
CISSP domain requirements for software developers

certtaker34 (Registered User, Posts: 4)
I have some general questions about CISSP experience requirements. I don't know any CISSPs and we do not have any at my current workplace, so here goes.

- I have a graduate degree in software engineering
- I have 4.5 years of software development experience over 3 companies. During these 4.5 years I also did some freelancing/independent contracting, which hopefully would count as part-time experience, if needed.
- My experience primarily spans defense applications and web sites, enterprise tools, mobile apps, and e-commerce web sites.

The CISSP experience requirements are here. Does anyone with a CISSP know if my experience qualifies for any two of the domains? Is there a way to know beforehand, prior to wasting time studying only to find out I don't meet the domain requirements?

Also somewhat related, how can I get someone to endorse me (assuming I pass the exam)? Can I just convince any ole random person on LinkedIn? Is this such a big deal for the endorser as to make people not want to do it? How would this process go normally? Just tell them your experience or resume or ???

Comments

  • emerald_octane (Member, Posts: 613)
    I'm not an expert on all the information so I'll leave that stuff alone, but for what it's worth, you can take the CISSP exam for the Associate of ISC2 designation (as I have), which has no experience requirements and affords you six years to get the required experience.

    Point is, don't bother putting off your studies while trying to figure out if you have enough experience, because you have plenty of time to get it. I know your full-time experience will count for something, but your part-time experience won't.
  • beads (Member, Posts: 1,531)
    You need five years in at least two domains to qualify for the CISSP. Sounds like you have a good initial background in at least one domain. Question is what is your second domain and will you also have the five years to sit for the exam in six months? Lots to choose from, here.

    - beads
  • JDMurray (Admin, Posts: 13,031)
    Your degree will knock one year off the professional experience requirements, as would having any one of a couple of dozen different certifications.

    Your professional work experience must be directly related to Information Security work. Just being a software engineer--even if working on security-centric software--won't qualify. I had this problem too. Most of my two decades of professional software development experience alone would not count towards any (ISC)2 cert, even the CSSLP. I had to pull in other security work I had done in IT to qualify.

    As emerald_octane points out, you (or anyone) can take the CISSP exam at any time and become an Associate of the (ISC)2. You would then be given six years to acquire the professional InfoSec work experience to become fully CISSP-certified.
  • certtaker34 (Registered User, Posts: 4)
    Seems like some think having software dev experience = the domain software dev security, and others do not. Is it normal to email ISC2 beforehand and ask them?

    Is the five years of experience cumulative, or does it have to be five years each in two separate domains? For instance, does 4 years in domain A and 1 year in domain B count as 5 years experience, or do I need 5+5?
  • JDMurray (Admin, Posts: 13,031)
    It's (at least) four years (plus a degree) of verifiable work experience on your resume that covers (at least) two domains. Split it up any way you like, but the time-length requirement is the same.

    And when I last spoke to the (ISC)2 about it, just writing software--even security software--did not count as information security work. And I have to agree with them. I've written a lot of security-oriented software, and those projects were 99% software engineering and <1% security engineering.
  • certtaker34 (Registered User, Posts: 4)
    JDMurray wrote:
    It's (at least) four years (plus a degree) of verifiable work experience on your resume that covers (at least) two domains. Split it up any way you like, but the time-length requirement is the same.

    And when I last spoke to the (ISC)2 about it, just writing software--even security software--did not count as information security work. And I have to agree with them. I've written a lot of security-oriented software, and those projects were 99% software engineering and <1% security engineering.

    So I contacted ISC2 about this and they said it is entirely up to the person endorsing you, not ISC2. They said the endorser does "a 20-minute interview, in which the member will ask you about your background and afterwards will decide whether or not to endorse".

    I think that sounds right, imo, because from what I can tell, except for auditing, ISC2 has nothing to do with the verification of the experience and only deals with issuing the certificate based on exam results (just like most certification companies). Anyway, regardless, I just need to find an endorser other than JDMurray. ;-] I've also seen several blogs where people are "network engineers" who have taken the certification because they have "network security" experience from performing their normal job duties.
  • JDMurray (Admin, Posts: 13,031)
    When I endorse someone, I usually have lunch with them and we end up talking for an hour or so about everything they've done in InfoSec. If they have the experience, a candidate can talk about InfoSec like it's sports. They could just talk for hours about operations and incidents, and research, and projects and such. Before our meeting, I look over their resume and check references and do some Googling. I usually know the person beforehand too.

    The (ISC)2 used to do this for every certification candidate. They created the endorser program to help speed things up by moving the vetting out of their offices and into the membership. This has been the standard policy for years now, so I assume it is working satisfactorily.