The major focus of the CISSP certification is centered on security technology and management, but the functional areas in the realm of regulation and compliance are “softer” areas that are somewhat removed from security itself.
However, there are compliance-related tasks for which the CISSP certification does not prepare its candidates. Activities such as business controls development, internal audits and the interpretation and application of regulations are barely touched on in the CISSP world. Other certifications, such as the Certified Information Systems Auditor (CISA), focus on controls and internal audits.
From an upcoming article on the adequacy of the CISSP certification in today’s new regulation-centric security environment