SSCP

In September 2018, I took the (ISC)2 SSCP exam (Systems Security Certified Practitioner). This was a bit different from any of the previous exams I’ve taken: normally I would sit the exam(s), then get a qualification if I passed. In this case, the exam is only one component: you also need to be endorsed by an (ISC)2 member who will vouch for you having suitable experience.

The name (ISC)2 is (or was) an abbreviation for International Information System Security Certification Consortium. If you think of a mathematical formula, (ISC)2 = IISSCC. They also offer the CISSP (Certified Information Systems Security Professional), which is aimed at higher level strategic roles and probably better known; that’s the type of certification that a CISO (Chief Information Security Officer) might have. By contrast, the SSCP is aimed at tactical (hands on) roles, and that interests me more than the management side of things.

The SSCP and CISSP both have a CBK (Common Body of Knowledge), spread across multiple domains (topics). Passing the SSCP or CISSP exam will qualify you to become an Associate of (ISC)2. However, to actually get the SSCP certification you need to have 1 year’s experience in at least 1 of the 7 domains. For the CISSP you need to have 5 years’ experience in at least 2 of the 8 domains.

So, if you’re trying to move from a general role (e.g. service desk) into a security role, this implies that you wouldn’t be eligible for either. However, if you have a relevant degree in a cybersecurity program then the ISC2 will accept that in lieu of a year’s experience for the SSCP.

In 2018, I was very enthusiastic about getting a more prestigious certification, and I thought that this would really open doors for me. However, reviewing it in 2020, I don’t think it’s really helped my career at all, and I don’t recall seeing any job adverts that mentioned the SSCP. Prices have also risen, so I don’t know whether I’ll maintain it long-term, and right now I wouldn’t recommend it to anyone else; my advice is to do the Security+ instead.

Preparation

I used the second edition of Darril Gibson’s All-In-One exam guide to prepare for the exam, because I was impressed by the study guide he wrote for the Security+ exam. However, I only got partway through before I took the exam (I finished 5 chapters out of 14), and that was enough for me to pass. There’s a lot of overlap between the exam objectives for SSCP and Security+, so ideally I’d like to see a shorter book that just covers the differences between them.

I reported some errata which never made it onto the author’s website, e.g. the book claims that 802.11ac supports 2.4 GHz and 5 GHz whereas in fact that protocol only supports 5 GHz. Also, the description of code signing is incorrect: he’s confused between a digital certificate (issued to a software publisher and used for all their applications) and a signature (generated by the certificate, but unique to each application).
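An added example (my own Go code, not from the post or from Gibson's book) of the distinction the second erratum makes: one publisher key and certificate sign two different applications, each application gets its own signature, and a verifier needs only the certificate. The publisher name and application bytes are constructed.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
func must(err error) { if err != nil { panic(err) } }
// NewPublisher: one signing key plus a certificate for it (self-signed here; a real one comes from a CA).
func NewPublisher(name string) (*rsa.PrivateKey, *x509.Certificate) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return key, cert
}

// Sign: the per-application signature, RSA over the SHA-256 digest of the app's bytes.
func Sign(key *rsa.PrivateKey, app []byte) []byte {
	digest := sha256.Sum256(app)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	must(err)
	return sig
}

// Verify: needs only the certificate's public key, never the private key.
func Verify(cert *x509.Certificate, app, sig []byte) bool {
	return cert.CheckSignature(x509.SHA256WithRSA, app, sig) == nil
}

func main() {
	key, cert := NewPublisher("Example Software Ltd")        // constructed publisher
	appA, appB := []byte("app-a v1.0"), []byte("app-b v2.3") // constructed sample apps
	sigA, sigB := Sign(key, appA), Sign(key, appB)           // same cert, two signatures
	fmt.Println("A:", Verify(cert, appA, sigA), "B:", Verify(cert, appB, sigB)) // true true
	fmt.Println("A's signature on B:", Verify(cert, appB, sigA))             // false
}
```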

In fairness, I swapped emails with Darril Gibson, and he explained that recent life events (in particular his wife’s illness) took priority over errata, especially since this edition was about to be superseded. The SSCP exam objectives were revised in November 2018, so Gibson released a third edition of his book to reflect that; I haven’t read it, so I don’t know whether any of the errors were corrected.

Here are a few things I noticed in the SSCP book that weren’t in the Security+ syllabus:

  • Security models (e.g. Bell-LaPadula)
  • Cloud security (e.g. encrypting files locally before you upload them)
  • Capability tables (“what files can this person access?” rather than “who can access this file?”)
  • Database design, e.g. primary/foreign keys

The book (and the practice test included on the DVD) advise frequent password changes. I disagree (along with NIST and the NCSC) but this was a case of “tell them what they want to hear” during the exam. Similarly, one of the questions implied that MAC filtering is only bad because it’s a hassle to maintain the list (rather than being pointless because someone can spoof a MAC address). I don’t know whether any of this changed in the 2018 revision.

Registering for the exam was more difficult than it really should have been. I had to create a new account with Pearson Vue, where they asked for a phone number and mobile number, but they wouldn’t let me leave the main phone number box blank; there are a lot of people who don’t have landlines anymore! They also had “employer” and “position” as compulsory fields, which would be difficult if you took this exam before you found a job; I’m not sure whether they’d accept “N/A” as a valid answer.

Pearson Vue also ask you to state whether you’re eligible for certification, based on these criteria. I found this question the most tricky:
“Have you ever been known by any other name, alias, or pseudonym? (Omit user identities or screen names with which you were publicly identified. Also omit name changes due to marriage or adoption.)”
Does the screen name bit mean that you need a public look-up table somewhere? E.g. “My Twitter handle is redrobin but everyone knows my real name behind it.” How about online dating sites, where you explicitly aren’t allowed to use your real name, but the people who run the site are aware of it?
NB Pearson Vue don’t ask you to answer “yes or no” for each of these questions, they just ask you whether you’re eligible, bearing in mind that your answers to those questions might impact your eligibility.

I contacted ISC2 for advice. They replied:
“So long as you do not change your name for any unethical reason, it should not hurt your chances of sitting for the examination.”
That’s a bit less conclusive than I would have liked, but it would only be relevant if I was picked for a random audit. So, I stated that I was eligible.

Back on the Pearson Vue site, they also asked for demographic information, specifically my ethnic origin. I’d normally choose “White British”, but in this case all of the answers seemed to imply that I was American. The closest option was “Non-Hispanic White or Euro-American”, but maybe “Other” would be more accurate? It’s good that they’re not making “White” the default, but they could make the options a bit clearer. In the end, I said “Prefer Not To Answer”.

Finally, Pearson Vue asked whether I was applying to take the Associate of ISC2. I chose “No”, on the basis that I already had enough experience to get the SSCP certification; other people might need to become an Associate while they get that experience. However, in hindsight it might have been better to choose “Yes”. After I took the exam, I couldn’t add anything to my CV until I was awarded the certification. If I’d chosen the other option, maybe I could have become an Associate immediately (and put that on my CV), then submitted my application to get my experience endorsed? Ultimately, I don’t think it made much difference.
NB You can’t start the endorsement process until after you’ve taken the exam.

The exam

After I’d registered, I chose a test centre. The list was shorter than usual, i.e. there are test centres who are registered with Pearson Vue but don’t offer the ISC2 exams. I think this is because the venue needs to have higher security. In particular, they did a palm vein scan to verify my identity rather than just looking at photo ID, and I’m guessing that not all test centres have that equipment.

The actual exam cost me £199 (+VAT), which is roughly the same as the Security+ (now £207+VAT).

During the exam, they allow 3 hours for 125 questions. When I did the practice exam (from the study guide), it took me 45 minutes; the actual exam took me 1h10m. I went through the questions 3 times: a first pass to answer the ones I was sure about and flag any that I wasn’t sure about, a second pass to review the flagged questions, and a third pass to review all of my answers. So, I could have finished within an hour if I’d needed to. If you know the material, the 3 hour time limit is generous; it’s not a race, so I’m not saying this to brag, but you shouldn’t need to worry about running out of time.
NB The CISSP exam now uses adaptive testing (where you only get one chance to answer each question), but that isn’t being used for the SSCP yet.

One tip is to read the questions carefully. There’s an important difference between “a symmetric algorithm” and “asymmetric algorithm”! (I remember a Physics teacher at school with a Welsh accent: “This is an AND gate and this is a NAND gate.” That caused some confusion…)

My exam also asked about Bluetooth security, so you should be familiar with the 4 security levels and the 3 security modes. However, this wasn’t covered in Gibson’s book, and Bluetooth wasn’t even mentioned in the 2015 exam outline. Looking at the 2018 exam outline, section 6.6 is now called “Operate and configure wireless technologies (e.g., bluetooth, NFC, WiFi)”, although it doesn’t go into any detail. I know that some exam providers will add extra questions that don’t count towards the score, as a form of prototyping, so that might have happened here. In any case, I think this is useful knowledge to have, whether it’s in the exam or not.

At the end of the exam, it said that my result was a provisional pass, but it didn’t give me a score. As I understand it, this is the same for everyone, and the provisional result would only change if they had reason to think that I was cheating. I received an email that evening, repeating the provisional status and prompting me to begin the endorsement process.

Endorsement

The SSCP experience page lists the requirements. At the bottom of the page, they have some approved degree programs, which currently includes “Computer Science”.

None of my work colleagues were ISC2 members, but you can submit evidence of your degree and then someone in the ISC2 head office will provide the endorsement.

In my case, I have a BSc Honours degree in Computer Science (from the University of Durham) and an MSc in Advanced Computing (from Kings College London). They asked me to upload a scanned copy of my degree certificate, but the website would only accept one attachment; I suggested that they should accept multiple documents, for people with multiple degrees. Anyway, I uploaded my undergrad degree certificate, and that was good enough.

The initial email said:
“The endorsement process may take up to six (6) weeks to complete (unless your application is randomly selected for audit, in which case, it may take longer).”

This was repeated the following day, after I’d uploaded my documentation:
“Please allow 6 weeks for your submission to be reviewed and processed.”

After 6 weeks, I hadn’t heard anything, so I went back to the website. The main endorsement page then said:
“Due to the high volume, Endorsement Application review may take up 8 weeks to complete. We apologize for the inconvenience.”
That was disappointing, and it would have been nice if they’d at least sent me an email notification.

Based on advice from the forum, I went to this page to check how far my application had got:
https://apps.isc2.org/Endorsement/
NB That URL starts with “apps” rather than “www”.

According to that page:
“You submitted your application on 09/14/2018. Your application is being reviewed by (ISC)² for Endorsement Assistance.”
However, checking that page again today (in April 2020), it still says exactly the same thing. So, don’t rely on that for meaningful information.

I eventually got an email on 2nd November, 7 weeks after I started the endorsement process, telling me that I’d been awarded the SSCP certification. I was quite proud of this, so I downloaded one of the logos from the members’ website and updated the header (banner) for my LinkedIn profile.

A week later, I got another notification, saying that I now had a digital badge on Acclaim. That’s useful, and I’m glad to see exam providers using that platform.

CPE

Like many certifications, the SSCP will expire after 3 years unless it gets renewed. (I believe that this is a requirement for ISO 17024.) At CompTIA and Cisco, the default choice is to take another exam (either at the same or higher level). However, the ISC2 don’t even offer that as an option. Instead, you have to earn CPE (Continuing Professional Education) credits, and pay an AMF (Annual Maintenance Fee).

When I took the exam in 2018, the AMF was separate (cumulative) for each certification. So, you would pay $65/year for the SSCP or $85/year for the CISSP (and therefore $150/year for both). In 2019, the ISC2 changed this policy: it now costs $125/year regardless of which certification(s) you hold. It’s also now due at the start of the membership year rather than at the end.

This is good news for people who have multiple certifications, but less good for people with a single certification; in my case, the price has almost doubled! As a concession, they allowed existing members (customers?) to pay the AMF up-front at the old rates, so I paid $195 (3 x $65) in June 2019, covering the period from December 2018 to November 2021. Next year, I’ll need to decide whether I want to maintain this certification at the higher price; right now, I think it’s more likely that I’ll ditch it.

As for the CPE credits, there’s a quota for each 3 year certification cycle. They split it up into a recommended number per year, but you can do an uneven distribution if you prefer. For the SSCP, you need 60 credits in total: 45 from group A and 15 from group A or B. (For the CISSP, you need 120 in total: 90 from group A and 30 from group A or B. If you have multiple certifications, the same credits count towards both.) Basically, group A is for stuff that’s directly relevant to the CBK; group B is for stuff that’s more general, e.g. a professional speaking course. If you do everything in group A then you don’t have to worry about the split.

In fairness, you can earn credits from “free” resources (i.e. where the cost is covered by the AMF). For instance, there’s a magazine released every 2 months, with a quiz in the back. If you pass the quiz, you get 2 CPE credits. So, you can get 12 CPE credits per year that way; you can also go through the back issues (dating back to 2014) to pick up some extra credits.

My main concern there is that the questions aren’t always relevant. For instance, if there’s an article about the skills that are most in demand, then the quiz asks you to list those skills, that’s legitimate. On the other hand, if there’s an article about a new ISC2 director, and the quiz asks which university they went to, I really don’t care; this is not useful knowledge for me to retain.

You can also earn CPE credits for watching webinars. Again, there’s an archive going back several years, although the newer videos are more likely to be useful.

You can get CPE credits for some activities from other training providers, although it’s tricky to find out which are actually approved; in some cases it’s similar to my concern about eligibility (pre-exam), i.e. you can submit things and you’ll automatically get the credits, but if an auditor reviews it then those credits might disappear. Offensive Security courses are a pretty safe bet for group A: I got 10 credits for the WiFu course, and I believe that the PWK course is worth 40 credits. (Technically, the CPE credits are for the course rather than the exam, but you need to submit the exam results as evidence that you learnt the material.)
