Showing results for 
Show  only  | Search instead for 
Did you mean: 
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Defender I

Questions from New Aspirant for Certification

I recently received in in-system private mail asking several questions about preparing for the CISSP exam. The questions themselves are likely to come to mind to many others, and there is no personal information in them. Thus, I am providing those questions and my answers here, to help others who may be concerned about the costs and steps to become certified.



1 - one of the pre-requisites that I read on ISC2 website is about proven past experience. So, when do I submit this proof? - before registering for exam or after?

DCS: You do not need to verify your cybersecurity experience until after you have passed the exam. Once (ISC)2 notifies you that you have passed (not the provisional passing score at the testing center), you must either have an existing g(ISC)2 member (fully certified) endorse you for certification, having reviewed and verified your experience history as you provide to his satisfaction, OR you must send your experience history statement ot the (ISC)2 office adn ask them to endorse you. DO the latter only if you do not have a member who knows you personally and can endorse you.


2 - As a proof - My manager is willing to give me letter with details - would that be suffice with my employment and salary letters?

DCS: you do not need to provide any salary information. However, a statement from your manager describing your information security experience, number of years performing the tasks, and organized according to the eight domains, can be used to either a local endorser or to the (ISC)2 staff.



3 - Can I appear for exam without the proof letter? or it is mandatory.

DCS: You can take the exam with absolutely on infosec experience. You should not do so; but you can. If you do pass the test with no experience, you have wasted your time and money, because you have only two years to get endorsed with 4 or 5 years of domain-specific infosec experience. Therefore, you should not take the exam until you have at least three years of experience.



4 - Finally, the cost of course - it’s about 7500 USD! - Do I really need that? or I can prepare on my own with official books and prepare for exam.

DCS: You are not required to take any preparation course. The only mandatory fee is for he exam itself. There are several ways to prepare, including online course, cooperative study groups. self-study, and the high cost intensive week-long classes. The 7500USD cost you refer is clearly for one of the official (ISC)2 or independent boot camp classes. You need not take that unless you really want to. Personally, I discourage such a class, unless you need it to focus your attention in one week. The reason for my recommendation is that such cram courses do not result in long term memory. Either multi-week cooperative study groups or even self study accordion to your own study plan will result in much better understanding and knowledge retention.


5 - if I avoid the course fee - I still need to arrange for 745 USD - for the CISSP exam. Is that correct understanding?

DCS: Yes, you will have to pay the fee for the exam, itself, and take the exam at a testing center.



Good luck, all!



D. Cragin Shelton, DSc
My Blog
My LinkeDin Profile
My Community Posts
16 Replies
Contributor I

I am answering my own question; the previous paper-based exam had 250 questions. Now, how many points were required to pass??


I remember it as a test-taker had to get a total of 750 points to pass the paper-based exam. NOW, all of the sites say that the present adaptive tests require 700 points as a passing number. Is my memory correct? were the paper tests scored as passing at 750 points or more?


thank you,

Dr. Jan

Advocate II

Back in 2013, almost a decade ago, at the ISC2 conference at Warwick Uni, they asked for a show of hands and for anyone who was under 40 or female to put their hands down.  The majority of the room still had their hands up.  You'd have thought an aging occupation with a bias towards men would take on board the need to attract a wider demographic.


Advocate I

Having certs from several orgs and seeing that not everyone does everything the same, am not totally surprised by these.


AFAIK, the only certification org that requires proof of experience BEFORE you take their exams is PMI (Project Management Institute).  But you submit this proof on-line to them before you are allowed to schedule their exams.  So such proof is not needed at the exam center.

Also, AFAIK, PMI is the only group that requires training for their certs.  Again, like experience you submit this proof on-line before scheduling your exam.  While SANS/GIAC certs are closely tied to their courses, you can actually take ("challenge") the exam without taking the courses.

Advocate I

Am sorry, when did this thread turn into "bash ISACA"??

I do wonder when you attempted the CISM exam.

I got my CISM in 2015.  At the time I didn't have the title of "manager".  And this in no way prevented me from getting it.  This is because I looked at the application and in particular the TASKS being asked for, and decided that many of them I had done even if I wasn't a manager (yet).  So I check off the ones I had done, got my former boss to sign off, and got it.  And am sure this is how many others got it.


"ISACA is an accessory to Gender Discrimination by putting the requirements on CISM that they do. They are unwittingly contributing to the already overwhelming discrimination against females in cybersecurity and tech in general with their requirements."

