Talk:Certified Information Systems Security Professional

From Wikipedia, the free encyclopedia

Page Moved

This page has been moved from CISSP. CISSP now redirects here (Certified Information Systems Security Professional). I cleaned up related requests in this talk page. --J Morgan(talk) 21:23, 2 August 2006 (UTC)

Criticism Added

There are many people who dislike the CISSP for what they feel are legitimate reasons. I've added information about this to help balance this otherwise skewed-positive article. —The preceding unsigned comment was added by (talkcontribs) 21:57, 18 August 2006 (UTC)

Positive skew, no spin/zero spin. What-ever! <personal observation> Negative comments, to some people AKA criticism (criticism != critique) do not balance an article </personal observation>. Luis F. Gonzalez 01:03, 25 December 2006 (UTC)

I added a clarification to the Criticism section regarding the requirement to be sponsored by another CISSP. --Mark Odiorne, CISSP 10:47, 2 December 2006 (UTC)

An anonymous user just tried to delete the entire criticism section. I restored it, because the criticisms are at least somewhat legitimate. They probably need to be toned down a bit or made more factual and less argumentative. Several of them were openly stated in a CISSP review session my local ISSA chapter ran, and some matched my personal (successful) experience on the exam. RossPatterson 04:08, 11 March 2007 (UTC)

After adding the logo I also noted that the criticism section was deleted, yet I thought twice before choosing not to restore the section. Although I have contributed several items to the criticism section, in principle I have come to agree/believe that the section is not appropriate. First, the negative comments of this section originated from an anonymous user who provided no attributions to reliable sources. These kinds of attacks, in my experience, largely come from those who fail the exam or who have a motive to discount the CISSP. Second, the tone of the criticisms lacked professionalism. Third, several of the criticisms are clearly contradictory--the test is too general and the test is too detailed.... Like Ross, I have taken the exam (successfully). It is true that it is a difficult test, probably the most challenging in the field. As a 20 year information security professional who holds several credentials, I have practiced in government, academia and industry and seen many standards and certifications come and go. Yet the CISSP is the most enduring and well regarded. It is the benchmark in the profession. It is also well accepted that the CISSP testing meets accepted psychometric standards. I would suggest that the existing section dedicated to "criticism" is negatively biased and unwarranted. At the same time I agree there are legitimate concerns, but would be comfortable with a more objective (and proportionally appropriate) statement in the main entry that acknowledges criticisms that are justifiable and attributed to a reliable, objective source. Let's continue to talk... Michael Carter CISA, CISSP, CNSP, CSA 10:01, 10 March 2007 (MST)

After reading the Wikipedia Neutral Point of View (NPOV) Policy, I am convinced that we need to rework the article to appropriately include the criticisms. The result, in my opinion, would be significant. The NPOV requires that views should be presented fairly, neutrally, analytically without bias or undue weight, etc. The operational principle (simple formulation) is “assert facts, including facts about opinions — but do not assert the opinions themselves.” Michael Carter 12:04, 11 March 2007 (MST)

Yup. The other major Wikipedia policy is Attribution, and some of the "criticism" statements would sit better if cited from published works. I'm pretty sure Shon Harris, among others, has made the "mile wide and an inch deep" claim, and she's certainly a reliable source. Sounds like it's time for a trip to the library! RossPatterson 18:31, 11 March 2007 (UTC)
I happen to have one of the Shon Harris books on my desk. Mike Meyers' Certification Passport: CISSP. ISBN 0-07-222578-5. Page xxi - "[The exam] is commonly referred to as a mile wide and an inch deep." She offers no real criticism at any point in the book, though. -Jzerocsk 17:10, 14 March 2007 (UTC)
I've added this (Shon Harris) book as a reference. Anyone care to offer any insight as to where references for the rest of the criticisms might come from or, better yet, what a reputable way to measure whether or not these criticisms are balanced and representative might be? njan 22:04, 6 June 2007 (UTC)

ISO 17024:2003

Can someone get more references on this since it does not appear to be an accreditation process as such. E.g. ISO gets on a plane, visits (ISC)2, performs audits and delivers a big thumbs up or down. Luis F. Gonzalez 05:52, 27 December 2006 (UTC)

CISSP was the first certification to earn the ANSI accreditation to ISO/IEC Standard 17024:2003, a global benchmark for assessing and certifying personnel.

Is that technically true? It may have been the first information security certification to be accredited to 17024 but I wonder if other certifications in other fields were accredited before CISSP.

Also, it would be useful to explain what this means. —Preceding unsigned comment added by (talk) 21:25, 31 August 2007 (UTC)


  • I removed subjective and superlative evaluations (the premiere, the standard). These aren't needed. The list of bodies recognizing the CISSP is impressive enough.
  • I removed redundant qualifiers from the list of criticisms and I also removed the rebuttal. They sound like weasel words to me and make the defence less effective.

