The need to protect information resources has produced a demand for information systems security professionals, and with that demand came a need to ensure that these professionals possess the knowledge to perform the required job functions. The Certified Information Systems Security Professional (CISSP) certification was developed to address this need. It attests to employers, clients, and peers that the certified individual has met a standard body of knowledge in information systems security and continues to maintain that knowledge through ongoing professional education. The CISSP initiative also serves to enhance the recognition and reputation of the information security field as a profession.
The CISSP certification is the result of cooperation among a number of North American professional societies, which in 1989 established the International Information Systems Security Certification Consortium, or ISC2. ISC2 is a nonprofit corporation whose sole function is to develop and administer the certification program. The organization has defined a Common Body of Knowledge (CBK): a common vocabulary and set of concepts that information security professionals can use to communicate with one another and establish a shared dialogue in the field. At this time, the ten domains of the CBK for the CISSP certification are: Access Control Systems and Methodology; Application and Systems Development Security; Business Continuity Planning and Disaster Recovery Planning; Cryptography; Law, Investigation, and Ethics; Operations Security; Physical Security; Security Architecture and Models; Security Management Practices; and Telecommunications and Networking Security.
The examination questions for the CISSP certification are drawn from the CBK and are aimed at the level of a practitioner with three to five years of experience in the field. The examination comprises 250 English-language multiple-choice questions, of which 25 are not scored. These 25 are trial questions being evaluated for use on future examinations; they are not identified, so the candidate has no way to tell which questions they are. The questions are not grouped by domain but are presented in random order. Because there is no penalty for a wrong answer, a candidate should answer every question, including those about which he or she is in doubt. Six hours are allotted for the examination. The questions are not of exceptional difficulty for a knowledgeable person who has been practicing in the field; the challenge is breadth rather than depth, since it is uncommon for an information security practitioner to work in all ten of the diverse domains covered by the CBK. Approximately 70% of the people taking the examination achieve a passing score.