The International Information System Security Certification Consortium, or (ISC)², is a global, non-profit body that sets training standards for the information security industry and offers internationally-recognized, vendor-neutral security certifications that demonstrate applied expertise in different areas of information security. These certifications are grounded in (ISC)²’s Common Body of Knowledge (CBK), which outlines global information security standards and best practices.

(ISC)², which was established in 1989 to standardize training and certification in the cybersecurity industry, was the first information security certifying association to comply with the standards of ANSI/ISO/IEC Standard 17024.

(ISC)² offers 6 internationally-recognized information security certifications, plus 3 concentrations that build on the CISSP:

  • Systems Security Certified Practitioner (SSCP)
  • Certified Information Systems Security Professional (CISSP) with optional concentrations:
    • Information Systems Security Architecture Professional (ISSAP)
    • Information Systems Security Engineering Professional (ISSEP)
    • Information Systems Security Management Professional (ISSMP)
  • Certified Authorization Professional (CAP)
  • Certified Secure Software Lifecycle Professional (CSSLP)
  • HealthCare Information Security and Privacy Practitioner (HCISPP)
  • Certified Cloud Security Professional (CCSP)

The CISSP is currently the most popular (ISC)² credential and accounts for the majority of certifications awarded by (ISC)². The CISSP was also a finalist in the SC Awards 2018 for professional leadership in cybersecurity.

An (ISC)² credential not only demonstrates expertise in a particular field but also denotes membership of a worldwide network of 130,000+ IT security professionals. According to the Global Information Security Workforce Study 2017 (https://www.iamcybersafe.org/gisws/), (ISC)² members reported earning 35% more on average than non-members who participated in the study.

Associate of (ISC)²

The Associate of (ISC)² is a designation, not a certification. It is designed for candidates who have knowledge in a specific field of cybersecurity, but lack the experience required to certify as a cybersecurity professional in IT Administration (SSCP), Leadership and Operations (CISSP), Authorization (CAP), Software Security (CSSLP), Healthcare Information Security and Privacy (HCISPP) or Cloud Security (CCSP). The Associate designation demonstrates knowledge of and the ability to apply security best practices.

(ISC)² offers candidates without experience the option of taking a certification exam and being designated as an Associate of (ISC)² if they pass with the requisite score, pay the exam fees, make a legal commitment to abide by the (ISC)² Code of Ethics and pay the membership fee of USD 35 within 9 months of taking the exam.

(ISC)² certification exams are demanding and necessitate in-depth preparation. Preparation options for each certification exam are outlined in the sections below.

To maintain your Associate of (ISC)² designation, you need to pay the annual maintenance fee and earn at least 15 Continuing Professional Education (CPE) credits each year.

https://www.isc2.org/Certifications/Associate

Systems Security Certified Practitioner (SSCP)

The SSCP is an entry-level credential for information security professionals. This American National Standards Institute (ANSI)-accredited certification validates technical expertise in implementing, monitoring and administering IT infrastructure and in securing the confidentiality, integrity and availability of data in accordance with information security policies and practices.

Eligibility requirements for certification include at least a year of work experience in one or more of the 7 SSCP Common Body of Knowledge (CBK) domains, a scaled score of 700 or higher on a 3-hour, 125-question exam, acceptance of the (ISC)² Code of Ethics and a completed application endorsed by an active (ISC)² member.

The 7 SSCP CBK domains for exams before November 1, 2018, are:

  • Access Controls
  • Security Operations and Administration
  • Risk Identification, Monitoring, and Analysis
  • Incident Response and Recovery
  • Cryptography
  • Networks and Communications Security
  • Systems and Application Security

From November 1, 2018, the SSCP exam follows a new exam outline. Please refer to https://www.isc2.org/-/media/ISC2/Certifications/Exam-Outlines/SSCP-Exam-Outline-Nov-1-2018.ashx?la=en&hash=61FCD307FDBFA6737B36724D355A4B36FA1C0D90 and https://www.isc2.org/certifications/sscp/domain-change-faq.

