Should I Accept New ISC(2) Certification Agreement?

Today I received an email from the International Information Systems Security Certification Consortium, Inc., ISC(2), that read, in part:

"The purpose of this notice is to provide information regarding the status of your (ISC)² certification.

Our records indicate that your anniversary date is near and your Annual Maintenance Fees are current. As you are aware, a total of 120 Continuing Professional Education (CPE) credits, of which at least 80 must be Type 'A' credits, are required to be submitted during each three year certification period in order to maintain your credential. Our records indicate that, based upon your CPE submissions to date, you are not on track to meet your recertification requirements at the end of the three year period. We urge you to pay close attention to this matter to avoid the expiration of your CISSP credential."

OH NO! Time for me to log in to the ISC(2) Web site to record in some of the hundreds of CPEs I haven't logged. However, as soon as I entered my credentials, I see this:

Certification Agreement


This Certification Agreement ("Certification Agreement") is entered into as of the date set forth ("Effective Date") on the Application Agreement ("Application Agreement") by and between the undersigned ("Certification Candidate") and the International Information Systems Security Certification Consortium, Inc. "(ISC)²".

This doesn't look so great. As I read through the text (which you can retrieve as a .pdf here, I find this section (all emphasis additions are mine):


6.1 Certification Candidate agrees that to the extent (ISC)² previously disclosed or currently or subsequently discloses to the Certification Candidate, or the Certification Candidate learns from (ISC)², information relating to (ISC)²'s Exams, products or sensitive aspects of (ISC)²'s business (including without limitation, computer programs, names and expertise of employees and consultants, know-how, business, financial, customer and product development plans, forecasts, questions, answers, worksheets, computations, drawings, diagrams, length and/or number of Exam segments and/or questions, or any communication, including verbal communication regarding or related to the Exam, the identity of Exam administrators, and other Exam takers, price and cost data, price and fee amounts, pricing and billing policies, marketing techniques, future plans and potential strategies of (ISC)² which have been or are being discussed), such information shall be deemed the confidential property of (ISC)² ("Proprietary Information"). Certification Candidate recognizes and acknowledges that (ISC)²'s Proprietary Information (and the confidential nature thereof) is critical to (ISC)²'s business and that (ISC)² would not enter into this Agreement without assurance that its Proprietary Information and the value thereof will be protected as provided in this Section and elsewhere in this Agreement.

6.2 Certification Candidate agrees (i) to hold (ISC)²'s Proprietary Information in confidence as a fiduciary and to take all reasonable precautions to protect such Proprietary Information, (ii) not to use such Proprietary Information at any time during or following the term of this Agreement, except as contemplated by this Agreement, and (iii) that to not disclose, publish, disclose, reproduce or transmit any Proprietary Information to any third party, in any form, including without limitation, verbal, written, electronic or any other means for any purpose.

Are they serious? What am I supposed to do with this confidential and proprietary information from the front matter of the CISSP Prep Guide?

"The Examination The examination questions are from the CBK and aim at the level of a three to five-year practitioner in the field. It consists of 250 English language questions, of which 25 are not counted..."

I am honestly considering clicking the "do not accept" button. I wonder if this blog post will upset ISC(2) enough to revoke my CISSP anyway?

2.2 Certification Revocation. (ISC)² may, at its sole discretion, revoke a Certification Candidate's certification under the following circumstances:
2.2.5 Upon (ISC)²'s determination at its sole discretion that Certification Candidate has acted in any manner contradicting the (ISC)² Code of Ethics, that sullies or reflects poorly on the Mark, or involves any form of dishonesty or the giving of a false statement...

What should I do? Have you accepted this new "agreement?"


Anonymous said…
Although, when I first obtained the CISSP, I didn't expect it to be a great benefit, I am about to allow my certification to lapse.

There are a few reasons:

1. The main thing that interested me about the certification were the code of ethics and the requirement for professional experience. In real life, I have never heard of a single case where either have been enforced, and several cases where they have been violated, rendering them useless.

