Certifications are a great way to make you more attractive to employers when competing for vacant positions and when planning to advance your career within your current company.
Some of the most sought-after certifications are provided by the International Information System Security Certification Consortium, or (ISC)², a global, non-profit body that, since 1989, sets training standards for the information security industry and offers internationally-recognized, vendor-neutral security certifications that demonstrate applied expertise in different areas of information security.
(ISC)² currently offers six internationally-recognized information security certifications:
- Certified Information Systems Security Professional (CISSP), with optional concentrations (ISSAP, ISSEP, and ISSMP)
- Systems Security Certified Practitioner (SSCP)
- Certified Cloud Security Professional (CCSP)
- Certified Authorization Professional (CAP)
- Certified Secure Software Lifecycle Professional (CSSLP)
- HealthCare Information Security and Privacy Practitioner (HCISPP)
All certifications are grounded in (ISC)²’s common body of knowledge (CBK), which outlines global information security standards and best practices and complies with the standards of ANSI/ISO/IEC Standard 17024.
Here is an overview of each of the (ISC)² certifications.
Certified Information Systems Security Professional
Currently the most popular (ISC)² option, this credential continues to be highly sought after by IT professionals and is well recognized by many organizations. The CISSP certification suits experienced security practitioners, managers, and executives in positions such as chief information security officer, IT director/manager, security manager or auditor, security systems engineer, and network architect.
A look inside the CISSP domains:
- Domain 1: Security and risk management
- Domain 2: Asset security
- Domain 3: Security architecture and engineering
- Domain 4: Communication and network security
- Domain 5: Identity and access management (IAM)
- Domain 6: Security assessment and testing
- Domain 7: Security operations
- Domain 8: Software development security
Effective May 1, 2021, the test will be based on a new CISSP Exam Outline.
The exam consists of 100-150 questions of multiple-choice and advanced innovative items and costs $699, but the price will increase to $749 on May 1, 2021.
Experience requirements: a minimum of five years of cumulative paid work experience in two or more of the eight domains of the CISSP CBK is required. However, one of those years can be waived if the candidate has earned a four-year college degree or regional equivalent, or holds another credential from the (ISC)² approved list.
Certified Information Systems Security Professional concentrations
The CISSP concentrations are specialized credentials to prove your subject matter mastery.
If pursuing one of the three concentrations (ISSAP, ISSMP, or ISSEP) is right for you, note that each one has its own common body of knowledge (CBK) that goes beyond what is required for the CISSP.
Each of the concentrations focuses on a different area within the CISSP framework, allowing you to hone your skills and specialize.
Experience requirement: to pursue any of the concentration certifications, you must have first earned your CISSP certification and maintained it. You must have at least two years of real-world experience in the area covered by the concentration (architecture, engineering, or management).
The exam consists of 125 multiple-choice questions (with a passing score of 700 out of 1,000 points) and costs $599.
Information Systems Security Architecture Professional (ISSAP)
This is an appropriate credential if you’re a system architect or security architect. Getting certified proves your expertise in developing, designing, and analyzing security solutions. The CISSP-ISSAP exam outline, which was last updated in Oct. 2020, details the major topics and subtopics within the domains that are covered on the test.
A look inside the CISSP-ISSAP domains:
- Architect for governance, compliance, and risk management
- Security architecture modeling
- Infrastructure security architecture
- Identity and access management (IAM) architecture
- Architect for application security
- Security operations architecture
Information Systems Security Engineering Professional (ISSEP)
This is an appropriate credential for an information assurance systems engineer or senior systems engineer. The CISSP-ISSEP exam outline, which was last updated in Nov. 2020, details the major topics and subtopics within the domains that are covered on the test.
A look inside the CISSP-ISSEP domains:
- Systems security engineering foundations
- Risk management
- Security planning and design
- Systems implementation, verification, and validation
- Secure operations, change management, and disposal
Information Systems Security Management Professional (ISSMP)
This is an appropriate credential for a CISO, CIO, CTO, or senior security executive. The CISSP-ISSMP exam outline, which was last updated in May 2018, details the major topics and subtopics within the domains covered on the test.
A look inside the CISSP-ISSMP domains:
- Leadership and business management
- Systems lifecycle management
- Threat intelligence and incident management
- Law, ethics, and security compliance management
Systems Security Certified Practitioner
This credential suits those who possess advanced technical skills. Their role may be to administer, implement and monitor security for IT infrastructures and recommend and employ best practices. The SSCP certification is a good fit for a systems administrator, security administrator, or database administrator, and those who are in roles like security consultant and analyst or systems engineer.
