In 2019, the Payment Card Industry (PCI) Security Standards Council (SSC) modified the Qualification Requirements for Qualified Security Assessor (QSA) employees. Prior to the modification, the requirements stipulated that QSA employees must hold either an Information Security certification or an audit certification, but now QSA employees must have a minimum of two (2) industry certifications: one (1) Information Security and one (1) IT audit certification. https://www.pcisecuritystandards.org/documents/Frequently_Asked_Questions_for_QSA_Requirement_for_Industry_Recognized_Professional_Certifications.pdf

I first obtained my QSA certification under the old rules. When I first heard of the upcoming change, I felt like it was unfair for the PCI SSC to move the goalposts. My primary concern was that I would have to dedicate countless hours studying to obtain another certification, the cost of which starts at $500. Additionally, once you obtain another certification, you have to pay annual maintenance fees and secure the necessary amount of Continuing Professional Education (CPEs) to retain the certification.

Once I overcame my personal concerns and looked at the change, I realized it does make sense. In order to be a successful QSA, you should have knowledge of Information Security principles and procedures and have auditing skills. Many of the PCI Report on Compliance (RoC) requirements involve testing of IT and Information Security controls. A QSA should also have effective report writing and interviewing skills, which is clearly more tied to the auditing discipline.

What qualifies as an Information Security certification?

Information Security certifications must come from this list:

· (ISC)2 Certified Information System Security Professional (CISSP)

· ISACA Certified Information Security Manager (CISM)

· Certified ISO 27001 Lead Implementer

What qualifies as an IT audit certification?

IT audit certifications must come from this list:

· ISACA Certified Information Systems Auditor (CISA)

· GIAC Systems and Network Auditor (GSNA)

· Certified ISO 27001, Lead Auditor, Internal Auditor

· IRCA ISMS Auditor or higher (e.g., Auditor/Lead Auditor, Principal Auditor)

· IIA Certified Internal Auditor (CIA)

My personal career path of choice was auditing, so I obtained the CISA in 2017 as a prerequisite for the QSA under the old rules. Once the new rule was implemented, I had a tough decision to make: obtain the CISSP, CISM, or ISO 27001. All of the certifications require a defined number of years of prior experience and passing an exam; however, CISSP and CISM exam preparation can be done as self-study. The ISO 27001 Auditor certification requires a candidate to take a five-day Auditor Course, and on the fifth day you need to pass the written exam to obtain the certification. The five-day course requirement was not preferred with my current workload. This narrowed the options to either the CISSP or CISM.

The five (5) domains for the CISA exam are as follows:

1. Information System Auditing Process (21%)
2. Governance and Management of IT (17%)
3. Information Systems, Acquisition, Development, and Implementation (12%)
4. Information Systems Operations and Business Resilience (23%)
5. Protection of Information Assets (27%)

The four (4) domains for the CISM exam are as follows:

1. Information Security Governance domain covers (24%)
2. Information Risk Management and Compliance domain covers (30%)
3. Information Security Program Development and Management domain covers (27%)
4. Information Security Incident Management domain covers (19%)

The eight (8) domains for the CISSP exam are as follows:

1. Security and Risk Management
2. Asset Security
3. Security Architecture and Engineering
4. Communications and Network Security
5. Identity and Access Management
6. Security Assessment and Testing
7. Security Operations
8. Software Development Security

The first thing I noticed was the CISSP covers a whopping eight (8) domains and is often described as a 'mile wide and an inch deep.' I have a lot of respect for the CISSP but a fear of the amount of information covered. Another observation was both the CISM and CISA are administered by the same organization, ISACA, which mean there were likely to be some similarities in test-taking techniques.

The CISSP is administered by ISC². I also have an ISC­­­² certificate called the Systems Security Certified Practitioner (SSCP), but it only covers five (5) of the eight (8) domains in the CISSP. Once I started studying for the CISM, I noticed significant overlap with the CISA test content.

All things considered, I am not sure how I would have performed on the CISSP test—maybe I will find out one day! I am certain that the overlapping content coupled with my familiarity with auditing-related items made the CISA/CISM combination the best choice for me. I was able to pass the CISM in February 2020 and was thereby able to retain my QSA certification.