The one-year work experience prerequisite is waived for candidates who hold a bachelor’s or master’s degree in a cybersecurity program, or in a program pre-approved by (ISC)². See https://www.isc2.org/Certifications/SSCP/Prerequisite-Pathway.

If you haven’t got the required work experience, you can still take the exam. On passing the exam, you are designated as an Associate of (ISC)² and have up to 2 years within which to gain the necessary experience.

Preparation options for the exam include in-person as well as online training seminars from (ISC)². (ISC)² provides classroom training at their own facilities as well as through (ISC)² Official Training Providers.

Self-study options include an Official (ISC)² Guide to the SSCP CBK Textbook, Official (ISC)² SSCP Study Guide, interactive flashcards, exam outline and an official study app.

To maintain the SSCP credential over its 3-year certification cycle, you must abide by the (ISC)² Code of Ethics, earn and post at least 20 Continuing Professional Education (CPE) credits each year and pay the annual maintenance fees.

Certified Information Systems Security Professional (CISSP)

The CISSP was the first information security certification to conform to the exacting standards of ISO/IEC Standard 17024. This globally-recognized credential is widely considered the most valuable information security credential available today.

The CISSP validates knowledge and skills in designing, building, implementing, and administering an information security system. It is designed for experienced security professionals who conceive, build, and manage an organization’s security system, handling everything from security strategy to implementation. The CISSP suits security consultants, managers, analysts, architects, chief information security officers and security systems engineers.

To be eligible for CISSP, you need a minimum of 5 years of paid, full-time, cumulative work experience in at least 2 of the 8 CISSP CBK domains, a scaled score of 700 or higher on the exam, to subscribe to the (ISC)² Code of Ethics and an application endorsed by an (ISC)² certified professional who is an active member. These conditions must be met within 9 months of taking the exam; otherwise you need to retake it. The English-language exam is a computerized adaptive test (CAT) of 100 to 150 items in 3 hours, so the number of questions you answer depends on your performance.

The CISSP exam follows a new exam outline with effect from April 15, 2018: https://www.isc2.org/-/media/ISC2/Certifications/Exam-Outlines/CISSP-Exam-Outline-121417–Final.ashx

The 8 CISSP CBK domains are:

  • Security and Risk Management
  • Asset Security
  • Security Architecture and Engineering
  • Communication and Network Security
  • Identity and Access Management (IAM)
  • Security Assessment and Testing
  • Security Operations
  • Software Development Security

One year of the required work experience (and only one year in total) can be substituted with:

  • A 4-year college degree or its equivalent, or
  • A credential approved by (ISC)² – https://www.isc2.org/Certifications/CISSP/Prerequisite-Pathway

Alternatively, you can pass the CISSP exam with the required score without the experience and become an Associate of (ISC)², after which you have a maximum of 6 years to gain the required work experience.

(ISC)² recommends a combination of CISSP training courses and individual study as preparation for the exam. You may opt for in-person or online training seminars. Classroom training is led by instructors authorized by (ISC)² and can be had through (ISC)² or their Official Training Providers.

InfoSec Institute’s 7-day CISSP Training Boot Camp covers all 8 CBK domains and is available as classroom or live-online training; InfoSec reports ‘best-in-the-industry’ pass rates for both. Enrollees can also take InfoSec’s CISSP Dual Certification program at no additional cost and train for the ISSAP, ISSEP or ISSMP.

https://www.infosecinstitute.com/courses/cissp-boot-camp/

(ISC)² self-study resources include the Official (ISC)² Guide to the CISSP CBK Textbook, Official (ISC)² CISSP Study Guide, interactive flashcards, exam outline, an official study app, CISSP for Dummies and CISSP practice tests.

