New Requirements for CISSP.

keatronkeatron Member Posts: 1,213 ■■■■■■□□□□
Dear (ISC)2 Member,

The (ISC)2 board of directors has approved new experience requirements for the CISSP certification, effective 1 October, 2007. While these changes will not affect current holders of the CISSP or those scheduled to take the exam by 30 September 2007, we wanted you to be aware of them.

It is the responsibility of the (ISC)2 board of directors to continually review the entire spectrum of the consortium’s education and certification programs to ensure that (ISC)2 continues to provide the "gold standard" of professional certification in the information security industry. The board believes these new requirements will assure organizations worldwide that CISSPs have demonstrated they can meet the challenges of an ever-increasing threat environment, while you as an (ISC)2 member can be assured that the rigorous standards of the CISSP are being maintained in a maturing profession.

The new requirements include the following components:
  • The minimum professional experience requirement for CISSP certification will be 5 years of relevant work experience in two or more of the 10 domains of the CISSP CBK, or four years of work experience with an applicable college degree or a credential from the (ISC)2-approved list. The current requirements for the CISSP call for four years of work experience in one or more of the 10 domains of the CISSP CBK, or three years of experience with an applicable college degree or a credential from the (ISC)2-approved list.
  • Candidates for any (ISC)2 credential will be required to obtain an endorsement of their candidature exclusively from an (ISC)2-certified professional in good standing. The professional endorsing the candidate can hold any (ISC)2 certification – CISSP, SSCP or CAP. Currently, candidates can be endorsed by an officer from the candidate’s organization if no CISSP endorsement can be obtained. The board believes that only an (ISC)2-credentialed professional bound by its Code of Ethics should provide a candidate endorsement.
«134

Comments

  • WebmasterWebmaster Admin Posts: 10,292 Admin
    When I noticed the topic I was expecting (secretly hoping) the opposite, but 'that' of course wouldn't be fair to current CISSPs. icon_wink.gif
    keatron wrote:
    or a credential from the (ISC)2-approved list
    Is that a publicly available list?

    I think the second change shouldn't be a problem for most candidates. Besides protecting the value of the certification, it encourages candidates to network to both 'offline' (conferences) and online.

    I can imagine some people won't be happy with this news, but all-in-all I think it's good for the CISSP (and hence also those who want to and will become one in the future).
  • drakhan2002drakhan2002 Member Posts: 111
    Webmaster wrote:
    Is that a publicly available list?

    Yes. It is listed on the ISC2 web site.
    It's not the moments of pleasure, it's the hours of pursuit...
  • JDMurrayJDMurray Admin Posts: 13,021 Admin
    I was under the impression that an (ISC)2-certified sponsor was already required in order to become CISSP-certified.

    In any case, I think the new changes in the requirements will have a beneficial effect on the credibility of the CISSP certification.
  • pr3d4t0rpr3d4t0r Member Posts: 173
    I knew that this was going to happen...

    My CEO is one of the persons who approve the questions for the exam. Actually he gave the idea for these new requirements last year icon_lol.gif
  • SlowhandSlowhand Mod Posts: 5,161 Mod
    It's good to see a set date, finally. I talked to the booth-rep from (ISC)2 at the RSA conference this year, and I she was telling me about these new requirements for the CISSP. I spent quite a good deal of time at the booth actually, but I couldn't get a date, (nor could I get a timeframe for the new requirements becoming active. icon_cool.gif )

    Free Microsoft Training: Microsoft Learn
    Free PowerShell Resources: Top PowerShell Blogs
    Free DevOps/Azure Resources: Visual Studio Dev Essentials

    Let it never be said that I didn't do the very least I could do.
  • silentc1015silentc1015 Member Posts: 128
    I'm glad I already have my CISSP. The second change would have been a problem for me. My career has been fairly short and at small companies, so, I don't know any CISSP's well enough for them to feel comfortable endorsing me.
  • WebmasterWebmaster Admin Posts: 10,292 Admin
    Keatron [or anyone else of course] do you think this will make the Associate option more popular?

