CISSP certificate – I

A few years ago (2011), our colleague José Luis Villalón told us about the (ISC)2 CISSP certification. As things have changed somewhat since then, and taking advantage of the fact that I recently passed the exam, we are going to take a look at this certification, the changes it has undergone and (in the next post) some advice that has personally helped me to pass the exam.


The CISSP (Certified Information Systems Security Professional) certification of (ISC)2 is currently one of the main (basic to me, although that depends on your experience and background) certifications in the field of information security, although it is more widespread in the USA than in other countries, if we take a look at the number of certificates per country. While on 31 December 2018 the US had around 84500 certificates, between Germany (2100), France (1000), Italy (400) and Spain (650) barely reach to 4000 certifications. This is probably due to the fact that many Human Resources departments in the US consider CISSP to be a basic prerequisite in the field of cybersecurity, in addition to the significant greater acceptance that (ISC)2 certificates have in the US market.


CISSP is often said to be “a mile width and an inch deep“, meaning that it encompasses a large number of security concepts in multiple domains, but does not delve into them. This definition is quite adequate; the material on which the certification is based covers (for example) aspects of risk management, software development methodologies, security models or encryption algorithms, but always from a high level point of view.

Even so, in order to face the certification test it is advisable to be aware of some specific details, such as the key lengths of the main cryptographic algorithms, CMMI levels or which IPSec protocol provides non-repudiation capabilities. In this sense, in spite of those details that it is necessary to memorize, it is mainly a certification of understanding of concepts.

The CISSP material is based on the CBK or Common Body of Knowledge, which we could consider as the set of basic knowledge that somebody must have to obtain certification. This CBK is updated on a regular basis, and covers the following eight main domains (in contrast to the ten that existed until 2015):

  1. Security and Risk Management.
  2. Asset Security.
  3. Security Engineering and Architecture.
  4. Communications & Network Security.
  5. Identity & Access Management (IAM).
  6. Security Assessment & Testing.
  7. Security Operations.
  8. Software Development Security.

In this regard, it should be borne in mind that since this is a certification closely related to the American market, there are abundant references to NIST documentation and to specific details of the American military sector, such as classification levels.

However, where this aspect is most noticeable is the content of legislation, which contains specific references to cybersecurity laws such as the Patriot Act or the Computer Fraud and Abuse Act (CFAA). Although it cannot be ruled out that a question on these subjects will appear in the test (I have not found any place where (ISC)2 pronounces on what role the American legislation has in the tests carried out outside the US) and it is important to know them, it is also probably not necessary to know in detail all the amendments that, for example, the CFAA has undergone during these past years, although that is exclusively my opinion.

Prerequisites and maintenance

As is customary in many other certifications, in order to achieve certification it is not only necessary to have passed the exam, but also to have some creditable experience. In this case, the candidate must have at least five years of experience in two or more of the CBK’s domains, which can be reduced to four if s/he has some other recognized certification such as CISA or certain educational requirements.

After passing the exam, the candidate must be endorsed by a person who holds the certification, or if he or she has no contact, ask (ISC)2 to act as his endorser. If all goes well, currently the estimated time to obtain the candidate after providing the necessary experience is eight weeks.

Also, as usual, to maintain certification, 120 hours of Continuing Professional Education (CPE) must be accredited over a three-year period. If this is not done, it is necessary to repeat the exam, as is the case with other ISACA certifications, for example.


The format and duration of the examination is probably the element that has undergone the greatest changes in recent years, if we focus on the English version (the other versions do not seem to have changed). In any case, given that all available documentation is in English, I strongly recommend taking the exam in that language, so as not to encounter nomenclature problems, dubious translations, translated acronyms, etc. In addition, as indicated below, the length of the exam (in questions and duration) in that case is significantly less.

In such a case, from an exam of 250 multiple choice questions and a duration of 6 hours in the past, it is now an adaptive exam that consists of 100 to 150 questions to be completed in a maximum of 3 hours, among which are included 25 pre-test questions that are not valued (but that, nevertheless, are indistinguishable from the questions that compute for the result).

The fact that it is adaptive implies that:

  • The difficulty of the questions increases as the candidate responds correctly to previous answers.
  • It is not possible to review the answers given to previous questions.
  • With only 100 questions answered (of which only 75 count, although as I said it is not possible to know which ones are “real”) the test can determine on the basis of statistical criteria whether the candidate has passed or failed the exam, so fatigue is no longer a relevant factor, as it probably was until now. In the case that with 100 questions the test cannot reliably determine if it passes or is suspended, it continues until it can determine it, the 150 questions are reached or the time runs out.

In any case, detailed information on this type of test can be found on the official (ISC)2 page.

Although there are other aspects that any candidate should review before considering getting certified (exam price, exam schedule, endorser, ethical code, etc.), these are some of the main aspects to take into account.

In the next post I will go deep in my personal experience and I will give some concrete advice and useful resources, according to my experience, for those people who are thinking of getting this certificate, to which could be applied what it’s not as bad as it’s made out to be.

[Subscribe to our Telegram channel for more posts like this:]

See also in: