CISSP and work experience.

AlexGomez Member Posts: 6
Hi all,

I've a question regarding work experience and CISSP. I have a PhD in Cryptography and I've been working as an Identity Management consultant for the past 3 years. I'm thinking of doing the exam in Dec but I have a question regarding the work experience aspect.

During the course of my PhD, I worked in various cryptography-based projects where I was the main project officer. Would this count as work experience or would this be considered educational experience since I was doing my PhD at the time? I've posted the same question to the ISC2 guys but I haven't had a reply yet. Any insights or comments would be greatly welcome.



  • RTmarc Member Posts: 1,082
    It depends on whether you have experience in any other area of the CISSP CBK. It looks like you definitely have the experience in the Cryptography domain; however, if that is the only thing you have worked in - which I doubt - you will need to gain further experience. I, personally, don't see how you could work in the Cryptographic field without experience in the Telecommunications and Network Security domain; that is, unless you focused solely on the mathematics behind the algorithms.

    What else have you done that falls under the CBK?
  • AlexGomez Member Posts: 6
    I've been doing Identity Management stuff for the past 3 years so I deal a lot with Role Based Access Systems (RBAC). So that would fall under the category of Access Control. The nature of my work also means I deal quite a bit with system architectures as well.

    I've also worked quite a bit with WS-Security standards. I'm not entirely sure what category that would fall under but it's probably Application Security.

    So basically does it mean that I'm eligible to sit for the exam as long as I have working experience in 2 or more domains? And it doesn't matter if I gained that experience in a PhD context? Cheers.

  • RTmarc Member Posts: 1,082
    The actual requirement is 5 years of direct work experience in these domains; however, you are given a one year waiver for advanced degrees or an approved certification. My interpretation of the requirements is that work you have done in association with your degree does not count towards that 5 year (or 4 year in your case) requirement.

    I guess a good litmus test would be whether or not you were paid for your services with Cryptography or any of the experience you have. I tend to think that if you were paid for your time in relation to the CBK domains, it counts. Did that make sense? It sounds better in my head than on here.

    Can you post your resume?
  • AlexGomez Member Posts: 6
    Yes, I get what you mean. Well I was employed in the cryptography projects as a PhD student so I'm not sure what my status is! I did publish a few papers in Security conferences and journals but I'm not sure if this equates to actual working experience (although I did all the work).

    I suppose this is something for the ISC2 guys to sort out. Or I could just wait for another year and gain the 4 year direct work experience I need. The one reason I would like to get myself certified by Dec is because I'd be getting hitched next Feb and I doubt I'd have time to sit down and study! Doubt the missus will let me :).

    Thanks again for your very helpful insight. Cheers.

  • RTmarc Member Posts: 1,082
    Check out the Associate of ISC2 designation. It basically allows you to go ahead and sit the exam despite not having all of the direct experience. It allows for up to six years to gain the necessary experience, which you won't have a problem with from what you've stated.
  • AlexGomez Member Posts: 6
    Yes, that's probably what I'd have to do. Thanks again for everything!