A Complete ISC2 Certification Guide
Cybersecurity is one of the highest-priority issues facing enterprises today. Organizations face threats from all angles — data breaches, crypto-jacking, IoT device vulnerabilities, mobile malware, and more. In a 2019 survey of CEOs, U.S. chief executives rated cybersecurity as their number one concern — behind fear of recession and new competitors. What's more, there's a widening shortage of cybersecurity professionals.
There are a number of cybersecurity certifications from vendors such as Microsoft and Cisco, as well as vendor-neutral programs from organizations such as CompTIA, the Information Systems Audit and Control Association (ISACA), Global Information Assurance Certification (GIAC), and ISC2.
The International Information System Security Certification Consortium (ISC2) is a not-for-profit organization focused on cybersecurity training and professional certification. ISC2 certification programs are arguably the most comprehensive set of cybersecurity certifications in the industry.
This guide contains a comprehensive introduction to the various ISC2 certification programs, recommended ISC2 certification paths, the costs associated with ISC2 certification programs, and insights into job opportunities related to the ISC2 certification path.
What is ISC2 Certification?
ISC2 certifications are recognized worldwide as symbols of excellence in IT security. In particular, the ISC2 Certified Information Systems Security Professional (CISSP) and ISC2 Certified Cloud Security Professional (CCSP) certifications are highly prized by employers and IT professionals.
ISC2 certifications provide employers with proof that potential employees have the cybersecurity skills and expertise needed to protect their enterprise systems, networks, and information.
In addition to the Certified Information Systems Security Professional (CISSP) and Certified Cloud Security Professional (CCSP) certifications, the ISC2 certification set includes the Systems Security Certified Practitioner (SSCP), the Certified Authorization Professional (CAP), and the Certified Secure Software Lifecycle Professional (CSSLP). ISC2 certification also includes the HealthCare Information Security and Privacy Practitioner (HCISPP), recognizing the particular security and compliance requirements in the healthcare sector.
For career cybersecurity professionals who want to build upon their ISC2 CISSP certification, ISC2 has created CISSP Concentrations, which validate expertise in one or more information security specializations.
ISC2 Certification Process
ISC2 has a rigorous multi-step process for candidates to achieve certification:
Satisfy ISC2 designated work experience requirements in the security field.
Take and pass the requisite ISC2 certification exam.
Complete the ISC2 endorsement process to verify professional experience and standing in the cybersecurity industry.
Agree to support the ISC2 Code of Ethics.
Pay the initial ISC2 Annual Maintenance Fee (AMF) of $125 and receive ISC2 certification.
Members only pay a single AMF regardless of how many certifications they earn.
Finally, recognizing the "chicken and the egg" nature of work experience, the ISC2 certification path has an on-ramp for professionals who don't have the work experience prerequisite to becoming certified. Through the Associate of ISC2 program, candidates can take any ISC2 certification exam without the required work experience. Upon passing the exam, the person becomes an Associate of ISC2 as they work to gain the work experience required to become fully certified.
ISC2 Certifications
ISC2 has a broad portfolio of security certifications that are aligned with the ISC2 Common Body of Knowledge (CBK) — a compendium of cybersecurity domain topics, which is updated annually to reflect the latest in IT security knowledge and practices. ISC2 offers six certifications:
ISC2 Certified Information Systems Security Professional (CISSP)
ISC2 Systems Security Certified Practitioner (SSCP)
ISC2 Certified Cloud Security Professional (CCSP)
ISC2 Certified Authorization Professional (CAP)
ISC2 Certified Secure Software Lifecycle Professional (CSSLP)
ISC2 HealthCare Information Security and Privacy Practitioner (HCISPP)
An important aspect of ISC2 certification is that in addition to passing the required examination(s), there is an absolute requirement that individuals have prescribed years of relevant paid work experience in domain(s) in the Common Body of Knowledge (CBK).
ISC2 Certified Information Systems Security Professional (CISSP)
The ISC2 Certified Information Systems Security Professional (CISSP) is one of the most valued certifications available to IT security professionals. The certification is designed for experienced security practitioners, managers and executives. The ISC2 CISSP also meets the requirements of U.S. Department of Defense (DoD) Directive 8570.1.
