Interview Questions to Ask Candidates with CISSP, CFT, or CISA Credentials

When interviewing cybersecurity professionals, it is essential to move beyond verifying certifications and probe how the candidate actually applies what the credential covers. The value of a credential such as the certified information systems security professional (CISSP), or of the training behind a CFT course or a CISA training course, lies in how the holder applies its principles to real-world scenarios. The questions below are designed to probe the depth of a candidate's expertise, their problem-solving skills, and their ability to turn the theory from their training into effective security practice, so that you can distinguish candidates who are merely certified from those who can genuinely strengthen your organization's security posture.

For the CISSP Candidate

Asking a candidate who holds the certified information systems security professional designation about designing a security awareness program tests their grasp of the 'Security and Risk Management' domain. A strong answer should go beyond simply suggesting a yearly training video. Look for a structured approach that begins with a needs assessment to identify the specific risks and vulnerabilities unique to your company's culture and data. They should mention developing tailored content for different departments—for instance, finance staff need different training on phishing than the R&D team handling intellectual property. A proficient candidate will discuss delivery methods, such as interactive modules, simulated phishing exercises, and ongoing communications like newsletters or lunch-and-learns. Crucially, they must explain how to measure the program's effectiveness through metrics like reduced click-through rates on test phishing emails or improved scores in knowledge assessments. This demonstrates they understand that security awareness is a continuous process, not a one-time event.

The second question, about performing a quantitative risk analysis, targets the core of risk management. A textbook answer defines the terms: asset value (AV), exposure factor (EF, the fraction of the asset's value lost in one incident), single loss expectancy (SLE = AV x EF), annualized rate of occurrence (ARO, how many incidents are expected per year) and annualized loss expectancy (ALE = SLE x ARO). You want to hear about a real application. A compelling response describes a specific asset or threat they analyzed and walks through the steps: identifying a critical asset, estimating its value, estimating how much of that value one incident would destroy, researching how often the threat is expected to occur, and calculating the resulting annual loss. The best answers also cover how they presented the figures to business leaders, for example comparing the ALE reduction a control would deliver against its annual cost to justify the investment, and they should recognize that a control whose annual cost exceeds the loss it prevents is not justified on these numbers alone. This shows they can communicate risk in business terms, bridging the gap between the technical security team and executive management, a key skill for any seasoned certified information systems security professional.
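The calculation the candidate should be able to walk through, as an added example that is not part of the original article: the standard SLE and ALE formulas carried through to a cost-benefit ranking of candidate controls. The asset, threat and control figures are constructed for illustration, not real estimates.

```python
"""Added example (not from the article): quantitative risk analysis carried
through to a cost-benefit decision, using the standard formulas
SLE = AV x EF and ALE = SLE x ARO. All figures below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset_value: float      # AV: what the asset is worth, in currency units
    exposure_factor: float  # EF: fraction of AV lost in one incident, 0..1
    aro: float              # ARO: expected incidents per year

    @property
    def sle(self) -> float:
        """Single Loss Expectancy: loss from one incident."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy: expected loss per year."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float   # purchase amortized over its life plus operating cost
    residual_ef: float   # EF once the control is in place
    residual_aro: float  # ARO once the control is in place


def residual_risk(risk: Risk, control: Control) -> Risk:
    """The same asset, with the exposure and frequency the control leaves behind."""
    return Risk(risk.asset_value, control.residual_ef, control.residual_aro)


def net_value(risk: Risk, control: Control) -> float:
    """Annual value of a safeguard: ALE before, minus ALE after, minus its cost.
    A negative result means the control costs more than the loss it prevents."""
    return risk.ale - residual_risk(risk, control).ale - control.annual_cost


def rank_controls(risk: Risk, controls) -> list:
    """(name, net annual value) for each control, best first."""
    return sorted(((c.name, round(net_value(risk, c), 2)) for c in controls),
                  key=lambda pair: pair[1], reverse=True)


# Constructed scenario: customer database, breach through stolen credentials.
DATABASE_BREACH = Risk(asset_value=2_000_000, exposure_factor=0.4, aro=0.5)
CANDIDATE_CONTROLS = [
    Control("MFA on all database access", 40_000, residual_ef=0.4, residual_aro=0.2),
    Control("Data loss prevention", 120_000, residual_ef=0.1, residual_aro=0.5),
    Control("Field-level encryption", 300_000, residual_ef=0.05, residual_aro=0.5),
    Control("Full platform rebuild", 500_000, residual_ef=0.02, residual_aro=0.1),
]

if __name__ == "__main__":
    r = DATABASE_BREACH
    print(f"SLE = {r.sle:,.0f}   ALE = {r.ale:,.0f}")
    for name, value in rank_controls(r, CANDIDATE_CONTROLS):
        print(f"{name:30s} net annual value {value:>12,.0f}")
```

With these inputs the unmitigated ALE is 400,000 per year; MFA comes out best (net 200,000), and the platform rebuild is rejected because its annual cost exceeds the loss it would avoid. The point to listen for in an interview is exactly this last comparison: the candidate should be able to say why a control that reduces risk the most can still be the wrong investment.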

For the CFT Course Graduate

When interviewing a candidate who has completed a comprehensive CFT course (Computer Forensics Training), you need to assess their hands-on technical skills and their adherence to strict legal protocols. The question about creating a forensic image is fundamental. A competent candidate will not just say "I use a write-blocker"; they will detail a meticulous process. This includes verifying the integrity of their tools beforehand (including confirming that the write-blocker actually blocks writes), physically connecting the source drive through a hardware write-blocker to prevent any data alteration, and using a forensically sound tool such as FTK Imager or dd to create a bit-for-bit copy that records any sectors it could not read rather than silently skipping them. They must emphasize the critical practice of hashing: generating a cryptographic hash of the original source and of the forensic copy, and hashing the source again after imaging to show the acquisition itself changed nothing. SHA-256 is the current choice; MD5 is still reported by some tools for comparison with older records, but it is no longer collision-resistant and should not be the only hash relied on. They should explain that the hash is a digital fingerprint: matching hashes are strong evidence that the copy is bit-for-bit identical and unaltered. The importance of this process is twofold: it preserves the original evidence in a pristine state for analysis and establishes a verifiable chain of custody from the very beginning.

Building on this, the question about ensuring integrity and admissibility in court is where theory meets the high stakes of legal proceedings. The candidate's answer must revolve around an unbroken chain of custody. They should describe a documented log that tracks every person who handled the evidence, the time and date of each transfer, and the purpose of each access. Any gap in this log gives opposing counsel grounds to challenge the evidence and can render it inadmissible. Look for them to mention how they store evidence in secure, access-controlled environments, work only on verified copies rather than the original, and recompute the cryptographic hash at every hand-off and before every analysis session to re-verify that the data has not been tampered with. Their ability to articulate this process clearly and confidently indicates they understand that the technical skills from a CFT course are useless if their results cannot withstand legal scrutiny. They are not just technicians; they are potential expert witnesses.
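The acquisition and re-verification procedure described in the two paragraphs above, as an added example that is not part of the original article. It drives GNU dd from Python, hashes the source before and after imaging, stores the hash record beside the image, and exposes a `verify` step that a custodian can repeat at every hand-off. The 1 MiB "drive" is a constructed file so the example runs offline; the file name, the JSON record format and the `demo` function are this example's own conventions, not those of any particular tool.

```python
"""Added example (not from the article): dd-based acquisition with hash
verification before and after imaging, plus the re-verification check that
is repeated at every chain-of-custody hand-off. Assumes GNU dd on a POSIX
system; the evidence file and the record layout are constructed here."""
import hashlib
import json
import os
import subprocess
import tempfile
from pathlib import Path

SECTOR = 512  # block size for dd: one sector, so a bad sector costs one sector


def sha256_of(path, chunk=1 << 20):
    """Streaming SHA-256 so multi-terabyte images never load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source, image):
    """Bit-for-bit copy of `source` to `image` using dd.

    conv=noerror,sync: an unreadable sector is zero-filled instead of being
    skipped, so every later offset in the image still matches the source.
    Use bs equal to the sector size for this; with a larger bs, sync pads the
    final partial block and the image hash will legitimately differ.
    The source is hashed before and after so the record shows imaging did not
    alter it (the write-blocker should make that impossible; this proves it).
    Returns the hash record and raises if any of the three hashes disagree.
    """
    before = sha256_of(source)
    subprocess.run(
        ["dd", f"if={source}", f"of={image}", f"bs={SECTOR}", "conv=noerror,sync"],
        check=True, capture_output=True,
    )
    record = {
        "source_before": before,
        "image": sha256_of(image),
        "source_after": sha256_of(source),
    }
    if len(set(record.values())) != 1:
        raise RuntimeError(f"hash mismatch during acquisition: {record}")
    Path(f"{image}.sha256.json").write_text(json.dumps(record, indent=2))
    return record


def verify(image):
    """Re-hash `image` and compare with the hash recorded at acquisition.
    Run this at every transfer and before every analysis session."""
    record = json.loads(Path(f"{image}.sha256.json").read_text())
    return sha256_of(image) == record["image"]


def demo():
    """Constructed 1 MiB 'drive'. Real work points `acquire` at a device node
    (for example /dev/sdb) attached through a hardware write-blocker.
    Returns (verified_after_acquisition, verified_after_tampering)."""
    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, "evidence.bin")
        image = os.path.join(work, "evidence.dd")
        with open(source, "wb") as f:
            f.write(os.urandom(2048 * SECTOR))
        acquire(source, image)
        intact = verify(image)
        # Flip one byte of the image: the re-verification must now fail.
        with open(image, "r+b") as f:
            f.seek(4096)
            original = f.read(1)
            f.seek(4096)
            f.write(bytes([original[0] ^ 0xFF]))
        return intact, verify(image)


if __name__ == "__main__":
    print("verified after acquisition, verified after tampering:", demo())
```

The record keeps three hashes rather than one because each answers a different question a court may ask: that the source was unchanged by the examiner, that the image equals the source, and (through `verify`) that the image is still what it was on the day it was acquired.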

For the CISA Certified Professional

A professional certified through a CISA training course is trained to think like an auditor. The question about auditing an access control system tests their knowledge of the 'Protection of Information Assets' domain. A superficial answer might list a few controls. A deep, insightful answer will demonstrate a risk-based auditing approach. They should start by understanding the business context and identifying the most critical systems and data. Then, they would outline a plan to test a layered set of controls. This includes technical controls such as reviewing user access lists for segregation of duties conflicts (for example, the same person should not be able to create a vendor and pay an invoice), testing the strength of password and lockout policies, and examining authentication logs for repeated failed logins and for activity on accounts that should already have been disabled. They should also mention physical controls for access to server rooms and administrative controls such as the onboarding and offboarding process, and say how they would test it: reconciling the list of active accounts against HR leaver records, not just reading the written procedure. The 'how' is key. They might describe using automated tools to scan user permissions, conducting interviews with system administrators, and performing sample testing of user activities. This structured methodology shows they can provide assurance that access is properly granted, monitored, and revoked.
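Three of the automated tests described above, as an added example that is not part of the original article: a segregation of duties check over an entitlement export, an offboarding reconciliation against an HR roster, and a failed-login count over authentication logs. The entitlement export, the toxic-combination rules, the roster and the log format are all constructed for this example; on a real engagement they would come from the IAM or ERP export and the SIEM.

```python
"""Added example (not from the article): three automated tests an auditor
could run during an access-control audit. Every data set below is
constructed for illustration, including the log line format."""
import re
from collections import Counter

# Toxic combinations: entitlement sets that no single user may hold together.
SOD_RULES = [
    ({"vendor_create", "invoice_pay"}, "create a vendor and pay an invoice"),
    ({"journal_post", "journal_approve"}, "post and approve journal entries"),
    ({"user_create", "user_approve"}, "create and approve user accounts"),
]

# Constructed entitlement export: (user, role, entitlements).
ENTITLEMENTS = [
    ("alice", "ap_clerk", {"invoice_enter", "invoice_pay"}),
    ("bob", "procurement", {"vendor_create", "invoice_pay"}),
    ("carol", "controller", {"journal_post", "journal_approve"}),
    ("dave", "sysadmin", {"user_create"}),
    ("erin", "ap_clerk", {"invoice_enter"}),
]

# Constructed HR roster of current employees; erin left last month.
ACTIVE_EMPLOYEES = {"alice", "bob", "carol", "dave"}

# Constructed authentication log; the format is invented for this example.
AUTH_LOG = """\
2024-03-01T08:00:01 auth result=FAIL user=erin src=203.0.113.7
2024-03-01T08:00:04 auth result=FAIL user=erin src=203.0.113.7
2024-03-01T08:00:09 auth result=FAIL user=erin src=203.0.113.7
2024-03-01T08:00:15 auth result=FAIL user=erin src=203.0.113.7
2024-03-01T08:12:40 auth result=FAIL user=alice src=10.0.0.21
2024-03-01T08:12:52 auth result=OK user=alice src=10.0.0.21
2024-03-01T09:01:03 auth result=OK user=bob src=10.0.0.33
"""
LOG_RE = re.compile(r"result=(?P<result>\w+)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)")


def sod_conflicts(entitlements, rules=SOD_RULES):
    """(user, description) for every user holding a complete toxic combination."""
    return [(user, why) for user, _role, perms in entitlements
            for combo, why in rules if combo <= perms]


def orphaned_accounts(entitlements, active):
    """Offboarding test: accounts that still carry entitlements although the
    person is no longer on the HR roster."""
    return sorted(user for user, _role, perms in entitlements
                  if perms and user not in active)


def failed_login_summary(log_text, threshold=3):
    """Accounts with at least `threshold` failed logins in the sample."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("result") == "FAIL":
            counts[m.group("user")] += 1
    return {user: n for user, n in counts.items() if n >= threshold}


def access_review(entitlements=ENTITLEMENTS, active=ACTIVE_EMPLOYEES, log=AUTH_LOG):
    """Combine the three tests into one finding set to sample and follow up."""
    return {
        "sod_conflicts": sod_conflicts(entitlements),
        "orphaned_accounts": orphaned_accounts(entitlements, active),
        "repeated_failed_logins": failed_login_summary(log),
    }


if __name__ == "__main__":
    for finding, detail in access_review().items():
        print(f"{finding}: {detail}")
```

Note how the findings reinforce each other: erin is both an orphaned account and the target of repeated failed logins, which is the kind of correlation a risk-based auditor follows up on first, since a leaver's still-active credentials are being tried.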

The business landscape and its regulatory requirements are constantly shifting. Therefore, a CISA training course graduate must demonstrate a commitment to continuous learning. When asked how they stay current with regulations like GDPR or SOX, a great candidate will have a proactive and multi-faceted strategy. They might mention subscribing to updates from the regulators themselves, following legal and audit experts on professional networks like LinkedIn, participating in professional associations such as ISACA and its local chapters, and attending webinars and annual security conferences. The most impressive candidates will go a step further and explain how they translate this knowledge into action, for example by conducting internal gap assessments when a new regulation is announced or updating internal audit checklists to reflect new requirements. This shows they are not just passive recipients of information but active participants in maintaining your organization's compliance posture.

The ultimate goal of these interview questions is to peel back the layers of a resume and a certification. A certified information systems security professional should demonstrate strategic risk thinking. A CFT course graduate must show meticulous, legally-sound technical practices. A professional from a CISA training course needs to exhibit a systematic, risk-based audit mindset. By focusing on these practical, scenario-based questions, you can effectively gauge a candidate's true ability to apply the valuable concepts from their rigorous training and become a trusted, impactful member of your security team.