Certified Information Systems Security Professional

From Wikipedia, the free encyclopedia

Certified Information Systems Security Professional (CISSP) is an independent information security certification governed by the International Information Systems Security Certification Consortium, also known as (ISC)².

As of June 1, 2015, 100,102 (ISC)² members hold the CISSP certification worldwide, across 160 countries.[1] In June 2004, the CISSP obtained accreditation from ANSI under ISO/IEC Standard 17024:2003.[2][3] It is also formally approved by the U.S. Department of Defense (DoD) in both the Information Assurance Technical (IAT) and Information Assurance Managerial (IAM) categories of the DoDD 8570 certification requirement.[4] The CISSP has been adopted as a baseline for the U.S. National Security Agency's ISSEP program. CISSP is a globally recognized certification in the field of IT security.[5]


In the mid-1980s a need arose for a standardized, vendor-neutral certification program that provided structure and demonstrated competence. In November 1988, the Special Interest Group for Computer Security (SIG-CS), a member of the Data Processing Management Association (DPMA), brought together several organizations interested in this goal. The International Information Systems Security Certification Consortium or "(ISC)²" formed in mid-1989 as a non-profit organization.[6]

By 1990, the first working committee to establish a Common Body of Knowledge (CBK) had been formed. The first version of the CBK was finalized by 1992, and the CISSP credential was launched by 1994.[7]

Certification subject matter

The CISSP curriculum covers subject matter in a variety of Information Security topics.[8] The CISSP examination is based on what (ISC)² terms the Common Body of Knowledge (or CBK). According to (ISC)², "the CISSP CBK is a taxonomy – a collection of topics relevant to information security professionals around the world. The CISSP CBK establishes a common framework of information security terms and principles that allow information security professionals worldwide to discuss, debate and resolve matters pertaining to the profession with a common understanding."[9]

From 2015, the CISSP curriculum is divided into eight domains:[10]

  • Security and Risk Management
  • Asset Security
  • Security Engineering
  • Communications and Network Security
  • Identity and Access Management
  • Security Assessment and Testing
  • Security Operations
  • Software Development Security

Before 2015, it covered ten similar domains.


Candidates for CISSP certification must:

  • Possess a minimum of five years of direct full-time security work experience in two or more of the (ISC)² information security domains (CBK). One year may be waived for holding a four-year college degree, a master's degree in Information Security, or one of a number of other certifications.[11] A candidate without the five years of experience may earn the Associate of (ISC)² designation by passing the required CISSP examination; the designation is valid for a maximum of six years. During those six years the candidate must obtain the required experience and submit the required endorsement form for certification as a CISSP. Upon completion of the professional experience requirements the designation is converted to CISSP status.[12]
  • Attest to the truth of their assertions regarding professional experience and accept the CISSP Code of Ethics.[13]
  • Answer questions regarding criminal history and related background.[14]
  • Pass the multiple-choice CISSP exam with a scaled score of 700 points or greater out of 1000 possible points.[14]
  • Have their qualifications endorsed by another (ISC)² certification holder in good standing.[15]


Holders of the CISSP certification can earn additional certifications in areas of specialty. Three concentrations are offered:[16]

1. Information Systems Security Architecture Professional (CISSP-ISSAP)

2. Information Systems Security Engineering Professional (CISSP-ISSEP)

3. Information Systems Security Management Professional (CISSP-ISSMP)

Ongoing certification

The CISSP credential is valid for three years. It can be renewed by retaking the exam, but most holders renew by submitting Continuing Professional Education (CPE) credits. To maintain the CISSP certification, a certificate holder must earn and submit a minimum of 40 CPEs each year and 120 CPEs by the end of the three-year certification cycle.

For those holding one or more concentrations, CPEs submitted for those concentrations count toward the CPEs required for the CISSP.[17]

CPEs can be earned in several ways, including taking classes, attending conferences and seminars (online and in person), teaching others, undertaking volunteer work, and professional writing. Most activities earn 1 CPE for each hour spent; preparing (though not delivering) training for others is weighted at 4 CPEs per hour, a published article is worth 10 CPEs, and a published book 40 CPEs.[17]


In 2005, Certification Magazine surveyed 35,167 IT professionals in 170 countries on compensation and found that CISSPs led its list of certifications ranked by salary. A 2006 Certification Magazine salary survey also ranked the CISSP credential highly, and ranked the CISSP concentration certifications as the best-paid credentials in IT.[18][19]

In 2008, another study concluded that IT professionals holding the CISSP (or other major security certifications) tend to earn salaries $21,000 higher than IT professionals without such certifications.[20] However, no cause-and-effect relationship between holding the certificate and salary has been demonstrated.

ANSI certifies that CISSP meets the requirements of ANSI/ISO/IEC Standard 17024, a personnel certification accreditation program.[2]


  1. ^ "Member Counts". (ISC)². Retrieved May 5, 2014.
  2. ^ a b "ANSI Accreditation Services - International Information Systems Security Certification Consortium, Inc. (ISC)²". ANSI.
  3. ^ "(ISC)² CISSP Security Credential Earns ISO/IEC 17024 Re-accreditation from ANSI" (Press release). Palm Harbor, FL: (ISC)². September 26, 2005. Retrieved November 23, 2009.
  4. ^ "DoD 8570.01-M Information Assurance Workforce Improvement Program" (PDF). United States Department of Defense. January 24, 2012. Retrieved April 12, 2012.
  5. ^ "NSA Partners With (ISC)² To Create New InfoSec Certification". February 27, 2003. Retrieved December 3, 2008.
  6. ^ Harris, Shon (2010). All-In-One CISSP Exam Guide (5th ed.). New York: McGraw-Hill. pp. 7–8. ISBN 0-07-160217-8.
  7. ^ "History of (ISC)²". (ISC)².
  8. ^ Conrad; Misenar; Feldman. 11th Hour CISSP. Syngress. ISBN 978-0-12-417142-8.
  9. ^ Tipton; Henry. Official (ISC)² Guide to the CISSP CBK. Auerbach Publications. ISBN 0-8493-8231-9.
  10. ^ "(ISC)² CISSP and SSCP Domain Refresh FAQ". (ISC)². Retrieved May 15, 2015.
  11. ^ "CISSP Professional Experience Requirement". (ISC)². 2009. Retrieved December 3, 2008.
  12. ^ "How to Become an Associate". (ISC)². 2009. Retrieved November 23, 2009.
  13. ^ "(ISC)² Code of Ethics". (ISC)². 2009. Retrieved December 3, 2008.
  14. ^ a b "How To Certify". (ISC)². 2009. Retrieved December 3, 2008.
  15. ^ "Endorsement". (ISC)². 2009. Retrieved August 2, 2015.
  16. ^ "CISSP® Concentrations". (ISC)². Retrieved January 17, 2015.
  17. ^ a b "Maintaining Your Credential". (ISC)². 2009. Retrieved December 3, 2008.
  18. ^ "Top Certifications by Salary in 2007". Certification Magazine. April 11, 2007. Archived from the original on March 29, 2007. Retrieved October 14, 2007.
  19. ^ Sosbe, Tim; Hollis, Emily; Summerfield, Brian; McLean, Cari (December 2005). "CertMag's 2005 Salary Survey: Monitoring Your Net Worth". Certification Magazine (CertMag). Archived from the original on June 6, 2007. Retrieved April 27, 2007.
  20. ^ "Salary boost for getting CISSP, related certs". NetworkWorld.