It's best to define the CISSP, to list the bodies that recognize it, to describe the CBK®, and to list criticisms, leaving the article NPOV. It should not be a forum. Cheers! Vincent 09:00, 29 May 2007 (UTC) (CISSP since April this year)

The ANSI accreditation process involves both a review of a paper application and the performance of an assessment (onsite visit) to validate information provided by each applicant. The use of an onsite assessment for accreditation of personnel certification agencies is unique to ANSI. See Also, ANSI accreditation is recognized both nationally and internationally and has become the hallmark of a quality certification program.


The citation currently used in the article actually infers that the CISSP is inadequate for the NSA's purposes, specifically pointing out that the (ISC)2 and NSA have partnered to create the ISSEP as an extension to the CISSP to make up for these shortcomings. The entry should either be reworded to clarify the NSA reference or have the reference updated accordingly. njan 19:27, 5 June 2007 (UTC)

The ISSEP Program existed within the NSA for several years prior to the ISC2 getting on the bandwagon. This curriculum is taught in several other places in an academic setting, see Brennanhay (talk) 19:37, 25 March 2010 (UTC)

Criticism Section

The criticism section is totally ridiculous. Who are the "some critics" raising those points? Are they credible and/or experienced, or just people upset they failed the examination? Where are the references for those critics/quotes?

You should let the article stand for what it is: a description of the CISSP certification, not a list of complaints "some critics" have about it.

Many critics are coming from academia or industry and have a vested interest in ensuring that high quality training actually certifies skills, not merely ability to pass an exam. Brennanhay (talk) 19:39, 25 March 2010 (UTC)

Many such critics also have a "vested interest" in devaluing any certifications or other credentials that can be acquired outside of the traditional academic system. Even in the absence of such bias, university faculty are often ill-equipped to render opinions regarding the real-world value of any particular form of education, thus the saying "those who can do, those who can't teach." Bonehed (talk) 19:01, 26 May 2010 (UTC)

I will be making an effort to improve the criticism section by identifying peer reviewed sources of criticism for the major points, however currently this article is biased in favor of the certification. Brennanhay (talk) 20:53, 25 March 2010 (UTC)

Criticism: The CISSP is marketed as the top tier security certification to industry and the government *for technical staff.* However only two of the domains are technical in nature. The rest of the domains are business practices many of which are outside an engineer's responsibility or authority. Furthermore the proponents of CISSP openly say the material is "an inch deep and a mile wide". How is that a top tier measurement? This is all introductory material that is made challenging due to its volume. Technical skill by nature is in-depth and detail oriented and therefore the assessment is contradictory. While I agree this type of material is exactly what is called for in a management role, it is in no way a good indicator of a top engineer. /been doing IT Security for 21 years. -GetOffMyGrass — Preceding unsigned comment added by (talk) 05:26, 24 March 2012 (UTC)

Why not have a "criticism" section on every article in Wikipedia? — Preceding unsigned comment added by (talk) 15:37, 3 June 2014 (UTC)

How about a compromise: let the critics have their say on one side, and let CISSPs respond on the other. Every qualification has its pros and cons, open discussion is no bad thing. —Preceding unsigned comment added by (talk) 21:30, 31 August 2007 (UTC)

That's a good point and deserves to be addressed. First, the term "some critics" is considered a weasel word, i.e. wording used as a loophole to get around the NPOV policy and to hide otherwise questionable material. Second, open discussion is a good thing and it belongs here on the talk page, where you in fact just contributed (correctly I might add!). On the other hand, if a criticism is valid and not original (there's a no original research policy on Wikipedia) it should be attributed, and I'd personally go further and say the critic should be notable enough that his or her criticism mattered. Hope this helps. Vincent 08:03, 3 September 2007 (UTC)
I concur with others who believe the criticism section should be removed. The article should describe the CISSP certification from a neutral point of view, rather than taking positions for or against its value, which constitute opinion and not factual content. Bonehed (talk) 19:01, 26 May 2010 (UTC)

POV dispute

The CISSP is controversial and is a for-profit (there's something I'm trying to say here, but "for-profit" isn't it) enterprise. For IT professionals, it is somewhat costly to obtain, and is usually acquired to further career and professional esteem, which means virtually anyone with a CISSP editing this article has a potential COI issue.

I found the "criticisms" section of this article in particular not reflective of actual concerns with CISSP. The criticisms of CISSP are not that it is "too hard" --- this is a "criticism" in the vein of the resume chestnut "my worst attribute is that I work too hard".

--- tqbf 02:00, 14 November 2007 (UTC)

Some sourcing for critiques:

The most useful criticisms are in blogs, which can be sourced in WP articles (see WP:WEB), but not without balancing with warnings about WP:RS.

