New Elgibility criteria

me2maverick · October 2007

Hi All,

I am a wannabe CISSP. Have gone through the official site which has left me quite confused.

Facts:

I have done my bachelors in computer science and have exactly 4 years of experience in the security domain.

Queries:

1. As per the new regulations, am I eligible?
2. What exactly does "an applicable college degree " mean? I have degree from a regional college outside the USA. Is it not valid? How do I confirm?

TIA,
Mave

Schluep · October 2007

Hello me2maverick,

Their website is a bit confusing right now as they haven't fully transitioned everything to the new requirements yet.

The list of experience requirements for the CISSP examination are available at https://www.isc2.org/cgi-bin/content.cgi?category=1187. Please note that with the new requirements the experience must be within 2 or more of the 10 Domains and not just 1 or more of the 10 Domains as was previously the case. The experience must be direct full-time verifiable experience that must be endorsed after you pass the examination and is also subject to audit. The specifics of the education waiver are also available here, but are not very specific about individual institutions. It states:

(ISC)2 Professional Experience Requirements wrote:

Candidates can substitute a maximum of one year of direct full-time security professional work experience described above if they have a four-year college degree OR Master’s Degree in information security from a U.S. National Center of Academic Excellence in information Security (CAEIAE) or regional equivalent. If you hold both a four-year degree and a Master’s degree, you may only apply for a one year waiver of experience.

The best way to determine whether your degree is applicable would be to contact (ISC)2 directly through either phone, e-mail, or their web form. This contact information is all available at https://www.isc2.org/cgi-bin/contact.cgi.

If you degree is not applicable you could still meet the experience requirement provided that your four years of experience meets the proper qualifications by adding an "Experience Waiver for Approved Credentials", which equates to having another recognized InfoSec certification. The list of valid certification is available at https://www.isc2.org/cgi-bin/content.cgi?page=1016 and holding any one or more of these certifications allows you to waive 1 year off of the experience requirement. If you do not currently hold any of these certifications, the CompTIA Security+ is probably the easiest to obtain and is also vendor neutral like the CISSP exam will be.

me2maverick · October 2007

Thanks, Schluep. I have dropped in a mail to ISC2 registrar.

JDMurray · October 2007

I was looking at this very thing last night, but for the SSCP exam. The (ISC)2 Web site states:

"... a four-year college degree OR Master’s Degree in information security from a U.S. National Center of Academic Excellence in information Security (CAEIAE) or regional equivalent."

I assume that a four-year degree can be a Bachelors or Masters degree, and that a three-year Bachelors or Masters degree would not be accepted, except for a three-year MSIT in InfoSec degree.

shednik · October 2007

JDMurray wrote:

I was looking at this very thing last night, but for the SSCP exam. The (ISC)2 Web site states:

"... a four-year college degree OR Master’s Degree in information security from a U.S. National Center of Academic Excellence in information Security (CAEIAE) or regional equivalent."

I assume that a four-year degree can be a Bachelors or Masters degree, and that a three-year Bachelors or Masters degree would not be accepted, except for a three-year MSIT in InfoSec degree.

Speaking of the 3 year InfoSec Masters what did you think of the program you went through JD?

I finish my BS this fall and once i get a better job plan to go back when i can afford it again...would you recommend capella?

me2maverick · October 2007

Folks,

This is the reply I got from them:

Unfortunately we do not pre-screen an applicants experience. I will include
below the information from our FAQ. If you have any additional questions,
please let us know.
Applicants must have a minimum of four years of direct full-time security
professional work experience in one or more of the ten domains of the (ISC)²
CISSP CBK .

CISSP professional experience includes:
• Work requiring special education or intellectual attainment, usually
including a liberal education or college degree.
• Work requiring habitual memory of a body of knowledge shared with others
doing similar work.
• Management of projects and/or other employees.
• Supervision of the work of others while working with a minimum of
supervision of one's self.
• Work requiring the exercise of judgment, management decision-making, and
discretion.
• Work requiring the exercise of ethical judgment (as opposed to ethical
behavior).
• Creative writing and oral communication.
• Teaching, instructing, training and the mentoring of others.
• Research and development.
• The specification and selection of controls and mechanisms (i.e.
identification and authentication technology) (does not include the mere
operation of these controls).
• Applicable titles such as officer, director, manager, leader,
supervisor, analyst, designer, cryptologist, cryptographer, cryptanalyst,
architect, engineer, instructor, professor, investigator, consultant, salesman,
representative, etc. Title may include programmer. It may include administrator,
except where it applies to one who simply operates controls under the authority
and supervision of others. Titles with the words "coder" or "operator" are
likely excluded.

