The Certified CISO (CCISO) Program is an exclusive program designed to produce top-level information security leaders by focusing on both technical skills and information-security management strategies in accordance to the executive management’s goals. CCISO arms information security executives with the right weapons to prevent potential cyber-attacks from arising and harming an organization. To become a CISO, one must have the technical knowledge and must incorporate certain skills such as establishing and maintaining organization’s goals and strategy. The program was developed with the aspiring CISO in mind, focusing on the most critical aspects of an information security program.
The foundation and outline of the CCISO program comprises three components—Training, Body of Knowledge, and the CCISO exam—formed by a core group of high-level information security executives, the CCISO Advisory Board (who contributed as authors), exam writers, quality checkers, and trainers.
The Role of a Chief Information Security Officer (CISO)
The CISO is an organization’s senior-level information security executive, who develops and maintains an information security strategy to address emerging threats in the cyber world in alignment with a business’ objective. They play a vital role in creating and leading a team of technical professionals to defend organizations by reducing cyber-risks, responding to incidents, establishing controls, and establishing and implementing policies and procedures.
What Does the CCISO Program Teach?
The program focuses on five domains to bring together all the components required for a C-Level position. It combines governance, security risk management, controls, audit management, security program management and operations, information-security core concepts, and strategic planning, finance, and vendor management––skills that are vital to leading a highly successful information security program.
The five domains were mapped in alignment to the NICE Cybersecurity Workforce Framework (NCWF), a national resource that categorizes and describes cybersecurity work, listing common sets of duties and skills needed to perform specific tasks.
The framework consists of seven highly important categories; one of which is “Oversight and Development” and deals with leadership, management, direction, and advocacy. It was upon these requirements that the CCISO program was created, with skill development courses in legal advice and advocacy, strategic planning and policy development, Information Systems Security Operations (ISSO), and Security Program Management (CISO) being 95% related to the NCWF.
Five CCISO Domains
The CCISO Body of Knowledge was written by CISOs for future CISOs and provides in-depth learning of the five domains that are crucial for a CISO. These five domains concentrate on technical knowledge, as well as information-security management principles, from a managerial point of view.
Domain 1: Governance
This domain covers structured planning, aligning information security requirements and business needs, leadership and management skills in compliance with cybersecurity and organizational laws and acts, analyzing the latest information security changes, trends and best practices, and report writing.
Domain 2: Security Risk Management, Controls, and Audit Management
This domain covers information-security management controls: analyzing, designing, identifying, implementing, and supervising information system controls’ process to mitigate risks, and test controls and create detailed reports. It also covers auditing management: understanding the process, applying principles, skills, and techniques, executing and evaluating results, analyze the results, and develop fresh procedures.
Domain 3: Security Program Management & Operations
This domain covers project development, planning, implementation, and budgeting, acquiring, developing, and managing information-security project teams, assigning tasks and training, managing teams, ensuring teamwork and communication, evaluating the project to ensure that it aligns with business requirements and achieves optimal system performance, and ensuring that changes to the existing information system processes are made in a timely manner.
Domain 4: Information Security Core Concepts
This domain covers designing, implementing, and ensuring proper plans for access control, risk management, phishing attacks, identity theft, physical security, disaster recovery, business continuity plans, firewalls, IDS/IPS and network defense systems, wireless security, virus, Trojans and malware threats, secure coding best practices and securing web applications, hardening OS, encryption technologies, and computer forensics and incident response.
Domain 5: Strategic Planning, Finance, and Vendor Management
Design, develop, and maintain enterprise information-security architecture (EISA), perform external and internal analysis of the organization, design a strategic plan that will enable business growth, acquire and manage resources based on an operational budget, and understand other business financial requirements.
These five domains are not limited to the information above. You can learn more about the domains here.
Why CCISO and Not Other Certifications:
1. Accredited by ANSI
EC-Council has been accredited by the American National Standards Institute (ANSI) for its CCISO certification program. It is one of the few certification bodies whose primary specialization is information security in order to meet the ANSI/ISO/IEC 17024 Personnel Certification Accreditation standard.
2. Designed by the Experts
The CCISO Advisory board is comprised of practicing CISOs who designed the program based on their day-to-day experiences—based on both technical and management concerns. The board is made up of security leaders from Amtrak, HP, the City of San Francisco, Lennar, the Center for Disease Control, universities, and consulting firms who have contributed their vast knowledge to create this program to address the lack of leadership training in information security.
3. Focuses on C-Level Management through the Five Domains
By focusing on these five domains, EC-Council not only ensures that their views align with those of the NCWF, but also meet the requirements of businesses and organizations around the world.
4. Bridges the Gap between Technical Knowledge, Executive Management, and Financial Management
The CCISO program does not stop at the technical aspects required, but extends to executive management and financial management, both of which are crucial to leading a successful information security program. It focuses on the application of technical knowledge rather than technical information, which is relevant to a chief information security officer’s daily tasks. Information security managers can rise through the technical ranks, but must learn executive-level management, strategic planning, financial management, and organizational skills to reach a C-Level position.
5. Recognizes the Importance of Real-World Experience
To reach a C-Level position, an information security officer must have prior experience to gain a holistic idea of what to expect while in the field. With this in mind, the CCISO program consists of many real-world experiences faced by current CISOs around the world.
The CCISO exam also challenges students to develop a business continuity plan for a company in a given industry and situation, use metrics to communicate risk for different audiences, and describes how to align security programs with the goals of the business––among many other exercises.
6. One Step beyond Other Certs
|Exam Proctored Online||✓||x||x||x||x||x|
|Aligns With the NCWF||✓||x||x||x||x||x|
|Domain 1: Governance||100%||20%||25%||35%||55%||10%|
|Domain 2: IS Management Controls and Auditing Management||100%||33%||60%||6%||40%||19%|
|Domain 3: Business Management||100%||40%||20%||50%||60%||21%|
|Domain 4: IS Core Competencies||100%||64%||80%||11%||25%||65%|
|Domain 5: Finance and Strategic Planning||100%||22%||10%||23%||15%||10%|
Who Is It For?
The CCISO is for information security executives aspiring to be CISOs through refining their skills and learning to align information security programs with business goals and objectives. This program also encourages existing CISOs to improve their technical and management skills, as well as business procedures.
Do You Qualify to Be a CCISO?
The CCISO program is not an entry-level program. In order to qualify for the program and exam, you must have a minimum of 5 years of prior experience in at least 3 of the 5 domains (experience can overlap).
Applicants who do not meet the requirements for the CCISO program can attend the EC-Council Information Security Management (EISM) certification.
Test your knowledge to know if you’re ready for the CCISO exam.
How Can You Train?
Gain access to official courseware and a certification exam voucher through any of these training options:
- Live Online Training: Get trained live and online by a Certified EC-Council Instructor via our iClass program.
- In-Person Training: You can attend classes at an EC-Council authorized training center.
- Self-Learn: CCISO applicants who have at least five years of experience in each of the five CCISO domains can purchase the CCISO Body of Knowledge, which covers knowledge on all five domains.
The CCISO exam consists of 150 multiple-choice questions that are administered over two and a half hours. The questions are based on knowledge of the five domains and require extensive thought and evaluation. The required score to achieve the CCISO certification is a minimum of 75%.
To become a Certified CISO, visit https://ciso.eccouncil.org/