New Requirements for CISSP.

Dear (ISC)2 Member,

The (ISC)2 board of directors has approved new experience requirements for the CISSP certification, effective 1 October, 2007. While these changes will not affect current holders of the CISSP or those scheduled to take the exam by 30 September 2007, we wanted you to be aware of them.

It is the responsibility of the (ISC)2 board of directors to continually review the entire spectrum of the consortium’s education and certification programs to ensure that (ISC)2 continues to provide the "gold standard" of professional certification in the information security industry. The board believes these new requirements will assure organizations worldwide that CISSPs have demonstrated they can meet the challenges of an ever-increasing threat environment, while you as an (ISC)2 member can be assured that the rigorous standards of the CISSP are being maintained in a maturing profession.

The new requirements include the following components:

The minimum professional experience requirement for CISSP certification will be 5 years of relevant work experience in two or more of the 10 domains of the CISSP CBK, or four years of work experience with an applicable college degree or a credential from the (ISC)2-approved list. The current requirements for the CISSP call for four years of work experience in one or more of the 10 domains of the CISSP CBK, or three years of experience with an applicable college degree or a credential from the (ISC)2-approved list.
Candidates for any (ISC)2 credential will be required to obtain an endorsement of their candidature exclusively from an (ISC)2-certified professional in good standing. The professional endorsing the candidate can hold any (ISC)2 certification – CISSP, SSCP or CAP. Currently, candidates can be endorsed by an officer from the candidate’s organization if no CISSP endorsement can be obtained. The board believes that only an (ISC)2-credentialed professional bound by its Code of Ethics should provide a candidate endorsement.

Find more posts tagged with

Comments

sprkymrk

Any word on the % of test passers that were audited? I understand if that's proprietary information.

Would making the audit process mandatory rather than random be a viable solution? Rather than create a work overload, maybe there is a way that current CISSP's in good standing could be required to help in the audit process, like maybe once a year or whatever? Create a documented guideline for the audit process, a check list, and maybe a 1 day seminar or online CBT on how to perform a simple audit of this nature? Then if the CISSP that performed the audit has any doubts he can flag that applicant for the ISC2 board (or whomever) to review and make the final call.

That way everyone gets audited, applicants know they WILL be audited and are less likely to fudge their experience, the questionable ones are brought to the attention of the board members, and the board members only have to deal with a small number of candidates and those are likely the ones that need to be checked anyway rather than a random sample.

I think that those who hold a CISSP are intelligent enough to learn how to perform a simple (as opposed to extensive) audit of someone's claimed experience and wouldn't have to devote a large amount of time to be required to do this once a year or so.

JDMurray

sprkymrk wrote:

Rather than create a work overload, maybe there is a way that current CISSP's in good standing could be required to help in the audit process, like maybe once a year or whatever?

This would be a violation of privacy. Getting a CISSP doesn't mean that you work for the (ISC)2. Although CISSP-certification requires being bound by the (ISC)2 code of ethics, such a person would have no legal liability to maintain the confidentiality of private information in the CISSP audit materials. I'd prefer that one day my CISSP audit be performed by someone professionally employed by the (ISC)2 whose is both ethically and legally bound to keep my private information under strict control.

But, with your statement about the capacity of the (ISC)2 to perform audits, I think you hit the nail on the head. With thousands of CISSP exams being passed every year, and that number growing, the (ISC)2 may have been gradually reducing the percentage of candidates audited to keep its costs down. Opening up the CISSP worldwide also added problems in performing a thorough audit of a person originating/residing/working in a foreign county. Some additional method(s) of insuring candidate quality were certainly needed, and tasking its CISSP-certified members to provide an additional level of control is a clever way to do it..

sprkymrk

JDMurray wrote:

sprkymrk wrote:

Rather than create a work overload, maybe there is a way that current CISSP's in good standing could be required to help in the audit process, like maybe once a year or whatever?

This would be a violation of privacy.

Not if a candidate had to agree to his information being disclosed to another member for the purpose of the audit. I doubt any more information would need to be provided than when one posts a resume on monster or dice, and not many people seem to have a problem with that. With the information provided in a standard resume a current CISSP could contact the applicant for a short interview, his current/past employer to see what kind of job responsibilities and tasks(with examples) were performed. This kind of information is hardly an invasion of privacy.

JDMurray wrote:

Some additional method(s) of insuring candidate quality were certainly needed, and tasking its CISSP-certified members to provide an additional level of control is a clever way to do it..

In what way? Control, yes. Quality, not necessarily.

