
CISSP certification is evolving

News from the (ISC)2, Part 1

Security Strategies Alert By M. E. Kabay, Network World
August 21, 2007 10:09 AM ET

I recently spoke with Ed Zeitler, executive director of the (ISC)2 about recent developments at this important certification body for security professionals. In part one of this two-part series, Zeitler discusses the recent changes in the requirements for the Certified Information Systems Security Professional designation and the recent acceptance of CISSP as an international standard.

* Tell us about the recent changes in CISSP certification requirements.

There are three basic changes. First, experience goes from four years to five years. Second, in the past, you had to show experience in only one domain of the Common Body of Knowledge (CBK); now you need experience in at least two domains. Finally, the endorsement for applicants to the base certifications (i.e., CISSP, SSCP and CAP) must come from another (ISC)2-certified person who subscribes to the (ISC)2 Code of Ethics.

* What led to the changes?

We are committed to maintaining the professionalism and integrity of the certification. Our latest global survey of information security professionals (with over 4,000 respondents) who have responsibility for managing and developing security policies showed they have an average of 8.6 years of experience. We regularly revise our CBK and our examinations to keep them rigorous and relevant to the ever-changing threat environment.

We do not want to lower the bar to meet increasing demands for certifications; we want the industry to rise up to meet those demands. Management must have confidence in our certifications and we want to ensure that rigor is maintained and recognized.

IDC has estimated that there are 1.5 million people in the world doing information security, and we currently have around 50,000 certificate holders. So our certified members are an elite group.

* How will the changes help to achieve your goals?

We want to keep pace with the complex demands of information security today. To ensure that our certifications remain the gold standard in the industry, additional measures of experience are necessary to prove that candidates clearly demonstrate a thorough understanding of how to implement an effective information security program and manage information security risks.

In changing the endorsement requirement so that only an (ISC)2-credential holder can endorse a candidate, we are better assured that the candidate will make the same ethical commitment as his or her endorser. And by vouching for the integrity of the candidate, the endorser is in effect putting his or her own professional reputation on the line.

* How did you respond to the recent announcement from the U.S. federal government that all of its Information System Security Officers (ISSO) would have to achieve formal security certification?

We have participated in a number of U.S. federal government programs that are aimed at professionalizing the workforce. Our involvement began before my tenure here at (ISC)2, but I am now actively involved. Our long history, the quality of our certifications and the fact that they are accredited by the International Organization for Standardization (ISO) are important to the government experts.

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.