The ISC2 CISSP validates a candidate's knowledge in eight security domains:
Domain 1: Security and Risk Management
Domain 2: Asset Security
Domain 3: Security Architecture and Engineering
Domain 4: Communication and Network Security
Domain 5: Identity and Access Management (IAM)
Domain 6: Security Assessment and Testing
Domain 7: Security Operations
Domain 8: Software Development Security
Required exam: Earning the ISC2 CISSP certification requires passing one exam — the CISSP exam.
Prerequisites: Candidates who pass the CISSP exam but do not have the required work experience will become an Associate of ISC2. They will then have up to six (6) years to achieve the five (5) years of required experience in order to be awarded the CISSP certification.
Required experience: Candidates must have a minimum of five (5) years cumulative paid work experience in two or more of the eight domains of the CISSP CBK. Candidates may satisfy one year of the required experience if they have a four-year college degree or equivalent credential from the ISC2 approved experience list.
ISC2 Systems Security Certified Practitioner (SSCP)
The ISC2 Systems Security Certified Practitioner (SSCP) is designed for IT administrators, managers, directors and network security professionals who have hands-on operational responsibility for security of their organization's data, systems, and networks.
The ISC2 SSCP validates a candidate's knowledge in seven security domains:
Domain 1: Access Controls
Domain 2: Security Operations and Administration
Domain 3: Risk Identification, Monitoring and Analysis
Domain 4: Incident Response and Recovery
Domain 5: Cryptography
Domain 6: Network and Communications Security
Domain 7: Systems and Application Security
Required exam: Earning the ISC2 SSCP certification requires passing one exam — the SSCP exam.
Prerequisites: Candidates who pass the SSCP exam but do not have the required work experience will become an Associate of ISC2. They then have two (2) years in which to gain the one (1) year of required experience and be awarded the SSCP certification.
Required experience: Candidates must have a minimum of one (1) year cumulative work experience in one or more of the seven domains of the SSCP CBK. Candidates who hold an accredited degree from a cybersecurity program may be deemed to have satisfied their one-year work experience requirement.
ISC2 Certified Cloud Security Professional (CCSP)
The ISC2 Certified Cloud Security Professional (CCSP) is reported to be the industry's leading cloud security certification. The certification is designed for IT and security leaders who are responsible for cloud security architecture, design, operations, and service orchestration.
The ISC2 CCSP validates a candidate's knowledge in six security domains:
Domain 1: Architectural Concepts and Design Requirements
Domain 2: Cloud Data Security
Domain 3: Cloud Platform and Infrastructure Security
Domain 4: Cloud Application Security
Domain 5: Operations
Domain 6: Legal and Compliance
Required exam: Earning the ISC2 CCSP certification requires passing one exam — the CCSP exam.
Prerequisites: Candidates who pass the CCSP exam but do not have the required work experience will become Associates of ISC2. They then have six (6) years in which to gain the five (5) years of required experience and be awarded the CCSP certification.
Required experience: Candidates must have a minimum of five (5) years cumulative work experience in IT and one year in one or more of the six domains of the CCSP CBK. The ISC2 CISSP credential can be substituted for the entire CCSP work experience requirement. The CSA CCSK can be substituted for the requirement for one year of experience in one or more of the six domains of the CCSP CBK.
ISC2 Certified Authorization Professional (CAP)
The ISC2 Certified Authorization Professional (CAP) is designed for IT security and information assurance practitioners in U.S. Federal Government departments and the United States military, government contractors, as well as state and local government and private sector organizations. The ISC2 CAP covers the Risk Management Framework (RMF) for the U.S. federal government and its contractors. The ISC2 CAP is the only certification under the DoD 8570 mandate that aligns with each RMF step.
The ISC2 CAP validates a candidate's knowledge in seven security domains:
Domain 1: Information Security Risk Management Program
Domain 2: Categorization of Information Systems (IS)
Domain 3: Selection of Security Controls
Domain 4: Implementation of Security Controls
Domain 5: Assessment of Security Controls
Domain 6: Authorization of Information Systems (IS)
Domain 7: Continuous Monitoring
Required exam: Earning the ISC2 CAP certification requires passing one exam — the CAP exam.
