The purpose of this article is to discuss the various options for getting CISSP certified and to answer some of the common questions that arise. If you have any further questions then by all means leave a comment at the foot of the article. The bottom line in terms of getting certified is that there are two primary hurdles:
- you must pass the CISSP exam
- you must have 5 (or in some circumstances 4) years of relevant experience
Although you may have your sights set on the exam and are concentrating on that being the challenge, it’s important that you consider the experience requirement carefully. From the point that you pass the exam, you start a timer which gives you 6 years to certify. If you don’t manage this, you have to take the exam again (which no one wants to have to do, believe me, once is enough). This 6 year window gives you time to build up your experience in order to get certified but what sort of experience do you require?
The first thing to know, is how much experience is needed. You may have noticed that in the bullet points above I referred to either 5 or 4 years being required. This depends on whether you can waive a year by having a relevant qualification or certification. The (ISC)2 guidelines state that:
“A candidate shall be permitted a waiver of one year experience if:
Based on a candidate’s education
Candidates can substitute a maximum of one year of direct full-time security professional work experience described above if they have a four-year college degree or regional equivalent or an advanced degree in information security from the U.S. National Center of Academic Excellence in Information Assurance Education (CAE/IAE).
For holding an additional credential on the (ISC)² approved list below
Valid experience includes information systems security-related work performed as a practitioner, auditor, consultant, investigator, or instructor that requires information security knowledge and involves the direct application of that knowledge. The five years of experience must be the equivalent of actual full-time information security work (not just information security responsibilities for a five-year period); this requirement is cumulative, however, and may have been accrued over a much longer period of time.”
(source: (ISC)2 February 2017)
So, if you want to use 4 rather than 5 years, you either need an undergraduate degree (or the alternative listed above) or you need a credential from the approved list. In addition the work must be paid and cover at least two of the 8 domains from the Common Body of Knowledge. The best source that I’ve found to decide whether your experience is sufficient, is to use the exam outline provided by (ISC)2 because it breaks down each domain into sub topics, which make it much easier to gauge your level of relevant experience. You can download a free copy of the exam outline here.
Planning when to take the exam
By now you should have noticed that this decision is dictated largely by how you intend to fulfill the experience requirement. If you already have the 4/5 years of experience then it doesn’t matter when you pass. If you’re looking to change careers and feel being certified would be of benefit, or if you have a significant period of free time in which to study, then of course these factors will affect your decision of when to take the exam, but having the experience already makes the tactical decision of when to study for/take the exam moot.
You can pass the exam without the experience and become an Associate of (ISC)2. This effectively means that you get to bank your exam for 6 years, at the end of which you must have your 4/5 years of experience in order to certify as a full CISSP. You can call yourself an Associate of (ISC)2 but cannot call yourself CISSP, or imply that you are certified in any way while you are an associate. This 6 year timer can give you a good idea of how to plan your certification if you don’t yet have the required amount of experience. There are a number of situations you may find yourself in which I have laid out below:
- you have no relevant experience and are not in a job that will give you that experience
- you have no relevant experience but have started a permanent full time job that will give you the relevant experience (in 2+ domains)
- you have some years of relevant experience but are short of the required 4-5 years
If you fall into scenario 1 you may wish to think twice about whether you really want to study for the exam just yet. If you pass, you then have the pressure of finding the relevant 4-5 years of experience when don’t yet even have a job that will give you that experience. My recommendation in this case is to wait until you are in a relevant role. For those of you who are in scenario 2 then there’s nothing stopping you taking the exam and becoming an Associate of (ISC)2 until you have accrued the relevant experience. Your timing in this case will probably depend on when you have the time to study (e.g. if you’re planning on having children in the next couple of years then now might be a better time to hit the books!). The 3rd scenario is similar but gives you a little more of a cushion in that you can already knock some time of the 4/5 year requirement.
The decision of when to study for and take the CISSP exam depends on a combination of:
- how you will fulfill the experience requirement
- when you will have sufficient time to study
- when you are planning a career change that would benefit from being certified
The long and short of it is that you must either have the required 4/5 years of experience when you pass the exam, or be confident that you will have within 6 years of passing the exam. If you have found this article useful or have any feedback please comment below and share with anyone you think might benefit from it! You can also get hold of study materials to help you pass your exam from the resources page!