--- tqbf 02:59, 14 November 2007 (UTC)

Blogs aren't acceptable sources on Wikipedia. WP:WEB is about websites, blogs, etc. as the subjects of articles, not as sources for articles. The first sentence after the quotes says "This page gives some rough guidelines which most Wikipedia editors use to decide if any form of web-specific content, being either the content of a website or the specific website itself should have an article on Wikipedia." And as WP:RS says, "Self-published books, personal websites, and blogs are largely not acceptable as sources. They may, in some circumstances, be acceptable when produced by an established expert on the topic of the article whose work in the relevant field has previously been published by reliable third-party publications, but such use is discouraged; see WP:SPS for details." Wikipedia:Verifiability adds "'Blogs' in this context refers to personal and group blogs. See e.g., Wikipedia:Articles_for_deletion/The_Game_(game)_(6th_nomination) for an often-cited example deletion discussion covering this matter. Some newspapers host interactive columns that they call blogs, and these may be acceptable as sources so long as the writers are professionals and the blog is subject to the newspaper's full editorial control. Where a news organization publishes the opinions of a professional but claims no responsibility for the opinions, the writer of the cited piece should be phrasally attributed (e.g. 'Jane Smith has suggested...'). Posts left on these columns by readers may never be used as sources." RossPatterson 03:42, 14 November 2007 (UTC)
If you can cite criticisms from sources that meet Wikipedia:Reliable Sources, by all means add them to the article. Certainly some of the biggest names in security who might otherwise be called pro-CISSP have offered criticisms. Go for it! RossPatterson 03:47, 14 November 2007 (UTC)
I do believe you're mistaken: [1]. Blogs are never acceptable sources in bios of living persons. I'd love a solid answer on this. Happy to constrain this to blogs of noted industry experts (Richard Bejtlich's TaoSecurity, listed above, is the blog of a serial author and a security exec at GE). --- tqbf 03:51, 14 November 2007 (UTC)
The first item on that archive page quotes Wikipedia:Reliable sources/Examples saying that blogs aren't acceptable sources. The actual text at WP:RSEX#Are weblogs reliable sources? says "In most cases, no. Most weblogs ('blogs'), especially those hosted by blog-hosting services such as Blogger, are self-published sources; many of them published pseudonymously." It continues with a "yes, but": "Weblog material written by well-known professional researchers writing within their field, or well-known professional journalists, may be acceptable, especially if hosted by a university or employer (a typical example is Language Log, which is already cited in several articles, e.g. Snowclone, Drudge Report). Usually, subject experts will publish in sources with greater levels of editorial control such as research journals, which should be preferred over blog entries if such sources are available.". Certainly Bejtlich qualifies that way, as would Harris, Ranum, Schneier, and others of their ilk - even better if you find their work in more-reputable venues (e.g., Ranum's and Schneier's frequent magazine articles). RossPatterson 04:26, 14 November 2007 (UTC)
Ross, we appear to agree with each other. --- tqbf 04:29, 14 November 2007 (UTC)
I wouldn't have guessed so from the foregoing, but that's good. Now, back to making the article better :-) RossPatterson 04:33, 14 November 2007 (UTC)
You're a CISSP. What's your take on the POV issue? --- tqbf 04:39, 14 November 2007 (UTC)

All that aside (I'm not advocating sourcing from blogs from NN security pundits):

Here's a copy of the article, marked up for POV cleanup. (Please take the copy as a good faith gesture not to crud up the page, not as me being annoying). --- tqbf 04:47, 14 November 2007 (UTC)

