What CISSP certification means when picking a cybersecurity consultant
CISSP signals broad security judgment and a five-year experience bar, but it does not promise hands-on depth in any single tool you buy.
You are about to hand a stranger the keys to how your company defends itself. The letters after their name are one of the few signals you can check before the contract is signed. CISSP is the one you will see most, and it is easy to over-read or under-read. Reading it correctly saves you from paying senior rates for a junior profile, or dismissing a strong consultant because the credential looked generic.
In conversations with buyers this year, the same question keeps coming up: “They have CISSP, is that good enough?” The honest answer is that it tells you something real and specific, and it leaves a gap you still have to close yourself. Here is how to read it.

What CISSP is
CISSP is a broad information-security certification from ISC2, the body that issues it. The full name is Certified Information Systems Security Professional. It is built around management and design judgment across the whole of security, not deep operation of one product. Think of it as proof that someone can see the full board, not that they can run any single piece on it.
The certificate covers eight subject areas that ISC2 calls the CISSP domains: security and risk management, asset security, security architecture and engineering, communication and network security, identity and access management, security assessment and testing, security operations, and software development security. That spread is the point. A CISSP holder has been tested on how risk, identity, networks, and operations fit together, which is the kind of thinking a consultant needs to advise a whole business.
What the letters signal about a consultant
The strongest signal is the experience bar behind the certificate. ISC2 requires five years of cumulative, paid work experience in two or more of the eight domains before someone can hold CISSP (a relevant four-year degree or an approved credential can waive one of those years). So the credential is not just an exam pass. It means the person has spent years doing security work, not weeks cramming for a test. That alone filters out a large share of people who simply call themselves consultants. One check worth making: a candidate who passes the exam without the experience is an Associate of ISC2, not a CISSP, so confirm the profile says CISSP and not Associate.
Two more things come attached. ISC2 requires every holder to commit to its Code of Ethics as a condition of certification, and to keep the credential they must earn 120 continuing professional education (CPE) credits over each three-year cycle. For you as a buyer, that means a current CISSP is someone who agreed to be held to a professional standard and who has kept learning since they first qualified. Check that the credential is actually current: ISC2 runs an online member verification lookup, and a lapsed or never-renewed CISSP does not carry the same signal.
So when you see CISSP on a profile, read it as: this person has senior-level breadth, real years behind them, and an obligation to stay current. That is a solid floor. It is not the whole picture.
What CISSP does not tell you
CISSP measures breadth, not hands-on depth in the specific tool you are buying. A consultant can hold CISSP and still have never tuned a detection rule in CrowdStrike Falcon, run a scan in Tenable, or implemented an ISO 27001 management system end to end. The certificate says they understand the concepts across the field. It does not say they have shipped the exact work you need this quarter.
This is where buyers go wrong in both directions. Some treat CISSP as a guarantee of delivery and skip the rest of the diligence. Others see “general” certification and assume it is shallow. Neither read is right. The fix is to pair the credential with one or two implementation-level proofs: a named project, a platform certification on the product you run, or a reference you can call. CISSP gets the consultant onto the shortlist. The project evidence wins them the work.
How to read a full credential stack
Look for breadth and depth together, and check that the senior claims carry weight. A profile that pairs CISSP with a platform or standards certification on your specific need is the pattern you want: one credential covering the wide view and another proving the hands-on track.
As a concrete example, my own profile is CISSP plus ISO 27001 Senior Lead Implementer and NIS2 Senior Lead Implementer. The CISSP carries the broad security judgment described above. The two Senior Lead Implementer credentials sit on top, and their Senior tier calls for more than ten years of experience, so together the stack shows breadth from CISSP and depth in compliance implementation. That is the shape to look for in anyone you are evaluating: a wide credential, a deep one, and senior claims you can verify.
When you read a consultant’s credentials, ask three plain questions. Does a broad certificate like CISSP show senior judgment across security? Is there a second credential or named project proving depth in the exact thing you are buying? And can you confirm the senior-tier claims by date, source, or reference? If the answer to all three is yes, the letters are doing their job.
Next step
See FM CyberSecurity’s credentials and partner certifications at our partners page. Or talk to our consulting practice for a 30-minute conversation on what to look for in the consultant you are about to hire.
FAQ
What does CISSP stand for and who issues it?
CISSP stands for Certified Information Systems Security Professional. It is issued by ISC2, an independent body that certifies security professionals. It is a broad, management-and-design level credential that covers eight security domains rather than one product or tool.
How much experience does CISSP require?
ISC2 requires five years of cumulative, paid work experience in two or more of the eight domains before someone can hold the certification; a relevant degree or approved credential can waive one year. That experience bar is the main reason CISSP carries weight: it is not an exam-only credential.
Does CISSP mean a consultant can run my specific security tools?
Not on its own. CISSP proves broad security judgment across the field, not hands-on depth in any single platform. Pair it with a platform certification, a named project, or a reference on the exact tool or standard you need, so you confirm both the wide view and the hands-on track.
Do CISSP holders have to keep the certification current?
Yes. To keep CISSP, holders must earn 120 CPE credits over each three-year cycle, pay the annual maintenance fee, and remain bound by the ISC2 Code of Ethics. A current credential signals someone who has kept learning; confirm the certification has not lapsed, which ISC2 lets you do through its online member verification.
Is CISSP enough on its own to choose a consultant?
It is a strong floor, not a full answer. CISSP gets a consultant onto your shortlist by showing senior breadth and a real experience bar. To pick between candidates, add implementation-level proof on your specific need. See our guide on why tenders increasingly require ISO 27001 for how standards credentials fit alongside it.