Back in September 2020 I took the training course and exam to become a CISSP - a Certified Information System Security Professional (you can read my blog post about the experience here). Since then I've received regular news and updates from (ISC)² and I've done my utmost to make use of the resources and benefits available to me. In this post I'll talk about how I've found being a CISSP over one year on.
Does it cost to be a CISSP / (ISC)² member?
In order to be a CISSP you have to pass an exam, which typically requires you to have either attended a course or studied from the various teaching manuals available. As you would expect, each of those things costs money. At the time of writing (late February 2022), the CISSP exam costs £585 - quite a lot although given how much it covers and how highly regarded the CISSP is it's a worthwhile investment in my view. Courses can cost thousands of pounds (intensive, week-long, residential).
Once you've passed the CISSP exam you won't have to do it again so long as you meet the CPE requirements - more on that later. There is an annual maintenance fee (AMF) of around £100 to pay, including from the year in which you pass. Paying the AMF and staying up to date via CPEs keeps you "in good standing", entitling you to access the various benefits and to vote in the AGM.
Perks scheme and discounts
Inside the member portal there's a section called benefits, which presently offers discounts for a number of services, books and events. Booking for Security Congress (see my blog posts on 2021's congress), for example, is discounted for (ISC)² members. The benefits section has got smaller recently though, as I cover below.
Like a number of organisations (including my current employer and the BCS, the chartered institute for ICT), (ISC)² offers discounts on a number of benefits. Or rather, (ISC)² did. The perks scheme has come to an end as of January 2022 and the EMEA are looking at what can succeed the scheme. I wasn't particularly using the perks scheme, so this isn't a huge disadvantage to me, but I'll keep an eye on the replacement once it arrives to see if I can be more efficient with money via it (given the rising cost of living, I think money efficiency is going to be increasingly important).
Continual Professional Education, known in some places as Continual Professional Development (CPD), is something that (ISC)² place a lot of emphasis on. As I mentioned earlier, I have to undertake CPE to stay current and in good standing - currently for a CISSP that's 120 points across the three year certification cycle. Roughly speaking, one point is one hour although depending on what you do that can vary. Handily there's a CPE tracker in the members' portal, and you can see I've managed all of my 120 points already 😀️ (I've completed 137 hours at the time of writing).
So, on to the first benefit that I use often - regular webcasts or (ISC)² Security Briefings. These are provided by partner BrightTalk (so you have to create another account with them) and cover a range of topics from technical subjects (techniques to help protect against threats) to career advice. These can either be watched live, allowing the audience to submit questions, or after the event. Often there are linked materials (referenced articles, copies of the slides etc.) which can be useful too.
CPE credits are added automatically as long as you added your (ISC)² membership number during sign up.
Some Professional Development Institute courses are provided free of charge to members. I've attended courses to help improve my interpersonal skills and learn how to build an effective cyber security awareness programme. I also undertook a course on digital forensics data acquisition to act as a refresher to the training I had years ago. These were video and slide based courses.
It looks like there are new lab courses available, which weren't there previously. I've only just spotted these and I'll spend some time later doing a lab course on "File Allocation and Tracking in NTFS".
Since January 2022, after completing the end of course assessment (and passing), (ISC)² member services will submit your CPE credits for you on the first of every month. Courses are accessed via the learning portal. For non-members these courses can cost upwards of £50, so making use of them can pay for your maintenance fee fairly quickly.
I blogged about the 2021 Security Congress that I attended online. While it's not a requirement to be an (ISC)² member to attend the conference, you do get discounted entry. I won't say more on Security Congress here, but if you're interested please do see my earlier blog posts on it.
The regular InfoSecurity Professional Magazine comes out every two months and contains a mix of articles, research and advertisements. Non-members can also access the magazine for free, so do take a look. Members can complete the quiz to gain two CPEs.
Is it worth the money?
Yes, I feel it is - for two reasons: access to benefits and professional recognition. After the initial time and financial investment (studying / taking a course and the exam cost), the annual maintenance fee isn't too costly. As with all subscription services, which is what this is at a basic level, the value of it comes down to how much you use it. There's a lot of content available to (ISC)² members, and so long as you access it the fee will pay for itself.
Similarly, the professional recognition can help open doors. Holding a CISSP tells people that you (should) know what you're talking about and you have a good idea of how to help keep a business safe. Research by (ISC)² has shown that salaries for certified people are higher than the salaries of those without certification. Obviously there's going to be some bias in that research, but a quick look around the market suggests the same. Working in the public sector, I didn't see a salary increase as a result of my certification but other industries may well provide such a benefit.
It's also worth noting there's a code of ethics that members of (ISC)² are expected to subscribe to, which can help employers understand what an employee is like.
Given the content and training material I've gained access to through my membership, the membership has paid for itself already. People seem to be impressed by the fact I hold a CISSP, which I think opens a few more doors - the additional validation of my skill set is useful.
(ISC)² have their own page on the benefits of membership here.
Banner image: My CISSP certificate (note sharing the ID is fine, and that's how potential employers validate my status)
 EMEA - Europe, Middle East, Asia