Certified Information Systems Security Professional
CISSP (Certified Information Systems Security Professional) is an independent information security certification granted by the International Information System Security Certification Consortium, also known as ISC2.
As of July 2022, there were 156,054 ISC2 members holding the CISSP certification worldwide.<ref name=":0" />
In June 2004, the CISSP designation was accredited under the ANSI ISO/IEC Standard 17024:2003.<ref name="ansi-17024">ANSI Accreditation Services - International Information Systems Security Certification Consortium, Inc. (ISC)2 Template:Webarchive. ANSI</ref><ref>Template:Cite press release</ref> It is also formally approved by the U.S. Department of Defense (DoD) in their Information Assurance Technical (IAT), Managerial (IAM), and System Architect and Engineer (IASAE) categories for their DoDD 8570 certification requirement.<ref>Template:Cite web</ref>
In May 2020, The UK National Academic Recognition Information Centre assessed the CISSP qualification as a Level 7 award, the same level as a master's degree.<ref name="masters">Template:Cite web</ref><ref>Template:Cite web</ref> The change enables cyber security professionals to use the CISSP certification towards further higher education course credits and also opens up opportunities for roles that require or recognize master's degrees.<ref name="masters" />
History
In the mid-1980s, a need arose for a standardized, vendor-neutral certification program that provided structure and demonstrated competence. In November 1988, the Special Interest Group for Computer Security (SIG-CS), a member of the Data Processing Management Association (DPMA), brought together several organizations interested in this goal. The International Information Systems Security Certification Consortium or "ISC2" formed in mid-1989 as a non-profit organization.<ref name="harris"> Template:Cite book</ref>
By 1990, the first working committee to establish a Common Body of Knowledge (CBK) had been formed. The first version of the CBK was finalized by 1992, and the CISSP credential was launched by 1994.<ref>History of (ISC)² Template:Webarchive. (ISC)²</ref>
In 2003 the CISSP was adopted as a baseline for the U.S. National Security Agency's ISSEP program.<ref>Template:Cite web</ref>
Certification subject matter
The CISSP curriculum breaks the subject matter down into a variety of Information Security topics referred to as domains.<ref name="11th_hour_book">Template:Cite book</ref> The CISSP examination is based on what ISC2 terms the Common Body of Knowledge (or CBK). According to ISC2, "the CISSP CBK is a taxonomy – a collection of topics relevant to information security professionals around the world. The CISSP CBK establishes a common framework of information security terms and principles that allow information security professionals worldwide to discuss, debate and resolve matters pertaining to the profession with a common understanding."<ref name="CBK_BOOK">Template:Cite book</ref>
On April 15, 2024, a refreshed exam outline applies. The updates are the result of the Job Task Analysis (JTA), which is an analysis of the current content of the credential evaluated by ISC2 members on a triennial cycle.<ref>Template:Cite web</ref> The impact of the change is limited to the weighting of the domains; the domains themselves did not change.<ref>Template:Cite web</ref>
On 1 May 2021 there was a domain refresh that impacted the weighting of the domains; the domains themselves did not change.<ref>Template:Cite web</ref>
From 15 April 2018, the eight domains covered are :<ref>Template:Cite web</ref>
- Security and risk management
- Asset security
- Security architecture and engineering
- Communication and network security
- Identity and access management (IAM)
- Security assessment and testing
- Security operations
- Software development security
From 2015 to early 2018, the CISSP curriculum was divided into eight domains similar to the latest curriculum above. The only domain to have changed its name was "Security Engineering", which in the 2018 revision was expanded to "Security Architecture and Engineering".<ref>Template:Cite web</ref>
Before 2015, it covered ten domains:<ref>Template:Cite web</ref>
- Operations security
- Telecommunications and network security
- Information security governance and risk management
- Software development security
- Cryptography
- Security architecture and design
- Access control
- Business continuity and IT disaster recovery planning
- Legal, regulations, investigations and compliance
- Physical (environmental) security
Requirements
- Possess a minimum of five years of direct full-time security work experience in two or more of the ISC2 information security domains (CBK). One year may be waived for having either a four-year college degree, a master's degree in Information Security, or for possessing one of a number of other certifications.<ref>Template:Cite web</ref> A candidate without the five years of experience may earn the Associate of ISC2 designation by passing the required CISSP examination, valid for a maximum of six years. During those six years a candidate will need to obtain the required experience and submit the required endorsement form for certification as a CISSP. Upon completion of the professional experience requirements the certification will be converted to CISSP status.<ref>Template:Cite web</ref>
- Attest to the truth of their assertions regarding professional experience and accept the CISSP Code of Ethics.<ref name="ISC2-applicants">Template:Cite web</ref>
- Answer questions regarding criminal history and related background.<ref name="ISC2-howto">Template:Cite web</ref>
