CISSP's reputation as a certification is for being 'a mile wide and an inch deep'.
That's a limitation too - CISSP means you understand something, but not that you know how to do it.
But the exam is a six-hour marathon consisting of a vast array of intentionally confusing questions covering everything from the obvious to the extremely obscure.
For some the biggest reason not to do it is the sheer length of the exam, for others the breadth of the syllabus.
ISC2 really should look at splitting the syllabus into several shorter, hour-long exams to do it justice.
The exam is not impossible or unreasonable - if you know the material you could even say it's not particularly difficult - it just requires you to understand what you're doing, as well as know what you're doing.
Whilst it's a six-hour exam, you don't need to use all the time and I did it in just over 3 hours, including checking over my work.
The experience requirement is easier to meet, though it takes a little longer: 5 years' experience in information security, with 1 year off for a degree.
There are no extra years off for other qualifications, but really don't do CISSP unless you've been doing something relevant for the last five years as you probably won't pass the exam anyway.
Unless you're supremely confident or just enjoy resitting exams, it's definitely worth investing in a training course.
Don't accept anything under 5 days, and be sure to do the homework - a course that long can't possibly teach you everything you need to know, so see it as a revision course and read around the syllabus in your weaker areas beforehand.
Be prepared also for travel costs unless you live in a major city, and keep an eye on exam dates as they often get booked up well in advance.
If you have information security or IT audit experience, good IT knowledge and a strong background in business, a one week training course followed by the exam may be enough.
You will want to take relevant courses, read up in weak areas, and spend a few months preparing for the exam.
If you've done a six-hour exam once, you definitely won't want to do it three times.
However, as the alternative is to resit the exam, I recommend the CPD option - strongly.
CISSP is the one 'must have' IT security qualification from a recruitment perspective, and everyone will learn something by doing it.
If you're new to information security or IT audit, or looking to move in that direction from a relevant IT or operational field, maybe pass on CISSP for now and look at CISA or CISM instead - qualifications with a slightly narrower remit that will be easier to grasp - and follow up with CISSP later. CISSP just doesn't make much sense without supporting real-life experience.
A good option is to do a one-week boot camp course that leads up to the exam on the final day.
Find out about my experience of CISSP training here.
This Cyber News was published on securityboulevard.com. Publication date: Mon, 12 Feb 2024 01:13:04 +0000