A Complete (ISC)2 Certification Guide
Cybersecurity is one of the highest-priority issues facing enterprises today. Organizations face threats from all angles: data breaches, crypto-jacking, IoT device vulnerabilities, mobile malware, and more. In a 2019 survey of CEOs, U.S. chief executives rated cybersecurity as their number one concern, ahead of fear of recession and new competitors. What's more, there is a widening shortage of cybersecurity professionals.
There are a number of cybersecurity certifications from vendors such as Microsoft and Cisco, as well as vendor-neutral programs from organizations such as CompTIA, the Information Systems Audit and Control Association (ISACA), Global Information Assurance Certification (GIAC), and (ISC)².
The International Information System Security Certification Consortium (ISC)² is a not-for-profit organization focused on cybersecurity training and professional certification. (ISC)² certification programs are arguably the most comprehensive set of cybersecurity certifications in the industry.
This guide contains a comprehensive introduction to the various (ISC)² certification programs, recommended (ISC)² certification paths, the costs associated with (ISC)² certification programs, and insights into job opportunities related to the (ISC)² certification path.
What is (ISC)² Certification?
(ISC)² certifications are recognized worldwide as symbols of excellence in IT security. The (ISC)² Certified Information Systems Security Professional (CISSP) and (ISC)² Certified Cloud Security Professional (CCSP) certifications in particular are highly prized by employers and IT professionals alike.
(ISC)² certifications provide employers with proof that potential employees have the cybersecurity skills and expertise needed to protect their enterprise systems, networks, and information.
In addition to the Certified Information Systems Security Professional (CISSP) and Certified Cloud Security Professional (CCSP) certifications, the (ISC)² certification set includes the Systems Security Certified Practitioner (SSCP), the Certified Authorization Professional (CAP), and the Certified Secure Software Lifecycle Professional (CSSLP). Recognizing the particular security and compliance requirements in the healthcare sector, (ISC)² certification also includes the HealthCare Information Security and Privacy Practitioner (HCISPP).
For career cybersecurity professionals who want to build upon their (ISC)² CISSP certification, (ISC)² has created CISSP Concentrations, which validate expertise in one or more information security specializations.
(ISC)² Certification Process
(ISC)² has a rigorous multi-step process for candidates to achieve certification:
Satisfy the (ISC)² designated work experience requirements in the security field.
Take and pass the requisite (ISC)² certification exam.
Complete the (ISC)² endorsement process to verify professional experience and standing in the cybersecurity industry.
Agree to support the (ISC)² Code of Ethics.
Pay the initial (ISC)² Annual Maintenance Fee (AMF) of $125 and receive (ISC)² certification.
Members only pay a single AMF regardless of how many certifications they earn.
Finally, recognizing the "chicken and the egg" nature of work experience, the (ISC)² certification path has an on-ramp for professionals who don't have the work experience prerequisite to becoming certified. Through the Associate of (ISC)² program, candidates can take any (ISC)² certification exam without the required work experience. Upon passing the exam, the person becomes an Associate of (ISC)² as they work to gain the work experience required to become fully certified.
(ISC)² Certifications
(ISC)² has a broad portfolio of security certifications that are aligned with the (ISC)² Common Body of Knowledge (CBK), a compendium of cybersecurity domain topics that is updated periodically to reflect the latest in IT security knowledge and practices. (ISC)² offers six certifications:
(ISC)² Certified Information Systems Security Professional (CISSP)
(ISC)² Systems Security Certified Practitioner (SSCP)
(ISC)² Certified Cloud Security Professional (CCSP)
(ISC)² Certified Authorization Professional (CAP)
(ISC)² Certified Secure Software Lifecycle Professional (CSSLP)
(ISC)² HealthCare Information Security and Privacy Practitioner (HCISPP)
An important aspect of (ISC)² certification is that in addition to passing the required examination(s), there is an absolute requirement that individuals have prescribed years of relevant paid work experience in domain(s) in the Common Body of Knowledge (CBK).
(ISC)² Certified Information Systems Security Professional (CISSP)
The (ISC)² Certified Information Systems Security Professional (CISSP) is one of the most valued certifications available to IT security professionals. The certification is designed for experienced security practitioners, managers and executives. The (ISC)² CISSP also meets the requirements of U.S. Department of Defense (DoD) Directive 8570.1.
