Randomly Selected for Audit for the CISSP

ZzBloopzZ Member Posts: 192
Hello TE,

The objective of this post is to have a discussion and share your ISC2 audit experience for those that went through an audit by them. This thread is needed because most Google search results are discussions that are over 4 years old or for people that took the exam in Asia and especially Malaysia. I am aware that there was always a possibility of an audit since you have to agree to that before taking the exam. I am just more worried/frustrated because I am hoping to be officially certified ASAP as I have a possible job opportunity in the near future but the CISSP is mandatory for that position.

I took the exam in the US and am a dual citizen: USA & Canada. I received notice that I am being audited almost exactly 4 weeks after my endorser submitted my endorsement. Here is the email I received (I omitted emails/numbers/address to reduce spam and protect ISC2):
To protect the integrity of our certification process and your credential, we randomly audit and verify a certain number of certification applications every year. We are writing to let you know that your application was selected for audit. We realize this is an extra step you hadn’t counted on, but we will try to make this as painless as possible for you so you can proceed through the rest of the certification process and begin enjoying the benefits of (ISC)2 membership!
At your earliest convenience, please forward the following items to the address listed below.

1. Candidate Consent & Release Form (available at www.isc2.org/releaseforms).

2. A current resume or curriculum vitae (CV). Please include the following information:

· Company name and address for each employer.
· Contact name/supervisor and phone number for each position held. If the position was located outside of the United States, please include an email address.
· Position held - title with dates (including month and year).
· Detailed description of your duties as they pertain to the domains of the CISSP® CBK®.

3. A copy of your college degree/diploma, if applicable.

Please mail, fax or email these items to:

[ISC2's ADDRESS]

The process takes approximately 15 business days. We’re happy to answer any questions you may have about this audit process. Just send us an email at [ISC2's EMAIL].


We will watch for your audit documents. In the meantime, we are standing by to assist you throughout the rest of the certification process and look forward to welcoming you to the (ISC)2 family!

Sincerely,
(ISC)2 Endorsement Services

I do believe the primary reason for my audit is because my endorser forgot to check two important check boxes on the form. I caught the error after he already sent it in so he corrected the endorsement form and sent it a few days later. It is possible ISC2 has the original form only and the updated/revised was never updated or added to my application/record. The other reason could be that I have a middle eastern name, which I really hope is not the case but let's be realistic it is a possibility in this day and age.

I have been getting crazy anxiety over this audit. I am usually a very calm and relaxed person but I have been even having trouble sleeping sometimes. I guess that is another reason for this post is to vent. I studied my butt off, paid them $600 and $100 for study material... what else do they want!? I keep thinking what if there is some crazy technicality where I don't pass the audit. I have NEVER been arrested, convicted, sued, or fired/laid off so have a squeaky clean background, near perfect credit score and will be fully debt free hopefully by the end of the year. Everything on my resume is 100% honest as well.

Just to be on the safe side, I did call all of my previous supervisors again to give them an update that I am being audited for sure. It was so great to hear that every single one of them have my back 100% and some even flat out said they miss me. I also technically received a job offer from one but it was a role I was not interested in but felt great to know that I still have solid reputation. I always truly give it my all at every job I have ever had, it's just a part of who I am.

In the response email to ISC2 about the audit notice, I sent them the same resume, my college degree proof from a highly reputable university (also my CEH and Security+ certs just in case) and the signed release form. I also typed up a full reference list in Word with all of my previous supervisors and also 5 of my top clients (all business owners) for when I was self employed. I included their personal cell numbers, office numbers and emails (with prior approval of course!). I also told ISC2 that they have to follow 3 simple rules when they speak to my contacts:
Please Be: #1 Respectful, #2 Polite and #3 Brief.

The reason for this is that most of these contacts are mid and upper level management so are extremely busy. On top of that 4 of the 5 clients are millionaires and super crazy busy. The last thing I want is for these contacts and possible future business opportunities to be messed up due to ISC2. Plus some of the same contacts were used for when I did the self-study of CEH so EC-Council contacted them to verify back in Fall 2015. Also, in the response email I did mention that I had (not sure if it is still active) a US Government Security Clearance at my last job when I was at the Fortune 50 company. I am hoping it will speed up the process. :c)

I always try my best to be positive. The good thing that has come from this experience so far is that I feel much better to know my previous bosses and clients have my back 100% and still think of me highly. I have been going through a rut the last 2 weeks with some family drama and a health issue so it really improved my overall attitude.

