Information Systems Security Architecture Professional (CISSP-ISSAP)
Information Systems Security Engineering Professional (CISSP-ISSEP)
Information Systems Security Management Professional (CISSP-ISSMP)
The CISSP certification covers eight domains of information security knowledge. These domains are meant to serve as the broad knowledge foundation required to succeed in the information security profession.
Security and Risk Management
Asset Security
Security Architecture and Engineering
Communication and Network Security
Identity and Access Management (IAM)
Security Assessment and Testing
Security Operations
Software Development Security
The CISSP domains are periodically updated by (ISC)2. The most recent revision May 1, 2021 slightly modified the weighting for Communication and Network security from 14 percent to 13 percent while increasing the focus on Software Development Security from 10 percent to 11 percent. It also added or expanded coverage of topics such as the data management lifecycle, microservices, containerization, serverless computing, quantum computing, 5G networking, and modern security controls.
Complete details on the CISSP Common Body of Knowledge (CBK) are contained in the Exam Outline. It includes a full outline of exam topics, can be found on the (ISC)2 website at www.isc2.org
.
Taking the CISSP Exam
The English version of the CISSP exam uses a technology called computer adaptive testing (CAT). With this format, you will face an exam containing between 100 to 150 questions with a three-hour time limit. You will not have the opportunity to skip back and forth because the computer selects the next questions that it asks you based upon your answers to previous questions. If you're doing well on the exam, it will get more difficult as you progress. Don't let that unnerve you!
Other versions of the exam in French, German, Brazilian Portuguese, Spanish, Japanese, Simplified Chinese, and Korean use a traditional linear format. The linear format exam includes 250 questions with a six-hour time limit. For either version of the exam, passing requires achieving a score of at least 700 out of 1,000 points. It's important to understand that this is a scaled score, meaning that not every question is worth the same number of points. Questions of differing difficulty may factor into your score more or less heavily, and adaptive exams adjust to the test taker.
That said, as you work through these practice exams, you might want to use 70 percent as a goal to help you get a sense of whether you're ready to sit for the actual exam. When you're ready, you can schedule an exam at a location near you through the (ISC)2 website.
Questions on the CISSP exam are provided in both multiple-choice form and what (ISC)2 calls advanced innovative questions, which are drag-and-drop and hotspot questions, both of which are offered in computer-based testing environments. Innovative questions are scored the same as traditional multiple-choice questions and have only one right answer.
(ISC)² exam policies are subject to change. Please be sure to check isc2.org for the current policies before you register and take the exam.
Computer-Based Testing Environment
CISSP exams are now administered in a computer-based testing (CBT) format. You'll register for the exam through the Pearson Vue website and may take the exam in the language of your choice. It is offered in English, French, German, Portuguese, Spanish, Japanese, Simplified Chinese, Korean, and a visually impaired format.
You'll take the exam in a computer-based testing center located near your home or office. The centers administer many different exams, so you may find yourself sitting in the same room as a student taking a school entrance examination and a healthcare professional earning a medical certification. If you'd like to become more familiar with the testing environment, the Pearson Vue website offers a virtual tour of a testing center.
home.pearsonvue.com/test-taker/Pearson-Professional-Center-Tour.aspx
When you take the exam, you'll be seated at a computer that has the exam software already loaded and running. It's a pretty straightforward interface that allows you to navigate through the exam. You can download a practice exam and tutorial from the Pearson Vue website.
http://www.vue.com/athena/athena.asp
At the time this book went to press, (ISC)2 was conducting a pilot test of at-home computer-based exams for CISSP candidates in the United States. It is possible that this pilot will be extended to a permanent product and may become available in additional countries. Check the (ISC)2 website for more information.
Exam Retake Policy
If you don't pass the CISSP exam, you shouldn't panic. Many individuals don't reach the bar on their first attempt, but gain valuable experience that helps them succeed the second time around. When you retake the exam, you'll have the benefit of familiarity with the CBT environment and CISSP exam format. You'll also have time to study the areas where you felt less confident.
After your first exam attempt, you must wait 30 days before retaking the computer-based exam. If you're not successful on that attempt, you may re-test after 60 days. If you don't pass after your third attempt, you can re-test after 90 days for that and any subsequent attempts. You can’t take the test more than 4 times within a single calendar year. You can obtain more information about (ISC)2 and its other certifications from its website at www.isc2.org
.
Work Experience Requirement
Candidates who want to earn the CISSP credential must not only pass the exam but also demonstrate that they have at least five years of work experience in the information security field. Your work experience must cover activities in at least two of the eight domains of the CISSP program and must be paid, full-time employment. Volunteer experiences or part-time duties are not acceptable to meet the CISSP experience requirement.
You may be eligible to waive one of the five years of the work experience requirement based upon your educational achievements. If you hold a bachelor's degree or four-year equivalent, you may be eligible for a degree waiver that covers one of those years. Similarly, if you hold one of the information security certifications on the current (ISC)2 credential waiver list (www.isc2.org/credential_waiver/default.aspx
), you may also waive a year of the experience requirement. You may not combine these two programs. Holders of both a certification and an undergraduate degree must still demonstrate at least four years of experience.
If you haven't yet completed your work experience requirement, you may still attempt the CISSP exam. Individuals who pass the exam are designated Associates of (ISC)2 and have six years to complete the work experience requirement.
Recertification Requirements
Once you've earned your CISSP credential, you'll need to maintain your certification by paying maintenance fees and participating in continuing professional education (CPE). As long as you maintain your certification in good standing, you will not need to retake the