Randomly Selected for Audit for the CISSP
Hello TE,
The objective of this post is to have a discussion and share your ISC2 audit experience for those that went through an audit by them. This thread is needed because most Google search results are discussions that are over 4 years old or for people that took the exam in Asia and especially Malaysia. I am aware that there was always a possibility of an audit since you have to agree to that before taking the exam. I am just more worried/frustrated because I am hoping to be officially certified ASAP as I have a possible job opportunity in the near future but the CISSP is mandatory for that position.
I took the exam in the US and am a dual citizen: USA & Canada. I received notice that I am being audited almost exactly 4 weeks after my endorser submitted my endorsement. Here is the email I received (I omitted emails/numbers/address to reduce spam and protect ISC2):
To protect the integrity of our certification process and your credential, we randomly audit and verify a certain number of certification applications every year. We are writing to let you know that your application was selected for audit. We realize this is an extra step you hadn’t counted on, but we will try to make this as painless as possible for you so you can proceed through the rest of the certification process and begin enjoying the benefits of (ISC)2 membership!
At your earliest convenience, please forward the following items to the address listed below.
1. Candidate Consent & Release Form (available at www.isc2.org/releaseforms).
2. A current resume or curriculum vitae (CV). Please include the following information:
· Company name and address for each employer.
· Contact name/supervisor and phone number for each position held. If the position was located outside of the United States, please include an email address.
· Position held - title with dates (including month and year).
· Detailed description of your duties as they pertain to the domains of the CISSP® CBK®.
3. A copy of your college degree/diploma, if applicable.
Please mail, fax or email these items to:
[ISC2's ADDRESS]
The process takes approximately 15 business days. We’re happy to answer any questions you may have about this audit process. Just send us an email at [ISC2's EMAIL].
We will watch for your audit documents. In the meantime, we are standing by to assist you throughout the rest of the certification process and look forward to welcoming you to the (ISC)2 family!
Sincerely,
(ISC)2 Endorsement Services
I do believe the primary reason for my audit is because my endorser forgot to check two important check boxes on the form. I caught the error after he already sent it in so he corrected the endorsement form and sent it a few days later. It is possible ISC2 has the original form only and the updated/revised was never updated or added to my application/record. The other reason could be that I have a middle eastern name, which I really hope is not the case but let's be realistic it is a possibility in this day and age.
I have been getting crazy anxiety over this audit. I am usually a very calm and relaxed person but I have been even having trouble sleeping sometimes. I guess that is another reason for this post is to vent. I studied my butt off, paid them $600 and $100 for study material... what else do they want!? I keep thinking what if there is some crazy technicality where I don't pass the audit. I have NEVER been arrested, convicted, sued, or fired/laid off so have a squeaky clean background, near perfect credit score and will be fully debt free hopefully by the end of the year. Everything on my resume is 100% honest as well.
Just to be on the safe side, I did call all of my previous supervisors again to give them an update that I am being audited for sure. It was so great to hear that every single one of them have my back 100% and some even flat out said they miss me. I also technically received a job offer from one but it was a role I was not interested in but felt great to know that I still have solid reputation. I always truly give it my all at every job I have ever had, it's just a part of who I am.
In the response email to ISC2 about the audit notice, I sent them the same resume, my college degree proof from a highly reputable university (also my CEH and Security+ certs just in case) and the signed release form. I also typed up a full reference list in Word with all of my previous supervisors and also 5 of my top clients (all business owners) for when I was self employed. I included their personal cell numbers, office numbers and emails (with prior approval of course!). I also told ISC2 that they have to follow 3 simple rules when they speak to my contacts:
Please Be: #1 Respectful, #2 Polite and #3 Brief.
The reason for this is that most of these contacts are mid and upper level management so are extremely busy. On top of that 4 of the 5 clients are millionaires and super crazy busy. The last thing I want is for these contacts and possible future business opportunities to be messed up due to ISC2. Plus some of the same contacts were used for when I did the self-study of CEH so EC-Council contacted them to verify back in Fall 2015. Also, in the response email I did mention that I had (not sure if it is still active) a US Government Security Clearance at my last job when I was at the Fortune 50 company. I am hoping it will speed up the process. :c)
I always try my best to be positive. The good thing that has come from this experience so far is that I feel much better to know my previous bosses and clients have my back 100% and still think of me highly. I have been going through a rut the last 2 weeks with some family drama and a health issue so it really improved my overall attitude.