    For example, those who are close to meeting the old requirements, could go for the Associate CISSP exam, and then still get the certification in a year. (and years seems to fly by as fast as weeks these days). I was thinking this may be a good idea for those who are currently actually preparing for this exam (but haven't scheduled to take it before the end of September).
  • darkuserdarkuser Member Posts: 620 ■■■□□□□□□□
    maybe that's what their going for ... a certification path ...being a sscp first gaining experience
    then you're "ready" for cissp.

    kurt
    #30711
    rm -rf /
  • keatronkeatron Member Posts: 1,213 ■■■■■■□□□□
    Webmaster wrote:
    Keatron [or anyone else of course] do you think this will make the Associate option more popular?

    For example, those who are close to meeting the old requirements, could go for the Associate CISSP exam, and then still get the certification in a year. (and years seems to fly by as fast as weeks these days). I was thinking this may be a good idea for those who are currently actually preparing for this exam (but haven't scheduled to take it before the end of September).

    I think it will.
  • silentc1015silentc1015 Member Posts: 128
    darkuser wrote:
    maybe that's what their going for ... a certification path ...being a sscp first gaining experience
    then you're "ready" for cissp.

    kurt
    #30711

    I'm not a big fan of some certification paths. If the certification path allows to you become more specialized in a particular area, that's one thing. But if you have to take a bunch of entry level certs, then imtermediate certs, and so on until you get to the end, I think that's a waste of time and money. What about someone who already has the experience? It's a huge waste of time to go through trivial certifications that you are overqualified for, just to get the one you need or want.
  • keatronkeatron Member Posts: 1,213 ■■■■■■□□□□
    darkuser wrote:
    maybe that's what their going for ... a certification path ...being a sscp first gaining experience
    then you're "ready" for cissp.

    kurt
    #30711

    I'm not a big fan of some certification paths. If the certification path allows to you become more specialized in a particular area, that's one thing. But if you have to take a bunch of entry level certs, then imtermediate certs, and so on until you get to the end, I think that's a waste of time and money. What about someone who already has the experience? It's a huge waste of time to go through trivial certifications that you are overqualified for, just to get the one you need or want.

    If someone already has the experience, then they probably would go straight for the CISSP.
  • silentc1015silentc1015 Member Posts: 128
    keatron wrote:
    darkuser wrote:
    maybe that's what their going for ... a certification path ...being a sscp first gaining experience
    then you're "ready" for cissp.

    kurt
    #30711

    I'm not a big fan of some certification paths. If the certification path allows to you become more specialized in a particular area, that's one thing. But if you have to take a bunch of entry level certs, then imtermediate certs, and so on until you get to the end, I think that's a waste of time and money. What about someone who already has the experience? It's a huge waste of time to go through trivial certifications that you are overqualified for, just to get the one you need or want.

    If someone already has the experience, then they probably would go straight for the CISSP.

    I'm glad you currently can. I was just making the comment that I wouldn't want to see a situation where you're forced to start on a certification path at the very beginning regardless of your circumstances.
  • SlowhandSlowhand Mod Posts: 5,161 Mod
    I'm glad you currently can. I was just making the comment that I wouldn't want to see a situation where you're forced to start on a certification path at the very beginning regardless of your circumstances.

    I don't know how much of a problem it really is. If you're that experienced, then knocking out the entry and mid-level certs shouldn't be a problem. In a lot of cases, especially with high-level certs like CISSP, the company you work for will be the one footing the bill for the exams so you wouldn't really be shelling out the money yourself, and the time would be minimal. If you're doing it on your own, without any company or organization taking care of the exam costs for you, then you'll just have to bite the bullet and take the exams.

    A lot of companies don't force you to go that path, (like Cisco and (ISC)2, for example,) where you have to take entry-level certs and mid-level certs before you can touch the high-level stuff, but I can't really agree that it's only a waste to have to go through due process. It'd be like saying "I'm a good programmer, why can't MIT just have me take a test and then give me a degree?"

