The International Information Systems Security Certification Consortium ((ISC)2) will be making the requirements for the Certified Information Systems Security Professional (CISSP) certification more stringent.
Beginning Oct. 1, the minimum experience requirement for certification will be five years of relevant work experience in two or more of the 10 domains of the CISSP CBK, a taxonomy of information security topics (ISC)2 specifies, or four years of work experience with an applicable college degree or a credential from the (ISC)2-approved list.
Currently, CISSP candidates are required to have four years of work experience or three years of experience with an applicable college degree or a credential from the (ISC)2-approved list, in one or more of the 10 domains of the CISSP CBK.
Also beginning Oct. 1, CISSP candidates will be required to obtain an endorsement from an (ISC)2-certified professional.
Currently, candidates can be endorsed by an officer from the candidate’s organization if no CISSP endorsement can be obtained. The professional endorsing the candidate can hold any (ISC)2 base certification — CISSP, System Security Certified Practitioner (SSCP) or Certification and Accreditation Professional (CAP).
Sarah Bohne, (ISC)2 director of communications and member services, said that when (ISC)2 first formed it had just a few hundred credential holders, which is why the consortium elected to make this change now.
“We weren’t in a position to offer this before, so we said that it was all right if an officer of your corporation who worked with you could vouch for your ethics and background,” Bohne said.
Now, there are almost 50,000 CISSP members worldwide, which (ISC)2 considers a sufficient network for candidates to find endorsement.
“That just gives us an added level of reassurance that the candidates coming in, and the existing professionals who would endorse them, really take this seriously because their reputation and certification is on the line,” Bohne said. “They all subscribe to a code of ethics, and it just enhances that assurance for us.”
As for increasing the experience requirement, Bohne said this helps (ISC)2 maintain “the gold standard” for certification in information security.
“It assures candidates that when they pursue it and obtain [CISSP] that they are going to acquire something that has a lot of meaning and strong reputation in the market,” Bohne said. “It says something to an employer about not only their skills and abilities but also the depth and breadth of their knowledge.”
Could these more stringent requirements reduce the numbers of IT professionals certifying for CISSP? Maybe, but Bohne said numbers are not the point of CISSP.
“We have approximately 1,100 applicants sit for the CISSP exam every month,” Bohne said. “We want to focus not on the number of people who pass but the number of qualified people who pass the exam. Frankly, we’re not concerned about the numbers — we’re concerned about preserving the integrity of the credential.”
The consortium began developing this change to CISSP 18 months ago, and it won’t go into effect for another four months. That long gestation period for what is essentially just adjusting requirements was due to a need for careful consideration of the ramifications.
“We needed to study the impact on our existing members and do some focus groups and also think about the impact on certification candidates,” Bohne said. “It took a while to put all those pieces together, and we wanted to make sure we were doing the right thing for our existing credential holders and for the organization and profession.”