I think the article is pretty good. It suffers from "pride of place" a bit, like many articles. There are a number of "cheerleading" words or phrases that need toning down a bit, but I'm not aware of any factual errors. Your marked-up version takes a hard line - harder than I think is called for. For example, do you really doubt that (ISC)2 runs the CISSP program or that it is a not-for-profit? Or that the number of CISSPs it claims is accurate? And you flag as "dubious" a claim ("The certification is also endorsed by the U.S. National Security Agency (NSA) as the benchmark for information security") that is referenced. RossPatterson 03:31, 15 November 2007 (UTC)
Check out User_talk:Tqbf/CISSP_POV. --- tqbf 04:13, 15 November 2007 (UTC)
The article keeps to the neutral point of view. It states facts about the certification, not opinions. For example it states the certification is granted by ISC2, there are approx 50,000 people certified, it describes the Common Body of Knowledge, it describes the formal requirements a candidate must meet, and it lists common criticisms of the CISSP. I don't see any controversy here, except in the Desirability section, which is easily made factual simply by saying (ISC)2 considers the CISSP the gold standard (rather than use the passive tense).
You're taking an excessively hard line. Furthermore the CISSP article compares well with the MCSE article in terms of style.
As for the links you cite, they are pure POV. Now, I don't necessarily disagree with these editorials, and POV is fine in an editorial, but I find it ironic that you are using editorial opinion biased against the CISSP to justify calling the article POV. It isn't, I found your revision very biased. Why not simply summarize the articles and add the points that aren't already made to the Criticism section? Vincent 10:00, 15 November 2007 (UTC)
  • Thanks for taking the time to respond. Unfortunately, you didn't actually address any of the POV concerns I brought up in User_talk:Tqbf/CISSP_POV, nor did you in fact read it, because it isn't a "revision" of the article: it's simply a copy of this one, with inline POV tags. It would have been perfectly appropriate for me to simply tag the CISSP article in place; I chose not to as a good faith gesture.
  • So, for instance, "there are approx 50,000 people certified" --- how do you know?
  • Why do I care how the article compares with the MCSE article? I'm concerned with the WP as a whole, not the class of certification articles within it.
  • Obviously, the links I cited are POV. That was the point of providing them. The article as it stands demonstrates only one point of view. It needs to accommodate the others. --- tqbf 13:40, 15 November 2007 (UTC)
You're quibbling.
You should tag it, amend it, correct it, source it. You seem to have a serious bias against the CISSP you're attacking this article's neutrality (there's a stigma associated to the POV label) because it doesn't match your bias.
And the article, as it stood before you tagged it, did address the specific concerns in the article (e.g. being a mile wide but an inch deep). If you don't think that's enough, just expand the criticisms section. But to label the entire article POV is nonsense. It's a fairly well written balanced article.
You should care about the MCSE because it's a similar type of article about a similar topic, hence it makes sense to compare the two.
Please understand I am not keeping you from contributing or adding anything to the article. I just think you can't go and summarily decide this article is POV. Vincent 15:55, 15 November 2007 (UTC)
You are right; I clearly do have a POV about the CISSP program. Although having a WP:COI over an article creates a problem for editing it, having a POV does not --- most people who care enough about an article to contribute to it have some kind of POV. What matters is not what my POV is, but the neutrality of the resulting text. I'm not offended that you're "calling me out" as a critic of the CISSP program, but I do note that it's not a constructive topic of debate. Discuss the content, not the editors.
You clearly share the POV of the current article text. Great! I'm glad we're clear on that. Now, can we respond to the specific concerns I have about this article? I bulleted them for you; if you're right, you should be able to knock them down one by one.
Thank you for pointing out other articles you think I should be concerned about. Perhaps at some point I will become concerned about them. For the time being, this article is my concern, as I am a subject matter expert, have taken the time to review the article content, and have researched the subject. I'm going to politely decline a discussion of the MCSE program, which I know little about.
I'm sorry you think I shouldn't be deciding that the article is POV. Unfortunately, that is precisely what I have done. I think this debate will be far more pleasant for both of us if we can get past that point (I'm not going to let it go, Vincent), and address the substance of my concerns. You will find that after taking the time to do so, I will have far less reason to be obstinate about my changes.
Thanks! --- tqbf 16:24, 15 November 2007 (UTC)
For the record, claiming to be a subject matter expert is an appeal to authority, and Wikipedia's mind isn't made up on whether that's a good thing or a bad thing. In general, it means your opinions don't matter any more or any less than anyone else's, and that both perspectives still need to provide third-party references and avoid original authorship. RossPatterson 00:15, 16 November 2007 (UTC)
Have definitely learned that lesson here already --- I'm not suggesting my POV should prevail, just giving a heads-up that I'm not going away. --- tqbf 01:16, 16 November 2007 (UTC)

The POV tag at the start of the page

... please do not remove it. The POV of this article is indisputably disputed. =)

--- tqbf 13:42, 15 November 2007 (UTC)

... please don't reinsert the POV tag. You're the only one who finds this article POV... Vincent 15:45, 15 November 2007 (UTC)

"You're the only one who finds this POV" is not a valid reason to shut down a POV dispute. Relative to WP as a whole, only a tiny fraction of editors find this article interesting.
You can, of course, continue to revert my edits. The next time you revert, I'm going to mirror in the inline POV tags I made in my private copy of the page, which, given the approach you're taking to this dispute, is what I should have done to begin with.
From appearances, your next move is going to be to revert those. However, those inline tags are a constructive edit to the page. You're simply going to traipse over WP:3RR.
There is no reason we can't resolve this dispute constructively. Until the dispute is resolved, the POV tag at the top of the page improves the article --- it notes an area that the page needs to be improved.
I'm going to respectfully ask that you view this article not as a judgement on the CISSP program, but rather as an encyclopedia article. Article tags are there to improve the Wikipedia. They are not there as value judgements. Address the concerns behind the tag, and then the tag will stop making sense.
Thanks for your attention. It's good to be working on an article with someone who cares deeply about it and has an opposing POV; it's going to improve both our work here. --- tqbf 15:52, 15 November 2007 (UTC)
<sigh> There is no reason we can't resolve this dispute constructively. That's what I'm saying. Edit the article instead of tagging it. Why do you insist on a label? Moving the labels inline makes it worse. Why not expand the criticism section? Vincent 16:01, 15 November 2007 (UTC)
I've now constructively edited the page, so you know precisely where the disputed wording is. I remain available to help create a consensus on neutral wording for each of these. Because I expect any such changes I make to be immediately reverted by you, I'll let you take the lead in doing that.
I don't think any of these issues are hard to resolve. Just remove things like "the international gold standard", lose unaudited numbers as statements of bare fact, and fix the tone of the article. We should be just peachy.
--- tqbf 16:06, 15 November 2007 (UTC)

I wholeheartedly agree that the inline tags are less friendly and more noisy than the simple POV link at the top of the page. That's why I took the time to tag the article in a copy in my userspace. However, the article as it stands is misleading, and one way or another it needs to be tagged to recognize that work needs to be done on it.