    Free Microsoft Training: Microsoft Learn
    Free PowerShell Resources: Top PowerShell Blogs
    Free DevOps/Azure Resources: Visual Studio Dev Essentials

    Let it never be said that I didn't do the very least I could do.
  • AhriakinAhriakin Member Posts: 1,799 ■■■■■■■■□□
    The second requirement should come with a procedure for opting for an interview (paid by the applicant) aswell as the previous allowance for an officer at your company to recommend you. The new requirements will essentially turn this into a private club more than a valid and open certification that accurately reflects your skills. Personally I neither work with or know any CISSPs, it's a small town - does this mean I lack the experience or skills necessary to gain certification, nope. And encouraging networking is one thing but mandating it as part of a technical certification is just pretentious bs imho. I was thinking of going for this over the summer and could do it before the new conditions but to be honest if the certification body is taking this kind of action I have no interest in being part of it. I'm a Network Admin/Engineer/Security geek, it should only be about what I know not who.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • JDMurrayJDMurray Admin Posts: 13,021 Admin
    Ahriakin wrote:
    Personally I neither work with or know any CISSPs, it's a small town - does this mean I lack the experience or skills necessary to gain certification, nope. And encouraging networking is one thing but mandating it as part of a technical certification is just pretentious bs imho.
    I also do not work with any CISSP-certified people. In order to develop face-to-face networking contacts in the InfoSec community, I joined my local chapter of ISSA (Information Systems Security Association). One day each month I drive to "the big city" and spend two-hours at lunchtime listening to presentations and eating lunch and chatting with a room filled with local CISSP, CISM, CISA, and CCIE-certified people and some government and law enforcement types too. Most people also belong to more than one type of InfoSec organization, and I've been able to see the difference in personalities between the auditors, sysadmins, physical security, investigators, and forensics and pen testers. This experience is more than worth the annual membership fee to me.

    Career networking is not something that you need to pursue 24/7, but it is definitely worth a few hours a month to force yourself to be social and build face-to-face relationships with people in your profession. Web sites like LinkedIn and TechExams are great for career networking, but they can only do so much for you. For information security professionals to be effective, they must be social within the InfoSec community itself.
  • AhriakinAhriakin Member Posts: 1,799 ■■■■■■■■□□
    JDMurray wrote:
    For information security professionals to be effective, they must be social within the InfoSec community itself.

    But....you all suck.... :D (joke in case that isn't obvious).

    I just don't like a social aspect being assigned as a criteria (a recommendation is fine) for a technical certification, it weakens it imho.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • sprkymrksprkymrk Member Posts: 4,884 ■■■□□□□□□□
    I think Ahriakin has a good point with the "private club" comment. That could cause the certification to stagnate into a "good 'ol boy" priveledge where your brother, father, uncle or best friend has to get you in.

    I'd like to hear more pros and cons on this new requirement.
    All things are possible, only believe.
  • keatronkeatron Member Posts: 1,213 ■■■■■■□□□□
    Well..There's always pros and cons to anything. There were pros and cons to having it the other way (practically anybody could endorse if they were important in your company). Obviously this has been discussed and weighed 20 ways from north before a final decision was made. JD raises a good point. There's no better way to get to know CISSP's and gain the trust of existing CISSP's than to participate in conferences, forums, workshops, etc. Besides, once you become a CISSP you'll HAVE to do these things to keep the certification anyway, so you might as well get into the practice. Part of the strategy is to get potential candidates to be ACTIVE in the security community (which again, is a plus for the industry and for the individual).