2. The CPE system is both hard to use (as evidenced by the fact that both of us have literally hundreds of CPEs that we have not entered) and seems more geared towards advertising and promoting seminars than measuring 'ongoing work in the field'.

3. The certification is, in some circles, actually considered a negative - in other words one is thought to be less technically capable than if one did not have the certification at all.

In other words, it seems that, worse than having no positive value, it may have a negative one.

Your post here only emphasises the decision I'd already made.
Anonymous said…
I remember when you were certificationless. You expressed being proud of this fact in 2000.
Anonymous said…
I had my bureaucratic run-in with (ISC)² back in 1997, before the CISSP was 'cool', and subsequently became a pimped-out cash cow for them. At that time, I swore that I'd never sit for the cert exam or play any of the rest of their silly games. I'm glad that others in the community may now be seeing the cert, and the organization, for what I've always felt they were.
Anonymous said…

I've been an info security professional for the last 10 years at a Fortune Global 10 company. Various people have tried to get me to take the exam for years but I've resisted.

Quick poll, how many of us will every have the chance to design a secure data hosting facility? What's that? None you say? So how does it do me any good to know that some schmoo has decreed that a 10 foot tall perimeter fence is necessary? Why not 12? Why no barb wire? How many of us will have the chance to decide on Halon* or CO2, and why should we go with CO2 like the course recommends?

IMHO it is a paper certification and cheesy continuing education requirements.

I also know several people who got the certification while they were out of work for a year or two. Cuz yeah, those are the qualified and talented people I want working for me.

Finally, I will admit that having 'CISSP' in your resume will get you past the first round of circular filings by the departmental secretary. I hope the rest of the resume and personal contacts will get me around that hurdle, should it be necessary.

* And yes, I worked around Halon in the service and saw all of the training films. It isn't toxic until it hits 900 degrees F. - at which point you have other problems.

Sorry for the rant, blame it on donut Friday. :)
Anonymous said…
Get yourself a nice SANS/GIAC cert. It includes a week's worth of training and a 6-month lab assignment.
Anonymous said…
CISSP is a title like all the others, it proves nothing more than you have passed the exam, and that for a brief moment you remembered all the concept needed for the test. This certification has gain prestige not by its body of certification but by the people who got certified.
I fear that the prestige is now dilute by the vast number of certified.
Every certifications that I know of, progress folling the Gartner Hype Cycle. It appear that CISSP is now in the disillusionment phase. I hope it will move on to the slope of enlightenment. So many don't...

As for your question, Yes I have clicked on accept the agreement even if I don't really agree with all the terms. Then again, what difference does that make? How many CISSP have infriged the Agreement or the code of ethics? Too much to count I'd say.
I have high standards of ethics and I stand by it. In face of contradiction, incoherence or plain stupidity, I use my good judgement and go on.
Anonymous said…
I have been considering pursuing the CISSP certification. I am still a beginner in the InfoTec Security world, so I thought that maybe in a couple of years it might be worth it. After having read all the input so far, I am now considering otherwise. Who knows maybe in a couple of years, it will be different.

In reality if the certification is not a requirement in your job, then why bother. Is it just to have the letters after your name. In some way maybe it does reflect the fact that you have the experience, but I imagine there are a number of people with the cert and no real world experience. I could be wrong on this, since I have not done any studying for the cert at this time.

I think that a person in your position, would not need any certifications especially in InfoTec Security. IMHO experience speaks louder than certs. Of course in the end the decision is solely yours to make.


Anonymous said…
I agree with the person above me, being a relative newcomer to security as well. In fact, I will still welcome the ability to include CISSP on my resume, but hearing information like Richard's and other posters at the very least keeps me grounded in how I view the cert, and gives me a better sense of judging other certs as well.

I will not deny though, that a cert (even one I may not respect highly after 3-5 years experience) does help one out when still in the infancy of their career.
Anonymous said…
When was the last time any of us were out drinking a beer with other security people and someone DIDN'T make a joke about the CISSP being lame?

