Some of the most sought-after certifications are provided by the International Information System Security Certification Consortium, or (ISC)², a global, non-profit body that, since 1989, sets training standards for the information security industry and offers internationally recognized, vendor-neutral security certifications that demonstrate applied expertise in different areas of information security. (ISC)² currently offers six internationally recognized information security certifications:

- Certified Information Systems Security Professional (CISSP) with optional concentrations:
  - Information Systems Security Architecture Professional (ISSAP)
  - Information Systems Security Engineering Professional (ISSEP)
  - Information Systems Security Management Professional (ISSMP)
- Systems Security Certified Practitioner (SSCP)
- Certified Cloud Security Professional (CCSP)
- Certified Authorization Professional (CAP)
- Certified Secure Software Lifecycle Professional (CSSLP)
- HealthCare Information Security and Privacy Practitioner (HCISPP)

All certifications are grounded in (ISC)²’s common body of knowledge (CBK), which outlines global information security standards and best practices and complies with the standards of ANSI/ISO/IEC Standard 17024. Here is an overview of each of the (ISC)² certifications.

Certified Information Systems Security Professional

Currently the most popular (ISC)² option, this credential continues to be highly sought after by IT professionals and is well recognized by many organizations. The CISSP certification suits experienced security practitioners, managers and executives in positions like a chief information security officer, IT director/manager, security manager or auditor, security systems engineer and network architect. A look inside the CISSP domains:

- Domain 1: Security and risk management
- Domain 2: Asset security
- Domain 3: Security architecture and engineering
- Domain 4: Communication and network security
- Domain 5: Identity and access management (IAM)
- Domain 6: Security assessment and testing
- Domain 7: Security operations
- Domain 8: Software development security

Effective May 1, 2021, the test will be based on a new CISSP Exam Outline. The exam consists of 100-150 questions of multiple-choice and advanced innovative items and costs $699, but the price will increase to $749 on May 1, 2021. Experience requirements: a minimum of five years of cumulative paid work experience in two or more of the eight domains of the CISSP CBK is required. However, one of the years can be waived if the candidate has earned a four-year college degree or regional equivalent, or holds another credential from the (ISC)² approved list.

Certified Information Systems Security Professional concentrations

The CISSP concentrations are specialized credentials that prove your subject matter mastery. If pursuing one of the three concentrations (ISSAP, ISSMP and ISSEP) is right for you, it helps to understand that each one has its own common body of knowledge (CBK) and goes beyond what is required for the CISSP. Each concentration focuses on a different area within the CISSP framework, allowing you to hone your skills and specialize. Experience requirement: to pursue any of the concentration certifications, you must first have earned your CISSP certification and maintained it. You must also have at least two years of real-world experience in the area covered by the concentration (architecture, engineering or management). The exam consists of 125 multiple-choice questions (with a passing score of 700 out of 1,000 points) and costs $599. For more on the CISSP certification, view our CISSP hub.

Information Systems Security Architecture Professional (ISSAP)

This is an appropriate credential for a system architect or security architect. Getting certified proves your expertise in developing, designing and analyzing security solutions. The CISSP-ISSAP exam outline, which was last updated in Oct. 2020, details the major topics and subtopics within the domains that are covered on the test. A look inside the CISSP-ISSAP domains:

- Architect for governance, compliance and risk management
- Security architecture modeling
- Infrastructure security architecture
- Identity and access management (IAM) architecture
- Architect for application security
- Security operations architecture

Information Systems Security Engineering Professional (ISSEP)

This is an appropriate credential for an information assurance systems engineer or senior systems engineer. The CISSP-ISSEP exam outline, which was last updated in Nov. 2020, details the major topics and subtopics within the domains that are covered on the test. A look inside the CISSP-ISSEP domains:

- Systems security engineering foundations
- Risk management
- Security planning and design
- Systems implementation, verification and validation
- Secure operations, change management and disposal

Information Systems Security Management Professional (ISSMP)

This is an appropriate credential for a CISO, CIO, CTO or senior security executive. The CISSP-ISSMP exam outline, which was last updated in May 2018, details the major topics and subtopics within the domains covered on the test. A look inside the CISSP-ISSMP domains:

- Leadership and business management
- Systems lifecycle management
- Risk management
- Threat intelligence and incident management
- Contingency management
- Law, ethics and security compliance management