- Pass the multiple choice CISSP exam (three hours, between 100 and 150 questions, in a computer adaptive test) with a scaled score of 700 points or greater out of 1000 possible points, you must achieve a pass in all eight domains.<ref name="ISC2-howto"/>
- Have their qualifications endorsed by another ISC2 certification holder in good standing.<ref name="ISC2-endorsement">Template:Cite web</ref>
Member counts
Number of CISSP members as of July, 2022 is 156,054.<ref name=":0">Template:Cite web</ref>
| # | Country (Top 15) | Count |
|---|---|---|
| 1 | United States | 95,243 |
| 2 | United Kingdom | 8,486 |
| 3 | Canada | 6,842 |
| 4 | China | 4,136 |
| 5 | Japan | 3,699 |
| 6 | India | 3,364 |
| 7 | Australia | 3,305 |
| 8 | The Netherlands | 2,983 |
| 9 | Singapore | 2,963 |
| 10 | Germany | 2,856 |
| 11 | Korea | 2,090 |
| 12 | Hong Kong | 1,968 |
| 13 | France | 1,277 |
| 14 | Switzerland | 1,127 |
| 15 | Spain | 847 |
Further specializations
Holders of CISSP certifications can earn additional certifications in areas of speciality. These specializations used to be known as CISSP concentrations, but have been made accessible for every applicant who meets the requirements. There are three possibilities as listed below.<ref>Template:Cite web</ref>
Information Systems Security Architecture Professional (ISSAP)
It is an advanced information security certification issued by ISC2 that focuses on the architecture aspects of information security. The certification exam consists of 125 questions covering six domain areas:
- Identity and Access Management Architecture
- Security Operations Architecture
- Infrastructure Security
- Architect for Governance, Compliance, and Risk Management
- Security Architecture Modeling
- Architect for Application Security
As of July, 2022, there were 2,307 ISC2 members holding the ISSAP certification worldwide.<ref name=":0"/>
Information Systems Security Engineering Professional (ISSEP)
It is an advanced information security certification issued by ISC2 that focuses on the engineering aspects of information security across the systems development life cycle.<ref name="auto1">Template:Cite web</ref> In October 2014 it was announced that some of its curricula would be made available to the public by the United States Department of Homeland Security through its National Initiative for Cybersecurity Careers and Studies program.<ref>Template:Cite web</ref> Both ZDNet and Network World have named ISSEP one of tech's most valuable certifications.<ref>Template:Cite web</ref><ref>Template:Cite web</ref> The certification exam consists of 125 questions covering 5 domain area:
- Security Engineering Principles
- Risk Management
- Security Planning, Design, and Implementation
- Secure Operations, Maintenance, and Disposal
- Secure Engineering Technical Management
As of July, 2022, there were 1,382 ISC2 members holding the ISSEP certification worldwide.<ref name=":0" />
Information Systems Security Management Professional (ISSMP)
It is an advanced information security certification issued by ISC2<ref>Template:Cite web</ref> that focuses on the management aspects of information security.<ref name="auto1"/> In September 2014, Computerworld rated ISSMP one of the top ten most valuable certifications in all of tech.<ref>Template:Cite web</ref> The certification exam consists of 125 questions covering 6 domain areas:
- Leadership and Business Management
- Systems Lifecycle Management
- Risk Management
- Threat Intelligence and Incident Management
- Contingency Management
- Law, Ethics, and Security Compliance Management
As of July, 2022, there were 1,458 ISC2 members holding the ISSMP certification worldwide.<ref name=":0"/>
Fees and ongoing certification
The standard exam costs Template:Currency as of 2021.<ref>Template:Cite web</ref> On completion of the exam, to gain certification you need to complete an endorsement process to evidence at least five years experience within a mix of the domains. A dispensation can be claimed for one year with the relevant academic qualification. The final step is payment of the annual maintenance fee of $135 (as of 2024).
The CISSP credential is valid for three years; holders renew either by submitting 40 Continuing Professional Education (CPE) credits per year over three years or re-taking the exam.
CPE credits are gained by completing relevant professional education.
Value
In 2005, Certification Magazine surveyed 35,167 IT professionals in 170 countries on compensation and found that CISSPs led their list of certificates ranked by salary. A 2006 Certification Magazine salary survey also ranked the CISSP credential highly, and ranked CISSP concentration certifications as the top best-paid credentials in IT.<ref>Template:Cite journal</ref><ref>Template:Cite journal</ref>
In 2008, another study came to the conclusion that IT professionals in the Americas holding the CISSP (or other major security certifications) and at least 5 years of experience had salaries of up to 26% higher than IT professionals with similar experience levels who did not have such certificates.<ref name="brodkin2008">Brodkin, Jon (2008-06-11). Salary boost for getting CISSP, related certs. Network World, IDG, 11 June 2008. Retrieved from https://www.networkworld.com/article/807166/lan-wan-salary-boost-for-getting-cissp-related-certs.html.</ref> Note that any actual cause-and-effect relationship between the certificate and salaries remains unproven.Template:Fact
ANSI certifies that CISSP meets the requirements of ANSI/ISO/IEC Standard 17024, a personnel certification accreditation program.<ref name="ansi-17024"/>
See also
- CISM (Certified Information Security Manager)
References
External links
Template:Computer Security Certifications Template:Authority control