OH PUHLEEZE.  This is nonsense.  Again, have you in fact looked at the CISM requirements? 


In fact for the last several years ISACA has had their SheLeadsTech initiative to INCREASE the number of women in IT.  It's a program of their One in Tech foundation.  My local chapter has been doing an annual SheLeadsTech event for several years.

Yes, companies DECADES ago discriminated against women in managerial positions, but this is largely a thing in the past, what with the many female managers and CEOs, many in cybersecurity.  I know many myself just in my local area.  And many are ISACA members...

Viewer II

So, I just completed the self-paced CS course and signed up to take the exam in June. I have no experience in this field but I need at least 5 years for an endorsement and/or I have wasted my time completing this course?
Advocate I

@Juliette-3137 wrote:

"So, I just completed the self-paced CS course and signed up to take the exam in June. I have no experience in this field but I need at least 5 years for an endorsement and/or I have wasted my time completing this course?"

Sorry, but what is this "CS course" you took?  What certification is it tied to?

The CC certification has NO experience requirement.  The CISSP cert requires 5 years of experience (or 4 if you have a degree).  HOWEVER, if you don't have the experience you can sign up as an Associate of ISC2 until you get the experience (you are given 5-6 years to get this).


So it would depend on what training and what cert you are pursing.  I would wonder if you have no experience why would you go after a cert that requires it?  If you have no experience, the CC is the only one you can get.

Contributor I

Hi Steve-Wilme,

I am in one Thousand Percent agreement with your statement that the male-focused 'business of cyber' needs a much more rounded demographic. I re-up your challenge. This is especially because DISA and quite a few government agencies gripe and moan because there are 'not enough people' to do the work of cybersecurity.


I am nearing 450 peer-reviewed papers about women in male-focused 'businesses.' Women in cyber are 'gender segregated,' meaning that a large percentage of females are in the 'governance' part of cybersecurity. In the security sector of personnel security, women comprise a large percentage because the work is seen asl 'less technical' and more as administrative work. (Everyone 'knows' that women are only cut out for secretarial works, while the men are 'better suited' for technical work, and leadership (of Course)).


= = = = = = =

Facts list from Authoritative Studies on Women in Tech/Cybersecurity

Here is a sampling of results from several studies:

- “There is little to no RESPECT for women in male-dominated fields” (emphasis is original) (Fouad, & Singh, 2011)                   

- 94% of reviews for females in tech had criticism-based feedback, compared to 59% for males (Ashcraft, McLain, & Eger, 2016)

- 87% of women experience demeaning comments from male colleagues (emphasis mine) (Vassallo, et al., 2017).


- 71 % of women got negative feedback (in reviews) about their personality compared to 2% of men getting negative feedback about personality. 81% of males got constructive feedback about personality (Ashcraft, McLain, & Eger, 2016) (emphasis mine).


- 56% of women in tech leave their organizations at the mid-level points (10-20 years) in their careers (Ashcraft, McLain, & Eger, 2016)


- Males benefit from being the lone male in female-dominant work environments, but females do not benefit. Rather, females are exposed to harassment of all kinds in male-dominated workplaces (Kabat-Farr & Cortina, 2014) (emphasis mine).

From Frost & Sullivan report on Women in Cybersecurity (2017):

- Women are globally underrepresented in the cybersecurity profession at 11%, much lower than the representation of women in the overall global workforce.

- Globally men are four times more likely to hold C- and executive-level positions, and nine times more likely to hold managerial positions than women (emphasis mine).

- Women enter the cybersecurity profession with higher education levels than men.

- Women disproportionately occupy entry-level and non-managerial positions.  

- 51% of women report various forms of discrimination in the cybersecurity workforce (emphasis mine).

- In 2016 women in cybersecurity earned less than men at every level (emphasis mine).


                                                                                                (Frost & Sullivan, 2017)


There is more, much, much more. I have heard personal experiences from dozens of females. Often we are treated as 'less than.' Our education or certification levels hold less credence than they do if the holder is male. The structural societal biases are magnified in a male-dominated 'business.'


Our national security is at stake without enough people to do the work. Thanks for your insight Re: Well, at least the AMF system doesn't charge us 100 times as much as it should ... 


Best regards,


Dr. J. Shuyler Buitron, DCS, MSIA, CISSP

Cyber Co-Manager, SME