So far, Vincent, all you seem to be doing is reverting my changes and complaining about them on the talk page. Can you make a constructive edit somewhere in the page to demonstrate good faith here? It took time to find criticism links for the CISSP, it took time to read it closely to find POV issues, it took time to copy it, and it's taking time to respond to you here. Can we have something to show for that now?

--- tqbf 16:11, 15 November 2007 (UTC)

Vincent asked me to comment. So here goes, although I hate to get in the middle of someone else's fight.

  • Vincent - I think the article is pretty good, as I said above. But it certainly presents the CISSP in sometimes-too-glowing terms (that "gold standard" line needs to die!). In that, it's POV. And tqbf is right - the way to respond to a POV tag is to deal with its claims, not to revert it.
  • tqbf - I think the article is good enough to stand without the POV tag, but if you disagree then you're within your right to add it and detail your concerns on the talk page. Since you've already got a marked-up version, that shouldn't be hard to do. In fact, it appears you've already done a nice job of fixing them!

RossPatterson 23:13, 15 November 2007 (UTC)

In fairness, Vincent took the time to respond to most of my concerns on my talk page, which made the edits easy. Thanks both of you! --- tqbf 23:18, 15 November 2007 (UTC)

"(ISC)² Associate" program?

No information on the "(ISC)² Associate" program. It is my understanding it is possible to become a CISSP inside this framework see —Preceding unsigned comment added by (talk) 09:39, 28 November 2007 (UTC)

An associate of the ISC2 does not a CISSP make; there is merely an organizational affiliation. References needed Brennanhay (talk) 20:54, 25 March 2010 (UTC)

The POV tag and more

It looks like I missed the fun..a lot happening while I was gone. I most certainly think the article is fine the way it is, without POV. This doesn't mean it cannot be improved, however I think that it needs to be done in agreement; glad to see that has happened.

To Anon, the associate designation is not a "framework" necessarily, rather it functions as a "waiting period" for those who lack the required real-world experience in the field of information security. It may be worth mentioning, but extensive coverage may be outside the scope of the article.

To everyone else, I forgot to add that the CBK section can be developed more, like including several sub-headers for each CBK domain so folks get a better idea of what is covered under each domain. Rather than bickering about minor issues we should focus on improving the actual content of the article.

--Virgil Vaduva 16:32, 4 December 2007 (UTC)

Question for Tqbf

Tqbf - from your edits it appears that you have some sort of beef with (ISC)2 or with the CISSP cert. Did you fail the exam recently by any chance, or what is the issue you are having with this particular article?

I am simply trying to understand why you seem to be so antagonistic to seemingly any and every edit to this article that may reflect the credential in a positive light. I noticed that you rejected even my edit suggesting that (ISC)2 takes a "balanced approach to presenting CIA." To point out, the CIA triad picture is virtually the same picture/image used by (ISC)2 in all their education materials: a triangle with equal sides, presenting confidentiality, integrity and availability as being of equal importance. Why, and how could you possibly object to such a thing, and why do you think that (ISC)2 does NOT balance the three tenets?

--Virgil Vaduva 20:50, 4 December 2007 (UTC)

Virgil: I'm not an anonymous user. You can get my name from my talk page, then look me up online and draw your own conclusions. Meanwhile, on WP, try to debate the content, not the editors.
Answering your substantive question: you're right. WP doesn't "address topics in a positive light"; it presents a neutral point of view. If you feel my contributions make the article reflect negatively, amend them. Anything you write that you imply the CISSP accomplishes must be sourced, or qualified with "attempts" or "tries" or "intends to", to reasonable limits. I dispute that the CISSP accomplishes anything except hurting my profession, but I'm not arrogant enough to simply write my POV into the article.
Finally, I'm sorry you feel like I'm being antagonistic. You left the article with two back-to-back grafs each defining the same term, "CBK". I felt like the section read better with the list bracketed by the grafs, where the last graf summed up and contextualized the big long list of crap the CISSP talks about. You obviously disagree, and I don't feel strongly. Please regard my edits as copyediting, not a content dispute.

