Written by Mike Pearlstein, CISSP, CEO of Fusion Computing Limited. Helping Canadian businesses build and manage secure IT infrastructure since 2012 across Toronto, Hamilton, and Metro Vancouver.
CISSP full form
CISSP stands for Certified Information Systems Security Professional. It is the flagship security credential issued by ISC2 (the International Information System Security Certification Consortium). To earn it, a candidate needs five years of cumulative, full-time work experience in two or more of the eight CISSP domains.
The eight domains are Security and Risk Management, Asset Security, Security Architecture and Engineering, Communication and Network Security, Identity and Access Management, Security Assessment and Testing, Security Operations, and Software Development Security. Applicants must also pass a 100-150 question adaptive exam in three hours, be endorsed by an existing ISC2 credential holder, and complete continuing professional education (CPE) credits on a three-year cycle.
I have held the CISSP since 2013, and this post explains the credential from both sides of the table. For a Canadian SMB choosing an MSP, a CISSP on the leadership team is the strongest publicly verifiable signal available. It says that everything from security architecture to incident response to compliance is directed by someone with a multi-domain track record, not a vendor-trained generalist.
KEY TAKEAWAYS
- CISSP stands for Certified Information Systems Security Professional, awarded by ISC2.
- Earning it takes five verified years in the field plus a three-hour adaptive exam.
- ISC2 counts just over 265,000 certified members and associates worldwide across all its credentials; CISSPs are the senior slice of a profession with a multimillion-person staffing gap.
- An MSP led by a CISSP applies framework-driven risk modelling and Canadian compliance discipline to every engagement.
- Any CISSP claim can be verified in about 2 minutes via the ISC2 public member directory.
Book a CISSP-Led IT Consultation
Consultations are run by the CISSP-led team at Fusion Computing, a Microsoft Solutions Partner serving Canadian SMBs since 2012.
What is a CISSP?
CISSP stands for Certified Information Systems Security Professional, an advanced information security certification issued by ISC2. It requires five years of paid, hands-on security experience across two or more of eight defined domains, an endorsement from an active ISC2 member, and an adaptive exam of 100-150 questions completed within three hours.
Every active holder is registered with ISC2 and publicly searchable. It is not one-time: holders complete 120 continuing professional education credits every three years to maintain active status. Three things make CISSP distinct. The experience requirement is verified rather than self-declared. The CBK spans the entire security landscape rather than a single technology. And the Code of Ethics gives ongoing professional weight beyond exam knowledge.
CISSP certification requirements: what ISC2 requires
According to ISC2’s published experience requirements, a CISSP candidate needs five years of cumulative, full-time work experience spanning two or more of the eight CISSP domains. A relevant post-secondary degree can substitute for one year, and someone who passes before accruing that experience becomes an Associate of ISC2 with six years to bank the rest.
- Experience: five years cumulative, in two or more of the eight domains. A bachelor’s or master’s degree in a related field can cover one of the five years.
- Exam: a computerized adaptive test of 100-150 items, per the official ISC2 exam outline. Time limit three hours; pass mark 700 out of 1000.
- Endorsement: an existing ISC2 member in good standing must formally vouch for the applicant’s five years before ISC2 grants active status.
- Maintenance: ongoing CPE credits on a three-year cycle, plus a binding commitment to the ISC2 Code of Ethics.
I went through that cycle myself. I sat the exam in 2013, an ISC2 member endorsed my application, and I have recertified on the CPE cycle ever since. To my eye, the endorsement step is the part MSP buyers underrate. It means another certified professional put their own name behind the claim. That is exactly the kind of accountability you want from the person designing your defences.
Book a CISSP-Led IT Consultation → and put those requirements to work on your own environment.