The applicant must meet the following requirements to qualify to sit for the
examination: A. Subscribe to the (ISC)² Code of Ethics; and B. Have a minimum
four years* of direct full-time security professional work experience in one or
more of the ten domains of the information systems security CBK® . Waiver of
Experience: If certain circumstances apply and with
appropriate documentation, candidates are eligible to waive a maximum of two
years of professional experience* as follows:
• One year waiver of the professional experience requirement for
education.
Candidates can substitute a maximum of one year of direct full-time security
professional work experience described above if they have a four-year college
degree OR Master’s Degree in information security from a U.S. National Center of
Academic Excellence in information Security (CAEIAE) or regional equivalent. If
you hold both a four-year degree and a Master’s degree, you may only apply for a
one year waiver of experience.
• One-year waiver of the professional experience requirement for holding
an additional credential on the (ISC)² approved list.
Valid experience includes information systems (IS) security-related work
performed as a practitioner, auditor, consultant, investigator or instructor,
that requires IS security knowledge and involves the direct application of that
knowledge. The four years of experience must be the equivalent of actual
fulltime IS security work (not just IS security responsibilities for a four
year* period); this requirement is cumulative, however, and may have been
accrued over a much longer period of time.
*Note: Effective 1 October 2007, professional work experience requirements for
the CISSP will increase from four to five years, and direct full-time security
professional work experience will be required in two or more of the ten CISSP
CBK domains. A new endorsement policy will also be in effect, requiring anyone
who passes a CISSP, CAP, or SSCP exam to have their qualifications endorsed by
another (ISC)² credential holder. These changes will not affect those who sit
for an examination on or before 30 September 2007. For more information, please
refer to the Experience Requirement Change FAQs.

Schluep · October 2007

Well that wasn't particularly helpful. Maybe Keatron knows more about what is acceptable and what is not for the degree since he more involved on the training side of the fence. Perhaps if you posted your university and degree program someone here could try and interpret based upon the description provided by (ISC)2, but it doesn't matter if we all think it qualifies if they do not recognize it.

Clearly as JDMurray stated the Bachelor's Degree must be a 4 year degree. The part that is questionable is since it says a "have a four-year college degree OR Master’s Degree in information security from a U.S. National Center of Academic Excellence in information Security (CAEIAE) or regional equivalent. The "or" statements are what make it difficult to read. Does the four year degree also have to be from a U.S. National CAEIAE or regional equivalent, or just the Master's degree in general. What qualifies as a regional equivalent? I don't know the education world very much, but it is those type of things that will need to be determined.

The safest bet might be to pick up one of those other certifications such as CompTIA Security+. As long as your four years experience qualify as direct full-time IS experience in 2 or more of the 10 domains you would qualify with the certification even if your degree is not accepted.

You could also schedule the exam as testing to be an "Associate of (ISC)2" until you gain another year of experience at which point you will then send in your endorsement and become a CISSP after a potential audit. Currently I am an Associate of (ISC)2 while waiting to get the work experience since none of my work experience qualified when I sat for the exam in September.[/b]

JDMurray · October 2007

The most important part of that FAQ is the changes in the requirements that occurred on October 1st:

*Note: Effective 1 October 2007, professional work experience requirements for
the CISSP will increase from four to five years, and direct full-time security
professional work experience will be required in two or more of the ten CISSP
CBK domains. A new endorsement policy will also be in effect, requiring anyone
who passes a CISSP, CAP, or SSCP exam to have their qualifications endorsed by
another (ISC)² credential holder. These changes will not affect those who sit
for an examination on or before 30 September 2007. For more information, please
refer to the Experience Requirement Change FAQs.

Schluep wrote:

The "or" statements are what make it difficult to read.

I think the idea is that anybody who has only a three-year undergraduate degree and attains a Masters in InfoSec from a program approved by the (ISC)2 will also be awarded a year of experience. In this case, not having a four-year undergrad degree will not penalize you.

ajs1976 · October 2007

The part of the degree requirement that confuses me, is where it mentions in information security. I understand the part about the 4 year undergraduate degree or the Master's in information security, but does the 4 year undergraduate degree have to be in Information security or can it be in anything?

JDMurray · October 2007

ajs1976 wrote:

but does the 4 year undergraduate degree have to be in Information security or can it be in anything?

Where does it say that your degree must be in a specific major? The only requirement written is that it be a four-year college degree. My B.A. in Cultural Anthropology would qualify. You guys are really splitting hairs on this.

keatron · October 2007

4 year degree in anything counts.

Also be careful about the not pre-screening of applications clause. Basically what it means is you can apply, pay the big bucks for the exam, then later be told you don't meet the requirements to hold the certification. I have my personal feelings on this "way of doing things" and I've shared it with "the right people" but I don't see it changing anytime soon.

The "OR Master’s Degree in information security from a U.S. National Center of Academic Excellence in information Security" is referring to degrees like JD's and others who have earned a Masters in Infosec from qualified university.

mattah · October 2007

For the SSCP, does a four year bachelors degree count for the professional experience required? Also my previous experience has been in lecturing, mostly Cisco stuff and at CCNP level, which does include some security. Would this count to some extent?

Ta.

JDMurray · October 2007

mattah wrote:

For the SSCP, does a four year bachelors degree count for the professional experience required?

Here's the SSCP work experience requirement. It looks like both security-related teaching and college degrees are acceptable.

https://www.isc2.org/cgi-bin/content.cgi?category=1195

me2maverick · October 2007

Folks,

I have sent my resume to a CISSP for endorsement although I am yet to take the exam.

Hopefully his response will set things straight....

Will keep you posted.....

New Elgibility criteria

Comments