JDMurray

sprkymrk wrote:

This kind of information is hardly an invasion of privacy.

It would depend on what kind of information is necessary for the CISSP audit, and that I do not know. I would assume that it's more than just what information is on a typical resume.

sprkymrk wrote:

JDMurray wrote:

Some additional method(s) of insuring candidate quality were certainly needed, and tasking its CISSP-certified members to provide an additional level of control is a clever way to do it..

In what way? Control, yes. Quality, not necessarily.

In requiring that a CISSP candidate be endorsed by a certified CISSP, the CISSP would likely perform their own pre-audit of the candidate. As keatron pointed out, if the name of a CISSP whose candidate fails an audit were to be published, it is likely that CISSP would performed their own audit to make sure that the candidate is legit before they submit their application to the CISSP. This is how CISSPs can help audit candidates without receiving any private candidate information from the (ISC)2. I think it's a very clever way to add an additional layer of control. Quality gained is by not adding another ill-qualified person to the ranks of the CISSP.

sprkymrk

JDMurray wrote:

sprkymrk wrote:

This kind of information is hardly an invasion of privacy.

It would depend on what kind of information is necessary for the CISSP audit, and that I do not know. I would assume that it's more than just what information is on a typical resume.

I don't know either, but I can't imagine what kind of information would be needed outside of an employment record. You don't need the candidates home address, home phone, spouse name, mother's maiden name, hobbies, surfing habits, or bank accounts.

JDMurray wrote:

In requiring that a CISSP candidate be endorsed by a certified CISSP, the CISSP would likely perform their own pre-audit of the candidate.

I fail to see the difference then, except that a candidate would get to choose which CISSP to whom he wishes to disclose his work history. So in many cases it will still be a crap-shoot. Using myself for an example, I would have to seek out and find a stranger that holds a CISSP, develop some sort of working/mentoring relationship with him (which in itself could be difficult since you are imposing on his time and good nature), then somehow prove myself and my work background, then hope he trusts me enough to stick his own reputation on the line to sponsor me.

JDMurray wrote:

I think it's a very clever way to add an additional layer of control.

Although I do have the utmost respect for you

, I have to respectfully disagree this time. And unfortunately, it will likely take at least a couple of years to see if this was a wise decision or not.

keatron

People are extremely sensative to the word "privacy" these days. So yes, I think there would be an outcry concerning your proposal Mark.

sprkymrk

keatron wrote:

People are extremely sensative to the word "privacy" these days. So yes, I think there would be an outcry concerning your proposal Mark.

You and JD are probably right.

But two things I am pretty sure I'll be right about are:

1. The CISSP will drop in popularity - that's neither good nor bad, just something I see happening.

2. The pool of candidates from which new CISSP's emerge will become more condensed, less dynamic, and not as diverse as it is now. The requirement to have an existing CISSP sponsor you, and the potential for a good-standing CISSP to lose his own cert if he vouches for someone he is not 100% sure is qualified will tend to make the candidates all come from companies that currently employ CISSP's.

CISSP's should not exist in isolation or in a vacuum. I don't need to BE a teacher to recognize a good one when I see one. I don't need to BE a good leader to be able to elect one. Neither do I think it should take a CISSP to open the door for the next one.

I hope I'm not offending either of my esteemed and respected senior moderators by my comments, but...

Keatron wrote:

Please continue to express how you feel about this decision, negative or positive.

milliamp

What qualifications is a candidate required to meet before Joe CISSP should be willing to grant him an endorsement?

JDMurray

milliamp wrote:

What qualifications is a candidate required to meet before Joe CISSP should be willing to grant him an endorsement?

Is this just "this guy knows his stuff", or is it also "I believe this guy has 5 years of relevant experience"?

If I were a CISSP and someone asked me for an endorsement, I would make sure that he meets the posted (ISC)2 requirements and qualifications for CISSP before I signed any of his/her paperwork. If the candidate ended up failing the audit, I would approach the (ISC)2 as his/her advocate and try to determine exactly what aspect of the candidate's credentials was rejected. And because the CISSP sponsor's reputation is on the line, I assume that there's an appeals process.