    It wasn't that long ago that people who weren't heavily involved in security or at least did it for living, didn't even know what a CISSP was. So if the truth be told, the industry and the CISSP certification has always been kinda fraternal-like. The CISSP is not like the typical MS or CompTIA cert where you simply study, pass the test and have it for life. It requires you to be in the industry and be involved in the industry to get it, and be involved in the industry to keep it. Personally, I can't see how that devalues it in anyway. And I think I've already addressed the "brother endorsing brother" phenomenon by stating the serious risk of losing your own cert by endorsing someone who does not meet the criteria (i.e, can't pass the audit).
  • JDMurrayJDMurray Admin Posts: 13,021 Admin
    sprkymrk wrote:
    I think Ahriakin has a good point with the "private club" comment. That could cause the certification to stagnate into a "good 'ol boy" priveledge where your brother, father, uncle or best friend has to get you in.
    I don't think clubs like the Elks, Kiwanis, Rotary, and Masons have "stagnated" by being fraternal and somewhat exclusive. That's one way they provide quality control for their membership and organization. Besides, with 45,000+ CISSPs worldwide in 70 countries it's not likely that nepotism will be the rule of the "CISSP secret society" anytime soon. icon_wink.gif
  • milliampmilliamp Member Posts: 135
    Sometimes "being involved with the security community" only equates to having bias.
  • JDMurrayJDMurray Admin Posts: 13,021 Admin
    milliamp wrote:
    The security industry is political and bias enough already, now subscribing to the leading party is a prerequisite.
    There is no requirement to get a CISSP certification in order to be a member of the security community. The (ISC)2 is a private organization that by no means controls all aspects of information security on this planet. If you don't like their rules then you are by no means obligated to follow them. And I don't see how you liken the marketing of computer security products to the changes in the requirements for the CISSP certification.
  • milliampmilliamp Member Posts: 135
    JDMurray wrote:
    The (ISC)2 is a private organization that by no means controls all aspects of information security on this planet....And I don't see how you liken the marketing of computer security products to the changes in the requirements for the CISSP certification.

    Don't pretend you missed my points, you didn't.

    All I am saying is that the "networking" requirement with other CISSP's does not necessarily make you a better security professional. It may only accomplish more bias.

    The other point was given as an example to point out that bias is not currently in short supply.
  • sprkymrksprkymrk Member Posts: 4,884 ■■■□□□□□□□
    keatron wrote:
    And I think I've already addressed the "brother endorsing brother" phenomenon by stating the serious risk of losing your own cert by endorsing someone who does not meet the criteria (i.e, can't pass the audit).

    Which begs the question - why does it need to be another ISC2 member to endorse you? An audit is an audit, period. If someone can pass the audit, pass the exam, and agrees to adhere to the code of ethics, why should he be denied certification for not knowing another CISSP that is willing to endorse him?
    JDMurray wrote:
    Besides, with 45,000+ CISSPs worldwide in 70 countries it's not likely that nepotism will be the rule of the "CISSP secret society" anytime soon.

    While that looks like an impressive number JD, the fact is that most of us don't know a CISSP well enough for him/her to endorse us. I only know 1 myself (the best one - Keatron) and honestly he has no real idea what I do on a daily basis for him to risk endorsing me were I to even ask (which I am not BTW icon_wink.gif ). I do attend several security related training events and/or conferences every year across the country including SANS, Symantec Training, DefCon, DoD Cyber Crime, etc. but I don't have any CISSP associates.

    While I didn't have any immediate plans on pursuing CISSP, I just think that the exclusiveness might not be a good idea, nor do I think it will serve to strengthen the reputation or integrity of the certification. I just don't see how it can. If people were failing their audits, then the audit requirement was obviously successful in weeding out those who didn't meet the standards. I see this new endorsement policy as a way only to reduce the number of applicants, but not actually raising any standards of skill or professionalism.
    All things are possible, only believe.
  • AhriakinAhriakin Member Posts: 1,799 ■■■■■■■■□□
    It's really a question of intent vs. human nature. The intent (I hope) is to ensure that those who are accredited have someone of known good standing attest to their character and suitability. It's kind of a PKI of professional attitude and aptitude, previously Managers and existing CISSPs were trusted CAs, come October it's only the latter. But PKI works because there are a number of competitive trusted organisations out there that provide ready access to those who are willing to go through the expense and steps necessary to prove their identity, how different would it be if Microsoft changed windows to only Trust their own CAs? Okay stretching the metaphor a bit but you get the picture.