The CISSP is valid for 3 years. To maintain it, you must follow the (ISC)² Code of Ethics, earn and post 40 or more CPE credits per year and pay the annual maintenance fees before your certification anniversary date. https://www.isc2.org/Certifications/CISSP

Concentrations

CISSP-certified professionals may work towards specializations in Information Systems Security Architecture Professional (ISSAP), Information Systems Security Engineering Professional (ISSEP) or Information Systems Security Management Professional (ISSMP). At least 2 years of relevant experience is required to earn a specialization. CISSP concentrations demonstrate current and advanced knowledge of information security architecture, engineering, or management.

https://www.isc2.org/Certifications/CISSP-Concentrations

CISSP-ISSAP

The CISSP-ISSAP is suitable for a security analyst or a chief security architect. It validates advanced expertise in analyzing an information security program and developing and implementing appropriate security solutions as well as advising senior management on the company’s risk posture.

To earn the CISSP-ISSAP, you need to hold a CISSP in good standing, have a minimum of 2 years of paid, full-time, cumulative work experience in at least 1 of the 6 CISSP-ISSAP CBK domains, pay the exam fees, pass the 125-question, 3-hour exam with a scaled score of 700 or higher and have your application endorsed by an (ISC)² active member or by (ISC)² within 9 months of taking the exam.

The 6 CBK domains are:

  • Identity and Access Management Architecture
  • Security Operations Architecture
  • Infrastructure Security
  • Architect for Governance, Compliance, and Risk Management
  • Security Architecture Modeling
  • Architect for Application Security

(ISC)² offers both self-paced training and self-study resources to help you prepare for the exam. Their self-paced training includes modular instruction and interactive study resources, virtual classes via HD video and exhaustive content. https://www.isc2.org/Training/Online-Self-Paced

Self-study materials include an exam outline (https://www.isc2.org/-/media/ISC2/Certifications/Exam-Outlines/ISSAP-Exam-Outline.ashx) and the Official (ISC)² Guide to the CISSP-ISSAP CBK Textbook.

Infosec Institute offers a 4-day ISSAP training course, which acquaints participants with the latest information security systems technology. The course includes complete and up-to-date study resources, pre-class mentoring, practice questions and hotel accommodation, snacks, and lunch for 4 days. Infosec claims this course has a 93% pass rate.

http://resources.infosecinstitute.com/issap-training/#gref

To maintain your CISSP-ISSAP concentration and recertify after 3 years, you need to earn 20 CPE credits each year and pay an annual maintenance fee in addition to your CISSP annual fee. These 20 credits also count toward your CISSP CPE requirement, provided they are in the security architecture domain.

CISSP-ISSEP

The CISSP-ISSEP was developed jointly with the U.S. National Security Agency (NSA). Designed for information systems security engineers and senior systems security analysts, the CISSP-ISSEP demonstrates superior knowledge in systems engineering principles and procedures and the ability to secure applications, processes, projects, and information systems as a whole.

To qualify for CISSP-ISSEP, you must be a CISSP who complies with (ISC)² requirements, have a minimum of 2 years paid, full-time, cumulative work experience in at least 1 of the 5 CISSP-ISSEP CBK domains, pay the exam fees, pass the 150-question, 3-hour exam with a scaled score of 700 or higher and have your application endorsed by an (ISC)² active member or by (ISC)² within 9 months of taking the exam.

The 5 CISSP-ISSEP CBK domains are:

  • Security Engineering Principles
  • Risk Management
  • Security Planning, Design, and Implementation
  • Secure Operations, Maintenance, and Disposal
  • Systems Engineering Technical Management

To prepare for the exam, you can choose from the options available from (ISC)² as well as third-party providers, such as Infosec Institute.

