cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
AndreaMoore
Community Manager

Additional Non-CISSP Path to ISSAP, ISSEP and ISSMP Certification

ISC2 has introduced an additional path to earning Concentrations-Logo-350x350.png

the ISSAPISSEP and ISSMP certifications. This new path removes the CISSP as a requirement, while recognizing seven years of relevant experience as a qualifying factor in earning the ISSAP, ISSEP or ISSMP.

 

There are now two ways to earn and maintain these specialized, role-based certifications. Learn more at ISC2 Insights: https://www.isc2.org/Insights/2023/10/Additional-Non-CISSP-Path-to-ISSAP-ISSEP-and-ISSMP-Certificati...

 




ISC2 Community Manager
39 Replies
tldutton
ISC2 Team

.

denbesten
Community Champion

One way is through the petition process, found in the bylaws [link], specifically section "VI. Meetings of Members",  subsection "8. Right of Petition:", but this is often perceived as adversarial.  The one advantage being that it guarantees action/attention.

 

Hoping @tldutton finds an affable path (e.g. a "suggestion box").

 

 

dcontesti
Community Champion

I can only speak for the past. 

 

Ideas would come to someone in Management or an individual Board member (remember getting in front of the entire Board as a member is almost impossible but you can catch them at Conferences et al) from a variety of sources (members, other organisations, members of management, individual board members, etc.).  These ideas were typically talked about amongst management and sometimes even vetted with individual board members.  If the idea was deemed worthy, then a case was brought before the Board who would review the case and either approve or deny  the certification. 

 

This may have changed over the years but the Board is supposed to be Strategic in nature.  That being said part of the strategy might be diversifying the protfolio.

 

d

 

awoolnough
Community Manager

To clarify some of the above, the day-to-day review and management of our certification portfolio is the responsibility of the organization (Management). Any recommendations they have are sent to the Board for review and discussion as part of the Board's oversight and governance role. The Board can then approve the changes or not (or send them back for further work).

 

To address the point about communication, in addition to the webinar mentioned by another poster we communicated this news to the membership across all of our channels. We sent direct emails to ISSAP, ISSEP and ISSMP cert holders, and posted articles in our November Member News & Resources newsletter, as well as on social channels. This change was also addressed in Town Hall at Security Congress, which was accessible to all of our members both in person and online. 

 

If you would like to ensure you are receiving the most up-to-date messaging, we encourage you to review your communication preferences, https://my.isc2.org/s/Dashboard/PreferencesIf you have board related questions you can email legal@isc2.org.

 

I hope this is helpful. 

JoePete
Advocate I


@awoolnough wrote:

To clarify some of the above, the day-to-day review and management of our certification portfolio is the responsibility of the organization (Management). Any recommendations they have are sent to the Board for review and discussion as part of the Board's oversight and governance role.


Perhaps you meant to write "organization (the members);" we are a corporation - a group of shareholders (i.e., members) functioning as an individual entity. The members are the organization.

 

The larger conundrum is that anything impacting certification ostensibly impacts the definition of "member" within our bylaws. Our bylaws do not appear to grant the board the authority to create additional classes of membership (that would take a member-approved amendment). In the context of the expanding suite of credentials, I'm wondering that if we aren't creating classes of membership, then what would such a thing look like? We don't all have the same credential (CISSP) any more. We pay different AMFs. Have to complete different CPEs. And at this stage, we don't all have to be security professionals any more (despite what our Articles of Incorporation) say.

 

I appreciate that from management's view there is a process in place, but the process goes much further, not just to the board, but ultimately to the membership. If someone disagrees with that, fine, but I've never heard dialog.

Narsil
Newcomer III


@awoolnough wrote:

 

I hope this is helpful. 


What would be VERY helpful, and encouraging, is for ISC2 to commssion new Official ISC2 Guide to the 'concentration' CBK books.

 

e.g. The ISSAP CBK 2nd edition is over 10 years old now.

The exam outline for ISSAP has been revised multiple times in that decade, with the most recent in 2020, and so one would assume it is soon due for another revision next year or so.

 

Recently the author of the last edition was critical, in a fair and objective manner, of the missed opportunity by ISC2 in relation to the Concentrations.

