Understanding CISSP Requirements

By SolarWinds MSP
18 April, 2019

The CISSP certification was named the “most valued credential among employers by a margin of 3 to 1” in Cybersecurity Trends Spotlight and Report. On LinkedIn, CISSP is the most required security certification for IT professionals working in this field. In this environment, it’s imperative that MSPs are familiar with CISSP, what it stands for, and how to become CISSP certified. 

What is CISSP?

CISSP stands for Certified Information Systems Security Professional. It’s a certification offered by the (ISC)², an international, nonprofit association for IT and cybersecurity professionals. The certification validates an IT professional’s experience in designing, implementing, and managing cybersecurity programs. 

CISSP was introduced in 1994 and approved by the US Department of Defense shortly thereafter. It’s the first security certification to meet the ISO/IEC Standard 17024, making it the gold standard in cybersecurity qualifications. The certification is available in 114 countries, and there are around 129,000 professionals who currently hold the CISSP certification. It’s a great way for IT professionals to set themselves apart as experienced and knowledgeable cybersecurity managers. 

What are the requirements for CISSP certification?

Becoming certified as a CISSP is an involved process, which may be why there are so few CISSP professionals relative to the global IT security population. To qualify to take the exam, a candidate must first have at least five years of paid work experience in two or more of the eight CISSP domains. A four-year college degree, a regional equivalent, or an additional credential from a pre-approved (ISC)² list can be substituted for one year of requisite experience.

Newer IT professionals who don’t have the requisite experience are still eligible to take the CISSP exam. However, they will not become full CISSP certified professionals—rather they will become an Associate of (ISC)² and have six years to earn the five years of experience necessary to be a CISSP. 

There are some caveats when it comes to what the (ISC)² considers to be “professional work experience.” The association is looking for deep, meaningful professional experience, time dedicated specifically to at least two of their eight cybersecurity domains. As such, there are definitions as to what counts as “experience”:

  • Full-time experience: a minimum of 35 hours a week for four weeks counts as one month of work experience.
  • Part-time experience: cannot be less than 20 hours a week or more than 34 hours a week.
  • Both paid and unpaid internships count toward the experience requirement, but to qualify, an applicant must submit verification of time worked on the organization’s official letterhead.

By those definitions, 1,040 hours of part-time experience is the equivalent of six months of full-time experience. In total, CISSP requirements include five years cumulative paid work experience—so applicants need to make sure their full-time and part-time hours meet the strict definitions before embarking on the CISSP certification process. 

Applicants who have enough experience can take the CISSP exam. The exam is made up of 100 to 150 CISSP domain-related questions, and participants can take up to three hours. It’s an expensive proposition: the CISSP exam for U.S. candidates is $549 or $599, depending upon whether you do an early registration or standard registration. Passing the CISSP exam means achieving a score of 700/1000 or higher. 

The final step is to complete an (ISC)² endorsement within nine months of passing the exam. There is an online application to be endorsed by an (ISC)²-certified professional, i.e., someone who is already a part of the (ISC)² association. The endorsement asks this member to attest that you have the professional experience. If you don’t know anyone who is a CISSP or (ISC)² certified, the organization can act as an endorser on your behalf. This final formality is the last step to becoming a member of the (ISC)². CISSPs will need to recertify every three years, which means earning continuing professional education credits and paying an annual membership fee.

What are the 8 domains of CISSP?

The (ISC)² CISSP exam covers eight domains to certify that professionals have a holistic understanding of cybersecurity. Remember, you must have work experience in at least two of these domains in order to become certified.

1/ Security and Risk Management

How can cybersecurity managers set expectations and guide organizations to recognize and mitigate potential threats? This domain covers topics such as standards for information security and setting up a framework for organizations to keep data safe. Questions are primarily concerned with how to establish security governance principles that:

  • Align security with business strategy, goals, missions, and objectives 
  • Set forth guidelines for organizational processes (e.g., acquisitions, divestitures, governance committees) 
  • Delineate organizational roles and responsibilities 
  • Establish security control frameworks 
  • Maintain due care/due diligence processes

Compliance, ethics, regulatory, and legal issues are also covered under this section. Roughly 15% of the exam questions are concerned with Security and Risk Management, making this one of the biggest topics for CISSP verification.

