CISSP or SSCP?

appleman01

I have 6 years of experience in IT (with a 4 years Bachelor's degree as well) with main focus on Identity & Access Management. I have been planning to prepare and take the CISSP certification, but I am not entirely sure if i should go for it as my first Security certification. Would taking the SSCP first be a good idea? 

internutzz

Do you do any security administration in your role where the SSCP might help? You seemingly have the experience to qualify as a CISSP rather than as an Associate so if the SSCP won't help with your current role (or any future roles you're interested in) then go straight for the CISSP.

JDMurray

Get the CISSP on your resume as soon as you are fully qualified for it. You must have professional work experience in at least two of the eight CISSP domains. If you are not confident about earning the CISSP material, getting the SSCP cert first is a good study prep for the CISSP.

SteveLavoie

Your experience seem right, just make sur you have enough enough in 2 domain. Also getting your SSCP reduce by 1 year the number of experience required. Finally, SSCP is a nice certification it can be compared to Sec+, but at least if you do both (CISSP and SSCP) it will be easier to track your CPE.  

lucky0977

You appear to have the requisite experience and the degree (If IT related) would knock off a year so you would only need to document 4 yrs or experience. The SCCP is closely related to the SEC+ and provides you with foundational knowledge in the InfoSec field. It's totally up to you if you feel confident enough to take the CISSP but I always preach "baby steps" and gaining knowledge slowly rather than being fed through a fire hose with water going "full blast".

appleman01

Thanks for the suggestions guys! 

What confuses me the most is - "having experience in atleast 2 domains" - how is this experience calculated or validated? My primary experience is only in "Identity and Access Management" as that is what I was working on since the last 6 years. But.... I do have a little experience in some topics within "Security Operations" like separation of duties, privileged account management, etc. Will that be enough?

And I understand that the CISSP certification would be quite difficult and REAL knowledge is required. Maybe I will take some time and study for myself first and then start preparing and studying for the test. 

bigdogz

@appleman01

You can call (ISC)2 yourself and talk to someone who can validate your experience. It is also validated after you pass your exam and need to be endorsed by an (ISC)2 member in good standing.

Yes.
If you are in IT as an administrator, you should have a few of the domains covered.

appleman01

@bigdogz Yes I will do that, thanks!

internutzz

Hmmm, not sure you'll be able to speak to someone at ISC2 and ask them to validate your experience as they explicitly say they won't do this on their FAQ: https: // www. isc2. org /Frequently-Asked-Questions#accordion-0bc69c6b254a40f0b4729cd44143dc5d

Q: How do I know if my work experience is relevant and counts towards the required experience of the credential?

A: Please refer to the (ISC)² certification requirements on our website to determine whether the work experience you possess qualifies for your desired credential. (ISC)² currently does not review work experience prior to taking your examination. After taking your examination, if you do not have the required work experience to hold the certification, you can become an Associate of (ISC)² until you attain the required experience.

My advice is to check the exam outline and look at the tasks/subtasks associated with each domain. Do you have any experience of any of those tasks/subtasks in at least 2 domains? The 5 years requirement is cumulative, so you don't need 5 years of experience in both of the 2 domains. e.g. You could have 4 years doing just 1 of the subtasks in 1 domain combined with 1 year of doing just 1 subtask in another domain to qualify. As said before your degree will likely qualify for a 1 year waiver as well, so you only need to find 4 years now.

internutzz

Hmmm, not sure you'll be able to speak to someone at ISC2 and ask them to validate your experience as they explicitly say they won't do this on their FAQ:

Q: How do I know if my work experience is relevant and counts towards the required experience of the credential?

A: Please refer to the (ISC)² certification requirements on our website to determine whether the work experience you possess qualifies for your desired credential. (ISC)² currently does not review work experience prior to taking your examination. After taking your examination, if you do not have the required work experience to hold the certification, you can become an Associate of (ISC)² until you attain the required experience.

My advice is to check the exam outline and review if you have experience with any of the tasks/subtasks associated with at least 2 of the domains. The 5 years requirement is cumulative so even if you have 4 years of experience doing 1 of the subtasks in 1 of the domains combined with 1 year of experience doing 1 of the subtasks in another domain then you will qualify. As said before your degree will likely qualify for a 1 year waiver so you only really need to find 4 years of experience.

stryder144

If you have an (ISC)2 chapter near you, go to one of their meetings or reach out to them.  They tend to be very helpful.  I spoke with one of the Denver reps and one of the topics was on experience needed.  She listened to me recount my experience and said it sounded like I met the requirements and shouldn't have any problems getting endorsed.  That was probably six years ago.  If that doesn't work for you, find an (ISC)2 certified person near you and invite them to coffee so that you can talk about your experience and see if they have any advice. 

appleman01

@internutzz
Wow, okay. Well I do have 100% experience in 1 domain and maybe 30-40% in another domain.. and a little bit here and there in the rest..
Definitely not 100% in 2 or more domains (each). And I don't think it will be possible to start working in different domains suddenly in my current job to get the relevant experience for ISC2. That is why I wanted to know who/how/where the experience is validated?

@stryder144
Yes, maybe I will try to find some meetup groups related to ISC2 or CISSP in my area, that is a good suggestion, thanks!

internutzz

appleman01 said:

@internutzz
Wow, okay. Well I do have 100% experience in 1 domain and maybe 30-40% in another domain.. and a little bit here and there in the rest..
Definitely not 100% in 2 or more domains (each). And I don't think it will be possible to start working in different domains suddenly in my current job to get the relevant experience for ISC2. That is why I wanted to know who/how/where the experience is validated?

@stryder144
Yes, maybe I will try to find some meetup groups related to ISC2 or CISSP in my area, that is a good suggestion, thanks!

So it sounds like you do have enough experience. i.e. 6 years working across at least 2 domains is more than enough!

stryder144

To my (limited) knowledge, you don't have to have 100% experience in each of the subdomain areas, just be able to demonstrate/point out the responsibilities that tied to some of the subdomains.  If anyone else who has recently gone through the endorsement process can chime in on that, please do so.  I am just now finishing up my studying  and will soon be taking the exam, and hopefully, going through the endorsement process soon.

lucky0977

You do not require 100% experience in every single topic listed in each domain. If you can list duties performed in at least any two of the eight domains, you'll be good to go. 

bigdogz

After talking to ISC2 some time ago, I discovered that they would like some experiences in all domains. You just need experience in 2 of the domains.

That being said, the exam is more difficult to try to weed out the cheaters. It seems like these folks would do anything (not good) to pass this exam.

MrNetTek

I agree with the others here---get your CISSP; I believe it's more recognizable and respected.

-MrNetTek at your service-