Aqeelnaqvi
Newcomer I

Documented Work Experience for CISSP

Hello,
 
I would like to get some feedback on the requirements related to work experience for the CISSP.
 
I am an Engineer, and I have worked in the Telecom Cellular Wireless industry for almost six years. I have come to know that my experience will satisfy the required work experience. I have heard of people with similar work experience getting the work experience accepted. If that's the case it will be great for me.
 
On a different note, I have already acquired CompTIA Sec+ as well.
 
I am preparing myself to take the CISSP exam, but I would like to time that right, and for that I would really appreciate it if I knew that my work experience will satisfy the five years' experience requirement.
 
Bottom line is I am trying to make a career switch in the future, so I am trying to see where I stand.
 
 
 
Best,
Aqeel Naqvi
7 Replies
AlecTrevelyan
Community Champion

You can find the CISSP experience requirements here:

 

https://www.isc2.org/Certifications/CISSP/experience-requirements

 

Your Sec+ will give you a 1 year waiver so you only need 4 years in 2 of the 8 CISSP domains.

 

Take a look at the domains in the exam outline. These are broken down into sections/subsections:

 

https://www.isc2.org/-/media/ISC2/Certifications/Exam-Outlines/CISSP-Exam-Outline-2018-v718.ashx?la=...

 

Does your experience cover at least 1 section/subsection in at least 2 of the domains?

 

Aqeelnaqvi
Newcomer I

Hi Alec,

 

Thanks for your feedback. I am still not fully clear, and here is why: my experience is in Cellular Wireless Telecom network operations, and I am not sure how much of that may fall in the 8 domains. With that said, I have read on different forums that ISC2 did accept the work experience of people who are in the same industry as me. My work is focused on performance and design management of the LTE network at AT&T Wireless.

 

Others getting accepted is my main reason for having hopes that my work experience will be accepted.

 

 

AlecTrevelyan
Community Champion

These are some potential examples from the exam outline that might fit based on the description of your role you've provided...

 

Domain 3: Security Architecture and Engineering


3.7 Assess and mitigate vulnerabilities in mobile systems

 

3.10 Apply security principles to site and facility design

 

Domain 4: Communication and Network Security

 

4.1 Implement secure design principles in network architectures
- Internet Protocol (IP) networking

 

4.3 Implement secure communication channels according to design
- Voice
- Data communications

 

Aqeelnaqvi
Newcomer I

Hi Alec,

 

I really appreciate your help, thanks. I know the final word will be when I take the exam and submit my docs for review. 

 

Do you think I should be hopeful of getting the work requirement fulfilled?

 

I am mostly involved in 

RF network coverage analysis, optimization, and resolution of LTE network issues.

Optimization involves cell tower performance management, operating in a Linux environment.

I also work on design proposals based on LTE coverage needs.

LTE network operations means working to improve the Data and Voice coverage and quality.

 

If my work experience has a chance of getting accepted it will make my choice of switching over a lot easier.

AlecTrevelyan
Community Champion

Firstly, do you know any ISC2 members who could endorse you after you pass the CISSP exam? If you do then maybe speak to them, explain your role in detail, and see if they can help you map your daily tasks to elements on the CISSP exam outline. If you can convince them you have the experience and they'll endorse you then that's all you need.

 

If you don't know any ISC2 members, you'd need to ask ISC2 to endorse you. This will involve giving details and documented evidence about your role (e.g. an offer letter from when you started the role). Given it's not clear cut even to you if your role covers the CISSP experience requirements as they are currently stated, it might be best to do a mapping of daily tasks to elements on the exam outline as part of your endorsement submission.

 

ISC2 keep their exams current through various workshops including one called the Job Task Analysis where they look at typical tasks security professionals undertake as part of their daily working activities. Through this process changes can be made to the domains of the certifications, including updates/removals/additions to the various tasks/subtasks within existing domains, or even updates/removals/additions of entire domains themselves.

 

As such, it is possible to argue that you are performing security functions as part of a role and therefore meet the experience requirement even if what you do isn't easily relatable to existing domains/tasks/subtasks. Although, obviously, it will be much easier to pass endorsement if your experience maps directly to existing domains/tasks/subtasks.

 

If you don't have enough experience you can always endorse as an Associate which will give you 6 years to gain the 4 years of experience you need. You can put the Associate designation on your resume (with some caveats) which along with your Sec+ might help you find a more security focused role.

 

In terms of your current role:

 

Are there ever any security considerations mentioned by your colleagues that need to be kept in mind while you're performing your usual duties? (I've worked with some mobile operators and security seems to be top of their minds.)

 

How about when you're working with the Linux environment, any security considerations while doing that?

 

At the very least I can't believe that everybody doesn't do this as part of their jobs, no matter what the role is:

 

Domain 1: Security and Risk Management

 

1.9 Understand and apply risk management concepts
- Identify threats and vulnerabilities

 

Do you follow secure working practices that apply controls so that if you make a mistake while optimising a cell tower you don't take it out of action?

 

Or when you're optimising your cell towers don't you need to make sure you don't turn the signal level up too high maybe due to emissions regulations?

 

Maybe that might fall under this:

 

Domain 1: Security and Risk Management

 

1.3 Determine compliance requirements
- Contractual, legal, industry standards, and regulatory requirements

 

I worked with a guy who absolutely met the CISSP experience requirements but for some reason he thought he didn't. He just needed some help in thinking about the daily tasks he used to do in a slightly different way and how they would then map to the CISSP domains. Sometimes we just don't appreciate all the facets of our roles at first. So just have a think about what you do and where security comes into it. Hopefully, that's all that's needed - a slight change in your viewpoint/mindset.

 

EDIT: Here are some links about AT&T's network reliability (aka "availability" the A in CIA) and network security to give you some insight into what they think is involved in operating their network securely:

 

https://about.att.com/csr/home/issue-brief-builder/people/network-reliability.html
https://about.att.com/csr/home/issue-brief-builder/people/network-security.html

 

Aqeelnaqvi
Newcomer I

I really appreciate your feedback, I will keep this in mind. I am at the beginning of my prep towards the CISSP; therefore, having all this information from the beginning is really really helpful.

 

I am not involved in the community, so currently I do not have anyone who would guide me directly on the experience and how it relates to my work, but what you explained above does give me some hope that there are some aspects of my current job that fall in that category.

 

There are various tasks, which may directly or indirectly relate to my current role.

 

I am involved with the change management team when we make changes on a large scale to avoid unnecessary outages or disruptions.

As part of design, we are involved in attenuation of RF footprint to comply with local rules and laws.

 

I think you are right, I need to provide details of my daily tasks, which may help me satisfy the work experience part, which I am skeptical about.

 

Regardless, having my Sec+ with my Engineering degree will get me at least 1 year of experience, and with CISSP under my belt, I think 4 years of experience in six years should be that big of a problem.

 

Does CISSP accept partial work experience? For example, let's say I submit my docs, and later they determine that I satisfy some but not all experience criteria, would I get, let's say, 2-3 years of experience towards my 5 years requirement?

 

 

 

AlecTrevelyan
Community Champion


@Aqeelnaqvi wrote:

 

Does CISSP accept partial work experience? For example, let's say I submit my docs, and later they determine that I satisfy some but not all experience criteria, would I get, let's say, 2-3 years of experience towards my 5 years requirement?


If ISC2 deem via the endorsement process that you don't have enough experience I assume they'd suggest you endorse as an Associate. Any experience you have accumulated at that stage would not expire and could be listed again when you go for endorsement later down the line. Although, I don't know if they would provide feedback on how much/what experience they were able to verify.

 

Good luck with everything!