Submit verified evidence of a minimum of five years of information security work experience, with a minimum of three years of information security management work experience in three or more of the job practice analysis areas.
The following security-related certifications and information systems management experience can be used to satisfy the indicated amount of information security work experience.
- Certified Information Systems Auditor (CISA) in good standing
- Certified Information Systems Security Professional (CISSP) in good standing
- Post-graduate degree in information security or a related field (e.g., business administration, information systems, information assurance)
- One full year of information systems management experience
- One full year of general security management experience
- Skill-based security certifications (e.g., SANS Global Information Assurance Certification (GIAC), Microsoft Certified Systems Engineer (MCSE), CompTIA Security +, Disaster Recovery Institute Certified Business Continuity Professional (CBCP), ESL IT Security Manager)
- Completion of an information security management program at an institution aligned with the Model Curriculum
The experience substitutions will not satisfy any portion of the 3-year information security management work experience requirement.
Exception: Two years as a full-time university instructor teaching the management of information security can be substituted for every 1 year of information security experience.