New Requirements for CISSP.

Comments

  • dynamik Banned Posts: 12,312
    You can contact them and discuss your experience. You should have a good idea going into it whether you'll qualify or not. I don't think there's a whole lot of surprises.
  • JDMurray Admin Posts: 13,021 Admin
    billrich88 wrote:
    Do you think this is a responsible manner?
    The (ISC)2 is a private organization; if you want its certs you must play by its rules. Having gone through the process myself, I have no problem with the way they vet candidates. It helps ensure quality by discouraging people who know that they aren't qualified and don't want the "Associate" tag until they are.

    You needed 4-5 years of InfoSec experience to get your CISA. Did ISACA fully vet you before allowing you to sign up for the exam?
  • billrich88 Member Posts: 6
    That doesn't mean this is a best practice or should be the norm. CISSP is accredited to ISO 17024, which demands a quality system that requires 'review' before 'accept'. Maybe I should ask ANSI whether this practice conforms to the ISO 17024 requirements.
    Learning is a lifelong task
  • JDMurray Admin Posts: 13,021 Admin
    To save yourself some possible embarrassment, I'd suggest that you fully review ISO 17024:2003 before assuming that it defines and regulates anything to do with the business practices of a certification vendor. You might be surprised how much structure and how little definition there actually is in an ANSI/ISO standard.

    If you can't get a copy of the actual standard, start with the Guidance on ISO 17024:2003 (PDF) document.
  • billrich88 Member Posts: 6
    The Guidance does not include the 17024 requirements. In 17024 clause 4.4, it demands that the certification body operate a management system, and there is a note stating that operating an ISO 9001 Quality Management System is deemed to satisfy this management system requirement, and ISO 9001 7.2.2 requires: 'review' before 'accept'.
    Learning is a lifelong task
  • JDMurray Admin Posts: 13,021 Admin
    The (ISC)2's certification experience requirements have been in existence for years. The (ISC)2's current process has already passed vetting from the ISO in order to be certified. If you are really interested in "taking down the (ISC)2," I suggest approaching it from a business ethics or conflict-of-interest point of view rather than a violation of their ISO certification.

    And why the big vendetta against the (ISC)2 anyway? If you have a CISA then you have the experience for a CISSP as well.
  • billrich88 Member Posts: 6
    I am in no way taking down (ISC)2, but these are just the questions in my mind, wanting opinions from professional people like you. (ISC)2 is certainly very good and professional in many areas, but I think there will always be room for improvement in some aspects. Different organizations have different processes, and I agree if one wants to join the party, one has to follow the party's rules. Whether the rules are good or bad is another matter. Today, corporate social responsibility is a hot topic and this stirs up many 'rethinks' of what a socially responsible organization should be. Thank you so much for your information and opinions.
    Learning is a lifelong task
  • RTmarc Member Posts: 1,082
    I want to point out a couple of things.

    1) People do not blindly register for exams or certifications; unless they are ignorant. Research is typically conducted to determine concepts and material covered, perhaps also on the issuing organization, and most certainly experience or eligibility requirements.

    2) That being said, the paperwork you submit when registering for the CISSP exam asks whether or not you have the necessary experience and even asks you to itemize your experience and provide a resume for review.

    His example of the university scenario doesn't work. You don't jump into a school without researching the school and its eligibility requirements. Also, it would require the student to lie when asked if they met the requirements before taking the exam.
  • JDMurray Admin Posts: 13,021 Admin
    I hear you, billrich88. I have serious questions myself about the grandfathering practice being used for the (ISC)2's newest cert exam, the CSSLP. Read my thread on this subject and let me know there what you think.
  • JDMurray Admin Posts: 13,021 Admin
    RTmarc wrote:
    2) That being said, the paperwork you submit when registering for the CISSP exam asks whether or not you have the necessary experience and even asks you to itemize your experience and provide a resume for review.
    But these are not requirements for taking the exam. You can have zero InfoSec experience and still take the CISSP or SSCP exams. Upon passing, you will be awarded the Associate designation and not the full cert. The Associate of the (ISC)2 was created for people graduating college that do not have much or any InfoSec experience, but are looking to make some aspect of InfoSec their profession. The exam costs the same, experience or not.
  • hellointer Member Posts: 1
    OMG, I have to wait for one more year?
  • down77 Member Posts: 1,009
    hellointer wrote: »
    OMG, I have to wait for one more year?

