CISSP experience requirements and endorsement

SBA (Member, Posts: 3)
Hello all,

I am an IT auditor with around 4.5 years of external IT audit experience at Big Four firms (ITGCs and IT dependencies audit) as well as nearly a year of IT internal audit experience. I would like to ask whether any of you had an exclusively IT general audit background and passed the CISSP. Also, I do not know an (ISC)2 member in my current position; does any of you have experience with the endorsement process by (ISC)2?

I would like to be sure that I can get the certification with my current experience before investing in the exam costs.

Thanks a lot in advance for your help.

Comments

  • E Double U (Member, Posts: 2,239)
    edited December 2021
    As an IT auditor, you might have gained enough knowledge to be able to understand the domains just fine. If I had to guess, you would probably feel comfortable with the following domains:

    1: security & risk mgmt
    2: asset security
    6: security assessment & testing

    Keep in mind that you are only required to have experience in two of the eight domains. Reference https://www.isc2.org/Certifications/CISSP/experience-requirements for certification requirements and https://www.isc2.org/Endorsement for the endorsement process. (ISC)2 itself can act as your endorser. 

    Have you considered ISACA credentials? CISA would be a no-brainer if you do not already have it. Plus it can be used to substitute one year of experience. 
    Alphabet soup from (ISC)2, ISACA, GIAC, EC-Council, Microsoft, ITIL, Cisco, Scrum, CompTIA, AWS
  • SBA (Member, Posts: 3)
    Thanks for your reply, E Double U.

    Indeed, when I went through the content I did not find any blocking points yet; knowledge is not the problem. I have CISA and considered CISM, but I find the CISSP also has a technical emphasis, which can certainly be valuable in security process audits.
    What I wonder is whether ISC² accepts experience solely as an auditor assessing security risks and controls, or whether they necessarily require hands-on security controls design/implementation/operation experience.
  • E Double U (Member, Posts: 2,239)
    If no one else here with your background can chime in, then I would recommend that you contact (ISC)2 directly. I assume that they will have no problem allowing someone to take their exam, as that plus the annual maintenance fees benefit them financially :)
    Alphabet soup from (ISC)2, ISACA, GIAC, EC-Council, Microsoft, ITIL, Cisco, Scrum, CompTIA, AWS
  • SBA (Member, Posts: 3)
    Thanks, I agree. They can allow it, but the problem is that they can provide the status of "Associate of ISC²" (provided the annual fee is paid) without the certification, so I will check directly with them to know clearly whether my experience applies.