Certified Information Systems Security Professional

Source: Wikipedia, the free encyclopedia

Certified Information Systems Security Professional (CISSP) is an independent information security certification, generally administered on a non-profit basis by (ISC)².[1]


As of 20 July 2010, (ISC)² reported 67,744 members holding the CISSP certification in 134 countries.[2] In June 2004, the CISSP became the first information security credential to be accredited by the American National Standards Institute (ANSI) under ISO/IEC 17024:2003, leading to the acceptance of this global standard, and the requirement for it, across the industry.[3] It was formally approved by the U.S. Department of Defense in both its Information Assurance Technical (IAT) and Information Assurance Managerial (IAM) categories.[4] The CISSP was adopted as the baseline for the U.S. National Security Agency's ISSEP program.[5]


In the mid-1980s, information security professionals[who?] began to recognize the need for a standardized certification program that would provide structure and demonstrate competence. In November 1988, the Special Interest Group for Computer Security (SIG-CS) of the Data Processing Management Association (DPMA) brought together organizations interested in such a certification program, and in mid-1989 the non-profit (ISC)² was formed.[6]


The CISSP curriculum covers subject matter in a variety of Information Security topics. The CISSP examination is based on what (ISC)² terms the Common Body of Knowledge (or CBK). According to (ISC)², "the CISSP CBK is a taxonomy -- a collection of topics relevant to information security professionals around the world. The CISSP CBK establishes a common framework of information security terms and principles that allow information security professionals worldwide to discuss, debate and resolve matters pertaining to the profession with a common understanding."[7]

The CISSP CBK is fundamentally based on the CIA triad, the core information security and assurance tenets: confidentiality, integrity and availability,[7] and attempts to balance the three across ten areas of interest, which are also called domains. The ten CBK domains are:[8]

  • Access Control
    • Categories and Controls
    • Control Threats and Countermeasures
  • Application Development Security
    • Software Based Controls
    • Software Development Lifecycle and Principles
  • Business Continuity and Disaster Recovery Planning
    • Response and Recovery Plans
    • Restoration Activities
  • Cryptography
    • Basic Concepts and Algorithms
    • Signatures and Certification
    • Cryptanalysis
  • Information Security Governance and Risk Management
    • Policies, Standards, Guidelines and Procedures
    • Risk Management Tools and Practices
    • Planning and Organization
  • Legal, Regulations, Investigations and Compliance
    • Major Legal Systems
    • Common and Civil Law
    • Regulations, Laws and Information Security
  • Operations Security
    • Media, Backups and Change Control Management
    • Controls Categories
  • Physical (Environmental) Security
    • Layered Physical Defense and Entry Points
    • Site Location Principles
  • Security Architecture and Design
    • Principles and Benefits
    • Trusted Systems and Computing Base
    • System and Enterprise Architecture
  • Telecommunications and Network Security
    • Network Security Concepts and Risks
    • Business Goals and Network Security


Candidates for the CISSP must meet several requirements:

  • Possess a minimum of five years of direct full-time security work experience in two or more of the ten (ISC)² information security domains (CBK). One year may be waived for having either a four-year college degree, a Master's degree in Information Security, or for possessing one of a number of other certifications from other organizations.[9] A candidate not possessing the necessary five years of experience may earn the Associate of (ISC)² designation by passing the required CISSP examination. The Associate of (ISC)² for CISSP designation is valid for a maximum of six years from the date (ISC)² notifies the candidate of having passed the exam. During those six years a candidate will need to obtain the required experience and submit the required endorsement form for certification as a CISSP. Upon completion of the professional experience requirements the certification will be converted to CISSP status.[10]
  • Attest to the truth of their assertions regarding professional experience and accept the CISSP Code of Ethics.[11]
  • Answer four questions regarding criminal history and related background.[12]
  • Pass the CISSP exam with a scaled score of 700 points or greater out of 1000 possible points. The exam is multiple choice, consisting of 250 questions with four options each, to be answered over a period of six hours. 25 of the questions are experimental questions which are not graded.[12]
  • Have their qualifications endorsed by another CISSP in good standing. The endorser attests that the candidate's assertions regarding professional experience are true to the best of their knowledge, and that the candidate is in good standing within the information security industry.[13]


The CISSP credential is valid for only three years, after which it must be renewed. The credential can be renewed by re-taking the exam; however, the more common method is to report at least 120 Continuing Professional Education (CPE) credits since the previous renewal. Currently, to maintain the CISSP certification, a member is required to earn and submit a total of 120 CPEs by the end of their three-year certification cycle and pay the Annual Membership Fee of US$85 during each year of the three-year certification cycle before the annual anniversary date. With the new changes effective 30 April 2008, CISSPs are required to earn and post a minimum of 20 CPEs (of the 120 CPE certification cycle total requirement) and pay the AMF of US$85 during each year of the three-year certification cycle before the member’s certification or recertification annual anniversary date. For CISSPs who hold one or more concentrations, CPEs submitted for the CISSP concentration(s) will be counted toward the annual minimum CPEs required for the CISSP.[14]

CPEs can be earned through several paths, including taking classes, attending conferences and seminars, teaching others, undertaking volunteer work, professional writing, etc., all in areas covered by the CBK. Most activities earn 1 CPE for each hour of time spent; however, preparing (but not delivering) training for others is weighted at 4 CPEs/hour, published articles are worth 10 CPEs, and published books 40 CPEs.[14]


Experienced information security professionals with an (ISC)² credential in good standing can progress to meet requirements for (ISC)² Concentrations to demonstrate further knowledge of select CBK domains. A passing score on a concentration examination is intended to demonstrate proven capabilities and subject-matter expertise beyond that required for the CISSP.

