CISSP certification is evolving

News from the (ISC)2, Part 1
Security Strategies Alert, by M. E. Kabay, Network World, 08/21/2007

Mich Kabay takes a high-level view of security issues and provides resources to help safeguard your corporate and personal security.

I recently spoke with Ed Zeitler, executive director of the (ISC)2, about recent developments at this important certification body for security professionals. In part one of this two-part series, Zeitler discusses the recent changes in the requirements for the Certified Information Systems Security Professional designation and the recent acceptance of CISSP as an international standard.

* Tell us about the recent changes in CISSP certification requirements.

There are three basic changes. First, experience goes from four years to five years. Second, in the past, you had to show experience in only one domain of the Common Body of Knowledge (CBK); now you need experience in at least two domains. Finally, the endorsement for applicants to the base certifications (i.e., CISSP, SSCP and CAP) must come from another (ISC)2-certified person who subscribes to the (ISC)2 Code of Ethics.

* What led to the changes?

We are committed to maintaining the professionalism and integrity of the certification. Our latest global survey of information security professionals (with over 4,000 respondents) who have responsibility for managing and developing security policies showed they have an average of 8.6 years of experience. We regularly revise our CBK and our examinations to keep them rigorous and relevant to the ever-changing threat environment.

We do not want to lower the bar to meet increasing demands for certifications; we want the industry to rise up to meet those demands. Management must have confidence in our certifications and we want to ensure that rigor is maintained and recognized.

IDC has estimated that there are 1.5 million people in the world doing information security, and we currently have around 50,000 certificate holders. So our certified members are an elite group.

* How will the changes help to achieve your goals?

We want to keep pace with the complex demands of information security today. To ensure that our certifications remain the gold standard in the industry, additional measures of experience are necessary to prove that candidates clearly demonstrate a thorough understanding of how to implement an effective information security program and manage information security risks.

In changing the endorsement requirement so that only an (ISC)2-credential holder can endorse a candidate, we are better assured that the candidate will make the same ethical commitment as his or her endorser. And by vouching for the integrity of the candidate, the endorser is in effect putting his or her own professional reputation on the line.

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services. CV online.