The CISSP is a joke. The world has changed and is changing too fast for that cert. Technical and non-technical issues have come up that it doesn't address. Worthless.

I wouldn't even use it to "get past HR" in the resume pile. If you are a good security professional word of mouth will take you places. If you are looking for a foot in the door, take a job as a sysadmin, network eng, etc. and make your way to the top like the rest of us CISSP-lapsing prima donnas.
Anonymous said…
Hmm. It's a lot of language which, so far as I can tell, basically adds up to ISC2's CISSP info is a secret, and ISC2 expects you to help maintain that secret.

How standard is that clause, and others like it?

Personally I wouldn't use this as a reason to decline a CISSP certification or drop an existing one ... there are so many other good reasons!
DavidJBianco said…
The first rule of CISSP is, "Do not talk about CISSP."
Anonymous said…
I have to say with all sincerity that donut Friday rocks.
Anonymous said…
Not wanting to start a flame, but here goes. I have been in IT Sec since 96. I have seen flames erupt with any cert change. This is no different. When SANS dropped the practical, immediately there was a brouhaha on the watering of the cert. Get real people, all groups such as ISC2, SANS, MS, AICPA use their certs to make money. To those of you who say they won't get a CISSP because of this, consider it in a different way. The SANS Cert, The CISSP Cert, are a ticket. Do you want a ticket to play in a broad spectrum IT security realm or just be a Firewall admin. Make your choice. btw, I have a GIAC advanced Cert, CISSP, and a CISA. They have been my ticket for a higher level position
Anonymous said…
I'm not a CISSP but from my experience certifications have been valuable in measuring potential employees. Sure, its not a perfect measurement, but it means more to me than years on the job. It means that they sought out the certification and did the work. I don't think a college diploma means all that much either butmost organizations today will not consider a candidate without one.
Anonymous said…
I'm sorry but this is just so much blather.
If you don't want a CISSP then don't take one.
BTW the website you enter the CPE information on is dead simple to use so if the author has "hundreds" of credits he "forgot" to enter...he really has no excuse.
BTW the language he highlights in the agreement seems designed to combat "brain dump" type sites for those who wish to cheat on the exam.
Anonymous said…
Wow, sure sounds like the last guy/gal works for ISC2. I took this exam last May and passed. It took me two hours and 40 minutes to finish the beast and the questions read like Greek to me. I following the advice of a wise man and just answered the questions without changing any answers. I swear my test was a testbed version because of the type of questions I had. I haven't been to one event which grants CPE's since I took the test. I am a member of the ISSA-NOVA chapter, but I seem to be out of town everytime there is a meeting. I'm sure I'll be faced with the same dilemma you are Richard when my expiration date comes up. Should I care, maybe. I'll just put on my resume for my next job that I'm a former CISSP. If the interviewer ask me about it, I'll say I was too busy doing actual information assurance task to maintain my standing with ISC2.

Anonymous said…
In the end isn't up to the CISSP's themselves to raise the standard to an acceptable level?
We can all moan and groan about what it has become but how many of us have invested time and effort to help ISC2 increase the standard(s)?
As far as the initial question goes - Richard illustrates some valid points - The fact that the number of questions being deemed a "secret" that can not be discussed by CISSP's is ridiculous. How many of you remember the "Puzzle Palace" book and the stir it caused in the government - "secret" words that can't be confirmed or denied (I know there was much more too it - simply generalizing for a moment). In the end even the government recognized that you can't stop people from uttering the phrases top secret or even god forbid spoke, umbra, etc... it is an unenforceable rule that serves no purpose.
Anonymous said…
With all the comments trashing CISSP as basically useless, what about all those folks that took the exam several times and still failing? Are they even qualify to be working in their field?

Popular posts from this blog

Five Reasons I Want China Running Its Own Software

Cybersecurity Domains Mind Map

A Brief History of the Internet in Northern Virginia