    Have you considered the associate path? This way after successfully passing the exam you can earn the required experience and submit your resume for evaluation again after you have obtained the requirements. May also want to consider the SSCP this year and CISSP next year.
    CCIE Sec: Starting Nov 11
  • borngunners Member Posts: 2
    dynamik wrote: »
    I don't know how much it really matters now that they only let you take one year off from EITHER certs or a degree. I would imagine that most people would already have a Security+ or other qualifying cert.

    I am planning to take the CISSP exam, but I'm still not sure whether my master's degree in Information Assurance and a Microsoft Certified Professional certification will be sufficient for me to qualify. I am currently working as an IT Systems Analyst with 2 years' experience, but have been in the IT field for close to 7 years now, working as a Workstation Engineer, Helpdesk Support Specialist, and as a Technician. I was told I need a certain number of years of experience (5 years) working in the security field, but I honestly don't have that many years of experience. Can my master's degree and my certification, with the years of experience that I already have, substitute for the requirement to take the CISSP exam? Also, if they could substitute for that, what do I need to have in mind to prepare for the exams?

    Thanks
  • dynamik Banned Posts: 12,312
    Welcome to the forums.

    You can take the exam without meeting any of the requirements. If you pass, you'll be an associate and be given six years to fulfill the requirements.

    That masters sounds like something that would qualify, but I'd contact them just to confirm that. If your systems analyst position meets their criteria, you'd be an associate for two more years.

    Good luck!
  • ameyachinu22 Member Posts: 1
    keatron wrote: »
    Dear (ISC)2 Member,

    The (ISC)2 board of directors has approved new experience requirements for the CISSP certification, effective 1 October, 2007. While these changes will not affect current holders of the CISSP or those scheduled to take the exam by 30 September 2007, we wanted you to be aware of them.

    It is the responsibility of the (ISC)2 board of directors to continually review the entire spectrum of the consortium’s education and certification programs to ensure that (ISC)2 continues to provide the "gold standard" of professional certification in the information security industry. The board believes these new requirements will assure organizations worldwide that CISSPs have demonstrated they can meet the challenges of an ever-increasing threat environment, while you as an (ISC)2 member can be assured that the rigorous standards of the CISSP are being maintained in a maturing profession.

    The new requirements include the following components:
    • The minimum professional experience requirement for CISSP certification will be 5 years of relevant work experience in two or more of the 10 domains of the CISSP CBK, or four years of work experience with an applicable college degree or a credential from the (ISC)2-approved list. The current requirements for the CISSP call for four years of work experience in one or more of the 10 domains of the CISSP CBK, or three years of experience with an applicable college degree or a credential from the (ISC)2-approved list.
    • Candidates for any (ISC)2 credential will be required to obtain an endorsement of their candidature exclusively from an (ISC)2-certified professional in good standing. The professional endorsing the candidate can hold any (ISC)2 certification – CISSP, SSCP or CAP. Currently, candidates can be endorsed by an officer from the candidate’s organization if no CISSP endorsement can be obtained. The board believes that only an (ISC)2-credentialed professional bound by its Code of Ethics should provide a candidate endorsement.
    Dear Friends,

    I have completed my Bachelor of Engg. (B.E.) & have 5 yrs of experience in IT.
    Can anyone please help me out to get the exact current requirements of the CISSP exam?

    Currently I am not holding any security related certification.

    Please suggest.
  • RTmarc Member Posts: 1,082
    ameyachinu22 wrote: »
    Dear Friends,

    I have completed my Bachelor of Engg. (B.E.) & have 5 yrs of experience in IT.
    Can anyone please help me out to get the exact current requirements of the CISSP exam?