The 8 CBK domains a CISSP-certified leader covers
The official ISC2 outline (2026) fixes the format: all eight domains, examined adaptively across 100 to 150 items in three hours. The passing score is 700 out of 1000 and no domain is elective, which is why the table below maps each one to concrete MSP deliverables.
| Domain | Scope | What CISSP-led work looks like |
|---|---|---|
| 1. Security and Risk Management | CIA triad, governance, PIPEDA/PHIPA. | Risk-based assessment, gap report mapped to CIS Controls v8.1. |
| 2. Asset Security | Data classification, retention, ownership. | Classification policy, retention schedule, breach evidence readiness. |
| 3. Security Architecture and Engineering | Cryptography, secure design, cloud architecture. | M365 tenant baselines, ransomware-resilient backup, post-quantum readiness. |
| 4. Communication and Network Security | Segmentation, secure protocols, ZTNA. | Least-privilege firewall policies, VPN review, traffic inspection. |
| 5. Identity and Access Management | MFA, SSO, PAM, federated identity. | Conditional Access tuning, PAM rollout, quarterly access reviews. |
| 6. Security Assessment and Testing | Vulnerability management, pen test, audit. | Risk-prioritised remediation, evidence trail for SOC 2 or PCI-DSS. |
| 7. Security Operations | SOC tooling, IR, forensics, recovery. | IR playbooks, 24/7 MDR, PIPEDA breach-report readiness. |
| 8. Software Development Security | SDLC, third-party risk, API security. | Vendor risk assessments, supply-chain controls, secure Power Apps. |
Our FC internal benchmark from Q1 2026, built on anonymized client data across our 60+ Canadian SMB security engagements, says the table above is not theoretical. Every domain in it has produced at least one design decision a non-CISSP MSP would not have raised. We measured that pattern engagement by engagement, and in our practice the gap is widest in Domains 1, 6, and 7.
Why does CISSP certification matter for an MSP?
According to Statistics Canada’s survey of cyber security and cybercrime (2024), about 1 in 6 Canadian businesses were hit by an incident in 2023. National recovery spending doubled to CA$1.2 billion, with small businesses paying roughly CA$300 million of it. The leanest teams absorb the worst of that impact, so the discipline behind your MSP’s security decisions matters.
For an MSP, the CISSP is the difference between security delivered as a product bundle and security delivered as a discipline. Most MSPs without one default to a vendor catalogue: every client gets the same EDR, the same email filter, the same backup tier, whether they are a 12-person law office or a 150-seat manufacturer. A CISSP-led MSP starts with the client’s actual threat model and works backwards to controls that match.
That shift produces five observable differences. Threat modelling happens before tool selection. Incident response follows documented playbooks. Compliance obligations across PIPEDA, PHIPA, PIPA, and PCI-DSS are designed as overlapping controls rather than parallel silos. Audit evidence is generated as a byproduct of operations. And clients receive a multi-year security roadmap rather than a quote. Fusion’s cybersecurity services are built around that discipline.
Book a CISSP-Led IT Consultation → to see which of those five differences your current provider is missing.
CISSP vs CISA vs CISM vs Security+: how do they differ?
CISSP sits in a family of security credentials with different depth. ISACA’s CISA validates five years of audit and assurance work, its CISM covers security programme management, CompTIA’s Security+ is the entry-level baseline with no experience requirement, and ISC2’s CCSP goes deep on cloud. The table compares the five you will actually meet in MSP marketing.
| Certification | Issued by | Experience required | Primary scope | Best for |
|---|---|---|---|---|
| CISSP | ISC2 | 5+ years across 2+ domains. | All eight security domains, full breadth. | Senior practitioners, security architects, MSP leadership. |
| CISA | ISACA | 5 years in audit or assurance. | Audit, assurance, control verification. | Internal auditors and SOC 2 / ISO 27001 assessors. |
| CISM | ISACA | 5 years in security management. | Governance, programme oversight, risk management. | Security managers and compliance leads. |
| CompTIA Security+ | CompTIA | None required. | Core security concepts, entry-level operations. | Help desk, junior analysts, IT generalists. |
| CCSP | ISC2 | 5 years IT, 3 in cloud security. | Cloud-specific architecture and operations. | Cloud architects in cloud-heavy environments. |
The difference is scope rather than difficulty. CISA validates the ability to verify controls. CISM validates programme management. Security+ validates baseline knowledge. CCSP validates cloud depth. CISSP is the only one validating breadth across all eight domains at a senior practitioner level. For an MSP whose remit is a client’s entire environment, that breadth is the point.