(ISC)² offers a self-paced training program that comprises virtual lessons in a modular format led by authorized trainers. You’ll gain access to comprehensive, current content and interactive study materials. https://www.isc2.org/Certifications//Training/Online-Self-Paced

The exam outline is available at https://www.isc2.org/-/media/ISC2/Certifications/Exam-Outlines/ISSEP-Exam-Outline-v1204—March-2018-Final.ashx

InfoSec Institute offers a 4-day ISSEP Training Boot Camp taught by engineers with at least 10 years of experience maintaining the information assurance requirements of the Federal Government. Its training materials cover every aspect of the ISSEP process so that students can apply it in practice.

https://www.infosecinstitute.com/courses/issep-boot-camp/

To maintain the CISSP-ISSEP concentration and recertify after 3 years, you need to earn at least 20 CPE credits per year and pay the annual maintenance fee in addition to your CISSP annual fee. These credits also count toward your CISSP CPE requirement if they are on the topic of security engineering.

CISSP-ISSMP

The CISSP-ISSMP is designed for senior information technology professionals, such as chief information security officers, senior security executives and chief technology officers. This credential proves the holder has advanced expertise in establishing and managing information security programs, including leading incident response and mitigation teams.

To certify as a CISSP-ISSMP, you must be a CISSP who complies with (ISC)² requirements, have a minimum of 2 years of paid, full-time, cumulative work experience in at least 1 of the 6 CISSP-ISSMP CBK domains, pay the exam fees, pass the 125-question, 3-hour exam with a scaled score of 700 or higher and have your application endorsed by an (ISC)² active member or by (ISC)² within 9 months of taking the exam.

With effect from May 15, 2018, there will be some changes in the CISSP-ISSMP exam outline. For details, please see https://www.isc2.org/-/media/ISC2/Certifications/Exam-Outlines/ISSMP-Exam-Outline-Effective-May-2018.ashx.

The 6 CISSP-ISSMP CBK domains as per the new exam outline are:

  • Leadership and Business Management
  • Systems Lifecycle Management
  • Risk Management
  • Threat Intelligence and Incident Management
  • Contingency Management
  • Law, Ethics, and Security Compliance Management

(ISC)² recommends you combine training courses and individual study to prepare for the exam. (ISC)² offers both in-person and online training seminars led by authorized instructors who have years of industry experience.

Self-study materials include an exam outline and the Official (ISC)² Guide to the CISSP-ISSMP CBK Textbook.

Details are available at: https://www.isc2.org/Certifications/CISSP-Concentrations

To maintain your CISSP-ISSMP concentration and recertify after 3 years, you need to earn 20 CPE credits each year and pay the annual maintenance fee in addition to the CISSP annual fee. These credits also count toward your CISSP CPE requirement if they are in the area of security management.

Certified Authorization Professional (CAP)

The CAP credential validates the ability to authorize, maintain and secure information systems within the Risk Management Framework (RMF). Holders have the expertise to implement risk assessment processes and establish security measures. According to (ISC)², CAP is the only DoD 8570-mandated certification that aligns with each step of the RMF.

The ANSI-accredited CAP conforms to the International Organization for Standardization and International Electrotechnical Commission (ISO/IEC) 17024 Standards.

Prerequisites for certification include at least 2 years paid, full-time, cumulative work experience in one or more of the 7 CAP CBK domains. Once you have this, you can earn the CAP certification if you pass the 3-hour, 125-question exam with a scaled score of 700 or higher, agree to the (ISC)² Code of Ethics and have your completed application form endorsed by (ISC)² or an active member of (ISC)². These requirements need to be fulfilled within 9 months of taking the exam.

Candidates without the requisite experience can still take the exam and become an Associate of (ISC)² if they pass, following which they have a maximum of 3 years to gain the required experience.

The 7 CAP CBK domains are:

  • Risk Management Framework (RMF)
  • Categorization of Information Systems
  • Selection of Security Controls
  • Security Control Implementation
  • Security Control Assessment
  • Information System Authorization
  • Monitoring of Security Controls

With effect from October 15, 2018, the CAP exam will follow a new outline. https://www.isc2.org/-/media/ISC2/Certifications/Exam-Outlines/CAP-Exam-Outline-Post-Oct-15.ashx?la=en&hash=9EA1F4E2B2C17EA180FA4C7683671D3D2BB49FDB

To prepare for the exam, you can join a training course as well as study on your own. A range of classroom and online training options are available. (ISC)² provides classroom training at their facilities and through (ISC)² Official Training Providers.