    Currently I am not holding any security related certification.

    Please suggest.


    CISSP Education & Certification
    The Certification That Inspires Utmost Confidence
    If you plan to build a career in information security – one of today’s most visible professions – and if you have at least five full years of experience in information security, then the CISSP® credential should be your next career goal.

    The CISSP was the first credential in the field of information security, accredited by the ANSI (American National Standards Institute) to ISO (International Standards Organization) Standard 17024:2003. CISSP certification is not only an objective measure of excellence, but a globally recognized standard of achievement.

    For your CISSP credential, your professional experience has to be in two or more of these 10 (ISC)² CISSP domains:
    • Access Control
    • Application Development Security
    • Business Continuity and Disaster Recovery Planning
    • Cryptography
    • Information Security Governance and Risk Management
    • Legal, Regulations, Investigations and Compliance
    • Operations Security
    • Physical (Environmental) Security
    • Security Architecture and Design
    • Telecommunications and Network Security

    (ISC)² Security Transcends Technology
    Do you have the proper experience for your CISSP® credential?
    You must have a minimum of five years of direct full-time security work experience in two or more of these 10 domains of the (ISC)² CISSP CBK®:
    • Access Control
      Concepts, terms of subjects and objects, implementation of authentication techniques
    • Application Security
      Security and controls of the systems development process, life cycle, application controls, change controls, data warehousing, data mining, knowledge-based systems, program interfaces, and concepts used to ensure data and application integrity, security, and availability
    • Business Continuity and Disaster Recovery Planning
      Preservation of the business in the face of major disruptions to normal business operations
    • Cryptography
      Business and security requirements for cryptography, principles of certificates and key management, secure protocols
    • Information Security and Risk Management
      Identification of an organization’s information assets and the development, documentation, and implementation of policies, standards, procedures and guidelines that ensure confidentiality, integrity, and availability
    • Legal, Regulations, Compliance and Investigations
      Computer crime laws and regulations, the investigative measures and techniques which can be used to determine if a crime has been committed, methods to gather evidence if it has, as well as the ethical issues and code of conduct for the security professional
    • Operations Security
      Identify the controls over hardware, media, and the operators with access privileges to any of these resources
    • Physical (Environmental) Security
      Threats, vulnerabilities, and countermeasures that can be utilized to physically protect an enterprise’s resources and sensitive information
    • Security Architecture and Design
      Concepts, principles, structures, and standards used to design, implement, monitor, and secure operating systems, equipment, networks, applications, and those controls used to enforce various levels of confidentiality, integrity, and availability
    • Telecommunications and Network Security
      Structures, transmission methods, transport formats, and security measures used to provide integrity, availability, authentication, and confidentiality for transmissions over private and public communications networks and media
    Note that if certain circumstances apply and with appropriate documentation, candidates are eligible to waive one year of professional experience:
    • One-year waiver of the professional experience requirement based on a candidate’s education
      Candidates can substitute a maximum of one year of the direct full-time security professional work experience described above if they have a four-year college degree OR an Advanced Degree in information security from a U.S. National Center of Academic Excellence in Information Security (CAEIAE) or regional equivalent.

      OR
    • One-year waiver of the professional experience requirement for holding an additional credential on the (ISC)² approved list
    Valid experience includes information systems security-related work performed as a practitioner, auditor, consultant, investigator or instructor, that requires Information Security knowledge and involves the direct application of that knowledge. The five years of experience must be the equivalent of actual full-time Information Security work (not just Information Security responsibilities for a five-year period); this requirement is cumulative, however, and may have been accrued over a much longer period of time.
  • Amco Member Posts: 73
    How often is the CISSP given a year?
  • colemic Member Posts: 1,569
    It is scheduled throughout the year, it is not like ISACA which is only 2x/yr. Check the ISC(2) site for testing dates and locations.
    Working on: staying alive and staying employed
  • Devilsbane Member Posts: 4,214
    colemic wrote: »
    It is scheduled throughout the year, it is not like ISACA which is only 2x/yr. Check the ISC(2) site for testing dates and locations.

