(ISC)² Certifications Compared: CISSP, SSCP, CCSP, CSSLP, CAP and HCISPP

Founded in 1989, (ISC)2 is a leading cybersecurity organization that provides training, education and certifications for IT professionals and the organizations they support. A non-profit organization, (ISC)2 boasts almost 140,000 members worldwide.

(ISC)2 offers a comprehensive program with six different certifications, including certifications geared to information security, healthcare security and risk management. Most certifications are geared towards experienced security professionals with advanced or expert skills in their area of focus.

Earning and maintaining an (ISC)2 credential isn’t easy. In addition to passing an exam, candidates must meet experience requirements, agree to the (ISC)2 Code of Ethics, submit applications and endorsements, and pay an annual maintenance fee (AMF). Credentials are valid for three years, and candidates must earn continuing professional education credits (CPEs) to maintain the credential.

Let’s take a closer look at these certifications and see how the five lower (ISC)2 certifications compare to the pinnacle one, the Certified Information Systems Security Professional (CISSP).

Note that (ISC)2 does not require candidates to meet the work experience requirements to sit for an examination. A candidate who lacks the experience required to earn a particular certification but who has passed the exam is awarded the designation Associate of (ISC)2.

Certified Information Systems Security Professional (CISSP)

One of the most difficult and prestigious (ISC)2 certifications to obtain is the CISSP credential. It targets experienced security professionals with advanced skills in designing, architecting, implementing, controlling and maintaining cybersecurity solutions and programs. CISSPs are typically managers, auditors, analysts, system engineers, CISOs and architects.

To earn the CISSP, candidates must have at least five years of paid work experience in a minimum of two of the eight CISSP Common Body of Knowledge (CBK) domains:

  • Security and Risk Management
  • Asset Security
  • Security Architecture and Engineering
  • Communication and Network Security
  • Identity and Access Management (IAM)
  • Security Assessment and Testing
  • Security Operations
  • Software Development Security

The CISSP is the only (ISC)2 certification that offers additional concentrations beyond the base credential. Currently, there are three concentrations:

  • Information Systems Security Engineering Professional (CISSP–ISSEP)
  • Information Systems Security Management Professional (CISSP–ISSMP)
  • Information Systems Security Architecture Professional (CISSP–ISSAP)

The CISSP, like all (ISC)2 credentials, is valid for three years. To recertify, candidates must either take the exam again or earn 120 continuing professional education (CPE) credits (a minimum of 40 credits must be earned each year). The AMF is $85.

Systems Security Certified Practitioner (SSCP)

If you’re interested in infrastructure security, then Systems Security Certified Practitioner (SSCP) is certainly a credential worth exploring. The credential validates a candidate’s technical skill and ability to administer IT infrastructures in accordance with established security guidelines, procedures and policies. SSCPs possess advanced technical skills and are able to recommend and employ best practices, as well as administer, implement and monitor security for IT infrastructures.

The SSCP is suited for IT professionals who support operational IT infrastructure security for their organizations, such as system administrators and engineers, security engineers, and network and security analysts.

To earn the SSCP, candidates must pass the SSCP exam and have at least one year of experience in at least one of the SSCP job domain areas:

  • Access Controls
  • Security Operations and Administration
  • Risk Identification, Monitoring and Analysis
  • Incident Response and Recovery
  • Cryptography
  • Network and Communication Security
  • Systems and Application Security

To maintain the credential, SSCPs must earn 60 CPE credits during each three-year renewal cycle and pay an annual maintenance fee of $65.

SSCP vs. CISSP at a Glance

While CISSP is aimed at infosec professionals in senior managerial security roles, the SSCP is designed for network security engineers, security administrators and systems engineers. Therefore, the knowledge base needed to pass the SSCP is smaller, and an SSCP candidate needs only one year of security experience, as compared to the five years required for the CISSP.