(ISC)² self-study resources include the Official (ISC)² Guide to the CAP CBK Textbook, an exam outline, and interactive flashcards.

InfoSec Institute offers a 3-day CAP Training Boot Camp. All InfoSec courses are led by experienced and certified instructors who are security experts. https://www.infosecinstitute.com/courses/cap-boot-camp/

As with other (ISC)² credentials, you need to abide by the (ISC)² Code of Ethics, earn and post 20 or more CPE credits per year over the 3-year certification lifecycle and pay the annual maintenance fees before your certification anniversary to maintain the CAP. https://www.isc2.org/Certifications/CAP

Certified Secure Software Lifecycle Professional (CSSLP)

The globally-recognized, ANSI-accredited CSSLP certification suits professionals who work in software development and are responsible for establishing application security policies. A CSSLP-certified professional can determine and implement application security practices throughout the Software Development Lifecycle (SDLC).

To qualify, you need at least 4 years of paid, full-time, cumulative SDLC work experience in one or more of the 8 CSSLP CBK domains. A 4-year college degree can substitute for 1 year of that experience.

The 8 CSSLP CBK domains are:

  • Secure Software Concepts
  • Secure Software Requirements
  • Secure Software Design
  • Secure Software Implementation/Programming
  • Secure Software Testing
  • Secure Lifecycle Management
  • Software Deployment, Operations, and Maintenance
  • Supply Chain & Software Acquisition

It’s possible to take the exam even if you lack the required experience. Passing the exam will make you an Associate of (ISC)², after which you have 5 years to obtain the necessary experience.

The CSSLP credential is yours once you have the stipulated experience, pass the 4-hour, 175-question exam with a scaled score of 700 or higher, agree to the (ISC)² Code of Ethics and complete your application form and have it endorsed by an (ISC)² active member or (ISC)² within 9 months of taking the exam.

To ensure thorough preparation for the exam, get hands-on training by joining a training course and study on your own as well. (ISC)² provides both classroom and online training.

InfoSec Institute offers an up-to-date CSSLP Training Boot Camp that covers all the 8 domains of the CSSLP CBK. This hands-on course includes mentoring and drill sessions, a comprehensive review of the CBK and question and answer sessions in a seminar format. https://www.infosecinstitute.com/courses/csslp-boot-camp/.

(ISC)² self-study options include the Official (ISC)² Guide to the CSSLP CBK Textbook, an exam outline, and interactive flashcards.

This certification is also valid for 3 years during which you’ll need to comply with the (ISC)² Code of Ethics, get at least 30 CPE credits per year and pay the annual maintenance fees before your certification anniversary.

https://www.isc2.org/Certifications/CSSLP

HealthCare Information Security and Privacy Practitioner (HCISPP)

The HCISPP is an international credential designed for professionals who work in healthcare information security. It recognizes the ability to implement, administer and evaluate appropriate security procedures and controls to safeguard healthcare information. What distinguishes the HCISPP is that it validates privacy best practices and methods in healthcare alongside information security skills.

To qualify, candidates must have at least 2 years of paid, full-time, cumulative work experience in one or more of the HCISPP CBK knowledge areas of compliance, privacy and security, of which at least one year must be in healthcare. Information management experience may be substituted for privacy experience, and legal experience for compliance experience.

The 6 HCISPP CBK domains are:

  • Healthcare Industry
  • Regulatory Environment
  • Privacy and Security in Healthcare
  • Information Governance and Risk Management
  • Information Risk Assessment
  • Third Party Risk Management

You’ll also have to pass the 3-hour, 125-question exam with a scaled score of 700 or higher, agree to the (ISC)² Code of Ethics and have your completed application form endorsed by (ISC)² or an active member of (ISC)² within 9 months of taking the exam.