--- tqbf 20:58, 4 December 2007 (UTC)

You missed my point. My initial writeup simply said that (ISC)2 "balances the CIA triad" in the CBK. To you, that statement seems to be a "positive light" on the entire article. The truth is that it's a factual statement regarding the CBK and the education materials presented by (ISC)2; i.e. see my previous remark about the CIA triad picture. The instructors and materials make a conscious effort to balance the three tenets in all the domains. You replaced my statement with "attempts to balance," which clearly implies that (ISC)2 falls short of reaching a balance while "trying" to do so. Now, I would like for you to point out where (ISC)2 fails to balance CIA tenets in its education or exam materials?
Also thanks for being honest about the credential hurting your career. What you see as a "long list of crap," we (the CISSPs) see as developments necessary in today's business world. Being bitter or jealous about failed exams will not help your career, and honestly you should put the time into studying the material, understanding the (ISC)2 approach to security and focusing on security from that perspective. Yes, that's my "long list of crap" advice, coming from a CISSP that teaches, speaks and writes on these topics. --Virgil Vaduva 21:17, 4 December 2007 (UTC)
The CISSP hurts my profession. My career's doin' fine, but thanks for the concern.
As I said, in neutral language, in an article with a clear POV dispute, anything you say the CISSP accomplishes --- for instance, contriving of a single certificate that balances the fundamentals of confidentiality, integrity, and availability --- must either be (a) sourced or (b) written in neutral language which does not imply success. The CISSP is profoundly unsuccessful.
Per WP:CIVIL, I emphatically request that you stop implying that I failed an exam of some sort, Virgil. You've been here since 2005, and you should know the rules. --- tqbf 21:21, 4 December 2007 (UTC)
As far as I can see, you are the only one thinking that this article has a POV dispute. Secondly, my initial statement did not claim anything about the certification "accomplishing" anything. The statement claimed that (ISC)2 materials offer a BALANCE between confidentiality, integrity and availability; this is a statement regarding the curriculum, and education materials, not the certification. It has nothing to do with the certification or the credential. So again, I need to ask, can you please show us where (ISC)2 fails to balance the CIA triad in their materials? A book, reference or a quote?
It's an interesting twist on WP:V you have there: article content doesn't need sourcing, but challenges do. Believe it or not, that's actually backwards from the official policy of the encyclopedia. --- tqbf 22:58, 4 December 2007 (UTC)
Regarding your emphatic request, I am sorry you were offended, but I asked you about it in all honesty and you did not answer. I have seen people failing CISSP exams and then going on a vendetta mission against (ISC)2 online, offline and in all situations I can think of; my question was asked in that context, so I have no idea if you are on some sort of mission here, or what. I do not think that I need to apologize for observing that you are upset or even bitter about "something" - whatever that may be, and this "something" seemingly affects your attitude and approach to editing this article. Do I have the right to make that observation, or do I need to apologize for noticing that too? :) --Virgil Vaduva (talk) 21:47, 4 December 2007 (UTC)
Virgil, I've been up front about what my POV is. I don't want you to apologize. I want you to stop talking about who you think I am, and start talking about the content. I shouldn't have to ask. My POV isn't going anywhere, so let's either (a) agree that the wording on the article as it stands is fine, and we're "arguing" about nothing, or (b) work to figure out neutral wording for things. --- tqbf 21:50, 4 December 2007 (UTC)

Tqbf's edits

I want to appeal to the community regarding Tqbf's edits. He reverted my recent changes in which I supplied specific references to Tipton & Henry, which is the official guide to the CISSP CBK, under the excuse that "it's copyrighted material from ISC2's website." This is the official book which defines the CBK, its purpose and its goals, not a website. It obviously serves as the ultimate authority on the nature of the CISSP certification and the nature of the CBK. If Tqbf thinks it's not an appropriate source, he needs to explain himself and provide another source that he thinks is more appropriate. I already asked him for sources and references three times so far to support his assertions and he failed repeatedly to provide them. --Virgil Vaduva (talk) 01:12, 6 December 2007 (UTC)