The (ISC)² CISSP validates a candidate's knowledge in eight security domains:
Domain 1: Security and Risk Management
Domain 2: Asset Security
Domain 3: Security Architecture and Engineering
Domain 4: Communication and Network Security
Domain 5: Identity and Access Management (IAM)
Domain 6: Security Assessment and Testing
Domain 7: Security Operations
Domain 8: Software Development Security
Required exam: Earning the (ISC)² CISSP certification requires passing one exam — the CISSP exam.
Prerequisites: Candidates who pass the CISSP exam, but do not have the required work experience, will become an Associate of (ISC)². They will then have up to six (6) years to achieve the five (5) years required experience in order to be awarded the CISSP certification.
Required experience: Candidates must have a minimum of five (5) years cumulative paid work experience in two or more of the eight domains of the CISSP CBK. Candidates may satisfy one year of the required experience if they have a four-year college degree or equivalent credential from the (ISC)² approved experience list.
(ISC)² Systems Security Certified Practitioner (SSCP)
The (ISC)² Systems Security Certified Practitioner (SSCP) is designed for IT administrators, managers, directors and network security professionals who have hands-on operational responsibility for security of their organization's data, systems, and networks.
The (ISC)² SSCP validates a candidate's knowledge in seven security domains:
Domain 1: Access Controls
Domain 2: Security Operations and Administration
Domain 3: Risk Identification, Monitoring and Analysis
Domain 4: Incident Response and Recovery
Domain 5: Cryptography
Domain 6: Network and Communications Security
Domain 7: Systems and Application Security
Required exam: Earning the (ISC)² SSCP certification requires passing one exam — the SSCP exam.
Prerequisites: Candidates who pass the SSCP exam, but do not have the required work experience will become an Associate of (ISC)². They then have two (2) years in which to gain the one year of required experience and be awarded the SSCP certification.
Required experience: Candidates must have a minimum of one (1) year cumulative work experience in one or more of the seven domains of the SSCP CBK. Candidates who hold an accredited degree from a cybersecurity program may be deemed to have satisfied their one year work experience requirement.
(ISC)² Certified Cloud Security Professional (CCSP)
The (ISC)² Certified Cloud Security Professional (CCSP) is reported to be the industry's leading cloud security certification. The certification is designed for IT and security leaders who are responsible for cloud security architecture, design, operations, and service orchestration.
The (ISC)² CCSP validates a candidate's knowledge in six security domains:
Domain 1: Architectural Concepts and Design Requirements
Domain 2: Cloud Data Security
Domain 3: Cloud Platform and Infrastructure Security
Domain 4: Cloud Application Security
Domain 5: Operations
Domain 6: Legal and Compliance
Required exam: Earning the (ISC)² CCSP certification requires passing one exam — the CCSP exam.
Prerequisites: Candidates who pass the CCSP exam, but do not have the required work experience will become Associates of (ISC)². They then have six (6) years in which to gain the five (5) years required experience and be awarded the CCSP certification.
Required experience: Candidates must have a minimum of five (5) years cumulative work experience in IT, of which three (3) years must be in information security and one (1) year in one or more of the six domains of the CCSP CBK. The (ISC)² CISSP credential can be substituted for the entire CCSP work experience requirement. The Cloud Security Alliance (CSA) Certificate of Cloud Security Knowledge (CCSK) can be substituted for the requirement of one year of experience in one or more of the six domains of the CCSP CBK.
(ISC)² Certified Authorization Professional (CAP)
The (ISC)² Certified Authorization Professional (CAP) is designed for IT security and information assurance practitioners in U.S. Federal Government departments and the United States military, government contractors, as well as state and local government and private sector organizations. The (ISC)² CAP covers the risk management framework (RMF) for the U.S. federal government and its contractors. The (ISC)² CAP is the only certification under the DoD8570 mandate that aligns with each RMF step.