Prerequisites: Candidates who pass the CAP exam but do not have the required work experience will become Associates of ISC2. They then have three (3) years in which to gain the two (2) years of required experience and be awarded the CAP certification.
Required experience: Candidates must have a minimum of two (2) years cumulative work experience in one or more of the seven domains of the CAP CBK.
ISC2 Certified Secure Software Lifecycle Professional (CSSLP)
The ISC2 Certified Secure Software Lifecycle Professional (CSSLP) is designed for software development and security professionals who are responsible for applying best practices to each phase of the SDLC – from software design and development, to testing and deployment.
The ISC2 CSSLP validates a candidate's knowledge in eight security domains:
Domain 1: Secure Software Concepts
Domain 2: Secure Software Requirements
Domain 3: Secure Software Design
Domain 4: Secure Software Implementation/Programming
Domain 5: Secure Software Testing
Domain 6: Secure Lifecycle Management
Domain 7: Software Deployment, Operations, and Maintenance
Domain 8: Supply Chain and Software Acquisition
Required exam: Earning the ISC2 CSSLP certification requires passing one exam — the CSSLP exam.
Prerequisites: Candidates who pass the CSSLP exam but do not have the required work experience will become an Associate of ISC2. They then have five (5) years in which to gain the four (4) years of required experience and be awarded the CSSLP certification.
Required experience: Candidates must have a minimum of four (4) years cumulative paid full-time Software Development Lifecycle work experience in one or more of the eight domains of the CSSLP CBK. Candidates who hold an accredited four-year degree in IT, computer science, or related field may be deemed to have satisfied one (1) year of the four (4) year work experience requirement.
ISC2 HealthCare Information Security and Privacy Practitioner (HCISPP)
The ISC2 HealthCare Information Security and Privacy Practitioner (HCISPP) is designed for information security and health management professionals who are responsible for guarding patients' protected health information (PHI).
The ISC2 HCISPP validates a candidate's knowledge in seven security domains:
Domain 1: Healthcare Industry
Domain 2: Information Governance in Healthcare
Domain 3: Information Technologies in Healthcare
Domain 4: Regulatory and Standards Environment
Domain 5: Privacy and Security in Healthcare
Domain 6: Risk Management and Risk Assessment
Domain 7: Third-Party Risk Management
Required exam: Earning the ISC2 HCISPP certification requires passing one exam — the HCISPP exam.
Prerequisites: Candidates who pass the HCISPP exam but do not have the required work experience will become an Associate of ISC2. They then have three (3) years to gain the two (2) years of required experience and be awarded the HCISPP certification.
Required experience: Candidates must have a minimum of two (2) years cumulative paid work experience in one or more knowledge areas of the HCISPP CBK that includes security, compliance and privacy, with at least one of those years in the healthcare industry. Legal experience may be substituted for compliance and information management experience may be substituted for privacy.
ISC2 CISSP Concentrations
For Certified Information Systems Security Professionals (CISSP) looking to extend their security subject matter expertise, the CISSP concentrations provide an ideal ISC2 certification path. ISC2 offers three CISSP concentrations:
Architecture: Information Systems Security Architecture Professional (CISSP-ISSAP)
Engineering: Information Systems Security Engineering Professional (CISSP-ISSEP)
Management: Information Systems Security Management Professional (CISSP-ISSMP)
These specialized credentials build upon the CISSP and help a candidate demonstrate mastery of information security.
ISC2 Architecture: CISSP-ISSAP
The ISC2 Information Systems Security Architecture Professional (CISSP-ISSAP) certification is designed for professionals such as senior engineers and architects who design enterprise information security programs and provide executive and upper level management with risk-based guidance to meet organizational goals. The ISC2 CISSP-ISSAP meets the U.S. DoD Directive 8570.1 requirements for Level III Information Assurance System Architects and Engineers (IASAE III) job positions.
