Professional development

Should you take the CCSP/SSCP before the CISSP? [updated 2022]

Greg Belding
August 22, 2022 by
Greg Belding

With the number of information security certifications seemingly growing by the day, some in information security are starting to wonder whether there are any specific benefits to be had by earning the common certifications for this career track in a certain order. Those focusing on systems security (including Cloud) may be asking themselves the optimal order in which to earn the Systems Security Certified Practitioner (SSCP), Certified Cloud Security Professional (CCSP) and the Certified Information Systems Security Professional (CISSP)

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

SSCP

Released by ISC2, the Systems Security Certified Practitioner (SSCP) is intended for those working in systems and network security who develop information security standards, policies and procedures, and who manage hardware and software implementation for an organization. The SSCP is fairly broad, as it covers seven domains of knowledge. Below is a list of these domains and their respective exam content weights:

  • Domain 1 - Security operations and administration (16%)
  • Domain 2 - Access controls (15%)
  • Domain 3 - Risk identification, monitoring and analysis (15%)
  • Domain 4 - Incident response and recovery (14%)
  • Domain 5 - Cryptography (9%)
  • Domain 6 - Network and communications security (16%)
  • Domain 7 - System and application security (15%)

SSCP requirements

Candidates for this certification have several options to meet the experience requirement. SSCP candidates must have either one year of paid work experience minimum in one of the seven knowledge domains covered by the certification exam. Or they may be granted a one-year prerequisite pathway for earning either a bachelor’s or master’s degree in cybersecurity. 

Another possible option is that if candidates do not have the work experience or prerequisite pathway, they can earn an Associate of ISC2 by passing the SSCP certification exam and have two years to earn one year of experience. Those that pass the exam will have to find another ISC2-certified professional and obtain an endorsement from them.

SSCP exam information

  • Number of questions: 150
  • Length of exam: 4 hours
  • Exam question format: Multiple-choice
  • Passing score: 700 (out of 1000 possible)

Please note that effective November 1, 2021, the following SSCP exam outline applies. 

CCSP

This certification, also hosted by ISC2, is a vendor-neutral approach to broad cloud security knowledge, including practices, principles, cloud platforms and technologies. Intended for experienced professionals in cloud security, this certification exam covers six CSSP domains of knowledge (along with their respective exam content weights):

  • Domain 1 - Cloud concepts, architecture, and design (17%)
  • Domain 2 - Cloud data security (20%)
  • Domain 3 - Cloud platform and infrastructure security (17%)
  • Domain 4 - Cloud application security (17%)
  • Domain 5 - Cloud security operations (16%)
  • Domain 6 - Legal, risk and compliance (13%)

CCSP requirements

Candidates for the Certified Cloud Security Professional (CCSP) certification must have five years of paid work experience in information technology, with three years being in information security and one year in at least one of the domains of knowledge this certification exam covers. CCSP candidates also can go for the Associate of ISC2 if they do not meet the experience requirement. 

Paid internships and part-time work qualify for your work experience. This certification also requires an endorsement from an ISC2-certified professional.

CCSP exam information

  • Number of questions: 125
  • Length of exam: 3 hours
  • Exam question format: Multiple-choice
  • Passing score: 700 (out of 1000 possible)

CISSP

Last is another ISC2 certification — the Certified Information Systems Security Professional (CISSP). This certification is intended for seasoned information security professionals and is highly sought after by organizations looking to take their information security to the next level. 

You must pass a longer certification exam than the others explored above to earn this certification. It covers eight domains of knowledge:

  • Security and risk management
  • Asset security
  • Security architecture and engineering
  • Communication and network security
  • Identity and access management (IAM)
  • Security assessment and testing
  • Security operations
  • Software development security

CISSP requirements

The requirements for CISSP are steeper than the certifications above. CISSP candidates must have at least five years of paid, cumulative work experience in at least two of CISSP’s knowledge domains. Those with a four-year college degree, or another ISC2 certification from an approved list, can subtract one year of work experience from that requirement. There is also the option to earn an Associate of ISC2, at which point the candidate would have six years to satisfy the experience requirement. 

CISSP exam information

  • Number of questions: 100-150
  • Length of exam: 3 hours
  • Exam question format: Multiple-choice and advanced innovative questions
  • Passing score: 700 (out of 1000 possible)

For more on the CISSP certification, view our CISSP hub.

Recommendations

This article will forward two recommendations, one general and the other situation-specific.

General recommendation

As you can see from the exam requirements above, SSCP is an entry-level certification that requires one year of paid work experience. In contrast, both CCSP and CISSP require at least five years of paid work experience, so it should be no surprise that you should earn SSCP first if you want to earn all three certifications. CISSP should be earned last by at least 95% of those seeking these certifications. 

Situation-specific recommendation

The proverbial “odd man out” in this progression of certifications is CCSP. While the other two certifications focus on system and network information security, CCSP is unique because it focuses on cloud-based security. 

You need to ask yourself whether you want to become certified in cloud-based security. If you do, I would say to either take CCSP before CISSP or concurrently if you think you can handle the workload. 

The first choice would be ideal, as there is a slightly less strict experience requirement for CCSP, leaving candidates with the time to prepare for the CCSP certification exam before they are qualified to take the CISSP exam. Of course, if you have earned a four-year degree, you will be ready to take the CCSP and CISSP simultaneously, at which point you can decide for yourself which certification you want to earn first.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Pursuing the right certification 

SSCP, CCSP and CISSP are highly respected information security certifications that can help information security professionals reach new heights in their careers. Before you begin to prepare for these exams, it is essential to realize that they apply to different points in their career and will have to adjust their timetable for earning these certifications accordingly. 

Sources

Greg Belding
Greg Belding

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.