10 years. CISSP covers a lot and it till add to your resume.
    I find your lack of Cloud Security Disturbing!!!!!!!!!
    Connect with me on LinkedIn https://www.linkedin.com/in/myerscraig

  • User2097User2097 Member Posts: 41 ■■□□□□□□□□
    Get the cert. It helps regardless. The difficulty of the exam will make other future exams easier, but it's due to your knowledge improving.
    Cert Goals: CISSP-ISSAP (May 2016) | CISM (2016) | GSEC (2016) | OSCP (2017)
    College: MBA Project Management (2012) | Bachelors IT Management (2010)
    Experience: Cyber Security, Information Assurance, and IT Management Officer
  • dusan985dusan985 Member Posts: 15 ■□□□□□□□□□
    I'm thinking about going for CISSP. I've been an IT Auditor for 6 years, and that's my only work experience. I'm CISA, CRISC, etc. In my career, I've done many audits which included information security in their scope. Does anybody know, would that work experience be enough to satisfy CISSP requirements?
Sign In or Register to comment.