    Sprkymrk made a point I was going to in that how can an existing CISSP you don't necessarily have regular contact with possibly know your or your work better than than your Manager? ISC are basically saying they no longer trust the people who employ you (rely on and pay good money for you) and place more trust in a member with whom (as JD pointed out) you may just have conversations/share meeting space with 1-2 hours a month.
    So, if all goes to plan the existing CISSPs will be very careful about who they endorse. How many companies will have multiple CISSPs on staff full time, i.e. how many will get the kind of exposure to a candidate's work that this ideal caution should demand? In lieu of that the vast majority will either refuse to endorse a candidate based on lack of knowledge (as they are supposed to do) or human nature being what it is be eager enough to please or fit in that they endorse someone based on their popularity - say what you like but that IS the nature of the beast and the single greatest flaw in a system like this.

    In short a great deal of perceived value is placed on the exclusivity of a certification. These changes move that exclusivity from being technical to socially bound (and being lucky enough to have regular contact with a CISSP, not easy when there isn't a single chapter of any professional IS organisation in your entire state...yes you could start one but who has the time when you're meant to be studying in your spare time). It's kind've like going to college, acing your exams but not being granted your full degree until you successfully rush a fraternity and get their approval.
    On the other side it will increase the prevalance of CISSP 'shops' of consultancy firms where part of your job will be approving candidates your company has hired and paid a lot of money to train (and you know that will happen, business is business). The CISSP community will become inbred and stagnant over time - again I'm looking at human nature, you can't just posit from the ideal.

    I was planning to do the CISSP this summer before moving on to the CCIE Sec., I have the experience/accepted certs/management approval and ability (from what I've seen of the material) to get it done in the next few months). But now I won't. IMHO, the direction they are taking will devalue the cert. to the point where it's not worth the time for me.

    Anyway, it's a good argument and no matter what I've said I respect the opinions raised so far in support of the policy, I just wholeheartedly disagree. I haven't missed your points about being active in the IS community and I commend it. I'm not a mushroom, I do actually like communicating and recognize it's value. It definitely helps you as a professional in expanding your knowledge and the opportunities that will be presented by those you get to know - but that ineraction does not define or reflect your capabilities and should not be an unavoidable criteria.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • AhriakinAhriakin Member Posts: 1,799 ■■■■■■■■□□
    JDMurray wrote:
    sprkymrk wrote:
    I think Ahriakin has a good point with the "private club" comment. That could cause the certification to stagnate into a "good 'ol boy" priveledge where your brother, father, uncle or best friend has to get you in.
    I don't think clubs like the Elks, Kiwanis, Rotary, and Masons have "stagnated" by being fraternal and somewhat exclusive. That's one way they provide quality control for their membership and organization. Besides, with 45,000+ CISSPs worldwide in 70 countries it's not likely that nepotism will be the rule of the "CISSP secret society" anytime soon. icon_wink.gif

    I guess here's my fundamental problem. There is a whole 'fraternity' mentality in the states that either doesn't exist or has minimal influence (depending on the nature of the club/fraternity) just about anywhere else in the world. And as you stated the CISSP is worldwide....
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • JDMurrayJDMurray Admin Posts: 13,021 Admin
    Ahriakin wrote:
    There is a whole 'fraternity' mentality in the states that either doesn't exist or has minimal influence (depending on the nature of the club/fraternity) just about anywhere else in the world.
    The "fraternity mentality" in the USA was inherited from our ancestral ties with Britain and Western Europe. If you look closely, you will see that in every society in the world--in every government, in every church, in every militia, and in every township--there are fraternal brotherhoods of one sort or another. It's a very normal and human condition that--like anything else--can be used for great good or for great evil.

    If this sort of realization weirds-you-out, try not to read any news articles with the word "Bilderberg" in the title. icon_eek.gif
  • keatronkeatron Member Posts: 1,213 ■■■■■■□□□□
    milliamp wrote:
    Sometimes "being involved with the security community" only equates to having bias.

    Example someone says to you "I need a security solution to do X and X, what should I do?"

    You being "involved" now have a CISSP friend that works for a company that sells a product to do exactly that. Which product do you recommend?

