(ISC)² certifications: The ultimate guide [updated 2021]
Certifications are a great way to make you more attractive to employers when competing for vacant positions and when planning to advance your career within your current company.
Some of the most sought-after certifications are provided by the International Information System Security Certification Consortium, or (ISC)², a global, non-profit body that, since 1989, sets training standards for the information security industry and offers internationally-recognized, vendor-neutral security certifications that demonstrate applied expertise in different areas of information security.
(ISC)² currently offers six internationally-recognized information security certifications:
- Certified Information Systems Security Professional (CISSP) with optional concentrations:
- Systems Security Certified Practitioner (SSCP)
- Certified Cloud Security Professional (CCSP)
- Certified Authorization Professional (CAP)
- Certified Secure Software Lifecycle Professional (CSSLP)
- HealthCare Information Security and Privacy Practitioner (HCISPP)
All certifications are grounded in (ISC)²’s common body of knowledge (CBK), which outlines global information security standards and best practices and complies with the standards of ANSI/ISO/IEC Standard 17024.
Here is an overview of each of the (ISC)² certifications.
Certified Information Systems Security Professional
Currently the most popular (ISC)² option, this credential continues to be highly sought after by IT professionals and is well recognized by many organizations. The CISSP certification suits experienced security practitioners, managers and executives in positions like a chief information security officer, IT director/manager, security manager or auditor, security systems engineer and network architect.
A look inside the CISSP domains:
- Domain 1: Security and risk management
- Domain 2: Asset security
- Domain 3: Security architecture and engineering
- Domain 4: Communication and network security
- Domain 5: Identity and access management (IAM)
- Domain 6: Security assessment and testing
- Domain 7: Security operations
- Domain 8: Software development security
Effective May 1, 2021, the test will be based on a new CISSP Exam Outline.
The exam consists of 100-150 questions of multiple-choice and advanced innovative items and costs $699, but the price will increase to $749 on May 1, 2021.
Experience requirements: a minimum of five years cumulative paid work experience in two or more of the eight domains of the CISSP CBK is requested. However, one of the years can be waived if the candidate has earned a four-year college degree, regional equivalent or is the holder of another credential from the (ISC)² approved list.
Certified Information Systems Security Professional concentrations
The CISSP concentrations are specialized credentials to prove your subject matter mastery.
If pursuing one of the three concentrations (ISSAP, ISSMP and ISSEP) is right for you, then it’s time to understand each one that has its own common body of knowledge (CBK) and goes beyond what is required for CISSP.
Each of the concentrations focuses on a different area within the CISSP framework, allowing you to hone your skills and specialize.
Experience requirement: to pursue any of the concentration certifications, you must have first earned your CISSP certification and maintained it. You must have at least two years of real-world experience in the area covered by the concentration (architecture, engineering or management).
The exam consists of 125 multiple-choice questions (with a passing score of 700 out of 1,000 points) and costs $599.
Information Systems Security Architecture Professional (ISSAP)
This is an appropriate credential if you’re a system architect or security architect. Getting certified proves your expertise in developing, designing and analyzing security solutions. The CISSP-ISSAP exam, which was last updated in Oct.2020, details the major topics and subtopics within the domains that are covered on the test.
A look inside the CISSP-ISSAP domains:
- Architect for governance, compliance and risk management
- Security architecture modeling
- Infrastructure security architecture
- Identity and access management (IAM) architecture
- Architect for application security
- Security operations architecture
Information Systems Security Engineering Professional (ISSEP)
This is an appropriate credential for an information assurance systems engineer or senior systems engineer. The CISSP-ISSEP exam, which was last updated in Nov. 2020, details the major topics and subtopics within the domains that are covered on the test.
A look inside the CISSP-ISSEP domains:
- Systems security engineering foundations
- Risk management
- Security planning and design
- Systems implementation, verification and validation
- Secure operations, change management and disposal
Information Systems Security Management Professional (ISSMP)
This is an appropriate credential for a CISO, CIO, CTO or senior security executive. The CISSP-ISSMP exam, which was last updated in May 2018, details the major topics and subtopics within the domains covered on the test.
A look inside the CISSP-ISSMP domains:
- Leadership and business management
- Systems lifecycle management
- Risk management
- Threat intelligence and incident management
- Contingency management
- Law, ethics and security compliance management
Systems Security Certified Practitioner
This credential suits those who possess advanced technical skills. Their role may be to administer, implement and monitor security for IT infrastructures and recommend and employ best practices. The SSCP certification is a good fit for a systems administrator, security administrator or database administrator, and those who are in roles like security consultant and analyst or systems engineer.
A look inside the SSCP domains:
- Domain 1: Access controls
- Domain 2: Security operations and administration
- Domain 3: Risk identification, monitoring and analysis
- Domain 4: Incident response and recovery
- Domain 5: Cryptography
- Domain 6: Network and communications security
- Domain 7: Systems and application security
Effective November 1, 2021, the test will be based on a new SSCP exam outline.
The exam consists of 125 multiple-choice questions with a passing score of 700 out of 1,000 points. It costs $249.
Experience requirements: a minimum of one year of cumulative work experience in one or more of the seven domains of the SSCP CBK is required. However, a one-year prerequisite pathway will be granted for candidates with a bachelor’s or master’s degree in a cybersecurity program.
Certified Cloud Security Professional
The CCSP certification is ideal for IT and information security leaders responsible for applying best practices to cloud security architecture, design, operations and service orchestration. The CCSP was last updated in August 2019, and is a good option for professionals in roles as enterprise and systems architects, security and systems engineers and security architects and consultants.