2/ Asset Security

Questions covered under Asset Security are concerned with the physical management of information and device protection. Under this domain, applicants should know how to outline ownership rules for devices, data storage accounts, databases, and more. Other questions might cover: 

  • Classifying information and assets
  • How to maintain asset ownership and privacy
  • Data security protocols and internal controls

Asset Security questions are only about 10% of the exam, but nevertheless, it’s an important part of cybersecurity in which all professionals should be well-versed. 

3/ Security and Architecture Engineering

This domain covers how to keep data and business information secure. This might entail knowledge on encryption methods and strategic deployment, how to keep physical sites secure, and recognizing and resolving vulnerabilities. This technical section will also cover ways to assess security vulnerabilities in: 

  • Web-based systems
  • Mobile systems
  • Embedded devices
  • Client-based systems
  • Server-based systems
  • Database systems
  • Cryptographic systems 
  • Cloud-based systems
  • Internet of Things (IoT)
  • Industrial Control Systems
  • Distributed systems

Applicants should also study on-site security, such as fire prevention, wiring closets, and other physical infrastructure that could present a vulnerability. It’s estimated that 13% of exam questions cover this domain.

4/ Communication and Network Security

CISSP professionals should know about communication and network security as it relates to creating secure communication channels for internal messaging. This covers emails, enterprise messaging, and more. This domain will include questions regarding:

  • Secure network components, such as transmission media and Network Access Control (NAC) devices
  • How to implement secure design principles in network architectures
  • Design best practices for implementing secure communication channels

This is another big section on the exam: expect about 14% of the material to cover Communication and Network Security. 

5/ Identity and Access Management

Access Management is primarily concerned with who is able to access an enterprise’s data, as well as what internal controls are in place to restrict or grant user access. CISSP professionals should know how to establish individual login credentials, create protocols for off-site access, and more. Topics in this domain will include: 

  • Implementing authorization mechanisms, such as role-based access control (RBAC), rule-based access control, mandatory access control (MAC), and others
  • Managing the identification and authentication of users and devices
  • Controlling physical access to assets and sites

Applicants can expect around 13% of the exam to be related to Identity and Access Management questions. 

6/ Security Assessment and Testing

A CISSP professional should be able to assess the effectiveness of different methods of security and identify vulnerabilities. This domain is similar to Security and Risk Management, but it covers the actual processes and methods one would use to test and monitor security. That might include topics such as: 

  • How to design and audit internal, external, and third-party security strategies
  • How to conduct different security control tests
  • Collecting key performance and risk indicators
  • Internal, external, and third-party site security audits 

Overall, Security Assessment and Testing topics make up 13% of the exam. This domain is heavily related to the next one, Security Operations.

7/ Security Operations 

Like Security Assessment and Testing, this domain covers action items that security teams will perform regularly. Security Operations is of paramount importance in every industry, so it’s a good domain to understand before sitting for the CISSP exam. How can security teams put their limited resources to best use securing an organization’s information? Topics will include: 

  • How to understand and support security investigations
  • Security provisioning, including asset management and inventory and configuration management
  • How to conduct logging and monitoring activities
  • Putting resource protection techniques into use

There are many more topics covered under this domain, so pay close attention during your preparation. Security Operations questions will make up about 13% of the CISSP exam. 

8/ Software Development Security

Last, but not least, software development security concentrates on how IT professionals identify, buy, use, and analyze software to keep their information secure. Questions in this domain will cover items such as: 

  • Security in the Software Development Life Cycle (SDLC) 
  • How to assess a software’s security effectiveness
  • Secure coding guidelines and best practices

This final domain is only 10% of the exam’s questions, but important nonetheless. 

Why get CISSP certified? 

CISSP certification has many benefits for managed services providers (MSPs). It can lead to higher billing rates and give you the growth and learning to stay apprised of evolving cybersecurity threats. According to the (ISC)², CISSP members earn 35% more than nonmembers. There are other tangible benefits to joining the (ISC)², including discounts on industry conferences, webinars, and other professional development opportunities, and free or discounted subscriptions to magazines and other industry resources. Overall, CISSP gives IT professionals the background and knowledge they need to keep a company’s data and network secure.

Learn more about ways that CISSP-certified professionals are using information security products by visiting our resource library. 