How rare are CISSPs in Canada? (workforce data)
CISSP scarcity in the Canadian market: ISC2, the certification body, reports more than 265,000 certified members and associates worldwide across all of its credentials. Its annual Cybersecurity Workforce Study keeps documenting a multimillion-person global shortfall of qualified security staff. CISSP holders sit at the senior, scarcest end of that pool.
The Canadian Centre for Cyber Security advises Canadian organisations of every size to adopt structured, framework-aligned governance. Statistics Canada’s cyber security and cybercrime survey shows SMBs suffer a large share of incidents while being least likely to employ senior security leadership. Sources: ISC2 Workforce Study, Canadian Centre for Cyber Security, Statistics Canada, 2026.
For a Canadian SMB, finding a CISSP-led MSP outside the Toronto core is uncommon. Markets like Hamilton, Kitchener-Waterloo, and suburban Vancouver have meaningfully fewer CISSP holders than the resident business population needs. An owner who deliberately selects a CISSP-led provider acquires a capability most local peers do not have.
What can a CISSP-led MSP do that an uncertified MSP cannot?
An uncertified MSP can deliver competent endpoint protection, patching, and backup. What it generally cannot deliver is the architectural sequencing and the forensic discipline that a structured threat model such as MITRE ATT&CK demands when something actually goes wrong. That gap shows up in the first 72 hours of an incident.
A CISSP-led provider performs structured threat modelling against STRIDE and MITRE ATT&CK before recommending a tool, and runs incident response from a documented playbook. It maps Canadian compliance obligations as overlapping controls and delivers a risk-weighted multi-year roadmap. Across Fusion Computing’s 60+ Canadian SMB security engagements through Q1 2026, the design decisions that prevented incidents have almost always been architectural rather than product-level.
“The assessment found an admin account with domain-level rights that had been inactive for four years but was still open. One phishing email away from a full breach. We never would have caught that on our own.”
How does cyber insurance treat CISSP-led security?
Cyber insurance underwriters increasingly differentiate based on the depth of the security programme behind the application. CISSP-led security generally maps to faster underwriting and access to higher coverage tiers because insurer questionnaires now demand specific control evidence: documented IR playbooks, MFA enforcement reports, privileged access reviews, and tested backup recovery.
A CISSP-led MSP produces this evidence as part of normal operations; an uncertified provider often has to assemble it under deadline. Carriers may also deny coverage if controls described in the application were not in place at the time of incident, and CISSP-level documentation closes that gap.
Not sure where your controls stand today? Take the free cybersecurity assessment → and get the same gap report our underwriter-facing clients use across Ontario and British Columbia.
How to verify an MSP’s CISSP claim
Verification takes about 2 minutes and should happen before signing any cybersecurity-led MSP agreement. The CISSP is a personal credential held by an individual, never a company, so “our team is CISSP-certified” without a named individual is meaningless. ISC2’s public member verification portal confirms any holder’s active status from just a name and certification number.
The 4-step check starts with paperwork: ask for the certified individual’s full name and certification number, then search the ISC2 member verification portal to confirm active status. Then ask what operational role the holder plays in your account, and confirm visible CPE activity such as conference attendance.
Red flags include team-level rather than named claims, lapsed certifications, CISSP holders in pure sales roles, and confusion with unrelated credentials such as MCSE or Security+. If the MSP cannot articulate how the CISSP changes the way they work, the credential is decorative rather than operational.
Book a CISSP-Led IT Consultation
Fusion Computing runs every client security engagement under named, verifiable CISSP leadership. Run the directory check above on us before you book.
