Done. The 6-hour exam with its 250 questions is finally in the past. Yes, I am talking about the famous CISSP or the “Certified Information Systems Security Professional” exam from ISC2. This is the certification that most information security professionals will try to obtain at one point in their career. Why? For most recruiters and companies that are looking for a professional in information security, the CISSP is now the golden ticket for employment in this field.
Studying
I would say that it all started in 2015. Back then, I decided to pursue the SSCP or the “System Security Certified Practitioner” from the same organization. This was a shorter exam, which is a little more technical, but not deeply technical either. It helped me have a first experience with an ISC2 exam before pursuing the CISSP. Both exams share some similar domains, but not necessarily at the same level.
For studying, I only bought the official study guide, the CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide, which I think is really well written. Knowing that I perform much better when I have the occasion to practice beforehand, I used the official practice tests, the CISSP Official (ISC)2 Practice Tests and even the mobile application (the mobile application doesn’t exist anymore), which is really great to use during daily transit. There are many resources available with thousands of questions.
The exam itself is as with any exam, just longer and more expensive. What about the duration? In about 4 hours, I was able to answer the questions and review a few trickier ones.
Criticisms
There are some criticisms on this certification among professionals in information security. There seems to be a misconception about the knowledge and experience obtained with this certification. These days, a company will look first for a candidate with a CISSP for any kind of role related to the world of information security. It could be from the typical information security analyst to any technical role such as penetration testers, security architect, encryption specialists, security cloud specialists, etc. This is the biggest mistake.
In my opinion, this certificate is a management level certification giving better insight into policies and standards. The CISSP will be able to guide and manage the information security objectives of an organization. However, the person in this role will be supported by people with technical know-how. It is not a technical certification. Obviously, it depends on the person’s professional background since it is possible to have a CISSP holder with a deep understanding of the technical concepts.
Certification
Well, it is now the waiting period. I will hopefully obtain the CISSP certification some time in 2019 after I have completed the required experience. Every holder must have 4 to 5 years of direct information security experience in at least 2 of the 8 domains. However, I must admit that this is a great advantage for this certification. There is a one year waiver possible depending on previous academic experience and other certifications. I also had a similar situation with the CISA where there is a 2 to 5 year requirement.
What’s next after the CISSP?
I am still unsure about the next step. I think I have completed the majority of relevant certifications. On the other hand, I am always curious in privacy matters and I would like to be more proficient in questions related to privacy law. There is indeed a certification that piqued my interest from the International Association of Privacy Professionals but it will be for a different post…