The (ISC)² CAP validates a candidate's knowledge in seven security domains:
Domain 1: Information Security Risk Management Program
Domain 2: Categorization of Information Systems (IS)
Domain 3: Selection of Security Controls
Domain 4: Implementation of Security Controls
Domain 5: Assessment of Security Controls
Domain 6: Authorization of Information Systems (IS)
Domain 7: Continuous Monitoring
Required exam: Earning the (ISC)² CAP certification requires passing one exam — the CAP exam.
Prerequisites: Candidates who pass the CAP exam, but do not have the required work experience will become Associates of (ISC)². They then have three (3) years in which to gain the two (2) years required experience and be awarded the CAP certification.
Required experience: Candidates must have a minimum of two (2) years cumulative work experience in one or more of the seven domains of the CAP CBK.
(ISC)² Certified Secure Software Lifecycle Professional (CSSLP)
The (ISC)² Certified Secure Software Lifecycle Professional (CSSLP) is designed for software development and security professionals who are responsible for applying best practices to each phase of the SDLC – from software design and development, to testing and deployment.
The (ISC)² CSSLP validates a candidate's knowledge in eight security domains:
Domain 1: Secure Software Concepts
Domain 2: Secure Software Requirements
Domain 3: Secure Software Design
Domain 4: Secure Software Implementation/Programming
Domain 5: Secure Software Testing
Domain 6: Secure Lifecycle Management
Domain 7: Software Deployment, Operations, and Maintenance
Domain 8: Supply Chain and Software Acquisition
Required exam: Earning the (ISC)² CSSLP certification requires passing one exam — the CSSLP exam.
Prerequisites: Candidates who pass the CSSLP exam, but do not have the required work experience will become an Associate of (ISC)². They then have five (5) years in which to gain the four (4) years of required experience and be awarded the CSSLP certification.
Required experience: Candidates must have a minimum of four (4) years cumulative paid full-time Software Development Lifecycle work experience in one or more of the eight domains of the CSSLP CBK. Candidates who hold an accredited four-year degree in IT, computer science, or related field may be deemed to have satisfied one (1) year of the four (4) year work experience requirement.
(ISC)² HealthCare Information Security and Privacy Practitioner (HCISPP)
The (ISC)² HealthCare Information Security and Privacy Practitioner (HCISPP) is designed for information security and health management professionals who are responsible for guarding patients' protected health information (PHI).
The (ISC)² HCISPP validates a candidate's knowledge in seven security domains:
Domain 1: Healthcare Industry
Domain 2: Information Governance in Healthcare
Domain 3: Information Technologies in Healthcare
Domain 4: Regulatory and Standards Environment
Domain 5: Privacy and Security in Healthcare
Domain 6: Risk Management and Risk Assessment
Domain 7: Third-Party Risk Management
Required exam: Earning the (ISC)² HCISPP certification requires passing one exam — the HCISPP exam.
Prerequisites: Candidates who pass the HCISPP exam, but do not have the required work experience will become an Associate of (ISC)². They then have three (3) years to gain the two (2) years of required experience and be awarded the HCISPP certification.
Required experience: Candidates must have a minimum of two (2) years cumulative paid work experience in one or more knowledge areas of the HCISPP CBK that includes security, compliance and privacy, with at least one of those years in the healthcare industry. Legal experience may be substituted for compliance and information management experience may be substituted for privacy.
(ISC)² CISSP Concentrations
For Certified Information Systems Security Professionals (CISSP) looking to extend their security subject matter expertise, the CISSP concentrations provide an ideal (ISC)² certification path. (ISC)² offers three CISSP concentrations:
Architecture: Information Systems Security Architecture Professional (CISSP-ISSAP)
Engineering: Information Systems Security Engineering Professional (CISSP-ISSEP)
Management: Information Systems Security Management Professional (CISSP-ISSMP)
These specialized credentials build upon the CISSP and help a candidate demonstrate mastery of information security.
(ISC)² Architecture: CISSP-ISSAP
The (ISC)² Information Systems Security Architecture Professional (CISSP-ISSAP) certification is designed for professionals such as senior engineers and architects who design enterprise information security programs and provide executive and upper level management with risk-based guidance to meet organizational goals. The (ISC)² CISSP-ISSAP meets the U.S. DoD Directive 8570.1 requirements for Level III Information Assurance System Architects and Engineers (IASAE III) job positions.