Focus
  CISSP: IT security, cybersecurity
  SSCP: IT infrastructure security

Roles
  CISSP:
    • CIO/CISO
    • Security director or IT director
    • Security or network architect
    • Security manager
    • Auditor
    • Analyst
    • Systems engineer
    • Consultant
  SSCP:
    • Network security engineer
    • System administrator
    • Security analyst
    • Systems engineer
    • Security consultant or specialist
    • Security administrator
    • Systems or network analyst
    • Database manager

Domains
  CISSP:
    • Security and Risk Management
    • Asset Security
    • Security Architecture and Engineering
    • Communication and Network Security
    • Identity and Access Management
    • Security Assessment and Testing
    • Security Operations
    • Software Development Security
  SSCP:
    • Access Controls
    • Security Operations and Administration
    • Risk Identification, Monitoring and Analysis
    • Incident Response and Recovery
    • Cryptography
    • Network and Communications Security
    • Systems and Application Security

Experience required
  CISSP: 5 years in 2 or more of the CISSP domains; experience must have been full time and paid; some education substitutions allowed in lieu of experience
  SSCP: One year in at least one of the 7 SSCP domains; some substitutions for the experience requirement are granted for candidates with a bachelor’s or master’s degree in a cybersecurity program

Exam details
  CISSP: 100–150 questions, 3 hours
  SSCP: 125 questions, 3 hours

Exam fee
  CISSP: $699
  SSCP: $249

Maintenance
  CISSP: Valid for 3 years; 120 CPEs required to recertify (40 CPEs annually); AMF of $85
  SSCP: Valid for 3 years; 60 CPEs required to recertify; AMF of $65

Average salary
  CISSP: $109,965
  SSCP: $93,240

Certified Cloud Security Professional (CCSP)

A relative newcomer to the (ISC)2 certification portfolio is the CCSP. Added in 2015, it is specifically geared towards IT pros with cloud security roles, such as system architect, enterprise architect, security architect, manager, administrator, engineer or consultant.

The CCSP is for advanced professionals with at least five years of IT experience; three of those years must be in the realm of information security and one year must be in at least one of the six CCSP domains:

  • Architectural Concepts and Design Requirements
  • Cloud Data Security
  • Cloud Platform and Infrastructure Security
  • Cloud Application Security
  • Operations
  • Legal and Compliance

Candidates should be able to perform tasks related to securing data, infrastructure and applications in the cloud, as well as recommend and apply best practices to cloud design and security architecture.

To maintain the certification, CCSPs must pay an AMF of $100 and earn 90 CPEs during the three-year renewal cycle.

CCSP vs. CISSP at a Glance

These certifications are targeted at different markets: CISSP will help you to move into management, while CCSP helps you stay technical. The CCSP credential targets professionals working with cloud technology and is typically held by security architects, security administrators and system engineers.

Focus
  CISSP: IT security, cybersecurity
  CCSP: Secure cloud infrastructure

Roles
  CISSP:
    • CIO/CISO
    • Security director or IT director
    • Security or network architect
    • Security manager
    • Auditor
    • Analyst
    • Systems engineer
    • Consultant
  CCSP:
    • Enterprise architect
    • Security administrator
    • Systems engineer
    • Security architect
    • Security consultant
    • Security engineer
    • Security manager

Domains
  CISSP:
    • Security and Risk Management
    • Asset Security
    • Security Architecture and Engineering
    • Communication and Network Security
    • Identity and Access Management
    • Security Assessment and Testing
    • Security Operations
    • Software Development Security
  CCSP:
    • Architectural Concepts and Design Requirements
    • Cloud Data Security
    • Cloud Platform and Infrastructure Security
    • Cloud Application Security
    • Operations
    • Legal and Compliance

Experience required
  CISSP: 5 years in 2 or more of the CISSP domains; experience must have been full time and paid; some education substitutions allowed in lieu of experience
  CCSP: 5 years in information technology; 3 years must be in information security; at least one year must be in one of the CCSP domains; experience must have been paid

Exam details
  CISSP: 100–150 questions, 3 hours
  CCSP: 125 questions, 4 hours

Exam fee
  CISSP: $699
  CCSP: $599

Maintenance
  CISSP: Valid for 3 years; 120 CPEs required to recertify (40 CPEs annually); AMF of $85
  CCSP: Valid for 3 years; 90 CPEs required to recertify; AMF of $100

Average salary
  CISSP: $109,965
  CCSP: $133,820

Certified Secure Software Lifecycle Professional (CSSLP)

While all (ISC)2 certifications are security-focused, the CSSLP targets IT professionals who build and design security into the software development lifecycle (SDLC). CSSLPs are advanced cybersecurity professionals who employ best practices at all phases of the SDLC, from initial software design to development to testing to final deployment.

