Work requirements for CISSP?

NHStudent Member Posts: 21
I have switched careers and have been 100% information security and compliance for the past two years; I have 20 years of IT / tech ops experience and managed IT directly for several years, but there was a gap in time between. Certainly enough for 5 years' worth.

How does ISC2 measure this? Do they check references?

I would like to take the CISSP exam this year but question the criteria for experience.

Comments

  • SteveLavoie Member Posts: 1,133
    You need 5 years' experience in 2 of the domains, not a title with "security" for 5 years. Map your experience to the 8 domains of CISSP. I would assume that you can easily map 5 years of experience to Domain 4: Communication and Networking.

    I have 16 years of mixed IT / Networking/Sec / consulting experience, and it was a no-brainer to have the experience required. You just have to highlight the security aspect of your experience.

    In my case, I have been at the same company for 16 years; they asked for a letter from my superior to confirm my employment.
  • adamj2281 Member Posts: 20
    So I have the same question - I worked for one contractor for 12 years, and just started at a new position in the past 3 months.

    What do I need to provide and when will they ask for it?
  • mbarrett Member Posts: 397
    Whatever information that you provide to support your application, assume that they will want to verify it.
  • beads Member Posts: 1,533
    A great deal of discussion has happened over this topic over the years but never anything that has moved the needle one way or another. The ISC(2) certainly has more than enough money to actually investigate backgrounds and qualifications but chooses not to at this time.

    Basically, you can claim anything you want both pre- and post-certification. In the OP's case you likely have more than enough experience to qualify; it's just a matter of applying the information in a resume-friendly format both pre- and post-certification.

    - b/eads
  • nevermore Member Posts: 39
    It was recommended to me by Eric Conrad that if you pass the CISSP, you create a separate resume for the purpose of ISC2 endorsement and really focus on mapping your skills and experience to the domains. Your resume may have other content that is not relevant, which can be phased out and replaced with content that is more supportive.

    I used his advice for both the CISSP and CISSP-ISSMP endorsement process.
    Obtained:
    • CISSP/ISSAP/ISSMP, CISM, GISP, CEH
    • M.S. Information Security and Assurance, Norwich University
    • B.S. Cybersecurity, UMUC
    In Queue: PMP, CCSP, CRISC
  • NHStudent Member Posts: 21
    Well, I have a background that may look messy, but I grew to managing 9 teams and close to 100 people, so I think I may have a good reason? My experience includes development / QA / support / IT / services (I have even been in marketing/product management). I'm an IT mutt? Began in QA > created a group > built and facilitated an installation and deployment group > created a security testing team and then began to acquire managing our IT team. Refit that and built a small but efficient team / designed and built the needed systems and infrastructure to support web hosting with a multi-tier data center and later into the cloud. Always owned the security function with our software and performed, trained on, and managed web vulnerability and penetration testing. Also owned everything in the way of compliance and directly supported these, including HIPAA, PCI, SOC, and other standards. Certified one of our products with PA-DSS and helped many clients with PCI for their websites.

    As time went on, I felt I was doing too much, too widespread, and wanted to refocus back down to QA and DevOps, and did just that, giving up IT, services, and anything not directly related to quality and operations for our delivery.

    However, it was not until about 2 years ago that I shifted completely towards a title and career in information security, including compliance for the entire company. Textbook CISSP and ISO 27001 work.

    I'm sure I can adjust my resume so that what needs to stand out will be easier to find. My employer, I'm sure, would also vouch for me.
  • veritas_libertas Member Posts: 5,746
    beads wrote: »
    A great deal of discussion has happened over this topic over the years but never anything that has moved the needle one way or another. The ISC(2) certainly has more than enough money to actually investigate backgrounds and qualifications but chooses not to at this time.

    Basically, you can claim anything you want both pre- and post-certification. In the OP's case you likely have more than enough experience to qualify; it's just a matter of applying the information in a resume-friendly format both pre- and post-certification.

    - b/eads

    I don't think this is true. I've heard more than once of individuals being audited.
  • SteveLavoie Member Posts: 1,133
    You almost did the right thing; just separate the different stages in your career and assign all applicable CISSP domains to each. Your experience is relevant: you can map many years in Domain 8 (Software Dev) and some in Domain 7 (Sec Testing). It should be easy to get the endorsement.
  • beads Member Posts: 1,533
    There has always been a mandatory random 10 percent audit over the years. Basically, 10 percent of all applicants and renewals are kicked for automatic audit. Nothing horrid about the experience; it's generally handled with some basic verification. I am up for my third renewal come February and have more than enough evidence to back up my claim that I have been a good boy and done more than the needed 40 + 40 + 40 and 30 hours necessary.

    As far as the new candidate is concerned, it's also a light to non-existent touch, with the investigator contacting the audited for some more information or contact information, usually a boss, W-2 or similar. Again, no big deal; it's just part of the overall program. After reading comments over the years concerning the background investigation, you'd think the FBI were doing the background investigations and the process was involved - it's not.

    So, is there an audit? Yes, it's part of any certification's own audit cycle - somewhere in the ISO family, but I haven't run across that exact program in years.

    b/eads
  • tkreagan Member Posts: 10
    1. You definitely want to recreate your app in a format that specifically outlines the domains you handled in each role.
    2. You only need 4 years if you have a college degree, so that makes it easier.
  • ITSec14 Member Posts: 398
    I'm having ISC2 act as my endorser, and from everything I've heard from people at my office, it's a pretty straightforward process. They verify your job history and experience from the contacts you provide. I've even heard that if you submit employment verification letters they will accept that and not even contact your references. I guess it depends on how many applications they have to process in a given time.