If you don’t have the required experience, you can take the exam and qualify as an Associate of (ISC)² if you pass with the requisite score, following which you will have 3 years at the most to get the required experience.

To prepare for the exam, take a suitable training course as well as study on your own. (ISC)² and third-party providers offer both classroom and online training seminars. (ISC)² courses are offered at (ISC)² facilities or through their Official Training Providers.

(ISC)² self-study options include the Official (ISC)² Guide to the HCISPP CBK Textbook, exam outline, and interactive flashcards.

The HCISPP is valid for 3 years. To maintain it during this period, you need to follow the (ISC)² Code of Ethics, obtain at least 20 CPE credits per year and pay the annual maintenance fees before your annual certification anniversary.

https://www.isc2.org/Certifications/HCISPP

Certified Cloud Security Professional (CCSP)

Jointly created by (ISC)² and Cloud Security Alliance (CSA), CCSP is the leading cloud security credential. It demonstrates in-depth knowledge of and experience in applying cloud security policies and practices to secure cloud computing architecture. CCSP holders are knowledgeable about the latest technologies and threats and can identify risks and implement appropriate mitigation strategies, thereby ensuring the security of data and systems.

To achieve the CCSP credential, you need at least 5 years of paid, full-time, cumulative work experience, to pass the 4-hour, 125-question exam with a scaled score of 700 or higher, to subscribe to the (ISC)² Code of Ethics and to have your application form endorsed by an active member of (ISC)² or by (ISC)² within 9 months of taking the exam.

Of the 5 years of experience, 3 years need to be in information security and 1 year in at least 1 of the 6 CCSP CBK domains:

  • Architectural Concepts & Design Requirements
  • Cloud Data Security
  • Cloud Platform & Infrastructure Security
  • Cloud Application Security
  • Operations
  • Legal & Compliance

CSA’s CCSK certificate can substitute for the 1 year of experience in the CCSP CBK domains. The entire experience requirement is waived for those who hold a valid CISSP credential.

If you lack the required work experience, you can become an Associate of (ISC)² by passing the CCSP exam. After that, you’ll have a maximum of 6 years to obtain the stipulated work experience.

To prepare for the exam, take the most suitable training course and supplement that with individual study.

(ISC)² and third-party providers offer in-person as well as online training courses. (ISC)² provides classroom training at their own facilities as well as through Official Training Providers.

(ISC)² self-study options include the Official (ISC)² Guide to the CCSP CBK Textbook, the Official (ISC)² CCSP Study Guide, interactive flashcards, and an exam outline.

InfoSec Institute offers a 6-day CCSP Training Boot Camp that comprises a comprehensive review of the entire body of knowledge and question and answer sessions in a seminar format. https://www.infosecinstitute.com/courses/ccsp-boot-camp/

The CCSP certification needs to be maintained over its 3-year lifecycle. It is necessary to keep to the (ISC)² Code of Ethics, obtain at least 30 CPE credits each year and pay the annual maintenance fees before the anniversary of your certification.

https://www.isc2.org/Certifications/CCSP

According to the Global Information Security Workforce Study (GISWS) 2017, undertaken by the Center for Cyber Safety and Education and (ISC)², the information security workforce gap is expected to reach 1.8 million by 2022. A sizeable number of companies worldwide reportedly plan to expand their information security departments to address this shortage, which will likely increase demand for (ISC)²-certified professionals.

References:

https://www.iamcybersafe.org/gisws/

https://www.isc2.org/News-and-Events/Press-Room/Posts/2017/06/07/2017-06-07-Workforce-Shortage

http://www.tomsitpro.com/articles/isc2-certification-guide,2-1010.html

https://www.isc2.org/Certifications/

https://www.infosecinstitute.com/courses/