I know, after getting a message about the invading barbarian hordes of edit warriors from another interested editor, you've been placed on the defensive. But I assure you, I'm not out to get you, Virgil; I reverted your content once, with an explanation in the edit summary; you then simply undid my change without a similar explanation. You obviously care passionately about this excerpt of ISC2 promo material. Bless you for it. I'll take another stab at the now-unwieldy section later, when I have something more constructive to say.
In the meantime, the only change I've imposed on the article is to remove the jargon term "CBK" from the subhed. If that's a controversial change to you, reconsider whether you're too close to this subject to write about it. --- tqbf 01:19, 6 December 2007 (UTC)
You did not address any of the concerns I raised above. I have no problem with header names or titles as they are, so if you think CBK is "jargon" then don't use it at all, although I am not sure what rule you were invoking when you made that change. The CBK introduction will stay the way it is; it's the best and most accurate definition given by the people who created the materials. The references are included so please challenge the book if you have a problem with it.
Which concerns did I not address? I'll try again to address them. Also, I may be misreading you, but you may want to consult WP:OWN regarding what sections of this article will or won't be. Sorry if that sounds pedantic. If you're interested, WP:JARGON is in the manual of style. I'm obviously not objecting to using the term CBK (though it needs to be defined at first use) --- I'm objecting to the first use of the term being an article subhed. --- tqbf 01:39, 6 December 2007 (UTC)
I forgot to ask why you are making an allusion to "being on the defense?" Apparently you see this exchange as some sort of war. Why is that? I thought the purpose of Wikipedia was to work together to create better and accurate content. Why would you want to put me or anyone else on the "defense?" --Virgil Vaduva (talk) 01:38, 6 December 2007 (UTC)
What a strange thing to write. Have you considered whether this disagreement is in fact simply a huge misunderstanding? Re-read the talk page, as well as the messages you've been exchanging with your friend; I'm not using the word "war", you are. Sorry if the standard WP 3RR template confused the issue. --- tqbf 01:40, 6 December 2007 (UTC)
Regarding the specific matter of the quote from the Tipton & Henry book, wouldn't it be more appropriate copyright-wise to cook up an overview of the CBK based on, and citing this work as opposed to using the quote?
It looks to me like the key point of contention is the use of the qualifiers "intended as" and "attempts to." The latter one is currently still in the text so I guess that one is essentially resolved. In the current version, "According to ISC2..." seems fair as well - ISC2 intends the CBK to be a taxonomy. As I read it, it does not make an endorsement as to whether the CBK really is or is not complete/definitive/canonical/etc, but indicates simply what ISC2 says the CBK is. So perhaps having a paraphrased description along with both the citation and the qualifier might be a good compromise. Hope this helps... Jzerocsk (talk) 18:36, 6 December 2007 (UTC)
Since I'm the only one objecting to Virgil's change, it's worth pointing out: I just don't care all that much, although again I think it's clumsy and un-encyclopedic to (a) describe something concisely in an article and (b) precede that description with a graf consisting almost entirely of a promotional excerpt. There's really less of a dispute here than it seems, though; the only non-starter for me is putting the term "CBK" in a subhed. --- tqbf 18:51, 6 December 2007 (UTC)
Just to clarify, I agree that the quote should be replaced, but I think that the references to the Tipton/Henry book are valuable, so perhaps this could be a way to flesh out the CBK overview more than it was before without having the direct quote.
Also, I agree about the subheading for sure. Jzerocsk (talk) 20:47, 6 December 2007 (UTC)

See Also section

I am not quite sure why there is a link to CyberEthics in the See Also section. It seems to be common that similar/competing/complementary qualifications are listed in a See Also section but I am not sure about the relevance of the CyberEthics link. Unless anyone particularly objects I intend to remove it. Wordwizz (talk) 20:20, 29 May 2008 (UTC)

Criticism section

This has been discussed before, but it doesn't look like anyone has found suitable citations to back up the criticisms - it remains 'some critics say' without saying who the critics are. I will try to add some sources if I can find them, otherwise this section may need completely rewriting. Wordwizz (talk) 20:35, 2 July 2008 (UTC)

I have removed the 'criticism' that some say it is a mile wide and an inch deep, as I don't think the source supported this as a criticism, more as a point of view of the material which is extremely wide but doesn't necessarily expect you to be an expert - which is what the Shon Harris book states. I don't know if it is valid in this kind of article to have a specific criticism section or not, but I myself have not been able to find any published criticism beyond people's personal experience, so I question having this section at all. Perhaps if the rest of the article is balanced enough we don't need a specific criticism section? Comments? Wordwizz (talk) 19:52, 21 August 2008 (UTC)


so now there are criticisms present at all? it seems the vast majority of 'subject matter experts' here actually have the certificate. the one dissenter who was present was accused multiple times of having failed the test to get his CISSP. that there are no criticisms present seems very odd, given this certificate is highly criticized among infosec professionals. the final edit occurred as i was reading the talk page - the last entry i read talked about the one criticism i just read being removed.

before accusations that this random IP address failed his/her CISSP exam - i haven't taken it, and have no intentions of taking it (although i would if an employer forced me to, I would not suffix my name with ", CISSP").

i would say a highly respected certification that doesn't necessarily mean you are an expert (in anything) *is* a criticism, and a stinging one. the fact that the quote came from a supporter of the certification is only more damning.

i haven't followed the long list of links of critiques that was listed here (apparently none are 'authorities'), but i find it perplexing that given that any hint of controversy or critique has been edited out that anyone can find this 'balanced'.

if indeed the CISSP material is 'a mile wide and an inch deep' and that possession of one doesn't imply one is an expert, then it seems apparent that this certification would be of dubious use to an employer.

i don't get into an edit war and try to counter the small army of CISSP holders and those that deny the credentials of any of its critics - you have won. i do hope that at some point someone will take up the challenge of turning this into a NPOV article, and link to points of view that hold the opinion that the credential is harmful to the industry. good luck. —Preceding unsigned comment added by (talk) 00:05, 22 August 2008 (UTC)