This brings up a good point: what's the benefit for a CISSP to be a sponsor for a CISSP candidate? I understand the punishment factor for recommending a candidate that fails the audit, but what's the reward for one who passes?

garv221

WOW, where the hell have I been? The CISSP is now created by its cult following members like "B" rated horror flicks. I do not know one CISSP (exception: keatron the best CISSP) so I am now forced with a decision to either cram this exam and jeopardize possible long term memory of information to merely pass the exam before Oct 1st or finish studying the exam at normal pace and jeopardize actualy obtaining the certification for lack of knowing a real world CISSP? A pass is a pass right? Or is it?

mengo17

garv221 wrote:

WOW, where the hell have I been? The CISSP is now created by its cult following members like "B" rated horror flicks. I do not know one CISSP (exception: keatron the best CISSP) so I am now forced with a decision to either cram this exam and jeopardize possible long term memory of information to merely pass the exam before Oct 1st or finish studying the exam at normal pace and jeopardize actualy obtaining the certification for lack of knowing a real world CISSP? A pass is a pass right? Or is it?

Endorsement
Once a candidate has been notified they have successfully passed the CISSP examination, he or she will be required to have his or her application endorsed by a CISSP before the credential can be awarded. If a CISSP is not available, another qualified professional with knowledge of information systems or an officer of the candidate's corporation can validate the candidate's professional experience.

The endorser attests that the candidate's assertions regarding professional experience are true to the best of their knowledge, and that the candidate is in good standing within the information security industry.

afhamed

I really appreciate if any one can respond to my question.
I have more than 10 years of experience in Desktop support, I created local accounts, installed smart cards, help users with password and access problems and everything that a desktop support would do. does that count as security experience?

astorrs

afhamed wrote:

I really appreciate if any one can respond to my question.
I have more than 10 years of experience in Desktop support, I created local accounts, installed smart cards, help users with password and access problems and everything that a desktop support would do. does that count as security experience?

I don't think it will meet what they're looking for. Have a look here for more details on the applicable domains: https://www.isc2.org/cgi-bin/content.cgi?category=1187

Also:

Valid experience includes information systems (IS) security-related work performed as a practitioner, auditor, consultant, investigator or instructor, that requires IS security knowledge and involves the direct application of that knowledge. The five years of experience must be the equivalent of actual fulltime IS security work (not just IS security responsibilities for a five year* period); this requirement is cumulative, however, and may have been accrued over a much longer period of time.

JDMurray

The CISSP experience requirement is for work that involves planning, designing, or managing Information Security policies, processes, or systems. Start the CISSP Exam Overview Flash presentation at www.cccure.org and look at sections 6, 7, and 8 to get a better idea of the work experience required for the CISSP.

Paul Boz

The knowledge and experience isn't my problem. I've got five years of telecom infrastructure and network security engineering and I just got a new job doing risk management, risk assessments, pen testing, etc. I'm studying the CISSP resources available to me intensely. My problem is that I do not know any CISSPs and I don't know anyone that can vouch for me. I guess my plan is to sit the exam, pass it, then see what my options are. There are four people working on the CISSP at my new employer including myself, but until someone actually obtains it my company has no one that can vouch and I don't know anyone in a professional sense that holds a CISSP and will go out on a limb to vouch for me either. Now, assuming that a non-CISSP at my company (the CTO for example) can vouch for my experience, I'm fine. But if you actually need a CISSP to vouch for you as proposed, I'm screwed.

dynamik

There are several people here who have offered to endorse candidates.

http://techexams.net/forums/viewtopic.php?t=36120

JDMurray

You can also petition the (ISC)2 for a proxy endorser to be appointed for you. It's on the the (ISC)2 endorsement form.

susanj

keatron wrote:

Dear (ISC)2 Member,

The new requirements include the following components:
The minimum professional experience requirement for CISSP certification will be 5 years of relevant work experience in two or more of the 10 domains of the CISSP CBK, or four years of work experience with an applicable college degree or a credential from the (ISC)2-approved list. The current requirements for the CISSP call for four years of work experience in one or more of the 10 domains of the CISSP CBK, or three years of experience with an applicable college degree or a credential from the (ISC)2-approved list.

Candidates for any (ISC)2 credential will be required to obtain an endorsement of their candidature exclusively from an (ISC)2-certified professional in good standing. The professional endorsing the candidate can hold any (ISC)2 certification – CISSP, SSCP or CAP. Currently, candidates can be endorsed by an officer from the candidate’s organization if no CISSP endorsement can be obtained. The board believes that only an (ISC)2-credentialed professional bound by its Code of Ethics should provide a candidate endorsement.

Does anybody know what exactly it means to have an "an applicable college degree" ?

JDMurray

This has been debated in other threads in this forum, and I'm sure in the forums at www.cccure.org as well.

