Yet another experience requirement question

Hey everyone,

I'm going to be taking my CISSP exam in the next 4-6 weeks, but I'm being proactive and documenting all of my experience which will be included in the endorsement process should I pass. As of now, I'm planning on having ISC2 act as my endorser. I have my Sec+ as well as a 4 year degree in Information Systems so I will qualify for the 1 year waiver, but have the remaining years experience in more than 2 domains which should qualify me for the full cert.

Here's my question...

Prior to getting into IT, I worked as a manager in a bank primarily overseeing the operational side of things. This included: conducting audits related to vault access, movement of currency between the vault and tellers through e-reports and physical audits as well as verifying all financial related customer documents were properly filed, secured and retained for X amount of time. I also conducted routine training on branch security and what to do in the event of an incident.

I did this job for about 3 years. Would this be something I can add to my experience toward the CISSP as it relates to physical security, professional ethics, procedures, protecting privacy, retention, personnel safety, auditing, etc.? Wasn't sure if it strictly had to be IT positions.

Would be a nice cushion to add to my 4 1/2 years I already have in IT roles.

Thanks!

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

ITSpectre

Check the following thread for the answer....

http://www.techexams.net/forums/isc-sscp-cissp/75122-cbk-domain-experience-example.html

I would email registrar@isc2.org and ask

ISC2 is the only one that can answer that question. We cannot answer it.

ITSec14

Wonder if that email is still valid. (ISC)2 is pretty vague in their wording, which is probably why a lot of people ask this question.

LordQarlyn

Like ITSpectre says, only the ISC2 can officially confirm that. All we can do is share our own experience in endorsement.
I haven't held an "official" information security position, rather, I've had IT jobs (and non IT jobs for that matter) that involved work in some of the 8 domains.
I asked the ISC2 to endorse me, I submitted my job experience, along with proof of start and end dates with my current and past employers. This was sufficient for the ISC2 to endorse me. I should think your experience would count towards that, but, again, only ISC2 has the final word on that. I would include it if you feel your experience is lacking, I did for one of my non-IT jobs that covered some of the 8 domains.

ITSec14

Did you have to get letters from each of your previous employers verifying employment?

LordQarlyn

I did have to submit my offer letters, with my salary blacked out, and for proof of my end dates, most of my employers used "theworknumber", which tracked both my start dates and end dates, and all my pay periods, which I also redacted. For the employers that weren't on the work number, I did get a letter on company letterhead confirming my start and end dates.

ITSec14

Awesome, appreciate the insight!

LonerVamp

You said you also have 4 years in IT. Did you create or manage accounts (service or user) and passwords at all? Manage permissions or access to resources?

Anyway, just from the actual page guidelines itself (https://www.isc2.org/Certifications/CISSP):

At least five years of cumulative, paid, full-time work experience
In two or more of the eight domains of the (ISC)2 CISSP Common Body of Knowledge (CBK)

And the domains:
1. Security and Risk Management
2. Asset Security
3. Security Engineering
4. Communication and Network Security
5. Identity and Access Management
6. Security Assessment and Testing
7. Security Operations
8. Software Development Security

beads

I have yet to hear of the ISC(2) denying anything but the most absurd of reasoning, still its there call. For the rest of us the organization has rapidly devolved to joke status. Just check out the recent CISSP awardee who ran for election this past go around.

We are the ISC(2) and we take anyone.

- b/eads

ITSec14

Yes, I did a lot of that in my first and second IT jobs, among a lot of other things like managing backups, implementing a new backup solution, SharePoint administration, patching, anti-virus, audits, etc. I've been in my current role (Infosec job) for over a year now and do vulnerability management, policy creation, risk assessments, audits etc. I have a little over 4 years total time in my IT career.

I qualify for the 1 year waiver with my degree and Sec+ cert, so 4 years is all I technically need. As I stated above though, my question about whether my experience prior to entering into IT was really just an inquiry. Obviously I don't expect anyone to be able to answer that 100%, but doesn't hurt to see if anyone else went through something similar.

I even emailed ISC2 and they were of no help.

ITSec14

beads wrote: »

I have yet to hear of the ISC(2) denying anything but the most absurd of reasoning, still its there call. For the rest of us the organization has rapidly devolved to joke status. Just check out the recent CISSP awardee who ran for election this past go around.

We are the ISC(2) and we take anyone.

- b/eads

Honestly at this point, I only want the cert because of job requirement reasons. Kind of sad how certs are used to gauge how qualified someone is for a job these days.

ITSpectre

beads wrote: »

We are the ISC(2) and we take anyone.

- b/eads

its so easy a caveman can do it!