 

It seriously cannot be expected CISSPs purchase ISC2 training courses in order to study for the concentrations, and especially as feedback in recent times has not been kind to this material on offer.

 

Early_Adopter
Community Champion

@Narsil At the ISC2 Secure APAC conference Clar Rosso addressed the audience. Often you can find out more about people’s plans by what they say Vs what they don’t say.

So CC was provided much time with candidates, associates and member at 500k however she didn’t seem to mention any other certifications, let alone the former CISSP concentrations. She was followed up by a lady from the Cyberpeace institute who was very keen on non-traditional paths into cybersecurity - and nothing else on certifications in the morning sessions. I had to carry out calls on the PM sessions so if it was mentioned there I don’t know.

What is clear is that with pilots signed with CSC for CC to be adopted it’s latest focus there and not so much in other areas.

I’ve got mixed feelings as I think CompTOA’s Security+ is still the dominant predator in the entry level cyber security certification market(it’s the one the jobs ask for) boosting the membership to 500k members, associates and candidates seemingly surpasses ISACA at 170k member and starts to get close to CompTIA with 2.5 million certified personnel. That’s an order of magnitude higher than IAPP with a mere 50k members, so it’s exiting times.

Anyway it’s hard to see what the current state of the former concentrations are as member counts redirects and no longer lists member counts by certifications after the data by country went away.

https://www.isc2.org/About/Member-Counts

There is an archived version at:

https://web.archive.org/web/20230316191559/https://www.isc2.org/About/Member-Counts#

However we see for the former concentration with just over 2K ISSAP(and SABSA, TOGAF, DODAF snapping at its heels, and behind perhaps of more practical use especially in EA circles) and just over 1K for ISSEP and ISSMP respectively as of 2022 I think that holder will be aging out faster than they certify(especially with no updated CBK) so I’m afraid the writing may be on the wall. As a holder of three certifications with ISC2 at the sunset of my career I can reflect that CISSP has been useful, more for the connection with people at conferences than career(I started working for me current employer before certifying, and unlike uS based folks I don’t have it as a checkbox need, so it’s always been nice to have). But for the concentrations that always made it look interesting I can’t see ISC2 concluding the juice of reviving the material is currently worth the squeeze.

Cyberpeace is below for reference:

https://cyberpeaceinstitute.org/
tldutton
ISC2 Team

Reach out to me directly in reference to the alternate paths to the ISSAP, ISSEP, and ISSMP. I was the business owner for that particular project and am intimately aware with ALL the facts, not the conjecture that seems to be floating around.
Narsil
Newcomer III


@tldutton wrote:
Reach out to me directly in reference to the alternate paths to the ISSAP, ISSEP, and ISSMP. I was the business owner for that particular project and am intimately aware with ALL the facts, not the conjecture that seems to be floating around.

Hi @tldutton,

 

Perhaps then you're best placed to address the status of when ISC2 plans to commission new Official ISC2 Guide to the 'concentration' CBK books?

 

As mentioned in an earlier post, the ISSAP CBK 2nd edition is over 10 years old now, ISSMP CBK over 8 years old, and the ISSEP CBK guide was released a whopping 18 years ago!

 

One would've thought with this de-coupling of the concentrations from the CISSP as an alternate, this would have deemed a mandatory refreshing of "Guide to CBK" content to encourage adoption and pursuit?

nkeaton
Newcomer III

I know am late to the discussion. I read all of the comments. I am an ISSEP. Oddly because of some timing issues, I earned the certification after it was an ISSEP and not a CISSP-ISSEP. I do not that its status change impacts its importance. Of course this is the oddball of the 3 being more or less developed for NSA. I do feel like my CISSP was important for that exam, but I think that my CGRC prepared me much more for it and would not have minded taking the ISSEP after the CGRC rather than after the CISSP. As far as notification, with the name change of CGRC from CAP and the JTAs for architecture and management, I was guessing that there would be new certifications that would be equal to a CGRC. So I was wrong unless new ones are announced; I think that this was what they were doing then. Since we no longer have a regular publication, I think that we miss a lot even with E-mails and quarterly webinars. I am not offended by the way that I am treated as a member. Yes, I would have liked to know, but it would not have changed anything that have done.