    Good to know, ty
    Decide what to be and go be it.
  • djyox Member Posts: 21
    How do you prove your work experience? Do you just give them like a resume? Or do they call your employers?

    If they call your employers, I might have a problem because of a major falling out with one company. This company is very dishonest, and would lie to screw me over (they did in court anyhow, so I doubt it would stop there.)
    Taking:
    Network+ - 6May2011
    2011/2012 Goals:
    CCNA / CISSP
    Books & Videos:
    CBT Network+
  • ibcritn Member Posts: 340
    djyox wrote: »
    How do you prove your work experience? Do you just give them like a resume? Or do they call your employers?

    If they call your employers, I might have a problem because of a major falling out with one company. This company is very dishonest, and would lie to screw me over (they did in court anyhow, so I doubt it would stop there.)

    They can call employers, but no telling if they will or not. I think they are less likely if you have another person with CISSP sponsor you.
    CISSP | GCIH | CEH | CNDA | LPT | ECSA | CCENT | MCTS | A+ | Net+ | Sec+

    Next Up: Linux+/RHCSA, GCIA
  • djyox Member Posts: 21
    ibcritn wrote: »
    They can call employers, but no telling if they will or not. I think they are less likely if you have another person with CISSP sponsor you.
    Hmm, maybe I should have the military help me out there... I've got 3 years' experience from just the army, but I would need the last 2 from this crap box employer. The army always seems to get you whatever they think you need. Now I just got to sell it that I really need this cert... lol
    Taking:
    Network+ - 6May2011
    2011/2012 Goals:
    CCNA / CISSP
    Books & Videos:
    CBT Network+
  • [Deleted User] Member Posts: 0
    The user and all related content has been deleted.
  • Jedi_b Registered Users Posts: 2
    Hi All.

    Apologies if this has been asked before.

    I am a MCITP and MCSA with the security elective.

    I have worked in IT for 10 years, in no specific domain, as it were - I have experience in most if not all of the domains required, and I have someone (I think) who will certify my work who is already a CISSP.

    Is this all I require to book my exam?

    Sorry, and thanks in advance.
  • xenodamus Member Posts: 758
    There are no requirements to take the exam (except $$$). The requirements are for endorsement. Without the experience, a pass will make an "Associate of ISC2 for CISSP".

    It sounds like your experience should be fine, though.
    CISSP | CCNA:R&S/Security | MCSA 2003 | A+ S+ | VCP6-DTM | CCA-V CCP-V
  • Jedi_b Registered Users Posts: 2
    xenodamus wrote: »
    There are no requirements to take the exam (except $$$). The requirements are for endorsement. Without the experience, a pass will make an "Associate of ISC2 for CISSP".

    It sounds like your experience should be fine, though.

    Thanks - so if I have someone lined up willing to certify me, I can be a full CISSP and then book the exam?

    Without the certifiable knowledge, I will be an associate.

    Thanks again.
  • Kong239 Member Posts: 6
    How do they define physical security? I worked at a job for many years where part of my responsibility was to manage employees who handled the physical security of the building and what was inside. Would this count as years worked?
  • heterodyned Member Posts: 5
    Hey Folks!

    Is there any eligibility thread we could all concise our questions to? I would like to undertake the CISSP Exam sometime soon. I have been working as a System Administrator for about 3 years now (general responsibilities do cover monitoring for security threats/attacks etc. and remediation to an extent). I also have a Master's degree in Telecommunication (with a course in Network Security). Should this suffice for CISSP eligibility?
  • broli720 Member Posts: 394
    Just go on the ISC2 website and look up the details. Judging by what you said, you do qualify but you could have come to that conclusion if you put in a little effort and looked. Sorry if I sound kinda mean but the information is out there...
  • heterodyned Member Posts: 5
    Hmmmm.. As I saw mixed opinions on the endorsement process for CISSP, I had posted on this forum. Some of the folks mentioned that with 'System Administrator' profile, ISC can endorse you for an 'Associate level' not necessarily CISSP.