However, here are my biggest concerns about the audit:
I have a college degree so just need to show 4 years of work experience. I have ~10.6 years of full time IT experience. However, only ~6.6 years of that is from full time W2 across 3 jobs. Then 4 years (that is not overlapped with other jobs) is when I was self-employed with an IT Consulting company. My company was never W2, just some 1099 and other direct payments. All of those jobs in 10.6 years had security related tasks and basically I have done work that falls under 6 of the 8 domains. I hope they will be satisfied once they verify 4 years or if they will call every single freaking contact which is 9 people total. Honestly, I hope they will be happy enough with my last job where I worked exactly 4 years, is a Fortune 50 company, and I performed tasks in 5 different domains at that place. On top of that, I am leaving for vacation at the end of this month for 2 weeks and honestly I don't want to have to babysit my email or phones. I work hard throughout the year, on my vacations I don't want to think about anything related to my career at all.
Right now, looks like all I can do is be patient and wait for 15 business days before I ask for an update. I was thinking to ping them this Friday because that will be 2 weeks since submission in case it would speed things along. To be honest, I am now thinking twice about the higher level CISSP concentrations which I was planning to tackle next year because of this. It's just not worth it unless there is absolute certainty of ROI. I do however plan to tackle the CCSP as it may be needed if this start up grows.
Would love to hear about your audit experience. I will be sure to post updates.
Edit: I passed the audit and am officially certified! Read the rest of the thread for the full updates/details about my experience with the audit process.
Comments
Sorry mate, can't help you with the ISC2 audit process. The audit process exists to verify experience; as long as you've got it and the people pick up the phone or click the link then I'd say you're gravy. I will say that the most amazing part of your write-up is that EC-Council actually contacted people to verify your experience. I'd like a write up of that process, including seeing the grammar in that email!!!
My other colleague got his CPEs audited and it wasn't a big deal either.
And please also CC me on the EC COUNCIL emails. I print all their communication and paste them on my walls
What they wanted was proof of my work experience. Here is their email
I had HR print a document on company letterhead listing my job titles (with dates) and signed by my manager. That was enough proof for them.
There are still some sectors that have pushed out budgets and positions from July to December. Or sometimes jobs get vacant because some sectors release bonuses around this period.
I had my CPEs audited in the past, no big deal, as long as you aren't trying to **** and you are not. They will probably make some calls or emails to your former employers and that's it. Hard to tell why you are really anxious about this audit as what you've described doesn't provide any reason for that.
I have yet to hear of someone at least reasonably close not passing the audit. Those rare exceptions have been so grossly blaring that it would be hard to miss.
Lastly, it's the ISC(2) not the FBI. Basically, if they can get a pulse from a live body they have been satisfied in the past with just that.
- b/eads
Darn, that will be a real PITA as I worked for 5 different employers. One of those does not even exist anymore, luckily the supervisor from that job moved to a different company. The other was really unprofessional and I will probably have to harass them to get a letter from HR which would take 2 months.
I hope they just stick to calling all my supervisors!
Surprisingly, the EC-Council Eligibility Verification went butter smooth. Here are the timelines:
July 7 @ 4:09PM - I sent EC-Council my application form, resume and government ID scan. I asked to verify that my form was filled out correctly before I paid the $100 fee.
July 7 @ 8:01PM - Got a response from them that form is filled out properly but I must pay the fee in order to start the process.
July 7 @ 10:32PM - I email them back telling them that I have paid the fee and to please move forward.
July 8 @ 12:07PM - Received the following email:
Shortly after my old boss forwarded me the EC-Council email that he received on the same day @ 12:07PM:
July 8 @ 7:53PM - I received approval to take the CEH exam. Here was the exact email:
I was surprised how quick it took them... less than 24 hours! What I never realized until now, I spent $100 for EC-Council to just send an email (which was probably just a template they use changing names) to my boss with a filled out PDF form for him to verify, comment, sign and send back... so literally less than 10 minutes total of work. Anybody want to start a new Security certification company with me?
At least now it makes sense why the audit is taking so long. They are basically waiting to hear back from my employers. I am now going to call my old supervisors to give them a heads up! I feel much better now that they are at least verifying employment and not just sitting around.