The bottom line is only the (ISC)2 can determine what they consider to be an acceptable college degree. But if you have a 4-year undergrad degree from a mainstream university you are probably good. They may want to limit people with only Associates degrees and degrees from "odd" institutions of learning.

dynamik

I don't know how much it really matters now that they only let you take one year off from EITHER certs or a degree. I would imagine that most people would already have a Security+ or other qualifying cert.

LarryDaMan

For a second I didn't realize this was an old "New CISSP Requirements" thread and I almost started to freak out. But no.

I do know that a major revamp of the CBK is planned for 2009.

If you download the Candidate Information Bulletin (CIB) from the ISC2 website and scroll through the PDF, a new CIB is also attached that takes affect in Jan 2009. XML and SOAP are some new things that jump out, but supposedly big changes lay ahead later in 2009.

Shon Harris is planning AIO v5 for a January 2010 release.

Should be interesting, hopefully I will be long done before then and not on my 4th attempt.

JDMurray

LarryDaMan wrote:

I do know that a major revamp of the CBK is planned for 2009.

The CISSP exam should begin reflecting the updated CBK in the first quarter of 2009. I don't think any changes in the actual requirements for the exam are planned.

And yes, the requirements changed made in 2007 only allows one year to be removed for having either a specific cert, an acceptable undergrad degree, or a Master in InfoSec from an NSA/CAE. It's too bad the Masters degree doesn't count for more than having just a Security+.

mengo17

JDMurray wrote:

And yes, the requirements changed made in 2007 only allows one year to be removed for having either a specific cert, an acceptable undergrad degree, or a Master in InfoSec from an NSA/CAE. It's too bad the Masters degree doesn't count for more than having just a Security+.

I was about to post something similar when I saw your post. This does not make any sense!!!!

JDMurray

mengo17 wrote:

I was about to post something similar when I saw your post. This does not make any sense!!!!

Maybe when the Masters in InfoSec become more common the (ISC)2 will bump the requirements up to six years and allow the MS to exempt a year on its own.

Paul Boz

Hopefully I can get through this in the months before changes start happening. That happened to me with the CCDA and it made me put it off for a year as a result.

JDMurray

Consider the benefits of a CISSP CBK revision. They are likely to drop the Orange Book, older technology, and a lot of pre-2000 InfoSec initiatives from the CBK, leaving CISSP candidates the need to only study more modern InfoSec topics and issues. This revision will further obsolete a lot of CISSP study aides currently available, but it also make it easier to decide on which study materials to use.

Paul Boz

Also, it never hurts to have the knowledge, whether it's tested or not.

billrich88

susanj wrote:

keatron wrote:

Dear (ISC)2 Member,

The new requirements include the following components:
The minimum professional experience requirement for CISSP certification will be 5 years of relevant work experience in two or more of the 10 domains of the CISSP CBK, or four years of work experience with an applicable college degree or a credential from the (ISC)2-approved list. The current requirements for the CISSP call for four years of work experience in one or more of the 10 domains of the CISSP CBK, or three years of experience with an applicable college degree or a credential from the (ISC)2-approved list.

Candidates for any (ISC)2 credential will be required to obtain an endorsement of their candidature exclusively from an (ISC)2-certified professional in good standing. The professional endorsing the candidate can hold any (ISC)2 certification – CISSP, SSCP or CAP. Currently, candidates can be endorsed by an officer from the candidate’s organization if no CISSP endorsement can be obtained. The board believes that only an (ISC)2-credentialed professional bound by its Code of Ethics should provide a candidate endorsement.

Does anybody know what exactly it means to have an "an applicable college degree" ?

I just wonder why (ISC)2 don't get and verify the endorsement first and then accept the application for CISSP exam. They can charge say a small amount of application fee for this. This will prevent confusion and misunderstanding or what one regards as info sec experiences but not in the eyes of (ISC)2? Moreover, it is required to submit the CV together with the exam applicaton. Why don't they just confirm the candidate's eligibility to be a CISSP prior to the exam?

JDMurray

Because if you don't pass the vetting you will still be awarded the Associate of the (ISC)2 designation rather than the full certification. The goal of the (ISC)2 is to have people pay the full amount for the exam, and become a dues-paying member, even if they aren't fully qualified for the certs. I think the Associate designation accomplishes this goal amazingly well.

billrich88

Do you think this is a responsible manner?

This similiar to one admitted to a University for a degree, studied four years and passed all exams and then the University informed him that he did not satisfy the University entry requirements in the first place and awarded him a certificate or diploma.