
As the networked world continues to shape and impact every aspect of our lives, threats to the global network infrastructure continue to rise in parallel.

That's why there has never been a greater urgency for a global standard of excellence for those who protect the networked world.

That has been the mission of the International Information Systems Security Certification Consortium (ISC)² from its inception. Formed in 1989 by multiple professional associations to develop an accepted industry standard for the practice of information security, (ISC)² created the information security industry's first and only CBK, a global compendium of industry best practices. Continually updated to incorporate rapidly changing technologies and threats, the CBK continues to serve as the basis for (ISC)²'s education and certification programs.

Just as technology and its impact on society have dramatically changed since (ISC)² was first envisioned, so has the role of information security professionals. The need for highly qualified information security professionals to protect information assets has now been accepted by organizations worldwide, both private and public. In recent years, the rise of the Chief Information Security Officer position has been a watershed event in the influence and significance of the information security professional in maintaining effective IT governance and risk management.

Results from the 2005 Global Information Security Workforce Study, conducted by global analyst firm IDC and sponsored by (ISC)², revealed that ultimate responsibility for information security moved up the management hierarchy, with more respondents identifying the board of directors and CEO, or a CISO/CSO, as being accountable for their company's information security. The study also showed that nearly 75 percent of all respondents believed their influence with executives and the board of directors would increase in the coming year. These findings bode well for the profession and for effective security infrastructure.

(ISC)² is continuing to do its part to assist all those who choose this profession and to proliferate standards for professionalism, whether by creating the first information security career guide for high school and college students to meet the growing demand for new talented entries into the field, establishing Affiliated Local Interest Groups to meet the peer networking and professional growth needs of (ISC)² members and other information security professionals worldwide, working with top organizations such as Microsoft to require certifications of security partners, or organizing seminars around the world with the most respected thought leaders in the industry.

With the ever-growing importance to organizations and society at large, (ISC)² remains committed to ensuring that the highest standards of information security are maintained by certified professionals worldwide. Its Certified Information Systems Security Professional (CISSP) certification, considered the Gold Standard in the information security industry, continues to be an invaluable tool in independently validating a candidate's expertise in developing information security policies, standards and procedures, as well as managing implementation across the enterprise.

In addition to passing the six-hour CISSP exam, applicants must be endorsed by an existing (ISC)² credential-holder, demonstrate sufficient professional experience in one or more of the CBK domains, and subscribe to the (ISC)² Code of Ethics. The Code of Ethics describes the professional behavior expected of the CISSP.

A major factor that sets the CISSP apart from other security certifications is the breadth of knowledge and the experience necessary to pass the exam. CISSP candidates can't be overly specialized in just one domain; they must know and understand the full spectrum of the CBK to become certified. In order to maintain their certification, holders of the CISSP are required to earn 120 Continuing Professional Education (CPE) credits every three years. CPE credits are earned through activities related to the information security profession including, but not limited to, the following:

  • Attending educational courses or seminars
  • Attending security conferences
  • Being a member of an association chapter and attending meetings
  • Listening to vendor presentations
  • Completing university/college courses
  • Providing security training
  • Publishing security articles or books
  • Serving on industry boards
  • Self-study
  • Completing volunteer work, including serving on (ISC)² volunteer committees

Re-certification is required for information security professionals to maintain their CISSP title.
In addition, the CISSP was the first information security credential to be accredited by ANSI (American National Standards Institute) under ISO/IEC standard 17024. ISO/IEC 17024 establishes a global benchmark for certification of personnel and is becoming increasingly important to organizations for ensuring competency in different professions.

Applicants must have a minimum of five years of direct full-time security professional work experience in two or more of the ten domains of the (ISC)² CISSP CBK.

CISSP professional experience includes:

  • Work requiring special education or intellectual attainment, usually including a liberal education or college degree.
  • Work requiring habitual memory of a body of knowledge shared with others doing similar work.
  • Management of projects and/or other employees.
  • Supervision of the work of others while working with a minimum of supervision of one's self.
  • Work requiring the exercise of judgment, management decision-making, and discretion.
  • Work requiring the exercise of ethical judgment (as opposed to ethical behavior).
  • Creative writing and oral communication.
  • Teaching, instructing, training and the mentoring of others.
  • Research and development.
  • The specification and selection of controls and mechanisms (i.e. identification and authentication technology) (does not include the mere operation of these controls).
  • Applicable titles such as officer, director, manager, leader, supervisor, analyst, designer, cryptologist, cryptographer, cryptanalyst, architect, engineer, instructor, professor, investigator, consultant, salesman, representative, etc. Title may include programmer. It may include administrator, except where it applies to one who simply operates controls under the authority and supervision of others. Titles with the words "coder" or "operator" are likely excluded.

The applicant must meet the following requirements to qualify to sit for the examination:

  A. Subscribe to the (ISC)² Code of Ethics; and
  B. Have a minimum five years* of direct full-time security professional work experience in two or more of the ten domains of the information systems security CBK®.

Waiver of Experience: If certain circumstances apply and with appropriate documentation, candidates are eligible to waive a maximum of two years of professional experience* as follows:

  • One-year waiver of the professional experience requirement for education.
    Candidates can substitute a maximum of one year of the direct full-time security professional work experience described above if they have a four-year college degree OR a Master's Degree in information security from a U.S. National Center of Academic Excellence in Information Security (CAEIAE) or regional equivalent. If you hold both a four-year degree and a Master's degree, you may only apply for a one-year waiver of experience.
  • One-year waiver of the professional experience requirement for holding an additional credential on the (ISC)² approved list.

Valid experience includes information systems (IS) security-related work performed as a practitioner, auditor, consultant, investigator or instructor that requires IS security knowledge and involves the direct application of that knowledge. The four years of experience must be the equivalent of actual full-time IS security work (not just IS security responsibilities for a four-year* period); this requirement is cumulative, however, and may have been accrued over a much longer period of time.

Maintenance Requirements
Upon successfully passing the CISSP examination, you will receive your certificate and ID card. You also become eligible to be listed in the CISSP Directory, can elect to participate in the Speakers' Bureau, serve on (ISC)² committees and participate in its annual elections.

Recertification is also required every three years, with ongoing requirements to maintain your credentials in good standing. This is primarily accomplished through continuing professional education (CPE), 120 credits of which are required every three years. More information on qualifying CPEs will be available upon certification.