My previous employer finally responded to ISC2 this morning with a filled out employment verification form. He said he sent it at 9:38AM. Then at 1:45PM I received the official congratulations that I have been officially certified!
For those interested, here are more details about the audit.
1. ISC2 only reached out to my current employer (been there ~11 months now) and my last employer (Fortune 50 Company, worked there 4 years). FYI, I just needed to show 4 years of experience since 1 year was waived from my college degree. They did not reach out to the 2 employers prior to the Fortune 50 job nor any of my clients for when I was self-employed. Honestly, I am glad about that since they just need to verify 4 years at the end of the day.
2. The way they reached out to my employers was through a professional/brief email and a PDF form attached to fill out. The PDF form instructs the Supervisor to fill in:
- The supervisor's name and job title.
- The applicant's (me) name, job title, start and end dates, total months worked and if they were Full-Time or Part-Time.
- Business Address / Phone Number
- Are you able to verify his/her work experience as specified above? Yes / No
- How long have you known the applicant professionally?
- Is there any reason the applicant should not be certified? Yes / No, If No, explain:
- Then the supervisor must attest that the information is true and correct to the best of their knowledge blah blah
- Supervisor's signature and date (they can just digitally sign, which is great!)
Then once filled/signed to email the form back to the auditor.
My main complaint with the audit process is that they should have updates with what supervisors were contacted and when such as how EC-Council does it. Also, they should have ISC2 in the from or at least subject. My current boss thought the email was spam at first but then checked it out anyway and then realized what it was. Had I not known the auditor's name through him I would still be stuck in audit because my previous employer skipped the email as he did not recognize the name. He gets literally over 300 emails per day. I had him just search the auditor's name and boom, he found it right away. He apologized like 3x for missing the email and begged if I could endorse him someday when he passes the CISSP. I said absolutely and already sent him a detailed email a few weeks ago on how I prepared for the exam.
Overall, I am happy that I am certified and proud of it! It is the only certification I really dreamed about obtaining (honestly for over 4 years now) and is my second biggest goal of the year. I do plan to tackle a few more certs but nothing major. Glad I got this before I hit 30 in the next few months.
They did request the college diploma, which is at my Mom's house and not close to get to. She is not technically savvy so to get her to send a photo, fax, or email to me would be extremely difficult. I attached my GSEC certification which should be sufficient for that 1 year waiver, I hope. I gave my 2 supervisors within the last 5 years a heads up they might get contacted. The one before that I have no idea the contact phone number of the supervisor as he is no longer there. I gave the company HR phone number though.
Hopefully my audit goes as well as yours did!
GSEC is on the approved list so that's all you need to get the 1 year waiver. I would also show them the GISP that you have. Basically, I gave them more information than they could do with. College degree, cert proofs, told them about my security clearance etc. As long as you can show 4 years of experience with your 2 supervisors within last 5 years you're good.
I passed my exam end of May. Can't remember the date anymore but I think it was the 24th. Good luck!
Congrats on finally becoming official! You mentioned that your endorser missed some check boxes, can you tell me which boxes they were? The reason I ask is b/c my endorser didn't mark any of the check boxes on pages 4 and 5 "Endorser's Guidelines".
I passed the exam on June 6th.
Sent the endorsement to endorser on June 8th.
Got it back June 23rd.
Sent to ISC2 immediately.
Got the confirmation on June 24th.
I have not heard anything ever since.
Thank you
Sure, on page 3 he forgot to check the following:
- The candidate has not been suspected, charged, indicted, or convicted of any crime.
- The candidate is competent to render professional service to principals without supervision.
Good luck!
Did they email or call your last supervisors?
EZ
I am a Sr. Architect working with one of the reputed large size (>1.5 lac employees) technology consulting companies in India and have over 17 years of experience. I work in the integration area, not directly dealing with IT security.
Can you guys please let me know your expertise. Are all of you directly working in the IT security area?
The CISSP site mentions the following steps:
1. Obtain the Required Experience. Candidates must have a minimum of 5 years cumulative paid full-time work experience in 2 or more of the 8 domains of the CISSP CBK. ...
2. Schedule the Exam.
3. Pass the Exam.
4. Complete the Endorsement Process.
5. Maintain the CISSP Certification.
What is the endorsement process? After one has passed the exam, does ISC2 send email for sending credentials, or is it needed before one appears for the exam?