The ISC2 CISSP-ISSAP validates a candidate's knowledge in six security domains:
Domain 1: Identity and Access Management Architecture
Domain 2: Security Operations Architecture
Domain 3: Infrastructure Security
Domain 4: Architect for Governance, Compliance, and Risk Management
Domain 5: Security Architecture Modeling
Domain 6: Architect for Application Security
Required exam: Earning the ISC2 CISSP-ISSAP certification requires passing one exam — the CISSP-ISSAP exam.
Prerequisites: Prior to attempting this certification, candidates must earn the CISSP certification and be in good standing.
Required experience: In addition to a CISSP, candidates must have two (2) years cumulative paid work experience in one or more of the six domains of the CISSP-ISSAP CBK.
ISC2 Engineering: CISSP-ISSEP
The ISC2 Information Systems Security Engineering Professional (CISSP-ISSEP) certification is designed for systems engineers who incorporate security into projects, applications, business processes and information systems.
ISC2 developed this certification in conjunction with the U.S. National Security Agency (NSA), and it is a valuable credential for systems security engineering professionals in both the government and commercial sectors. The ISC2 CISSP-ISSEP meets the U.S. DoD Directive 8570.1 requirements for Level III Information Assurance System Architects and Engineers (IASAE III) job positions.
The ISC2 CISSP-ISSEP validates a candidate's knowledge in five security domains:
Domain 1: Security Engineering Principles
Domain 2: Risk Management
Domain 3: Security Planning, Design, and Implementation
Domain 4: Secure Operations, Maintenance, and Disposal
Domain 5: Systems Engineering Technical Management
Required exam: Earning the ISC2 CISSP-ISSEP certification requires passing one exam — the CISSP-ISSEP exam.
Prerequisites: Prior to attempting this certification, candidates must earn the CISSP certification and be in good standing.
Required experience: In addition to a CISSP, candidates must have two (2) years cumulative paid work experience in one or more of the five domains of the CISSP-ISSEP CBK.
ISC2 Management: CISSP-ISSMP
The ISC2 Information Systems Security Management Professional (CISSP-ISSMP) certification is designed for executives such as chief information officers, chief information security officers, and chief technology officers. The ISC2 CISSP-ISSMP meets the U.S. DoD Directive 8570.1 requirements for CSSP Manager job positions.
The ISC2 CISSP-ISSMP validates a candidate's knowledge in six security domains:
Domain 1: Leadership and Business Management
Domain 2: Systems Lifecycle Management
Domain 3: Risk Management
Domain 4: Threat Intelligence and Incident Management
Domain 5: Contingency Management
Domain 6: Law, Ethics, and Security Compliance Management
Required exam: Earning the ISC2 CISSP-ISSMP certification requires passing one exam — the CISSP-ISSMP exam.
Prerequisites: Prior to attempting this certification, candidates must earn the CISSP certification and be in good standing.
Required experience: In addition to a CISSP, candidates must have two (2) years cumulative paid work experience in one or more of the six domains of the CISSP-ISSMP CBK.
Associate of ISC2 Designation
Work experience requirements for ISC2 certifications are extensive and are policed rigorously. The requirements are set high — five (5) years for the CISSP and CCSP, four (4) years for the CSSLP, and two (2) years for the CAP and HCISPP — in order to ensure the most experienced candidates for ISC2 certification. But the stringent work experience hurdles could prove a deterrent to early career professionals who want to enter the cybersecurity space.
Recognizing the "chicken and the egg" nature of work experience, ISC2 created the Associate of ISC2 designation as the on-ramp for professionals who don't have the work experience prerequisite to become certified. Through the Associate of ISC2 program, candidates can take any ISC2 certification exam without the required work experience.
Upon passing the exam, the person is eligible to become an Associate of ISC2 as they work to gain the work experience required to become fully certified. Employers recognize that the Associate of ISC2 has value and are consequently open to employment candidates who have earned this designation.