However, here are my biggest concerns about the audit:

I have a college degree so just need to show 4 years of work experience. I have ~10.6 years of full time IT experience. However, only ~6.6 years of that is from full time W2 across 3 jobs. Then 4 years (that is not overlapped with other jobs) is when I was self-employed with an IT Consulting company. My company was never W2, just some 1099 and other direct payments. All of those jobs in 10.6 years had security related tasks and basically I have done work that falls under 6 of the 8 domains. I hope they will be satisfied once they verify 4 years or if they will call every single freaking contact which is 9 people total. Honestly, I hope they will be happy enough with my last job where I worked exactly 4 years, is a Fortune 50 company, and I performed tasks in 5 different domains at that place. On top of that, I am leaving for vacation at the end of this month for 2 weeks and honestly I don't want to have to babysit my email or phones. I work hard throughout the year, on my vacations I don't want to think about anything related to my career at all.

Right now, looks like all I can do is be patient and wait for 15 business days before I ask for an update. I was thinking to ping them this Friday because that will be 2 weeks since submission in case it would speed things along. To be honest, I am now thinking twice about the higher level CISSP concentrations which I was planning to tackle next year because of this. It's just not worth it unless there is absolute certainty of ROI. I do however plan to tackle the CCSP as it may be needed if this start up grows.

Would love to hear about your audit experience. I will be sure to post updates.

Edit: I passed the audit and am officially certified! Read the rest of the thread for the full updates/details about my experience with the audit process.

Comments

  • 636-555-3226 Member Posts: 975
    ZzBloopzZ wrote: »
    Plus some of the same contacts were used for when I did the self-study of CEH so EC-Council contacted them to verify back in Fall 2015.

    Sorry mate, can't help you with the ISC2 audit process. The audit process exists to verify experience; as long as you've got it and the people pick up the phone or click the link then I'd say you're gravy. I will say that the most amazing part of your write-up is that EC-Council actually contacted people to verify your experience. I'd like a write up of that process, including seeing the grammar in that email!!!
  • cyberguypr Senior Member Mod Posts: 6,927 Mod
    Relax. I don't know if you had some irregularity, but I want to believe the words "randomly audit" mean exactly that, random. My colleague passed the test earlier this year and got audited. He took it personal and started badmouthing ISC2 and couldn't understand why they would question his achievements. Something along the lines of "can't you see I've been doing security for years, plus I was in the military. How you dare doubt me". I told him the same thing: chill out, audits help maintain credibility. Trust me, based on what you wrote you have ZERO to worry about. Just spend some time gathering whatever they ask for and then enjoy all the fame, glory, money, and women that you will get thanks to your new official CISSP designation.

    My other colleague got his CPEs audited and it wasn't a big deal either.

    And please also CC me on the EC COUNCIL emails. I print all their communication and paste them on my walls.
  • Ertaz Member Posts: 934
    The fellow who endorsed me was selected for audit when he got his certification. I laughed when he told me because he's the most organized person I've met in 20 years. He had paperwork to document his paperwork... It's like in high school athletics when they drug test the kids they know are clean because they don't want to know the truth. Good luck on your efforts.
  • Mike7 Member Posts: 1,107
    My endorsement was done by (ISC)2, which means they audited me.
    What they wanted was proof of my work experience. Here is their email

    I have received your request for endorsement assistance. I am contacting you because the documentation I received is incomplete. Your submission included your work experience summary but did not include complete proof of your job history for your employers. Please provide these details at your earliest convenience.***The document provided does not indicate your overall time with the company. Please have the HR Department provide a document on letterhead confirming your overall employment dates.