A look inside the CCSP domains:
- Domain 1: Cloud concepts, architecture and design
- Domain 2: Cloud data security
- Domain 3: Cloud platform and infrastructure security
- Domain 4: Cloud application security
- Domain 5: Cloud security operations
- Domain 6: Legal, risk and compliance
The exam consists of 125 multiple-choice questions with a passing score of 700 out of 1,000 points and costs $599.
Experience requirements: candidates must have a minimum of five years of cumulative paid work experience in information technology. Three of these years must be in information security. One year must be in one or more of the six domains of the CCSP CBK; however, earning CSA’s CCSK certificate can fulfill this requirement. The entire experience requirement is waived if the tester is already in possession of the (ISC)²’s CISSP credential.
Certified Authorization Professional
This credential maps directly from the Department of Defense (DoD) mandate 8570 to the National Institute of Standards and Technology (NIST) risk management framework (RMF). The CAP certification is suited for persons serving in the military, as well as employees or contractors working with the government. It’s the only (ISC)² credential that specifically targets IT professionals tasked with RMF compliance, a set of standards enabling DoD agencies to effectively manage cybersecurity risk and make more informed, risk-based decisions.
A look inside the CAP domains:
- Domain 1: Information security risk management program
- Domain 2: Categorization of information systems (IS)
- Domain 3: Selection of security controls
- Domain 4: Implementation of security controls
- Domain 5: Assessment of security controls
- Domain 6: Authorization of information systems (IS)
- Domain 7: Continuous monitoring
Effective Aug. 15, 2021, the test will be based on a new CAP exam outline.
The exam consists of 125 multiple-choice questions (a passing score is 700 out of 1,000 points) and costs $599.
Experience requirements: candidates are required to have a minimum of two years of cumulative work experience in one or more of the seven domains of the CAP CBK.
Certified Secure Software Lifecycle Professional
This credential targets IT professionals who build and design security into the software development lifecycle (SDLC). The CSSLP certification, which was last updated in Sept. 2020, is appropriate for software architects, engineers and developers responsible for applying best practices to each phase of the SDLC (from software creation and implementation to testing and deployment).
A look inside the CSSLP domains:
- Domain 1.Secure software concepts
- Domain 2. Secure software requirements
- Domain 3. Secure software architecture and design
- Domain 4. Secure software implementation
- Domain 5. Secure software testing
- Domain 6. Secure software lifecycle management
- Domain 7. Secure software deployment, operations and maintenance
- Domain 8. Secure software supply chain
The exam consists of 125 multiple-choice questions (a passing score is 700 out of 1,000 points) and costs $599.
Experience requirements: a minimum of four years of cumulative paid software development lifecycle (SDLC) professional work experience in one or more of the eight domains of the (ISC)² CSSLP CBK is required. Candidates with a four-year degree or regional equivalent in computer science, information technology (IT) or related fields can meet the requirement by demonstrating three years of cumulative paid SDLC professional work experience in one or more of the eight domains of the CSSLP CBK.
HealthCare Information Security and Privacy Practitioner
This credential benefits professionals working to protect personal health information within their organization. The HCISPP certification, which was last updated Sept. 2019, suits experienced health information workers, system administrators, privacy managers, medical records overseers, security auditors and compliance officers.
A look inside the HCISPP domains:
- Domain 1. Healthcare industry
- Domain 2. Information governance in healthcare
- Domain 3. Information technologies in healthcare
- Domain 4. Regulatory and standards environment
- Domain 5. Privacy and security in healthcare
- Domain 6. Risk management and risk assessment
- Domain 7. Third-party risk management
The exam consists of 125 multiple-choice questions and has a passing score of 700 out of 1,000 points. It costs $599.
Experience requirements: candidates are required to have a minimum of two years of cumulative paid work experience in one or more knowledge areas of the HCISPP CBK that includes security, compliance and privacy. One of those years must be in the healthcare industry. “Legal experience may be substituted for compliance and information management experience may be substituted for privacy.”
The Associate of (ISC)² program
The Associate of (ISC)² program is designed for those ready to start a cybersecurity career.
This designation allows anyone to take any of the certification exams without the required work experience. This is a great option for aspiring cybersecurity pros determined to fast-track their careers.
The length of your exam will vary based on the certification you are pursuing. Associates of (ISC)² will need to pay an AMF of $50 which is due each year upon the anniversary of achieving their associate status.
In addition to the options provided by (ISC)², a variety of live and on-demand courses are available from training providers like Infosec, making it easy for professionals to find learning opportunities that fit their needs, location and schedule.
Follow these steps to register for an exam:
- Create an account with Pearson VUE, the exclusive, global administrator of all (ISC)² exams
- Select the (ISC)² certification exam you are pursuing
- Schedule your exam and testing location
Maintaining your certification
(ISC)² certified members will need to pay a single AMF of $125 each year upon the anniversary of their certification date.
To maintain the credential, certified members are to meet several continuing professional education CPE requirements over their three-year certification cycle. Professional development activities such as webinars, courses, online events and publications can earn CPE credits.
Acquire an (ISC)² certification
An (ISC)² certification can help professionals prove their technical knowledge and level of expertise to current or prospective employers. Credential holders can boost their job prospects, advance their careers and may be able to secure positions with higher salaries.
(ISC)² Information Security Certifications, (ISC)², Inc.
What You Need To Know About (ISC)² Exams, (ISC)², Inc.
(ISC)² Certification Exam Outlines, (ISC)², Inc.
Exam Action Plan, (ISC)², Inc.