How to Become a Certified Information Systems Security Professional (CISSP)

Corporate America and the U.S. government have been sounding the alarm bell for years: there's a significant shortage of skilled security professionals in this country. Although numbers vary among various sources, it's safe to say the U.S. is lacking upwards of 350,000 security professionals (as of 2017), and the global shortfall for such jobs is expected to reach 3.5 million by 2021.

Almost every day, around 10,000 positions are available on U.S. job sites that request a CISSP. This clearly points to a need for skilled infosec workers, and CISSPs in particular, which is great news for aspiring CISSP candidates.

A Certified Information Systems Security Professional (CISSP) is a seasoned employee or consultant, usually with a title like Security Manager, Security Analyst or Chief Information Security Officer, to name just a few. This person has been on the job for five or more years, and has thorough knowledge of the IT threat landscape, including emerging and advanced persistent threats, as well as controls and technology to minimize attack surfaces. A CISSP also creates policies that set a framework for proper controls, and can perform or oversee risk management and software development security.

Here's what you'll need to become a CISSP through (ISC)2:

  1. Obtain Five Years of Security Work Experience — You must be able to show proof of five paid full-time years of work experience in at least two of the eight CISSP CBK (Common Body of Knowledge) domains, which are Security and Risk Management, Asset Security, Security Engineering, Communications and Network Security, Identity and Access Management, Security Assessment and Testing, Security Operations, and Software Development Security. On-the-job experience is crucial for both the exam and the certification process.
  2. Prepare For and Pass the CISSP Exam — Complete the CISSP exam with a minimum score of 700 out of 1,000. The exam is six hours long and includes a mix of multiple-choice and advanced innovative questions. It costs $699. The (ISC)2 CISSP webpage offers a download of the exam outline as well as a link to a Study App (available through the App Store and Google Play for about $10). You can also obtain the official textbook and test your knowledge with CISSP Flash Cards. If you need more than self-study materials, (ISC)2 and a lot of third parties offer CISSP in-class and online training. Training costs vary widely, but the online self-paced course costs $2,750 through (ISC)2. In-class training will cost appreciably more. Before scheduling your exam with Pearson VUE, go over the background qualifications, which might exclude you from sitting for the exam.
  3. Get Endorsed to Become a CISSP — Once you complete the CISSP exam, you'll have to subscribe to the (ISC)2 Code of Ethics and complete an endorsement form to become a CISSP. The endorsement form must be signed by another (ISC)2 certified professional who is able to verify your professional work experience. You must submit the completed form within nine months of passing your exam to become fully certified, because passing the exam doesn't automatically grant you certification status.

After you become fully certified, you'll have to maintain your credential by recertifying every three years. CISSPs are required to pay an $85 maintenance fee each year of the three-year cycle ($255 total). They must also submit 40 continuing professional education (CPE) credits each year, for a total of 120 CPEs. For more information on the steps to becoming a CISSP and maintaining your certification status, visit isc2.org.

If you are certain that the CISSP path is right for you but you have no relevant work experience, look into becoming an Associate of (ISC)2. The program is ideal for students and career changers, and will allow you to take advantage of educational opportunities, forums and peer networking offered through (ISC)2. Another approach is to get the entry-level A+, Network+ and Security+ certifications from CompTIA. With that foundation, you can apply for a security-related position and get some much-needed hands-on experience in the IT arena.

If you've been working in IT security for a year or two, consider pursuing the (ISC)2 Systems Security Certified Professional (SSCP) credential. Although it's not an official prerequisite, the SSCP is considered a precursor of sorts to the CISSP, covering many of the same topic domains. In theory, achieving the SSCP can also lead to the kind of security position needed to fulfill the CISSP work experience requirement.

It seems that go-getters are always looking for a way to move on or up. Once you get your CISSP, you might be interested in specializing in architecture, engineering or management, perhaps for another boost in pay. The (ISC)2 program offers concentrations in those areas for CISSP credential holders, called ISSAP, ISSEP and ISSMP, respectively.

And, because cloud computing and virtualization have become extremely important in the IT space over the last few years, there's one more advanced-level (ISC)2 certification to consider: the Certified Cloud Security Professional, or CCSP. This certification, formed in cooperation between (ISC)2 and the Cloud Security Alliance (CSA), aims at folks who procure, secure and manage cloud infrastructures or who purchase cloud services. The CCSP requires five years of relevant on-the-job experience, but you can use the CISSP to substitute for the entire requirement.

Be sure that a CISSP is the route you want to take, and that you can complete the credential, before embarking on this long and expensive journey. However, if you set realistic certification targets, and manage your time wisely, you can't help but succeed.

Ed Tittel

Ed is a 30-year-plus veteran of the computing industry, who has worked as a programmer, a technical manager, a classroom instructor, a network consultant and a technical evangelist for companies that include Burroughs, Schlumberger, Novell, IBM/Tivoli and NetQoS. He has written and blogged for numerous publications, including Tom's Hardware, and is the author of over 140 computing books with a special emphasis on information security, Web markup languages and development tools, and Windows operating systems.