Security Certifications - (ISC)2

The security certifications provided by the International Information Systems Security Certification Consortium, otherwise known as (ISC)2, are globally recognized and are probably the most highly regarded certifications in the industry. These are general (non-vendor-specific) certifications that address a variety of experience levels and areas of focus. The Certified Information Systems Security Professional, more commonly known as the CISSP, is the best-known security certification offered, but there are a number of other valuable certifications provided by (ISC)2.

Security Certifications Available

Associate of (ISC)2 – This is a status available to those who pass the SSCP or CISSP exams but do not have the required years of professional experience to qualify for those certifications. This status provides (ISC)2 benefits that are available to those with certifications until the necessary experience has been accrued.

Systems Security Certified Practitioner (SSCP) – This is an entry-level certification for those with at least one year of professional experience.

Certification and Accreditation Professional (CAP) – This is a certification for those who are responsible for accrediting and certifying the security of information systems.

Certified Secure Software Lifecycle Professional (CSSLP) – For anyone involved in the software development life cycle, this certification addresses the need to incorporate security controls throughout the entire life cycle.

Certified Information Systems Security Professional (CISSP) – The most globally recognized and respected security certification, this certification is targeted at middle and senior level security professionals.

CISSP Concentrations – These are additional certifications for those who are already CISSP certified and wish to gain an even higher level of certification in Architecture, Engineering or Management.

Preparing for Exams

Classes to prepare for (ISC)2 exams can be taken at (ISC)2 facilities and at various colleges, technical training centers and online schools. Boot-camp style classes are available for those who want to attend full-day, intensive training over a two to seven day period, depending on the certification. In some cases, the exam is taken on the last day or days of the boot-camp. Other preparation options include employer-sponsored on-site training, self-paced video training, virtual classrooms and traditional vendor-site classes.

Prices vary widely depending on the type of training, the certificate and the vendor. Courses range from several hundred dollars for a video-based course to many thousands of dollars for the longest boot-camp style courses. (ISC)2 also offers two to five day review seminars at various locations with prices ranging from about $600 to almost $3000.

Exam Content

SSCP - This exam covers 125 questions and takes three hours. There are seven topics covered including Access Control, Analysis and Monitoring, Cryptography, Malicious Code, Networks and Telecommunications, Risk Response and Recovery and Security Operations & Administration.

CAP - This exam includes 125 questions and takes three hours. The following five topics are included: Understanding the Purpose of Certification, Initiation of the System Authorization Process, Certification Phase, Accreditation Phase and Continuous Monitoring Phase.

CSSLP - Seven topics are included in this exam. They are Secure Software Concepts, Secure Software Requirements, Secure Software Design, Secure Software Implementation/Coding, Secure Software Testing, Software Acceptance and Software Deployment, Operations, Maintenance and Disposal.

CISSP - This exam includes 250 questions and takes up to six hours. It covers the following ten security topics: Access Control, Application Security, Business Continuity and Disaster Recovery Planning, Cryptography, Information Security and Risk Management, Legal / Regulations / Compliance and Investigations, Operations Security, Physical (Environmental) Security, Security Architecture and Design, and Telecommunications and Network Security.

CISSP Concentrations - Each concentration has a separate exam covering topics applicable to that specialty.

Taking Exams

Exams must be taken at a location authorized by (ISC)2. Some boot-camp training locations are able to offer the exam at the end of the boot-camp. The locations and schedule for (ISC)2 exams can be found on the (ISC)2 examination search page.

Maintaining Certifications

(ISC)2 certifications last for three years. To maintain an (ISC)2 certification, one must pay annual membership fees, abide by the (ISC)2 Code of Ethics, and earn Continued Professional Education (CPE) credits. CPE credits can be earned in a number of ways, including taking courses; attending seminars, conferences, professional association meetings and vendor presentations; publishing an article; reading a book; or serving on the board of a professional security organization. If a certificate holder fails to earn the required number of CPE credits during the three years after certification or re-certification, they must re-take the exam to regain certification.

Who Should Get an (ISC)2 Certification?

Anyone who has involvement with network or systems security should consider working towards at least one of these certifications. Even those who already have a vendor-specific certification will benefit as these certifications are valued by all employers, regardless of what network products they use.

SSCP - This certification is appropriate for those who want to become a Network Security Engineer, Security Systems Analyst or Security Administrator. Others who need to have an understanding of security issues but do not have security as their primary job will also benefit from this certification. These jobs could include network analysts, software engineers, database administrators, systems analysts and IT auditors, among others.

CAP – Professionals who have been responsible for certifying and accrediting information systems security for at least two years are candidates for this certification. Authorization officials, system owners, information owners, information system security officers and certifiers and senior systems managers are all appropriate candidates for this certification.

CSSLP – This certification is intended for anyone who has at least four years of experience with the software development life cycle. This could include project managers, developers, business application owners, analysts, architects and security specialists, among others.

CISSP – Those who have five years of professional security experience and have supervisory and decision-making responsibilities are good candidates for this exam. Although anyone can go to training and take the exams, they will need to meet the experience minimums before the certification is granted.

CISSP Concentrations

  • CISSP-ISSAP – This is the architecture certification, which is appropriate for those who work in a consulting role in an organization and would typically be responsible for developing, designing or analyzing the overall security plan. To become certified, a person must have two years of experience in the area of architecture.
  • CISSP-ISSEP – A certification for systems security engineering professionals, it covers best practices and methodologies for Risk Management, Systems Security Engineering and Certification and Accreditation.
  • CISSP-ISSMP – This certification requires two years of experience in the area of security management and is intended for those who are involved in developing the framework for an information security department.

Evaluating Training Options

There are numerous schools and training centers that offer training for the (ISC)2 certifications. Below are a few of the factors to consider when selecting a training option:

  • Training Style - Some people learn best in a classroom environment while others prefer the flexibility of a virtual classroom or video course. Yet others prefer a boot-camp course so they can stay focused without distractions from work or home.
  • Exam Guarantee – To avoid paying for training twice, students may want to go to a training center that will allow a student to re-take the course for free if they fail the exam.
  • Whether the exam is included - Especially for boot-camp style training, the convenience of taking the exams at the end of the training is an added advantage for many.
  • Location and Schedule – Sometimes choosing a training course is just a matter of finding training in the local area that fits a person’s schedule.

About (ISC)2

The International Information Systems Security Certification Consortium, or (ISC)2, is a global, non-profit organization that provides security certifications, education, online and local educational forums and peer networking for professionals in 135 countries. The (ISC)2 also maintains the Common Book of Knowledge (CBK) for IT security topics, which their training and exams are based on.