Framework alignment behind CISSP-led MSP work: the NIST NICE Cybersecurity Workforce Framework defines the work roles behind security engineering, architecture, and operations, the same functions the eight CISSP domains examine.
The Canadian Centre for Cyber Security recommends framework-aligned governance for organisations of all sizes. Fusion Computing aligns client environments to CIS Controls v8.1 as a managed MSP service for Canadian SMBs, with Canadian regulatory layers (PIPEDA, PHIPA, PIPA, PCI-DSS) handled as overlapping rather than separate programmes. Sources: NIST NICE Framework, Canadian Centre for Cyber Security, CIS Controls v8.1, 2026.
Frequently asked questions
What does CISSP stand for?
CISSP stands for Certified Information Systems Security Professional, an advanced security certification issued by ISC2. It validates expertise across eight domains and requires five years of paid security experience and an endorsement from an active ISC2 member. The computerized adaptive exam runs 100-150 questions, scored out of 1000 with 700 needed to pass.
What are the eight CISSP domains?
The eight CBK domains are Security and Risk Management, Asset Security, Security Architecture and Engineering, Communication and Network Security, Identity and Access Management, Security Assessment and Testing, Security Operations, and Software Development Security. Together they describe the full scope of senior security practitioner responsibilities.
Why should an MSP have a CISSP-certified leader?
A CISSP-led MSP applies threat modelling before tool selection, runs incident response from documented playbooks, maps Canadian compliance obligations such as PIPEDA as overlapping controls, and produces a risk-weighted roadmap covering 3 or more years. Most MSPs without a CISSP default to a vendor bundle.
How is CISSP different from CompTIA Security+?
Security+ is an entry-level credential with no work experience requirement, appropriate for help desk staff and junior analysts. CISSP requires five years of verified paid experience and covers all eight security domains at architectural depth. On MSP technical staff Security+ is a positive baseline; in MSP leadership CISSP is a fundamentally different statement.
How is CISSP different from CISM?
CISM, issued by ISACA, focuses on security governance and programme management. CISSP, issued by ISC2, covers governance plus the seven other domains including architecture, network, IAM, and operations. CISM holders are typically programme managers; CISSP holders are typically architects or senior practitioners. Both require five years of experience.
How rare are CISSP holders in Canada?
ISC2 reports more than 265,000 certified members and associates worldwide across all of its credentials, and its Cybersecurity Workforce Study documents a persistent multimillion-person global staffing gap. Canadian holders concentrate in Toronto, Ottawa, Montreal, Calgary, and Vancouver; markets like Hamilton and suburban Vancouver have meaningfully fewer holders relative to local SMB demand.
How do I verify an MSP’s CISSP claim?
Ask for the named individual’s full name and certification number, then search the ISC2 public member verification portal at isc2.org to confirm active status, a check that takes about 2 minutes. Then ask what operational role the holder plays in your account; a CISSP in a non-delivery role is a marketing asset rather than a security one.
Does cyber insurance require a CISSP-led MSP?
No carrier formally requires CISSP, but underwriting questionnaires increasingly demand documented IR playbooks, MFA enforcement reports, privileged access reviews, and tested recovery procedures. CISSP-led programmes produce that evidence by default and generally clear underwriting faster than teams assembling it under a 30-day renewal deadline.
Is Fusion Computing CISSP-led?
Yes. Fusion Computing is led by Mike Pearlstein, CISSP, who has held the certification since 2013 and has operated Fusion’s managed IT and cybersecurity practice since 2012. The CISSP is operationally active across every client engagement.
Related Resources
- Cybersecurity Services: CISSP-led Canadian SMB security programme.
- What is an MSSP?: how managed security service providers operate.
- What is Managed Detection and Response?: the operational layer behind CISSP Domain 7.
- Cyber Insurance Coverage Checklist: the controls underwriters expect.
- Managed IT Services: the broader Fusion service line.
Last updated: July 2026. Fusion Computing.