A look inside the SSCP domains:
- Domain 1: Access controls
- Domain 2: Security operations and administration
- Domain 3: Risk identification, monitoring, and analysis
- Domain 4: Incident response and recovery
- Domain 5: Cryptography
- Domain 6: Network and communications security
- Domain 7: Systems and application security
Effective November 1, 2021, the test will be based on a new SSCP Exam Outline.
The exam consists of 125 multiple-choice questions with a passing score of 700 out of 1,000 points. It costs $249.
Experience requirements: a minimum of one year of cumulative work experience in one or more of the seven domains of the SSCP CBK is required. However, candidates with a bachelor’s or master’s degree in a cybersecurity program can satisfy this requirement through the one-year prerequisite pathway.
Certified Cloud Security Professional
The CCSP certification is ideal for IT and information security leaders responsible for applying best practices to cloud security architecture, design, operations, and service orchestration. The CCSP was last updated in August 2019 and is a good option for professionals in roles such as enterprise and systems architect, security and systems engineer, and security architect and consultant.
A look inside the CCSP domains:
- Domain 1: Cloud concepts, architecture, and design
- Domain 2: Cloud data security
- Domain 3: Cloud platform and infrastructure security
- Domain 4: Cloud application security
- Domain 5: Cloud security operations
- Domain 6: Legal, risk, and compliance
The exam consists of 125 multiple-choice questions with a passing score of 700 out of 1,000 points and costs $599.
Experience requirements: candidates must have a minimum of five years of cumulative paid work experience in information technology. Three of those years must be in information security, and one year must be in one or more of the six domains of the CCSP CBK; however, earning CSA’s CCSK certificate can fulfill this one-year requirement. The entire experience requirement is waived if the candidate already holds the (ISC)² CISSP credential.
Certified Authorization Professional
This credential maps directly from the Department of Defense (DoD) mandate 8570 to the National Institute of Standards and Technology (NIST) risk management framework (RMF). The CAP certification is suited for persons serving in the military, as well as employees or contractors working with the government. It’s the only (ISC)² credential that specifically targets IT professionals tasked with RMF compliance, a set of standards enabling DoD agencies to effectively manage cybersecurity risk and make more informed, risk-based decisions.
A look inside the CAP domains:
- Domain 1: Information security risk management program
- Domain 2: Categorization of information systems (IS)
- Domain 3: Selection of security controls
- Domain 4: Implementation of security controls
- Domain 5: Assessment of security controls
- Domain 6: Authorization of information systems (IS)
- Domain 7: Continuous monitoring
The exam consists of 125 multiple-choice questions (a passing score is 700 out of 1,000 points) and costs $599.
Experience requirements: candidates are required to have a minimum of two years of cumulative work experience in one or more of the seven domains of the CAP CBK.
Certified Secure Software Lifecycle Professional
This credential targets IT professionals who build and design security into the software development lifecycle (SDLC). The CSSLP certification, which was last updated in Sept. 2020, is appropriate for software architects, engineers, and developers responsible for applying best practices to each phase of the SDLC (from software creation and implementation to testing and deployment).
A look inside the CSSLP domains:
- Domain 1. Secure software concepts
- Domain 2. Secure software requirements
- Domain 3. Secure software architecture and design
- Domain 4. Secure software implementation
- Domain 5. Secure software testing
- Domain 6. Secure software lifecycle management
- Domain 7. Secure software deployment, operations, and maintenance
- Domain 8. Secure software supply chain
The exam consists of 125 multiple-choice questions (a passing score is 700 out of 1,000 points) and costs $599.
Experience requirements: a minimum of four years of cumulative paid software development lifecycle (SDLC) professional work experience in one or more of the eight domains of the (ISC)² CSSLP CBK is required. Candidates with a four-year degree or regional equivalent in computer science, information technology (IT), or related fields can meet the requirement by demonstrating three years of cumulative paid SDLC professional work experience in one or more of the eight domains of the CSSLP CBK.
HealthCare Information Security and Privacy Practitioner
This credential benefits professionals working to protect personal health information within their organization. The HCISPP certification, which was last updated in Sept. 2019, suits experienced health information workers, system administrators, privacy managers, medical records overseers, security auditors, and compliance officers.
A look inside the HCISPP domains:
- Domain 1. Healthcare industry
- Domain 2. Information governance in healthcare
- Domain 3. Information technologies in healthcare
- Domain 4. Regulatory and standards environment
- Domain 5. Privacy and security in healthcare
- Domain 6. Risk management and risk assessment
- Domain 7. Third-party risk management
The exam consists of 125 multiple-choice questions and has a passing score of 700 out of 1,000 points. It costs $599.
Experience requirements: candidates are required to have a minimum of two years of cumulative paid work experience in one or more knowledge areas of the HCISPP CBK that include security, compliance, and privacy. One of those years must be in the healthcare industry. “Legal experience may be substituted for compliance and information management experience may be substituted for privacy.”