The (ISC)² CISSP-ISSAP validates a candidate's knowledge in six security domains:
Domain 1: Identity and Access Management Architecture
Domain 2: Security Operations Architecture
Domain 3: Infrastructure Security
Domain 4: Architect for Governance, Compliance, and Risk Management
Domain 5: Security Architecture Modeling
Domain 6: Architect for Application Security
Required exam: Earning the (ISC)² CISSP-ISSAP certification requires passing one exam — the CISSP-ISSAP exam.
Prerequisites: Prior to attempting this certification, candidates must earn the CISSP certification and be in good standing.
Required experience: In addition to a CISSP, candidates must have two (2) years cumulative paid work experience in one or more of the six domains of the CISSP-ISSAP CBK.
(ISC)² Engineering: CISSP-ISSEP
The (ISC)² Information Systems Security Engineering Professional (CISSP-ISSEP) certification is designed for systems engineers who incorporate security into projects, applications, business processes and information systems.
This (ISC)² certification was developed by (ISC)² in conjunction with the U.S. National Security Agency (NSA), and is a valuable accreditation for systems security engineering professionals in both government and commercial sectors. The (ISC)² CISSP-ISSEP meets the U.S. DoD Directive 8570.1 requirements for Level III Information Assurance System Architects and Engineers (IASAE III) job positions.
The (ISC)² CISSP-ISSEP validates a candidate's knowledge in five security domains:
Domain 1: Security Engineering Principles
Domain 2: Risk Management
Domain 3: Security Planning, Design, and Implementation
Domain 4: Secure Operations, Maintenance, and Disposal
Domain 5: Systems Engineering Technical Management
Required exam: Earning the (ISC)² CISSP-ISSEP certification requires passing one exam — the CISSP-ISSEP exam.
Prerequisites: Prior to attempting this certification, candidates must earn the CISSP certification and be in good standing.
Required experience: In addition to a CISSP, candidates must have two (2) years cumulative paid work experience in one or more of the five domains of the CISSP-ISSEP CBK.
(ISC)² Management: CISSP-ISSMP
The (ISC)² Information Systems Security Management Professional (CISSP-ISSMP) certification is designed for executives such as chief information officers, chief information security officers, and chief technology officers. The (ISC)² CISSP-ISSMP meets the U.S. DoD Directive 8570.1 requirements for CSSP Manager job positions.
The (ISC)² CISSP-ISSMP validates a candidate's knowledge in six security domains:
Domain 1: Leadership and Business Management
Domain 2: Systems Lifecycle Management
Domain 3: Risk Management
Domain 4: Threat Intelligence and Incident Management
Domain 5: Contingency Management
Domain 6: Law, Ethics, and Security Compliance Management
Required exam: Earning the (ISC)² CISSP-ISSMP certification requires passing one exam — the CISSP-ISSMP exam.
Prerequisites: Prior to attempting this certification, candidates must earn the CISSP certification and be in good standing.
Required experience: In addition to a CISSP, candidates must have two (2) years cumulative paid work experience in one or more of the six domains of the CISSP-ISSMP CBK.
Associate of (ISC)² Designation
Work experience requirements for (ISC)² certifications are extensive and are policed rigorously. The requirements are set high: five (5) years for the CISSP and CCSP, four (4) years for the CSSLP, two (2) years for the CAP and HCISPP, and one (1) year for the SSCP, in order to ensure the most experienced candidates for (ISC)² certification. But the stringent work experience hurdles could prove a deterrent to early career professionals who want to enter the cybersecurity space.
Recognizing the "chicken and the egg" nature of work experience, (ISC)² created the Associate of (ISC)² designation as the on-ramp for professionals who don't have the work experience prerequisite to become certified. Through the Associate of (ISC)² program, candidates can take any (ISC)² certification exam without the required work experience.
Upon passing the exam, the person is eligible to become an Associate of (ISC)², as they work to gain the work experience required to become fully certified. Employers recognize that the Associate of (ISC)² has value and are consequently open to employment candidates who have earned this designation.
