What was designed to recognize mastery of an international standard for information security and a common body of knowledge sometimes called the CBK?


To help increase the professionalism and integrity of the information assurance community, several organizations have created certifications that an individual may achieve. These are used to demonstrate knowledge and experience in the IA community.

Note: This list is not meant to be exhaustive or to represent all of the certifications available. Also, only a selection of certification organizations is represented. Those seeking professional certifications are encouraged to research certifications based on the desired topics and the awarding body when making certification decisions.

Individual Certifications

Certification   Issued By   Summary of Certification
CASP+           CompTIA     CompTIA Advanced Security Practitioner
Security+       CompTIA     An industry-standard foundational skills certification.
CAP             ISC2        Certified Authorization Professional
CISSP           ISC2        Certified Information Systems Security Professional - Designed to recognize mastery of an international standard for information security and understanding of a Common Body of Knowledge (CBK).
SSCP            ISC2        Systems Security Certified Practitioner - The seven domains covered by the examination are: Access Controls; Administration; Audit and Monitoring; Risk, Response and Recovery; Cryptography; Data Communications; and Malicious Code/Malware.
CISA            ISACA       Certified Internal Systems Auditor
CISM            ISACA       Certified Information Security Manager
CRISC           ISACA       Certified in Risk and Information Systems Control
GSEC            SANS        GIAC Security Essentials
GISP            SANS        GIAC Information Security Professional
GPEN            SANS        GIAC Penetration Tester

Organizational Certifications

Name        Summary
ISO 27000   A series of organizational management standards published by the International Standards Organization (ISO). These standards cover topics such as Risk, Controls, and Incident Management. Organizations may be certified against some of the standards; others are published as guidelines/best practices and cannot be certified against. (Other/former names: BS7799, ISO 17799)


The International Information System Security Certification Consortium, or (ISC)², is a non-profit organization that specializes in training and certifications for cybersecurity professionals. It has been described as the "world's largest IT security organization". The most widely known certification offered by (ISC)² is the Certified Information Systems Security Professional (CISSP) certification.

CISSP Common Body of Knowledge (CBK)

The CISSP Common Body of Knowledge (CBK) is a collection of 8 domains that together cover the full range of information security topics; each CISSP domain is explained below. An applicant needs to show their expertise in each of the domains to gain the certification. According to (ISC)², "the CISSP CBK is a taxonomy – a collection of topics relevant to information security professionals around the world. The CISSP CBK establishes a common framework of information security terms and principles that allow information security professionals worldwide to discuss, debate and resolve matters about the profession with a common understanding."

Here is a list of the eight CISSP CBK domains:

Security and Risk Management

This domain covers many of the foundational concepts of information systems security. It is the basic domain that is critical to understanding and implementing the rest of the domains. Some of the topics covered include:

  • The principles of confidentiality, integrity, and availability of information
  • Security governance and compliance
  • Legal and regulatory issues relating to information security
  • Professional ethics
  • Personnel security policies
  • Risk management
  • Threat modeling

Asset Security

This domain examines the protection of assets throughout their lifecycle. It addresses the physical requirements of information security and covers the security information and requirements for assets within an organization. It covers:

  • Asset identification and classification
  • Maintaining information and asset ownership
  • Privacy
  • Asset retention
  • Data security controls
  • Information and asset handling requirements

Security Architecture and Engineering

This domain examines the development of information systems that remain secure in the face of a myriad of threats. It includes various aspects of design principles, models, and secure capabilities assessment in organizational security architecture. Some of the topics covered include:

  • Security design principles
  • Selection of effective controls
  • Mitigating vulnerabilities in systems
  • Cryptography
  • Secure site and facility design
  • Physical design

Communications and Network Security

This domain examines network architecture, communications technologies, and network protocols with the aim of understanding how to secure them. It consists of secure network components, principles, and the implementation of secure communications. Some of the topics covered include:

  • Secure network architecture
  • Secure network components
  • Secure communication channels

Identity and Access Management

Identity and access management is one of the most important topics in information security. This domain covers the interactions between users and systems, as well as between systems and other systems, in addition to user accessibility features within an organization. Some of the topics covered include:

  • Controlling physical and logical access to assets
  • Identification and authentication
  • Identity as a service
  • Authorization methods

Security Assessment and Testing

This domain examines the ways to verify the security of our information systems. It deals with the design, performance, and testing of security assessments and with information system auditing, and it is crucial to the overall functioning of information systems. Some of the topics covered include:

  • Assessment and testing strategies
  • Testing security controls
  • Collecting security process data
  • Analyzing and reporting results
  • Conducting and facilitating audits

Security Operations

This domain covers many activities involved in the daily business of maintaining the security of our networks. It offers insight into planning operations around investigations, monitoring, and protection techniques for security. Some of the topics covered include:

  • Supporting investigations
  • Investigation types and their requirements
  • Logging and monitoring
  • Secure provisioning of resources

Software Development Security

This domain examines the application of security principles to the acquisition and development of software systems. It provides concepts, applications, and implementations for software security. Some of the topics covered include:

  • Security in the software development life cycle
  • Security controls in development environments
  • Assessing software security
  • Assessing the security implications of acquired software
  • Secure coding guidelines and standards

Certified Information Systems Security Professional

CISSP (Certified Information Systems Security Professional) is an independent information security certification granted by (ISC)². It is one of the gold-standard and most sought-after information security certifications for proving knowledge in cybersecurity. It validates a professional's knowledge and experience in building and managing security architecture for an organization. Knowledge of the CISSP CBK is required to pass the CISSP exam.

As technology has advanced, the security of information and data has become a matter of high priority. For the sake of cybersecurity, it is vital to have complete knowledge of the CBK, which provides the framework needed to implement cybersecurity in any organization. People working in information security, for example individuals in the position of Chief Information Security Officer (CISO), are often trained in CISSP. This enables them to know the ins and outs of cybersecurity and to protect the information and data that belong to their organization.

What is the common body of knowledge CBK?

A CBK – sometimes simply called a Body of Knowledge – is a peer-developed compendium of what a competent professional in a given field must know, including the skills, techniques, and practices that are routinely employed.

How many domains are contained within the CBK?

Those who sit the CISSP CBK (Common Body of Knowledge) exam will be tested on each of the eight domains.

Which position is typically considered the top information security officer in the organization?

A CISO is typically a skilled leader and manager with a strong understanding of information technology and security, who can communicate complicated security concepts to both technical and nontechnical employees. CISOs should have experience with risk management and auditing.

Which of the following is a responsibility of an information security department manager?

  • Provide information security awareness training to organization personnel.
  • Create and manage security strategies.
  • Oversee information security audits, whether performed by organization or third-party personnel.
  • Manage security team members and all other information security personnel.
