17799.Com :: View topic - CISA and CISSP Difference?
Posted: Wed Mar 09, 2005 4:26 pm Post subject: Queries
I would like to know the difference between CISA and CISSP certifications. If one has to go for a certification, which would be the better choice? Or are both certifications independent and can be taken up separately? From what I have heard, CISSP is much more technical but CISA gives you only a broad idea of IS security.
Can anyone throw some light on this?
If a person is CISA certified would it be of any value to go for a CISSP certification as well?
Posted: Wed Apr 13, 2005 4:58 am Post subject: Re: Queries
I dare to submit an answer – or more accurately, my opinion…
As for the certifications – they are offered by two completely separate organizations and are complementary in nature – but are focused on two different roles. I have both certifications - a CISSP and a CISA. I work in a Fortune 50 organization in InfoSec. From my point of view, and from my personal experience, I offer the following…
1.) I think CISA’s are more concerned with “what” security controls are and “when” and/or “why” certain controls are mandatory or appropriate. I think CISSP’s are more likely to answer the “how” a certain security control should be implemented. Example, if I had my auditor hat on and I was assessing a system before going live, I might find that the system stored sensitive enough information that two-form authentication was required (CISA). However, I might have to put my CISSP hat on and talk with my CISSP buddies to figure out exactly what type of two-form authentication is appropriate and how to roll it out.
2.) CISSP’s are typically considered more “technical” and CISA’s are considered more “administrative”. Take this with a grain of salt. I’m not disrespecting anyone – just a casual observation. Put another way – I think CISSP are more hands-on when it comes to security controls. CISA’s inspect and direct.
3.) A high-end security admin, engineer or architect would be more likely to have a CISSP. These individuals have a very broad knowledge base of IT security. I have heard the CISSP domains and test described as a mile wide and an inch deep. These folks know a little (or more likely a lot) about a LOT of different InfoSec related issues!
4.) Someone working in compliance, risk management, internal audit is more likely to have a CISA. Specifically, someone working in internal audit or for a consulting firm as a SarbOx auditor, HIPAA Auditor or GLB Auditor is more likely to have a CISA. CISA’s typically match requirements (legal or otherwise) to controls – but don’t do the actual work. They are experts in “security by the book”.
5.) I tend to see a lot of folks that work in Privacy end up having both.
6.) A CISSP would not need to know much about auditing techniques, standards, guidelines and procedures. A CISA would not need to know as much about the CIA-triad and in-depth security knowledge.
Posted: Sun May 01, 2005 11:51 pm Post subject: CISA certification
Your information about CISA and CISSP is very helpful. I'm an Oracle developer planning to go for CISA certification. I don't have much experience with Information Security. I have a commerce background. I haven't made up my mind yet... I'm in that deciding phase. What are the things that you need to know even before you think of this field? Immediately after college I joined the job and have one and a half years of experience. How competitive do you need to be technically for this exam? Do you have any suggestions for me? Thank you in advance.
I will try to do my best to provide unbiased suggestions.
In short, if you want to pursue a technical career path - go CISSP. If you are more interested in audit, assessments, governance - CISA may be the way to go. I personally believe the CISSP is more valuable in the "real world" and more applicable. Meaning, I think you will have more opportunities to exercise the experience and knowledge demonstrated or covered by the CISSP exam than the CISA exam.
One word of caution - both have "minimum" requirements. For example, the CISA exam requires...
"A minimum of five years of professional information systems auditing, control or security work experience (as described in the job content areas) is required for certification. Substitutions and waivers of such experience may be obtained as follows:"
You can find additional details at:
Specific to your question about how technical you must be.... I think you need to have a very deep understanding of IT in general. An auditor routinely comes across legacy systems and quite complex environments. The exam addresses this. I hear many fellow auditors (who don't pass the exam) say, the questions are 15 years old - nobody works on that stuff. I tend to disagree - I see it all the time.
You do not need to be as "hands-up" technical as "book smart" - at least in my personal experience. For example, on a recent audit, we walked into a Linux application house running Windows AD. They were using AD as their primary authentication store. I brought with me a Linux expert and a Windows expert to actually sit in front of the keyboard and gather the data I asked for. I knew "what" to get and "why" to get it. These experts knew "how". Again - this is all in my personal experience and I'm quite certain there are plenty of individuals out there that can (and routinely) do both! But in a general sense, CISA types are more hands-off.
Posted: Wed Jun 22, 2005 6:55 pm Post subject: CISSP Certification
Actually getting a CISSP certification depends on you sitting a 6-hour pencil-and-paper exam with 250 multiple-choice questions. They are held approximately once a month in London or Oxford at present. For more information look at www.cissp.com/Exam/exam.asp. For training courses take a look at net-security-training.co.uk. Good luck.
CISA is more towards the aspect of auditing information systems, including information security, whereas CISSP is a technical certification (vendor-neutral) for information security only. CISSP, however, is very broad in its coverage and shallow as far as depth of coverage is concerned.
CISA - 200 questions - 4 hours - Conducted twice a year
CISSP - 250 questions - 6 hours - Generally once a month, depending on location