This certification preparation program is intended for experienced IT security-related practitioners, auditors, consultants, investigators, or instructors, including network or security analysts and engineers, network administrators, information security specialists, and risk management professionals, who are pursuing CISSP training and certification to acquire the credibility and mobility to advance within their current computer security careers or to migrate to a related career.
By studying all 10 CISSP CBK domains, students validate their knowledge and complete the preparation needed to sit for the CISSP certification exam. The CISSP certification exam is intentionally difficult and should not be taken lightly. Even students with years of security experience should assume that they will need additional study time after class. Obtaining the CISSP certification helps enhance incumbent security personnel's professional development and can also assist individuals transitioning into new roles in this field.
12 weeks, 15 hours a week
Certified Information Systems Security Professional (CISSP) Certification
Students must be 18 years of age and possess a high school diploma, General Equivalency Diploma (GED), or home school diploma.
Candidates must have a minimum of 5 years of cumulative, paid, full-time work experience in two or more of the 8 domains of the (ISC)² CISSP CBK®. Candidates may receive a one-year experience waiver with a 4-year college degree or regional equivalent, or with an additional credential from the (ISC)² approved list, thus requiring four years of direct full-time professional security work experience in 2 or more of the 8 domains of the CISSP CBK.
If students don't have the required work experience, they may still sit for the exam and become an Associate of (ISC)² after successfully passing the CISSP exam. Associate of (ISC)² students will then have 6 years to earn the work experience required to become a CISSP.
To be certified, students must first pass the certification exam with a minimum score of 700 on a scale of 100-1000, within the allotted 6 hours, on the 250-question exam. Once students are notified that they have successfully passed the examination, they will be required to subscribe to the (ISC)² Code of Ethics and have their application endorsed before the credential can be awarded. An endorsement form for this purpose must be completed and signed by an (ISC)²-certified professional who is an active member and who is able to attest to their professional experience.
Domain 1 still has the same name, but in some areas, there is an expansion of the skills required to pass the exam. For example, section 1.5 went from “Understand professional ethics” to “Understand, adhere to, and promote professional ethics”, and section 1.7 changed from “Understand business continuity requirements” to “Identify, analyze, and prioritize Business Continuity (BC) requirements”. Ensure that you have the expanded operational knowledge in these areas by making sure your study materials account for the new content.
Domain 2 also has the same name as before. Domain 2 is smaller than Domain 1, and the changes to it are less significant. One common theme throughout is improved precision of the topics. For example, section 2.2 used to be “Determine and maintain ownership”, which was a bit vague; most CISSP study materials assumed it meant ownership of data. Now, 2.2 is “Determine and maintain information and asset ownership”, which is much more precise. We see the same change a few other times in Domain 2; therefore, when studying, be sure to think about how the concepts apply to both information and other IT assets.
This domain has been expanded from “Security Engineering” to “Security Architecture and Engineering”. In small organizations, engineering and architecture are often handled by the same person or team; in large organizations, they are usually separate and often have different management chains. Be sure you understand how both an architect and an engineer approach the topics in this domain.
An architect focuses on high-level design without diving into the details (such as specific configurations or how things integrate), and therefore generally has broad but shallow knowledge across many technologies. Engineers, on the other hand, focus on the configuration and integration of technologies based on the high-level architecture, and therefore generally have deep knowledge of a few specific technologies. Of course, there are many exceptions. Pay particular attention to the addition of the architecture aspect, which applies across the domain. Beyond that, there are a few important new topics: cryptographic systems, cloud-based systems and IoT (all in section 3.5).
From a title perspective, just a single letter has changed (“Communications” became “Communication”). Looking into the topics, “Prevent or mitigate network attacks” has been removed completely, so make sure you don't focus on it unnecessarily. The rest of Domain 4 is mostly the same; therefore, older study materials, such as the Official (ISC)² Guide to the CISSP CBK, should still be very effective for preparing for the exam.
Not much was changed in Domain 5. There are a couple of new concepts, such as “Attribute-Based Access Control (ABAC)”. Also, section 5.6, titled “Prevent or mitigate access control attacks”, has been removed, so you can save some time by not studying this topic.
For this CISSP domain, changes are minimal and the title remains the same. Study materials for the previous version of the exam should still be effective for the updated exam objectives.
As Domain 7 is one of the largest domains in the CISSP certification, it has slightly more significant updates than the other domains. Also note that the weight of the domain (the number of exam questions it covers) has increased the most, so make sure you spend more time digging into its topics and practicing exam questions for them. There are some new topics, such as “Asset management”, “Security training and awareness” and “Emergency management”.
Some topics experienced important changes; for example, you now need to understand “administrative” investigations and “industry standards” instead of “operational” investigations and “electronic discovery”, so be sure to review training resources that account for these changes before attempting the exam. Other topics were clarified; for example, one of the topics in 7.1 was changed from “Digital forensics” to “Digital forensics tools, tactics, and procedures”.
Though the title of this domain remains the same and the domain remains fairly small compared to most of the others, there are quite a few changes in it. A new section — “Define and apply secure coding guidelines and standards” — has been added. This is an area that you might want to investigate, especially if you don’t work in software development. There are also some minor clarifications. For example, instead of “Enforce security controls in development environments”, section 8.2 is now “Identify and apply security controls in development environments”.
ABL Cyber Range and Academy
an Arizona Licensed School