The (ISC)2 Organization

The CISSP certification is the result of cooperation among a number of North American professional societies, which established the International Information Systems Security Certification Consortium, (ISC)2, in 1989. (ISC)2 is a non-profit corporation whose sole function is to develop and administer the certification program. The organization defined a common body of knowledge (CBK) that establishes a shared vocabulary for information security professionals to communicate with each other and to sustain a dialogue in the field. This guide was created from the most recent CBK and the skills (ISC)2 describes for security professionals. At this time, the ten domains, in alphabetical order, are as follows:

  • Access Control

  • Application Security

  • Business Continuity and Disaster Recovery Planning

  • Cryptography

  • Information Security and Risk Management

  • Legal, Regulations, Compliance, and Investigations

  • Operations Security

  • Physical (Environmental) Security

  • Security Architecture and Design

  • Telecommunications and Networking Security

(ISC)2 conducts review seminars and administers examinations for information security practitioners who seek the CISSP, CAP, ISSEP, ISSAP, and ISSMP certifications.



Candidate CISSP Requirements

Beginning June 1, 2002, (ISC)2 divided the credentialing process into two steps: examination and certification. Once a CISSP candidate has been notified of passing the examination, he or she must have the application endorsed by a qualified third party before the CISSP credential is awarded. Another CISSP, the candidate's employer, or any licensed, certified, or commissioned professional can endorse a CISSP candidate.

After the examination is scored and the candidate receives a passing grade, a notification letter advises the candidate of his or her status. The candidate has 90 days from the date of the letter to submit an endorsement form. If the endorsement form is not received before the 90-day period expires, the application is void and the candidate must restart the entire process. Also, a percentage of the candidates who pass the examination and submit endorsements are randomly selected for audit and are required to submit a résumé for formal review and investigation.

You can find more information regarding this process at www.isc2.org.



The CISSP Examination

The examination questions are drawn from the CBK and are pitched at the level of a practitioner with three to five years of experience in the field. The examination consists of 250 English-language questions, of which 25 are not counted. The 25 are trial questions that might be used on future exams. They are not identified, so there is no way to tell which questions they are. The questions are not grouped by domain but are randomly arranged. There is no penalty for guessing, so candidates should answer every question, including those they are unsure of. Candidates have six hours for the examination.

The examination questions are multiple choice with four possible answers. No acronyms appear without an explanation. It is important to read the questions carefully and thoroughly and to choose the best possible answer of the four. As with any conventional test-taking strategy, a good approach is to eliminate two of the four answers and then choose the better answer of the remaining two. The questions are not of exceptional difficulty for a knowledgeable person who has been practicing in the field. However, most professionals do not work in all 10 domains; it is uncommon for an information security practitioner to cover all the diverse areas of the CBK in one job. For example, specialists in physical security might not be required to work in depth in computer law or cryptography as part of their job descriptions. The examination questions do not refer to any specific products or companies. Approximately 70 percent of the people taking the examination score a passing grade.