Associates of (ISC)² are required to be (ISC)² members in good standing. They pay an Annual Maintenance Fee (AMF) of $50, compared to the $125 AMF paid by full members. They must also meet the continuing professional education (CPE) requirements of their certification while they work to gain the required experience to certify as a CISSP, SSCP, CCSP, CAP, CSSLP or HCISPP and complete the (ISC)² endorsement process.
How Much Does it Cost to Get (ISC)² Certified?
Your cost to be (ISC)² certified includes the (ISC)² certification exam cost, plus your $125 (ISC)² annual maintenance fee (AMF) for the three (3) years that the credential is valid. For example, in the Americas, the CISSP certification cost would be a total of $1074 — $699 for the exam plus $375 in AMFs.
(ISC)² exam prices are normally $599 in the Americas, with the CISSP exam costing $699 and the SSCP exam costing $249. Your total (ISC)² certification cost will also include what you spend on study materials and certification training courses that you take in preparation for the exam. Beyond the exam, you'll also need to budget for the costs involved in continuing professional education (CPE) credits needed to keep the certification valid.
(ISC)² Recertification and Renewal
(ISC)² certifications are valid for three years and may be renewed by earning and submitting continuing professional education (CPE) credits for each year of the three-year certification cycle. For each (ISC)² certification, there is a minimum number of CPE credits, with a suggested minimum number per year, required before the certification expires. Holders must also remain current on their annual maintenance fee (AMF).
Associates of (ISC)² are on a one-year certification cycle and are required to earn and submit 15 CPE credits each year — plus pay their $50 AMF.
Renewal of the CISSP certification requires a total of 120 CPE credits over the three-year certification cycle, with a recommended 40 credits per year. For holders of one or more of the CISSP concentration credentials — CISSP-ISSAP, CISSP-ISSEP, or CISSP-ISSMP — 20 CPE credits in the CISSP three-year cycle must be directly related to each concentration held.
For more information on CPE credits required to recertify and renew each (ISC)² certification, download the (ISC)² Continuing Professional Education Handbook.
(ISC)² Certification Salary and Career Information
With the reported shortage of cybersecurity professionals, now is a good time to earn (ISC)² certification. And for women, cybersecurity spells opportunity. According to an (ISC)² Cybersecurity Workforce Study: Women in Cybersecurity, men still outnumber women and generally get paid more, but women are finding their way to security leadership positions in higher numbers.
(ISC)² certifications are highly regarded credentials for IT security professionals, and this is reflected in the salaries (ISC)² certification holders can expect. In Certification Magazine's last survey of certification salaries, eight (ISC)² certifications made the top 30 average salaries. The three CISSP Concentrations (CISSP-ISSEP, CISSP-ISSAP, and CISSP-ISSMP) came in third, sixth and seventh, respectively. The (ISC)² Certified Secure Software Lifecycle Professional (CSSLP) came in fourth.
Also in the Top 30 were the Certified Information Systems Security Professional (CISSP), the Certified Cloud Security Professional (CCSP), the HealthCare Information Security and Privacy Practitioner (HCISPP), and the Certified Authorization Professional (CAP).
A review of the certification data collected by PayScale shows that even the Associate of (ISC)² credential is of value, with an average salary of $65,000. Moving along the (ISC)² certification path, an average salary of $74,000 is reported for holders of the Systems Security Certified Practitioner (SSCP) certification.
The premier (ISC)² Certified Information Systems Security Professional (CISSP) certification commands a $109,000 average salary, while the CISSP Concentrations have yearly salaries of $155,000 for management professionals (CISSP-ISSMP), $129,000 for security architects (CISSP-ISSAP), and $142,000 for security engineers (CISSP-ISSEP).
Government organizations and contractors are popular employers, which is not surprising given that Associate of (ISC)², SSCP, CISSP, the CISSP Concentrations (CISSP-ISSAP, CISSP-ISSEP, CISSP-ISSMP), CAP, and CSSLP are all DoD 8570-approved baseline certifications.
(ISC)² Certification Training
Good luck to you as you start on your (ISC)² certification path. CBT Nuggets has video training that supports the (ISC)² certification programs for the (ISC)² Certified Information Systems Security Professional (CISSP).
Our training does change occasionally, so be sure to check CBT Nuggets for new or updated (ISC)² certification training that's relevant to your personal goals.