Current concentrations for CISSPs include the:


(ISC)² promotes the CISSP certification as the "international gold standard" against which other security certifications are measured.[15]

IT data recovery professionals with security expertise are often in high demand, and the CISSP is one metric by which that expertise can be demonstrated. In 2005, CertMag surveyed 35,167 IT professionals in 170 countries on compensation and found that CISSPs led their list of certificates ranked by salary, with the Certified Information Systems Security Management Professional (CISSP-ISSMP) program drawing $116,970 annually and the Certified Information Systems Security Architecture Professional (CISSP-ISSAP) earning $111,870. A 2006 Certification Magazine salary survey also ranked the CISSP credential highly at $94,070 per year, and ranked CISSP concentration certifications as the top best-paid credentials in IT, with CISSP-ISSAPs averaging $114,210 per year and CISSP-ISSMPs $111,280 per year.[16] These numbers correlate with compensation advantages enjoyed by IT security professionals in general, as well as with advantages accruing to the seniority and management roles that intersect with the concentration certificates.[17]


Others hold a different opinion, noting that "academic qualifications support broad knowledge and skills in general, professional certifications may be effective in a limited area of operations. Academic programs exposing the students to theoretical concepts and problem solving experience are critical for preparing graduates for jobs in the information security".[18]

Two CISSP-certified experts damaged Samsung's reputation in March 2011 by publishing an exceedingly poorly researched report containing false allegations.[19] The blogosphere has since been calling for their credentials to be revoked.[20]


  1. ^ "About (ISC)²". (ISC)² (2009). Retrieved 23 November 2009.
  2. ^ "Member Counts". (ISC)². Retrieved 8 July 2009.
  3. ^ "(ISC)² CISSP Security Credential Earns ISO/IEC 17024 Re-accreditation from ANSI" (press release). Palm Harbor, FL: (ISC)², 26 September 2005. http://www.isc2.org/PressReleaseDetails.aspx?id=2796. Retrieved 23 November 2009.
  4. ^ "DoD 8570.01-M Information Assurance Workforce Improvement Program" (PDF). United States Department of Defense (19 December 2005). Retrieved 23 March 2007.
  5. ^ "NSA Partners With (ISC)² To Create New InfoSec Certification" (27 February 2003). Retrieved 3 December 2008.
  6. ^ Harris, Shon (2010). All-In-One CISSP Exam Guide (5th ed.). New York: McGraw-Hill. pp. 7–8. ISBN 0071602178.
  7. ^ a b Tipton; Henry. Official (ISC)² Guide to the CISSP CBK. Auerbach Publications. ISBN 0-8493-8231-9.
  8. ^ "CISSP Education & Certification". (ISC)² (2009). Retrieved 10 November 2010.
  9. ^ "CISSP Professional Experience Requirement". (ISC)² (2009). Retrieved 3 December 2008.
  10. ^ "How to Become an Associate". (ISC)² (2009). Retrieved 23 November 2009.
  11. ^ "(ISC)² Code of Ethics". (ISC)² (2009). Retrieved 3 December 2008.
  12. ^ a b "How To Certify". (ISC)² (2009). Retrieved 3 December 2008.
  13. ^ "Endorsement". (ISC)² (2009). Retrieved 3 December 2008.
  14. ^ a b "Maintaining Your Credential". (ISC)² (2009). Retrieved 3 December 2008.
  15. ^ "(ISC)² CISSP Security Credential Achieves New International Standard for Personnel Certification" (press release). Vienna, VA: (ISC)², 23 June 2004. https://www.isc2.org/PressReleaseDetails.aspx?id=3260. Retrieved 23 November 2009.
  16. ^ "Top Certifications by Salary in 2007". Certification Magazine (11 April 2007). Archived from the original on 29 March 2007. https://web.archive.org/web/20070329054214/http://www.certmag.com/images/CM1206_salSurveyFig1.jpg. Retrieved 14 October 2007.
  17. ^ Sosbe, Tim; Hollis, Emily; Summerfield, Brian; McLean, Cari (December 2005). "CertMag's 2005 Salary Survey: Monitoring Your Net Worth". Certification Magazine (CertMag). Archived from the original on 7 June 2007. https://web.archive.org/web/20070607155757/http://www.certmag.com/articles/templates/CM_gen_Article_template.asp?articleid=1524&zoneid=224. Retrieved 27 April 2007.
  18. ^ Hentea, Mariana; Dhillon, Harpal; Dhillon, Manpreet (2006). "Towards Changes in Information Security Education" (PDF). Journal of Information Technology Education 5: 221–233. http://citeseerx.ist.psu.edu/viewdoc/download?doi=
  19. ^ "[1]". Networkworld.com. Retrieved on 2011-04-03.
  20. ^ "[2]". Networkworld.com. Retrieved on 2011-04-03.