    Proof of your job history can be numerous things. A letter from your employers showing the date you worked at their company, an employment contract showing dates you worked at the company or any sort of documents on letterhead that shows you worked at the company for the dates and time you specified on your resume would be accepted.
    I had HR print a document on company letterhead listing my job titles (with dates) and signed by my manager. That was enough proof for them.
  • LionelTeo Member Posts: 526
    No worries about job finding. I suggest to hold off finding jobs till April next year. April to July is a good time because it's just right after the financial year; which is the time where big companies push out budgets and open new positions. Aiming to fill up these positions would be better than taking over positions that people had left for.

    There are still some sectors that have pushed out budgets and positions from July to December. Or sometimes jobs get vacant because some sectors release bonuses around this period.
  • gespenstern Member Posts: 1,243
    Judging from the content of this post I don't see why to worry about it.

    I had my CPEs audited in the past, no big deal, as long as you aren't trying to **** and you are not. They will probably make some calls or emails to your former employers and that's it. Hard to tell why are you really anxious about this audit as what you've described doesn't provide any reason for that.
  • beads Senior Member Member Posts: 1,521
    Audits are pretty rare. In this case your endorser missed a couple of check boxes which clearly puts you in the review pile for no other reason than sloppy paperwork.

    I have yet to hear of someone at least reasonably close not passing the audit. Those rare exceptions have been so grossly blaring that it would be hard to miss.

    Lastly, it's the ISC(2) not the FBI. Basically, if they can get a pulse from a live body they have been satisfied in the past with just that.

    - b/eads
  • ZzBloopzZ Member Posts: 192
    Thank you everyone for the supportive replies. I am feeling better but still can't wait until I get officially certified! :c)
  • NotHackingYou Member Posts: 1,460
    Sorry to hear about this. Hopefully it is random and over quickly. I didn't have any trouble with my middle eastern name.
    When you go the extra mile, there's no traffic.
  • ZzBloopzZ Member Posts: 192
    Mike7 wrote: »
    My endorsement was done by (ISC)2, which means they audited me.
    What they wanted was proof of my work experience. Here is their email



    I had HR print a document on company letterhead listing my job titles (with dates) and signed by my manager. That was enough proof for them.

    Darn, that will be a real PITA as I worked for 5 different employers. One of those does not even exist anymore, luckily the supervisor from that job moved to a different company. The other was really unprofessional and I will probably have to harass them to get a letter from HR which would take 2 months.

    I hope they just stick to calling all my supervisors! :D
  • ZzBloopzZ Member Posts: 192
    cyberguypr wrote: »
    And please also CC me on the EC COUNCIL emails. I print all their communication and paste them on my walls.

    Surprisingly, the EC-Council Eligibility Verification went butter smooth. Here are the timelines:

    July 7 @ 4:09PM - I sent EC-Council my application form, resume and government ID scan. I asked to verify that my form was filled out correctly before I paid the $100 fee.
    July 7 @ 8:01PM - Got a response from them that form is filled out properly but I must pay the fee in order to start the process.
    July 7 @ 10:32PM - I email them back telling them that I have paid the fee and to please move forward.
    July 8 @ 12:07PM - Received the following email:
    Dear [APPLICANT],

    Greetings to you.

    We acknowledge receipt of your completed eligibility application form.

    As part of verification process we have contacted your employer/verifier on 07/08/2015

    Currently we are waiting for his/her response.

    Waiting time for processing of Eligibility Code is approximately 5 working days after receiving the verification from verifier (Verification Complete).

    Have a nice day!
    EC-Council

    Shortly after my old boss forwarded me the EC-Council email that he received on the same day @ 12:07PM:
    Dear [Boss's Name],

    Greetings from EC-Council.

    We have received an Exam Eligibility Application from [APPLICANT] and he/she had named you the verifier of his/her experience in the Information Security field.

    Please confirm that [APPLICANT] has at least 2 years of experience in the Information Security field by filling out the attached verification form and return your completed form to [EMAIL].

    Your cooperation on this matter is greatly appreciated.

    Have a nice day!

    EC-Council

    July 8 @ 7:53PM - I received approval to take the CEH exam. Here was the exact email:
    Dear [APPLICANT],

    We confirm receipt of verification from your employer/ex- employer.

    Your Eligibility Application process has been approved for the CEH exam.