CSSLPs are usually software architects, engineers, developers, quality assurance professionals, project managers and security managers. To earn the credential, candidates must have a minimum of four years of full-time, paid experience working with the SDLC and experience in at least one of the CSSLP domains:

  • Secure Software Design
  • Secure Software Implementation/Programming
  • Secure Software Testing
  • Software Lifecycle Management
  • Software Deployment Operations and Maintenance
  • Supply Chain and Software Acquisition
  • Secure Software Concepts
  • Security Software Requirements

Ninety CPEs are required to maintain the credential, along with payment of a $100 annual maintenance fee.

CSSLP vs. CISSP at a Glance

The CSSLP is a more specialized certification than the CISSP. The CSSLP is focused on the security of the software development process, while the CISSP credential verifies your expertise in the cybersecurity field in general. The CSSLP can be a good complement to the CISSP credential.

Focus
  CISSP: IT security, cybersecurity
  CSSLP: Software development lifecycle security

Roles
  CISSP:
    • CIO/CISO
    • Security or IT director
    • Security or network architect
    • Security manager
    • Auditor
    • Analyst
    • Systems engineer
    • Consultant
  CSSLP:
    • Software architect
    • Engineer
    • Developer
    • Application security specialist
    • Software program manager
    • Quality assurance tester
    • Penetration tester
    • Software procurement analyst
    • Project manager
    • Security manager
    • IT director
    • IT manager

Domains
  CISSP:
    • Security and Risk Management
    • Asset Security
    • Security Architecture and Engineering
    • Communication and Network Security
    • Identity and Access Management
    • Security Assessment and Testing
    • Security Operations
    • Software Development Security
  CSSLP:
    • Secure Software Design
    • Secure Software Implementation/Programming
    • Secure Software Testing
    • Software Lifecycle Management
    • Software Deployment Operations and Maintenance
    • Supply Chain and Software Acquisition
    • Secure Software Concepts
    • Security Software Requirements

Experience required
  CISSP: 5 years in 2 or more of the CISSP domains; experience must have been full time and paid; some education substitutions allowed in lieu of experience
  CSSLP: 4 years working with the SDLC in one or more of the CSSLP domains; experience must have been full time and paid; education may satisfy some of the experience requirement

Exam details
  CISSP: 100–150 questions, 3 hours
  CSSLP: 175 questions, 4 hours

Exam fee
  CISSP: $699
  CSSLP: $599

Maintenance
  CISSP: Valid for 3 years; 120 CPEs required to recertify (40 CPEs annually); AMF of $85
  CSSLP: Valid for 3 years; 90 CPEs required to recertify; AMF of $100

Average salary
  CISSP: $109,965
  CSSLP: $143,150

Certified Authorization Professional (CAP)

Another relative newcomer is the CAP credential. Introduced in 2015, it is the only (ISC)2 credential that specifically targets IT professionals working with the risk management framework (RMF). According to (ISC)2, it also has the distinction of being the only certification that maps directly from Department of Defense (DoD) mandate 8570 to the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF).

The CAP is an advanced credential. It targets information assurance professionals who use RMF to maintain information systems. The credential is ideally suited for persons serving in the military, employees of federal or local governments, and civilians and private organizations working with the government.

To earn the credential, candidates must possess at least two years of full-time experience in at least one of the CAP domains, plus pass an exam. The current exam will be updated after October 15, 2018, so candidates should ensure that they study from the correct exam outline. The current CAP domains are:

  • Security Control Assessment
  • Categorizing of Information Systems
  • Selection of Security Controls
  • Security Control Implementation
  • Risk Management Framework
  • Information System Authorization
  • Monitoring of Security Controls

To maintain the credential, CAPs must pay an annual maintenance fee of $65 and earn 60 CPEs in the three-year renewal cycle.

