Received a nice email from ISC2 this morning confirming that my Certified Information Systems Security Professional (CISSP) certification is all set for another three years. Having been involved with creating a certification, I find ISC2's process quite interesting. First, obviously, there is the barrier of obtaining the CISSP credential. The 6-hour exam is certainly not an easy one as it encompasses an extremely wide area in the 10 domains of the Common Body of Knowledge. Then there is the professional experience requirement and then the requirement to be endorsed by another CISSP. Add to that the fact that the exams are not computer-based but rather proctored... and are therefore only scheduled an infrequent intervals. All in all, it winds up not being terribly easy to obtain the CISSP credential. Which is part of the point, really. There have been too many certification mills out there.
Anyway, once you obtain the CISSP, the next part is to maintain the credential. There's an Annual Maintainence Fee to pay, but that's <$100 and not really a big deal. Much harder is the Continuing Professional Education (CPE) requirement which is that over three years you have to obtain 120 CPEs. If you fail to do so after 3 years, you lose your CISSP and have to retake the exam! Now, it's not overly difficult to obtain CPEs. You can get them for attending conferences, webcasts, training courses... even, once per year, for reading a security book. You can also get more for providing training or serving on the board of a local security association. Really, it's nothing for the normal security professional who is keeping up on the current state of the profession. And that's the point, really. ISC2 wants to ensure that someone representing themself as a CISSP does in fact have relatively current security knowledge. The main issue, I find, is remembering to record CPEs with ISC2! If I attend a conference or webinar or something like that, I try to remember to go and record that soon thereafter.
In any event... I've blown past the required CPEs... now the counter gets reset and I'll have to start again to have them in place before 2010! :-)
P.S. Wikipedia, of course, also has more info on the CISSP.