    Please take note that in order to schedule an exam, you would require an exam voucher.

    The CEH exam voucher can be purchased through our website http://store.eccouncil.org/

    Please send the payment confirmation code for verification once the payment is done so we can release the exam voucher to you.

    Have a nice day !
    EC-Council

    I was surprised how quick it took them... less than 24 hours! What I never realized until now, I spent $100 for EC-Council to just send an email (which was probably just a template they use changing names) to my boss with a filled out PDF form for him to verify, comment, sign and send back... so literally less than 10 minutes total of work. Anybody want to start a new Security certification company with me?
  • ZzBloopzZ Member Posts: 192
    Update. My current employer who is on travel just sent me an email that he received an email from ISC2 July 7 to fill out a form about my employment, then to sign it and then send it back. He said he filled out the form and sent it back the same day on July 7. Funny enough, the email has the auditor's name but no ISC2 in the subject or From field. I just let my old boss know and sure enough he searched the auditor's name and found it. He said he will fill it out first thing in the morning. He was on vacation last week so missed the email and did not recognize the sender's name so simply ignored it.

    At least now it makes sense why the audit is taking so long. They are basically waiting to hear back from my employers. I am now going to call my old supervisors to give them a heads up! I feel much better now that they are at least verifying employment and not just sitting around.
  • ZzBloopzZ Member Posts: 192
    Final Update:

    My previous employer finally responded to ISC2 this morning with a filled out employment verification form. He said he sent it at 9:38AM. Then at 1:45PM I received the official congratulations that I have been officially certified! :D It appears the reason the audit took so long is because they were waiting for the last verification form to come in, which makes perfect sense.

    For those interested, here are more details about the audit.

    1. ISC2 only reached out to my current employer (been there ~11 months now) and my last employer (Fortune 50 Company, worked there 4 years). FYI, I just needed to show 4 years of experience since 1 year was waived from my college degree. They did not reach out to the 2 employers prior to the Fortune 50 job nor any of my clients for when I was self-employed. Honestly, I am glad about that since they just need to verify 4 years at the end of the day.

    2. The way they reached out to my employers was through a professional/brief email and a PDF form attached to fill out. The PDF form instructs the Supervisor to fill in:

    - The supervisor's name and job title.
    - The applicant's (me) name, job title, start and end dates, total months worked and if they were Full-Time or Part-Time.
    - Business Address / Phone Number
    - Are you able to verify his/her work experience as specified above? Yes / No
    - How long have you known the applicant professionally?
    - Is there any reason the applicant should not be certified? Yes / No, If No, explain:
    - Then the supervisor must attest that the information is true and correct to the best of their knowledge blah blah
    - Supervisor's signature and date (they can just digitally sign, which is great!)

    Then once filled/signed to email the form back to the auditor.

    My main complaint with the audit process is that they should have updates with what supervisors were contacted and when such as how EC-Council does it. Also, they should have ISC2 in the from or at least subject. My current boss thought the email was spam at first but then checked it out anyway and then realized what it was. Had I not known the auditor's name through him I would still be stuck in audit because my previous employer skipped the email as he did not recognize the name. He gets literally over 300 emails per day. I had him just search the auditor's name and boom, he found it right away. He apologized like 3x for missing the email and begged if I could endorse him someday when he passes the CISSP. I said absolutely and already sent him a detailed email few weeks ago on how I prepared for the exam.

    Overall, I am happy that I am certified and proud of it! It is the only certification I really dreamed about obtaining (honestly for over 4 years now) and is my second biggest goal of the year. I do plan to tackle a few more certs but nothing major. Glad I got this before I hit 30 in the next few months.
  • cyberguypr Senior Member Mod Posts: 6,927 Mod
    Glad it all worked out OK.
  • jg372 Member Posts: 22
    I got selected for the audit too. I think you and I passed the exam around the same time? I passed mine on 6/3 and sent the endorsement a week after.

    They did request the college diploma, which is at my Mom's house and not close to get to. She is not technically savvy so to get her to send a photo, fax, or email to me would be extremely difficult. I attached my GSEC certification which should be sufficient for that 1 year waiver, I hope. I gave my 2 supervisors within the last 5 years a heads up they might get contacted. The one before that I have no idea the contact phone number of the supervisor as he is no longer there. I gave the company HR phone number though.

