CISSP Cert a Stretch for IT Auditor?

CV33 · February 2016

Recently, I had decided that the CISSP was going to be my 4th certification. I was discussing that decision with a coworker who is a security practitioner and former IT Auditor.

He felt that it was a stretch for an IT Auditor to go after the CISSP; that is was almost unjustifiable. It confuses me that he would say that because of what I have read online.

Furthermore, I checked a Senior IT Auditor posting for Google and they mentioned CISA and CISSP.

With that said, any thoughts on whether CISSP is unjustifiable for an IT Auditor?

636-555-3226 · February 2016

Look at the CISSP prereqs. Do you meet them? If so, and you're interested, then it's a fit. Also, CISSP is fine for anybody involved in security, so nuts to your coworker, he's just jealous that you're smarter than him

E Double U · February 2016

He said it is a stretch, not impossible. He also said "almost" unjustifiable. The ISC2 requirements determines if you qualify for the exam, not public opinion.

"So you're telling me there's a chance." - Lloyd from Dumb & Dumber

soccarplayer29 · February 2016

Preface: I am a former IT auditor and now a security analyst and have passed both the CISA and CISSP exams.

Like others have said...it might be a stretch but definitely not impossible and the knowledge gained while studying for the CISSP will be extremely valuable to your role as an IT auditor.

I think the CISSP knowledge is very important for an IT auditor in that you'll be interviewing members of technical operations, networking, etc. teams and many of them might have CISSP and therefore you'll have some overlap in knowledge and terminology and be able to digest the information better.

tldr: Knowledge gained by studying for CISSP is valuable for IT auditors especially as they progress in their careers toward senior/management positions.

havoc64 · February 2016

I'd say if you have the background requirements that (ISC)2 dictates, then you are good. How about talking with a local CISSP, someone you might consider for endorsing you and see if they'd feel comfortable with endorsing you if you passed the exam.

Good Luck.

CV33 · February 2016

soccarplayer29 wrote: »

Preface: I am a former IT auditor and now a security analyst and have passed both the CISA and CISSP exams.

Like others have said...it might be a stretch but definitely not impossible and the knowledge gained while studying for the CISSP will be extremely valuable to your role as an IT auditor.

I think the CISSP knowledge is very important for an IT auditor in that you'll be interviewing members of technical operations, networking, etc. teams and many of them might have CISSP and therefore you'll have some overlap in knowledge and terminology and be able to digest the information better.

tldr: Knowledge gained by studying for CISSP is valuable for IT auditors especially as they progress in their careers toward senior/management positions.

That is much more in line with what I have heard outside of work which is why I had decided to take it on.

CV33 · February 2016

I have heard that the CISSP can be mindless memorization; is that true?

cyberguypr · February 2016

Can't be farther from the truth. Yes, you'll need to memorize some minor stuff, but the essence of the test is understanding the concepts and the domains. You will then need the ability to apply them to any given scenario in the test.

TankerT · February 2016

I know several auditors that have their CISSP in addition to the CISA. I would disagree completely with your coworker's assessment. I would think it is a career enhancer, and something to provide you with additional technical knowledge.

I would also agree with cyberguypr. The CISSP is NOT a mindless memorization. You may need to memorize a few things here and there, but most of it is your ability to understand and apply various concepts towards a security management question/scenario.

soccarplayer29 · February 2016

CV33 wrote: »

I have heard that the CISSP can be mindless memorization; is that true?

I wouldn't agree with that. Certainly some things like the ISO layers, terminology/abbreviations, etc. can be memorized. But the questions are difficult and require analysis and shouldn't be viewed as a memorization exam. You need to be well-versed in all domains (think the mile-wide and inch deep moto).

Flash card preparation for the CISSP exam will produce minimal results on the exam as that doesn't account for real-world implementations and scenarios which will be in nearly every exam question.

CV33 · February 2016

By mindless, I mean the questions would present a scenario where you would have to recall the most random facts "memorized" during your study
vs.
oh hey, memorize things and you will be okay.

cyberguypr · February 2016

To the OP's original question, do this: go to Indeed, run a search for IT Auditor. I'll save you some time: out of the first 10 hits at least 7 said "CISSP required or recommended". That is my non-scientific test to see what the market is looking for. Print screen and send to coworker. As stated above, if you satisfy the experience requirements, there's not way anyone can say it doesn't make sense. There's definitive value there.

colemic · February 2016

Like Soccarplayer29, I hold CISSP and CISA (and CISM and a bunch of others), and used to be an auditor.

Having said that, I can confidently say your coworker is full of poo.

Think about it - almost everyone agrees that CISSP is a generalized security certification, and which would you rather have auditing you - someone who can read from a script and panics when it is deviated from, or someone who has good foundational knowledge in a broad range of security concepts, and has the capacity to understand and make decisions and interpretations and assessments based on that knowledge, not a scripted workbook to complete...

Beyond that, almost every IT auditor I have seen, if they have CISA, they have CISSP. Have your coworker go look on the job boards for IT audit roles and count how many say 'CISSP not required' vs 'CISSP required' if they don't think it's beneficial and relevant.

edit: CYBER!Man beat me to it on the point about job postings.

Clm · February 2016

I'm sitting in a class right now for cissp and the instructor is a IT auditor and he loves It and he has been CISSP for the last 10 years. CISSP covers a lot and it till add to your resume.

User2097 · February 2016

Get the cert. It helps regardless. The difficulty of the exam will make other future exams easier, but it's due to your knowledge improving.

dusan985 · January 2018

I'm thinking about going for CISSP. I've been an IT Auditor for 6 years, and that's my only work experience. I'm CISA, CRISC, etc. In my career, I've done many audits which included information security in their scope. Does anybody know, would that work experience be enough to satisfy CISSP requirements?

CISSP Cert a Stretch for IT Auditor?

Comments