    Obviously you /should/ recommend the best product for the job, but is this what actually happens? No, especially if said CISSP endorsed you so that you could sit the exam. It becomes a game of "I scratch your back, you scratch mine".

    Look also at how most security products for Windows are scareware, they seem more concerned with scaring the user into spending more money than educating them to make more informed choices in the future. The same concepts apply elsewhere too. What else do you expect when you enlist the help of a company that profits on fear?

    The security industry is political and bias enough already, now subscribing to the leading party is a prerequisite.

    There are always what if's. And it would be naive to think this doesn't already happen in every arena of business. You're not describing a CISSP problem, you're describing a general concept and general business problem. You're basically giving a "what if" scenario of something that can't be controlled by ISC2 or any CISSP.
  • keatronkeatron Member Posts: 1,213 ■■■■■■□□□□
    What I find strange is that in any other conversation other than this one, most people in IT make the claim that their upper management "does not understand their work" and "has no idea what they do", but then when it comes to this we're supposed to believe the opposite? I'm not so sure about that especially considering our audits have in large proved it to be more true than not true (at least concerning people going for the CISSP).

    Trying to make a comparison between this and a frat rush being a requirement to get a college degree makes no sense to me. I'm a member of a fraternity, I am a college graduate, and I am a CISSP and I don't see any connection between the three (at least in the context that you're attempting to make one in) It is simply a move to try and maintain integrity. MCSE, and MCSD, MCT was once the top Microsoft certifications. The world got flooded with paper MCSE's. The top cert is now MCA and you will certainly get to know one before you obtain this certication. You will go through interviews, and to top it off, you will spend a LOT of money. And again, I think the primary motivations were to maintain integrity at the top. I know there are a lot of people here who think that was strictly a money move, but I'm not 100% convinced of that. I'm convinced that if ISC2 had made a move like that, then the same people would be saying it's a money move. If anything, this takes money out of their pockets (ISC2).

    Don't be surprised to see a CISSP mentorship program kicking off where you apply, are introduced to a CISSP in your general neck of the woods, meet with him on somewhat of a regular basis (in a group setting) and be "under his wing" for a certain amount of time, maybe take a class (or something like a class), do a few real world assignments over a period of time, then be cleared to sit the exam and obtain the certication via that mentorship. (Don't forget you heard it here first icon_wink.gif ). I've already proposed it (yesterday) and submitted a rough draft of the program. I agree 100% that anybody who wants to earn the certification and willing to put the work in to get it should be allowed to do that, but having anyone who holds an important title in a company be the person attesting to the experience was never the best policy in my opinion.

    The anology that because someone pays you a lot of money means they can attest to your security experience is flawed as well. Again, a big salary does not mean you have a clue about any one of the 10 domains of the CISSP.

    I certainly and respectfully appreciate all the comments for and against and I truely hope you guys keep them coming. I can promise you that people at the very top of the CISSP chain will get to read these posts and hear directly from my mouth your concerns. Please continue to express how you feel about this decision, negative or positive.

    Keatron.
  • sprkymrksprkymrk Member Posts: 4,884 ■■■□□□□□□□
    Keatron - I really appreciate the heads-up and comments you provide. Thank you.

    I guess my main question is this:

    With the current audit process in place and apparently working, why is there a need for the change in policy?
    All things are possible, only believe.
  • keatronkeatron Member Posts: 1,213 ■■■■■■□□□□
    sprkymrk wrote:
    Keatron - I really appreciate the heads-up and comments you provide. Thank you.

    I guess my main question is this:

    With the current audit process in place and apparently working, why is there a need for the change in policy?

    The problem is the fact that they're not sure it is even working. Because not everybody is audited. So one of the biggest concern was this; If so many people who were randomly audited failed the audit misearbly, then there's concern about the much larger percentage who didn't get audited. So yes the audit process is working, it's working so well that it's showing some serious problems with honesty and integrity in some regards. So as a result of the audit process being successful, moves were made to address these serious issues. So the audit process itself is not changing, just the requirements to even get to the audit point in the first place is changing.
This discussion has been closed.