    Hopefully my audit goes as well as yours did!
  • ZzBloopzZ Member Posts: 192
    jg372 wrote: »
    I got selected for the audit too. I think you and I passed the exam around the same time? I passed mine on 6/3 and sent the endorsement a week after.

    They did request the college diploma, which is at my Mom's house and not close to get to. She is not technically savvy so to get her to send a photo, fax, or email to me would be extremely difficult. I attached my GSEC certification which should be sufficient for that 1 year waiver, I hope. I gave my 2 supervisors within the last 5 years a heads up they might get contacted. The one before that I have no idea the contact phone number of the supervisor as he is no longer there. I gave the company HR phone number though.

    Hopefully my audit goes as well as yours did!

    GSEC is on the approved list so that's all you need to get the 1 year waiver. I would also show them the GISP that you have. Basically, I gave them more information than they could do with. College degree, cert proofs, told them about my security clearance etc. As long as you can show 4 years of experience with your 2 supervisors within last 5 years you're good.

    I passed my exam end of May. Can't remember the date anymore but I think it was the 24th. Good luck!
  • T-Rock Registered Users Posts: 3
    Hey ZzBloopzZ,

    Congrats on finally becoming official! You mentioned that your endorser missed some check boxes, can you tell me which boxes they were? The reason I ask is b/c my endorser didn't mark any of the check boxes on pages 4 and 5 "Endorser's Guidelines".

    I passed the exam on the June 6th.
    Sent the endorsement to endorser on June 8th.
    Got it back June 23rd.
    Sent to ISC2 immediately.
    Got the confirmation on June 24th.

    I have not heard anything ever since.

    Thank you
  • ZzBloopzZ Member Posts: 192
    T-Rock wrote: »
    Hey ZzBloopzZ,

    Congrats on finally becoming official! You mentioned that your endorser missed some check boxes, can you tell me which boxes they were? The reason I ask is b/c my endorser didn't mark any of the check boxes on pages 4 and 5 "Endorser's Guidelines".

    I passed the exam on the June 6th.
    Sent the endorsement to endorser on June 8th.
    Got it back June 23rd.
    Sent to ISC2 immediately.
    Got the confirmation on June 24th.

    I have not heard anything ever since.

    Thank you

    Sure, on page 3 he forgot to check the following:

    - The candidate has not been suspected, charged, indicted, or convicted of any crime.
    - The candidate is competent to render professional service to principals without supervision.

    Good luck!
  • jg372 Member Posts: 22
    Thankfully I am official now too! They reached out to my last 2 supervisors. Thankfully it's all the same company so I was able to give them both a heads up. Had to verify my work experience and once they both sent it back, I was official that day!
  • EZstreet Member Posts: 18
    jg372 wrote: »
    Thankfully I am official now too! They reached out to my last 2 supervisors. Thankfully it's all the same company so I was able to give them both a heads up. Had to verify my work experience and once they both sent it back, I was official that day!

    Did they email or call your last supervisors?

    EZ
  • jg372 Member Posts: 22
    The form they had to fill out was via email, which I guess is obvious. I am not really sure how they got their email though as I only provided phone numbers from my documents.
  • anandmohan06 Registered Users Posts: 1
    Hello,
    I am a Sr. Architect working with one of the reputed large size (>1.5 lac employees) technology consulting company in India and have over 17 years experience. I work in the integration area, not directly dealing with IT security.
    Can you guys please let me know your expertise. Are all of you directly working in the IT security area?

    The CISSP site mentions that the following steps:
    1. Obtain the Required Experience. Candidates must have a minimum of 5 years cumulative paid full-time work experience in 2 or more of the 8 domains of the CISSP CBK. ...
    2. Schedule the Exam.
    3. Pass the Exam.
    4. Complete the Endorsement Process.
    5. Maintain the CISSP Certification.

    What is endorsement process? After one has passed the exam, does ISC2 send email for sending credentials, or is it needed before one appears for the exam?