CISSP isn’t as technical anymore

Several of my friends passed the CISSP exam recently, and told me that it isn’t as technical as I told them it would be.

They said it was more of a security manager certification.

In fact, in the boot camp they attended, the instructor said the same thing: that years ago it was much more technical, but when ISC2 consolidated the security domains from 10 down to 8, it changed considerably.

Others think ISC2 has been scaling the CISSP requirements down for a few years.

If the CISSP has changed that much, I wonder if it’s closer to ISACA’s CISM (even if that’s true, I still value ISC2’s certs over ISACA’s).

Perhaps that’s why ISC2 created the CISSP concentrations, which supposedly take the CISSP cert to the next level: the CISSP-ISSAP credential in architecture, the CISSP-ISSEP credential in engineering, and the CISSP-ISSMP in management.

For free videos on the concentrations, see this post, FREE CISSP Cert Webcasts from ISC2.

I told my friends that they had better know their crypto and physical security to pass the exam; that's what was stressed when I took it. They told me they had the most exam questions about the software development life cycle.

If you took the CISSP a while ago or recently, I’d like to hear your opinion…



Filed under Certification, Security

11 responses to “CISSP isn’t as technical anymore”

  1. I am also curious about the insights of others. I recently took the Security+ and was surprised by the amount of technical questions. I am starting an IT Auditor position and my plan was to do the CISA and CISSP, in that order, but it sounds like I may not need to do it in that order.


    • new,
      So were there more techy questions than you expected, or fewer? I wasn’t sure from your comment.

      If you’re new to audit, I’d still do the CISA first. You need to be a good auditor first; then master IT and security (even in IT audit)….


  2. I took the CISSP exam right before ISC2 changed to the new domains. It seemed far more technical than the CISM exam. That’s my experience, but I wonder if the new domains have shifted away from that?


  3. If this is the case, I may go for the Security+ exam then. I don’t think the experience requirements are as stringent for that one and I’m really more interested in being forced to learn more about Cryptography (due to studying for an exam) than just getting yet another cert for the hell of it.


  4. TT

    CISSP is not a technical certificate. My CISSP study enabled me to see the big picture of infosec management. Security+ is a little more technical than CISSP. If people can pass Security+, they should have no problem with the technical parts of the CISSP exam.


    • Tom,
      Are you saying the CISSP is not technical anymore, or at least not now? I take that to mean the latter.
      I doubt that most would have passed it a decade ago with only Security+. I believe the CISSP used to cover much more breadth and depth than the Security+.

      Agree or dis?

      Either way, thanks for your input.


      • TT

        Not sure about the CISSP exam a decade ago. I took the ten-domain version of the CISSP exam this year. When I prepared for the exam I was told by some CISSP folks that the CISSP exam is not a technical exam. They are right about it. I hold the same opinion after passing the exam. It is indeed an entry-level InfoSec management certificate.

        I took the Security+ exam before my CISSP. I agree that CISSP always covers much more breadth of InfoSec knowledge than Security+. However, Security+ is a little deeper in some technical domains. For example, there was a subnetting question in my Security+ exam. I have no doubt that we will not find a technical question like that in the CISSP exam. I also agree that Security+ knowledge is not sufficient to pass a CISSP exam.

        It is interesting that I read a post somewhere claiming that a CISSP failed Security+.


        • TT,
          Thanks for your comments. It is sad that the CISSP has been deprecated.
          I wonder how many people reading this know the basics of subnetting, but no, that will never appear on CISSP or CISA.

          Good to learn more about Security+. I have a higher respect for it now. Thanks.
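Since the thread keeps coming back to subnetting as the kind of hands-on question that shows up on Security+ but not on the CISSP, here is what "the basics of subnetting" looks like when worked out with plain bit arithmetic. This is an added example and not code from the post or any commenter; the CIDR block 192.168.10.77/26 and the host addresses below are constructed sample inputs, and the function names are my own.

```python
# Added example: a minimal IPv4 subnet calculator using bit arithmetic
# rather than the ipaddress module, so each step of the exam-style question
# (network, broadcast, mask, usable hosts, "same subnet?") is visible.

def ip_to_int(ip: str) -> int:
    """Pack a dotted-quad IPv4 address into a 32-bit integer."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    """Unpack a 32-bit integer back into dotted-quad form."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> int:
    """Build the 32-bit netmask for a prefix length (e.g. 26 -> 255.255.255.192)."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def subnet(cidr: str) -> dict:
    """Return network, broadcast, netmask and usable host count for a CIDR block."""
    ip, prefix_str = cidr.split("/")
    prefix = int(prefix_str)
    mask = prefix_to_mask(prefix)
    net = ip_to_int(ip) & mask            # clear the host bits
    bcast = net | (~mask & 0xFFFFFFFF)    # set the host bits
    total = 1 << (32 - prefix)
    # A /31 (RFC 3021 point-to-point) and a /32 reserve no network/broadcast
    # addresses; everything wider than that loses two addresses to them.
    usable = total - 2 if prefix <= 30 else total
    return {
        "network": int_to_ip(net),
        "broadcast": int_to_ip(bcast),
        "netmask": int_to_ip(mask),
        "usable_hosts": usable,
    }


def same_subnet(a: str, b: str, prefix: int) -> bool:
    """True if two hosts fall in the same network under the given prefix length."""
    mask = prefix_to_mask(prefix)
    return (ip_to_int(a) & mask) == (ip_to_int(b) & mask)


if __name__ == "__main__":
    # Constructed sample inputs (not from the thread).
    print(subnet("192.168.10.77/26"))
    print(same_subnet("192.168.10.77", "192.168.10.130", 26))
```

For 192.168.10.77/26 the host bits are the low six bits of the last octet, so the network is 192.168.10.64, the broadcast is 192.168.10.127, and 62 hosts are usable; 192.168.10.130 lands in the next /26 (.128 to .191), which is the sort of thing the exam question asks you to see without a calculator.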


  5. Took the 10 domain CISSP early this year. To me, the CISSP is still a management exam that covers the entire breadth of IT security. You need to know about technical topics such as crypto but not to the detail on how to implement it.

    Security+ is considered entry level. CompTIA CASP is more technical; it has graphical and command-line simulations and has questions that someone who has been securing IT infra will know how to answer. I also took it this year, and the questions cover some of the more recent security-related topics that we see in the news.

    CISM covers some of the CISSP domains and is more business orientated. This is an information security and not an IT security cert. Good for someone implementing enterprise security policies and going for ISO 27001.

    A good comparison is available from