As a CISSP holder for almost ten years now, I completely agree that it's a mile wide and an inch deep. I think that's an accurate criticism--that all a CISSP guarantees is a passing familiarity with ten important domains, rather than mastery of any of them. The real question, however, is whether there is a reliable source who has so criticized (or categorized) the CISSP. If we find one, let's include it, but I haven't personally searched for such a source. Jclemens (talk) 04:38, 22 August 2008 (UTC)
By way of explanation, it was not my intention to remove the criticism section as per my original comment above, but having removed the last comment, it then appeared that the rest of the article was criticism which it plainly wasn't. I certainly don't have the opinion that there shouldn't be criticism - just that it should be sourced, and I have yet to find any published reliable sources that we could use. Please if anyone has links then update away! Wordwizz (talk) 08:54, 22 August 2008 (UTC)

This article is obviously biased toward promotion of the CISSP certification. Lacks neutrality, fails to inform the reader of any kind of balanced information on taking or using the certification and should, quite simply, have criticisms added/restored. Arguing on the discussions page does not make these criticisms disappear as many Wikipedia users, such as myself, choose to read the discussions page to assess the neutrality of the information given.

1) Removing the criticism section does not make your certification more valuable. 2) CISSP holders do not represent the best of breed, security professionals - by a long shot. Often referred to as 'certification collectors' 3) Obvious bias toward promotion of this certification, actually devalues it! People are just not that dumb! —Preceding unsigned comment added by (talk) 07:09, 20 June 2009 (UTC)

A while back I was called in to fix a Windows WAMP server that had been hacked. The Administrator had left mysql with no root password, phpmyadmin in the obvious place, left remote desktop on and had a password that was six letters long and easily guessable... but he was CISSP. —Preceding unsigned comment added by (talk) 14:37, 27 March 2010 (UTC)

Criticism re-added. It's small, but it's sourced. Winged Cat (talk) 17:32, 3 April 2014 (UTC)

Links removed

Links to my open source CISSP resources are constantly removed, I wonder WHY as they are definitively relevant. Lately I have tried to add a couple of links to the CISSP post on Wikipedia. It seems that one of the moderators has his own agenda and is constantly removing my links claiming they are not relevant. The links are: and The first link is pointing to a free quiz engine that has over 2000 relevant questions to help people prepare for the CISSP exam. There is a banner at the top of the page but it is a banner I am giving for free to the person who programmed the quiz engine for free. The second link points to the first ever portal for the CISSP. It has hundreds of study guides, links, tips, tricks, tutorials, and a lot more. If this is what the moderator calls irrelevant then what is? On the external link list there is a link to the web site which is ONLY a commercial web site. Obviously the person who is removing my links is not familiar with the CISSP exam or has his own commercial agenda. I need help with this. I am sure there are people who have used my site in the past and can vouch for its relevancy and its content. ISACA, Microsoft, Information Security Magazine, Search Security, and dozens of others are recommending my site as the primary resource for the CISSP exam. Please help me to get my links on the page and help me to keep them there. Thanks Clement Dupuis Owner of the two portals above. You can contact me directly at -REMOVED PERSONAL INFO- if you wish. --J ClementDupuis(talk) 15:24, 24 March 2010(UTC)

I will contact the user Sephiroth storm (talk) 09:47, 27 January 2011 (UTC)


This section is far too small. The only one fighting the good fight here is User:tqbf. I am not friends with him, I work in infosec, I have not failed (nor taken) the CISSP exam. I would never support such a thing. This certification is terrible for the industry, but I lack the patience to deal with CISSPs in real life, let alone fight with them on WP. —Preceding unsigned comment added by (talk) 21:29, 1 April 2011 (UTC)

Merge suggestion

The following three articles must be merged here. Their contents are exactly the same besides the title. Staszek Lem (talk) 23:39, 15 January 2016 (UTC)

External links modified

Hello fellow Wikipedians,

I have just modified one external link on Certified Information Systems Security Professional. Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FaQ for additional information. I made the following changes:

When you have finished reviewing my changes, please set the checked parameter below to true or failed to let others know (documentation at {{Sourcecheck}}).

As of February 2018, "External links modified" talk page sections are no longer generated or monitored by InternetArchiveBot. No special action is required regarding these talk page notices, other than regular verification using the archive tool instructions below. Editors have permission to delete the "External links modified" sections if they want, but see the RfC before doing mass systematic removals. This message is updated dynamically through the template {{sourcecheck}} (last update: 15 July 2018).

  • If you have discovered URLs which were erroneously considered dead by the bot, you can report them with this tool.
  • If you found an error with any archives or the URLs themselves, you can fix them with this tool.

Cheers.—InternetArchiveBot (Report bug) 18:20, 18 November 2016 (UTC)

External links modified

Hello fellow Wikipedians,

I have just modified 3 external links on Certified Information Systems Security Professional. Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FaQ for additional information. I made the following changes:

When you have finished reviewing my changes, you may follow the instructions on the template below to fix any issues with the URLs.


Cheers.—InternetArchiveBot (Report bug) 02:43, 12 December 2017 (UTC)