CAP vs. CISSP at a Glance

The CAP and CISSP certifications center around different topics: CAP is focused on security auditing and compliance, while the CISSP is all about cybersecurity. A CAP certification candidate needs only two years of experience, as compared to the five years required for the CISSP.

Focus
  CISSP: IT security, cybersecurity
  CAP: IT information security, information assurance, risk management framework

Roles
  CISSP:
    • CIO/CISO
    • Security or IT director
    • Security or network architect
    • Security manager
    • Auditor
    • Analyst
    • Systems engineer
  CAP:
    • U.S. federal government
    • DoD employees
    • Military
    • Federal contractors
    • Local governments
    • Private sector organizations

Domains
  CISSP:
    • Security and Risk Management
    • Asset Security
    • Security Architecture and Engineering
    • Communication and Network Security
    • Identity and Access Management
    • Security Assessment and Testing
    • Security Operations
    • Software Development Security
  CAP:
    • Security Control Assessment
    • Categorizing of Information Systems
    • Selection of Security Controls
    • Security Control Implementation
    • Risk Management Framework
    • Information System Authorization
    • Monitoring of Security Controls

Experience required
  CISSP: 5 years in 2 or more of the CISSP domains; experience must have been full time and paid; some education substitutions allowed in lieu of experience
  CAP: 2 years full-time in at least one of the 7 CAP domains

Exam details
  CISSP: 100–150 questions, 3 hours
  CAP: 125 questions, 3 hours

Exam fee
  CISSP: $699
  CAP: $599

Maintenance
  CISSP: Valid for 3 years; 120 CPEs required to recertify (40 CPEs annually); AMF of $85
  CAP: Valid for 3 years; 60 CPEs required to recertify; AMF of $65

Average salary
  CISSP: $109,965
  CAP: $124,610

Healthcare Information Security and Privacy Practitioner (HCISPP)

One only has to look to the EU’s new General Data Protection Regulation (GDPR) to understand that privacy, particularly privacy as it relates to personally identifiable information (PII) and personal health information (PHI), has become a global concern. Therefore, healthcare organizations need highly skilled IT professionals who are able to assess, implement and manage privacy and security controls to protect PII and PHI. This makes the Healthcare Information Security and Privacy Practitioner (HCISPP) one of the top choices, if not the top choice, for IT professionals who want to work in the field of health IT.

The HCISPP is all about privacy in healthcare cybersecurity, protecting PII and PHI, and ensuring compliance with the various regulations designed to protect that data. The HCISPP is appropriate for any IT security professional working to protect personal health information within their organization. This includes roles such as privacy or compliance officer, security or privacy manager, medical records manager, and compliance auditor.

Candidates need at least two years of professional work experience before attempting the exam. This experience must be in at least one of the HCISPP domains that includes security, privacy or compliance. Legal experience may be substituted for compliance experience, and experience in information management may be substituted for the privacy requirement. In addition, candidates must have at least one year of work experience in the healthcare industry. The HCISPP domains are:

  • Information Risk Assessment
  • Information Governance and Risk Management
  • Privacy and Security in Healthcare
  • Healthcare Industry
  • Regulatory Environment
  • Third Party Risk Management

Like the other (ISC)2 certifications, the HCISPP is valid for three years. Sixty CPEs are required to renew. Candidates must also pay an annual maintenance fee of $65.

HCISPP vs. CISSP at a Glance

The HCISPP certification is similar to the CISSP, but it is narrowly targeted to the special demands of healthcare information security. It also requires less experience: two years, including one year in healthcare, is enough, while the CISSP certification requires five years of experience.