Associates of ISC2 are required to be ISC2 members in good standing. They pay an Annual Maintenance Fee (AMF) of $50, compared to the $125 AMF paid by full members. They must also meet the continuing professional education (CPE) requirements of their certification, while they work to gain the required experience to certify as a CISSP, SSCP, CCSP, CAP, CSSLP, HCISPP or CCFP and complete the ISC2 endorsement process.
How Much Does it Cost to Get ISC2 Certified?
Your cost to be ISC2 certified includes the ISC2 certification exam cost plus your $125 ISC2 annual maintenance fee (AMF) for the three (3) years that the credential is valid. For example, in the Americas, the CISSP certification cost would be $1074 — $699 for the exam plus $375 in AMFs.
ISC2 exam prices are normally $599 in the Americas, with the CISSP exam costing $699 and the SSCP exam costing $249. Your total ISC2 certification cost will also include what you spend on study materials and certification training courses that you take in preparation for the exam. Beyond the exam, you'll also need to budget for the costs involved in continuing professional education (CPE) credits needed to keep the certification valid.
ISC2 Recertification and Renewal
ISC2 certifications are valid for three years and may be renewed by earning and submitting continuing professional education (CPE) credits for each year of the three-year certification cycle. For each ISC2 certification, there is a minimum number of CPE credits — with a suggested minimum number per year — required before the certification expires. Remember, of course, that holders must also be current with paying their annual maintenance fee (AMF).
Associates of ISC2 are on a one-year certification cycle and are required to earn and submit 15 CPE credits each year — plus pay their $50 AMF.
Renewal of the CISSP certification requires a total of 120 CPE credits over the three-year certification cycle, with a recommended 40 credits per year. For holders of one or more of the CISSP concentration credentials — CISSP-ISSAP, CISSP-ISSEP, or CISSP-ISSMP — 20 CPE credits in the CISSP three-year cycle must be directly related to each concentration held.
For more information on CPE credits required to recertify and renew each ISC2 certification, download the ISC2 Continuing Professional Education Handbook.
ISC2 Certification Salary and Career Information
With the reported shortage of cybersecurity professionals, now is a good time to earn ISC2 certification. For women, cybersecurity spells opportunity: according to the ISC2 Cybersecurity Workforce Study, Women in Cybersecurity, men still outnumber women and generally get paid more, but women are finding their way to security leadership positions in higher numbers.
ISC2 certifications are highly regarded credentials for IT security professionals, and this is reflected in the expected salary for ISC2 certifications. In Certification Magazine's last survey of certification salaries, eight ISC2 certifications made the top 30 average salaries. The three CISSP Concentrations—CISSP-ISSEP, CISSP-ISSAP, and CISSP-ISSMP—came in third, sixth, and seventh, respectively. The ISC2 Certified Secure Software Lifecycle Professional (CSSLP) came in fourth.
The Certified Information Systems Security Professional (CISSP), the Certified Cloud Security Professional (CCSP), the HealthCare Information Security and Privacy Practitioner (HCISPP), and the Certified Authorization Professional (CAP) were also in the Top 30.
A review of the certification data collected by PayScale shows that even the Associate of ISC2 credential is of value, with an average salary of $65,000. Moving along the ISC2 certification path, an average salary of $74,000 is reported for holders of the Systems Security Certified Practitioner (SSCP) certification.
The premier ISC2 Certified Information Systems Security Professional (CISSP) certification commands an average salary of $109,000. At the same time, the CISSP Concentrations have yearly salaries of $155,000 for management professionals (CISSP-ISSMP), $129,000 for security architects (CISSP-ISSAP), and $142,000 for security engineers (CISSP-ISSEP).
Government organizations and contractors are popular employers, which is not surprising given that the Associate of ISC2, SSCP, CISSP, the CISSP Concentrations (CISSP-ISSAP, CISSP-ISSEP, CISSP-ISSMP), and CSSLP are all DoD 8570-approved baseline certifications.
ISC2 Certification Training
Good luck to you as you start on your ISC2 certification path. CBT Nuggets has video training that supports the ISC2 certification programs for the ISC2 Certified Information Systems Security Professional (CISSP).
Our training changes occasionally, so be sure to check CBT Nuggets for new or updated ISC2 certification training relevant to your personal goals.