As of July 1, 2020, over 140,000 security professionals hold the CISSP certification. The Certified Information Systems Security Professional (CISSP) certification was introduced in 1994 by (ISC)², an international, nonprofit membership association and arguably the world's leading cybersecurity professional organization. It is designed to validate information security work experience and a working knowledge of security principles and practices.
This guide will examine the purpose and value of a CISSP designation by uncovering the certification costs and benefits. The requirements of qualifying for this professional designation are detailed as well.
The CISSP is not suitable for every security practitioner or executive, but it is one certification that should at least be considered by anyone building a career in information security at any level. For some security roles, such as IT director, security analyst, and chief information security officer, CISSP certification should be considered a requirement.
What is the Certified Information Systems Security Professional (CISSP) certification?
The CISSP is one of the most sought-after professional certifications in the security industry. The acronym stands for Certified Information Systems Security Professional, and the credential was created to demonstrate that a security professional is able to design, engineer, implement, and run an information security program.
Top salaries and a projected job growth rate far above average make obtaining a CISSP designation a priority for many security professionals.
An arduous exam and rigorous employment experience requirements make the CISSP challenging to obtain, but the popularity of this designation is an indication that obtaining certification is within the capabilities of most security career professionals.
What are CISSP requirements?
CISSP certification requirements combine work experience, peer endorsement, adherence to a code of ethics, and a passing score on the CISSP exam. A candidate must have a minimum of five years of cumulative, paid, full-time security work experience. One year of that requirement may be waived for holding a four-year college degree, a master's degree in information security, or one of several other approved certifications; only one such waiver is granted, regardless of how many of these a candidate holds.
In fulfilling its responsibility to build and maintain professionalism within the security industry, (ISC)² requires candidates to accept the CISSP Code of Ethics and to attest to the truthfulness of the professional experience and background stated in their application. Candidates should expect those assertions to be checked: (ISC)² may audit an application and ask for supporting documentation.
The pièce de résistance of the CISSP certification process is the exam itself: up to three hours and between 100 and 150 items, mostly multiple-choice. A candidate must pass this examination with a score of 700 points or more out of 1,000 possible points. Last but not least, a candidate must have their qualifications endorsed by an (ISC)² certification holder in good standing, who has themselves accepted the (ISC)² Code of Ethics.
While (ISC)² does not publish a comprehensive list of what employment experience qualifies as relevant for the CISSP certification, their promotional materials list the following jobs as ideal for holders of this certification:
- Chief information security officer
- Chief information officer
- Director of security
- IT director/manager
- Security systems engineer
- Security analyst
- Security manager
- Security auditor
- Security architect
- Security consultant
- Network architect
Security work experience submitted as part of a CISSP certification application is evaluated by (ISC)² for elements indicative of educational and professional achievement. Work that requires a college degree, management skills, or the regular application of security practices and principles carries particular weight.
A CISSP candidate may have worked in a wide variety of security positions but must prove work experience specific to two or more of the eight domains of the (ISC)² CISSP Common Body of Knowledge (CBK).
It is worth noting that a candidate without the required experience to become a CISSP may, after successfully passing the CISSP exam, become an Associate of (ISC)². The Associate of (ISC)² will then have six years to earn the experience needed for CISSP certification.
How much does obtaining a CISSP certification cost?
The total cost of preparing for a CISSP certification will vary depending on the candidate’s knowledge and experience. A candidate with a minimum of applicable knowledge and experience can choose a comprehensive CISSP course to help them prepare for the exam. In contrast, a more seasoned candidate may only need to brush up using a few books or videos.
CISSP courses designed to help candidates pass the test come in four formats: training, seminars, courseware, and self-study aids, all available directly from (ISC)² or one of its official training providers. In addition to official training providers, there are myriad websites, books, and videos designed to help candidates pass the CISSP exam. Care should be taken when considering unofficial sources for CISSP exam information: the exam format and domain weights have changed within the last few years, and older guides and training materials may be outdated.
Popular official training providers offer self-paced e-learning courses starting from $2,499. These courses include an exam voucher and a number of practice tests. Courses that include an instructor-led component start at around $2,900 and can cost over $4,400 depending on the level of instructor involvement. Some of these courses include an exam pass guarantee.
For candidates more inclined to piece together their own study materials, CISSP reference books and videos are widely available. Books run about $100 and videos about $300. Use the most current material available to avoid receiving outdated information.
Over and above the costs of training courses and materials, there are soft costs to consider as well. Time spent preparing for the exam requires sacrifice, and since time is money, those costs belong in the overall cost-benefit calculation. Even so, given the higher salaries and increased job opportunities enjoyed by CISSP holders, pursuing the certification will nearly always come out favorably in that equation.
There are also ongoing costs associated with maintaining a CISSP certification. Once certified, a holder must recertify every three years. Recertification is accomplished by earning 120 continuing professional education (CPE) credits over three years and paying a $125 Annual Maintenance Fee (AMF) to support the ongoing development of the program.
Deep dive into the CISSP exam
The CISSP exam cost is $699. A voucher for this fee is sometimes included in commercially available courses. English language tests are administered using Computerized Adaptive Testing (CAT). With this form of computer-administered testing, test items selected to be administered depend on the correctness of the test taker’s responses to previous items. In this way, the test adapts to the examinee’s ability level.
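The paragraph above describes adaptive testing in one sentence; the following added example (not (ISC)²'s exam engine, whose item bank, scoring model, and stopping rules are not public) shows the mechanism in working code. It assumes a hypothetical, constructed item bank, a one-parameter Rasch model for the probability of a correct answer, and a maximum-a-posteriori ability estimate on a grid. Each item is chosen by comparing its difficulty with the examinee's current ability estimate, so the sequence of items administered depends on how the examinee answered earlier items, which is the point the paragraph makes.

```python
import math
import random

# Constructed, hypothetical item bank: item id -> difficulty on the logit scale.
# This is NOT the CISSP item bank; it exists only to make the example runnable.
ITEM_BANK = {f"item{i:02d}": round(-2.5 + i * 0.25, 2) for i in range(21)}

# Candidate ability values searched by the estimator, -4.0 .. 4.0 in 0.1 steps.
GRID = [x / 10 for x in range(-40, 41)]


def p_correct(theta, difficulty):
    """Rasch (1PL) model: probability that an examinee of ability `theta`
    answers an item of the given difficulty correctly (assumed model)."""
    return 1.0 / (1.0 + math.exp(-(theta - difficulty)))


def estimate_ability(responses, prior_sd=2.0):
    """MAP estimate of ability given a list of (difficulty, was_correct) pairs.
    A weak normal prior centred on 0 keeps the estimate finite when every
    answer so far is correct (or every answer is wrong)."""
    best_theta, best_ll = 0.0, -math.inf
    for theta in GRID:
        ll = -0.5 * (theta / prior_sd) ** 2          # log of the normal prior
        for difficulty, correct in responses:
            p = p_correct(theta, difficulty)
            ll += math.log(p if correct else 1.0 - p)  # log-likelihood of answer
        if ll > best_ll:
            best_theta, best_ll = theta, ll
    return best_theta


def select_item(theta, remaining):
    """Under the 1PL model an item is most informative when its difficulty
    equals the current ability estimate, so pick the closest unused item.
    `remaining` is a sorted list, so ties resolve deterministically."""
    return min(remaining, key=lambda item: abs(ITEM_BANK[item] - theta))


def run_adaptive_test(true_theta, n_items=12, seed=1):
    """Simulate an examinee of (hidden) ability `true_theta` taking an
    adaptive test. Returns (final_estimate, administered) where
    administered is the ordered list of (item_id, was_correct)."""
    rng = random.Random(seed)               # seeded so the run is reproducible
    remaining = sorted(ITEM_BANK)
    responses, administered = [], []
    theta = 0.0                             # start at the prior mean
    for _ in range(n_items):
        item = select_item(theta, remaining)
        remaining.remove(item)
        correct = rng.random() < p_correct(true_theta, ITEM_BANK[item])
        responses.append((ITEM_BANK[item], correct))
        administered.append((item, correct))
        theta = estimate_ability(responses)  # next item depends on this
    return theta, administered


if __name__ == "__main__":
    for label, ability in (("strong examinee", 2.0), ("weak examinee", -2.0)):
        est, seq = run_adaptive_test(ability)
        path = " ".join(f"{ITEM_BANK[i]:+.2f}{'Y' if c else 'N'}" for i, c in seq)
        print(f"{label}: estimate {est:+.1f}; items (difficulty, correct): {path}")
```

Running the script prints, for each simulated examinee, the difficulty of every item administered and whether it was answered correctly. The strong examinee is steered toward harder items and the weak one toward easier items, even though both start from the same first item, which is why two candidates sitting the same adaptive exam see different questions and why a correct answer to a hard item counts for more than one to an easy item.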
The 100 to 150 items on the CISSP exam are drawn from the eight domains of the (ISC)² CISSP CBK. Each CBK domain is weighted as shown below:
| Domain of the CBK | Weight |
|---|---|
| Domain 1: Security and Risk Management | 15 percent |
| Domain 2: Asset Security | 10 percent |
| Domain 3: Security Architecture and Engineering | 13 percent |
| Domain 4: Communication and Network Security | 14 percent |
| Domain 5: Identity and Access Management (IAM) | 13 percent |
| Domain 6: Security Assessment and Testing | 12 percent |
| Domain 7: Security Operations | 13 percent |
| Domain 8: Software Development Security | 10 percent |
The CISSP exam is timed: each candidate has up to three hours to complete it. The test items are multiple-choice or advanced innovative items (for example, drag-and-drop and hotspot questions).
The pass/fail rate for CISSP exam takers is not publicly available. Some commercial training providers claim pass rates above 90 percent for their students, but this information is not readily verifiable. It is widely assumed in the security industry that the overall pass rate is below 50 percent, although that figure is equally unverified.
If the exam is failed on the first attempt, a candidate can retest after 30 days. If they do not pass the second time, they can retest after a further 60 days (90 days from the original test date). If they do not pass the third time, they can retest after a further 90 days (180 days from the first attempt). Candidates may attempt an (ISC)² exam at most four times within any 12-month period.
CISSP salary information
The CISSP is one of the most sought-after professional designations largely because it consistently ranks among the top-paying industry certifications. In 2018, (ISC)² reported that the average salary for CISSP holders was $131,030. (ISC)² has not published salary figures for subsequent years, but the ongoing skills gap in information security has very likely pushed CISSP salaries higher still.
The US Bureau of Labor Statistics indicates that expected job growth for Information Security Analysts for the years 2019 to 2029 is much faster than average at a 31 percent growth rate.
The CISSP is approved by the US Department of Defense (DoD) for its information assurance workforce and opens numerous opportunities within the US federal government. (ISC)² reports that its members earn 35 percent more than non-members.
The CISSP is a globally recognized certification and can open doors to international travel and positions around the world.
There are many professional certifications for information security practitioners to consider, but if there were only one, it would be the CISSP. It is the most widely recognized and comprehensive security certification available.
By design, the CISSP is challenging to obtain. The level of knowledge and experience required to earn certification is integral to its value to employers. A CISSP is requisite for many high-level security roles and provides a standard by which security leaders are measured.