Focus
  CISSP: IT security, cybersecurity
  HCISPP: Healthcare cybersecurity privacy

Roles
  CISSP:
    • CIO/CISO
    • Security or IT director
    • Security or network architect
    • Security manager
    • Auditor
    • Analyst
    • Systems engineer
    • Consultant
  HCISPP:
    • Compliance officer
    • Information security manager
    • Privacy officer
    • Compliance auditor
    • Risk analyst
    • Medical records supervisor
    • Information technology manager
    • Privacy and security consultant
    • Health information manager
    • Practice manager

Domains
  CISSP:
    • Security and Risk Management
    • Asset Security
    • Security Architecture and Engineering
    • Communication and Network Security
    • Identity and Access Management
    • Security Assessment and Testing
    • Security Operations
    • Software Development Security
  HCISPP:
    • Information Risk Assessment
    • Information Governance and Risk Management
    • Privacy and Security in Healthcare
    • Healthcare Industry
    • Regulatory Environment
    • Third Party Risk Management

Experience required
  CISSP: 5 years in 2 or more of the CISSP domains; experience must have been full time and paid; some education substitutions allowed in lieu of experience
  HCISPP: 2 years in at least one of the HCISPP domains that includes security, privacy and compliance; legal experience may be substituted for compliance; information management experience may be substituted for privacy; at least one year of experience must be in the healthcare industry

Exam details
  CISSP: 100–150 questions, 3 hours
  HCISPP: 125 questions, 3 hours

Exam fee
  CISSP: $699
  HCISPP: $599

Maintenance
  CISSP: Valid for 3 years; 120 CPEs required to recertify (40 CPEs annually); AMF of $85
  HCISPP: Valid for 3 years; 60 CPEs required to recertify; AMF of $65

Average salary
  CISSP: $109,965
  HCISPP: $93,838*

(ISC)2 Certifications Compared — Facts at a Glance

Focus
  CISSP: IT security, cybersecurity
  SSCP: IT infrastructure security
  CCSP: Secure cloud infrastructure
  CSSLP: Software development lifecycle security
  CAP: IT information security, information assurance, risk management framework
  HCISPP: Healthcare cybersecurity privacy

Experience required
  CISSP: 5 years in 2 or more of the CISSP domains; experience must have been full time and paid; some education substitutions allowed in lieu of experience
  SSCP: One year in at least one of the 7 SSCP domains; some substitutions for the experience requirement are granted for candidates with a bachelor’s or master’s degree in a cybersecurity program
  CCSP: 5 years in information technology; 3 years must be in information security; at least one year must be in one of the CCSP domains; experience must have been paid
  CSSLP: 4 years working with the software development lifecycle (SDLC) in one or more of the CSSLP domains; experience must have been full time and paid; education may satisfy some of the experience requirement
  CAP: 2 years of full-time experience in at least one of the 7 CAP domains
  HCISPP: 2 years in at least one of the HCISPP domains that includes security, privacy and compliance; legal experience may be substituted for compliance; information management experience may be substituted for privacy; at least one year of experience must be in the healthcare industry

Exam details
  CISSP: 100–150 questions, 3 hours
  SSCP: 125 questions, 3 hours
  CCSP: 125 questions, 4 hours
  CSSLP: 175 questions, 4 hours
  CAP: 125 questions, 3 hours
  HCISPP: 125 questions, 3 hours

Exam fee
  CISSP: $699
  SSCP: $249
  CCSP: $599
  CSSLP: $599
  CAP: $599
  HCISPP: $599

Maintenance
  CISSP: Valid for 3 years; 120 CPEs required to recertify (40 CPEs annually); AMF of $85
  SSCP: Valid for 3 years; 60 CPEs required to recertify; AMF of $65
  CCSP: Valid for 3 years; 90 CPEs required to recertify; AMF of $100
  CSSLP: Valid for 3 years; 60 CPEs required to recertify; AMF of $65
  CAP: Valid for 3 years; 60 CPEs required to recertify; AMF of $65
  HCISPP: Valid for 3 years; 60 CPEs required to recertify; AMF of $65

Average salary
  CISSP: $109,965
  SSCP: $93,240
  CCSP: $133,820
  CSSLP: $143,150
  CAP: $124,610
  HCISPP: $93,838*

*Salary information for the HCISPP obtained from Glassdoor. All other salary information obtained from (ISC)2.