Systems Security Certified Practitioner

This credential suits those who possess advanced technical skills. Their role may be to administer, implement and monitor security for IT infrastructures and recommend and employ best practices. The SSCP certification is a good fit for a systems administrator, security administrator or database administrator, and those who are in roles like security consultant and analyst or systems engineer. A look inside the SSCP domains:

- Domain 1: Access controls
- Domain 2: Security operations and administration
- Domain 3: Risk identification, monitoring and analysis
- Domain 4: Incident response and recovery
- Domain 5: Cryptography
- Domain 6: Network and communications security
- Domain 7: Systems and application security

Effective November 1, 2021, the test will be based on a new SSCP exam outline. The exam consists of 125 multiple-choice questions with a passing score of 700 out of 1,000 points. It costs $249. Experience requirements: a minimum of one year of cumulative work experience in one or more of the seven domains of the SSCP CBK is required. However, a one-year prerequisite pathway will be granted for candidates with a bachelor’s or master’s degree in a cybersecurity program.

Certified Cloud Security Professional

The CCSP certification is ideal for IT and information security leaders responsible for applying best practices to cloud security architecture, design, operations and service orchestration. The CCSP was last updated on August 1, 2022, and is a good option for professionals in roles as enterprise and systems architects, security and systems engineers and security architects and consultants. A look inside the CCSP domains:

- Domain 1: Cloud concepts, architecture and design
- Domain 2: Cloud data security
- Domain 3: Cloud platform and infrastructure security
- Domain 4: Cloud application security
- Domain 5: Cloud security operations
- Domain 6: Legal, risk and compliance

The exam consists of 150 multiple-choice questions with a passing score of 700 out of 1,000 points and costs $599. Experience requirements: candidates must have a minimum of five years of cumulative paid work experience in information technology. Three of these years must be in information security. One year must be in one or more of the six domains of the CCSP CBK; however, earning CSA’s CCSK certificate can fulfill this requirement. The entire experience requirement is waived if the tester is already in possession of the (ISC)²’s CISSP credential.

Certified Authorization Professional

This credential maps directly from the Department of Defense (DoD) mandate 8570 to the National Institute of Standards and Technology (NIST) risk management framework (RMF). The CAP certification is suited for persons serving in the military, as well as employees or contractors working with the government. It’s the only (ISC)² credential that specifically targets IT professionals tasked with RMF compliance, a set of standards enabling DoD agencies to effectively manage cybersecurity risk and make more informed, risk-based decisions. A look inside the CAP domains: 

- Domain 1: Information security risk management program
- Domain 2: Categorization of information systems (IS)
- Domain 3: Selection of security controls
- Domain 4: Implementation of security controls
- Domain 5: Assessment of security controls
- Domain 6: Authorization of information systems (IS)
- Domain 7: Continuous monitoring

Effective Aug. 15, 2021, the test will be based on a new CAP exam outline. The exam consists of 125 multiple-choice questions (a passing score is 700 out of 1,000 points) and costs $599. Experience requirements: candidates are required to have a minimum of two years of cumulative work experience in one or more of the seven domains of the CAP CBK. For more on the CAP certification, view our CAP hub.

Certified Secure Software Lifecycle Professional

This credential targets IT professionals who build and design security into the software development lifecycle (SDLC). The CSSLP certification, which was last updated in Sept. 2020, is appropriate for software architects, engineers and developers responsible for applying best practices to each phase of the SDLC (from software creation and implementation to testing and deployment). A look inside the CSSLP domains:

- Domain 1: Secure software concepts
- Domain 2: Secure software requirements
- Domain 3: Secure software architecture and design
- Domain 4: Secure software implementation
- Domain 5: Secure software testing
- Domain 6: Secure software lifecycle management
- Domain 7: Secure software deployment, operations and maintenance
- Domain 8: Secure software supply chain

The exam consists of 125 multiple-choice questions (a passing score is 700 out of 1,000 points) and costs $599. Experience requirements: a minimum of four years of cumulative paid software development lifecycle (SDLC) professional work experience in one or more of the eight domains of the (ISC)² CSSLP CBK is required. Candidates with a four-year degree or regional equivalent in computer science, information technology (IT) or related fields can meet the requirement by demonstrating three years of cumulative paid SDLC professional work experience in one or more of the eight domains of the CSSLP CBK.

HealthCare Information Security and Privacy Practitioner

This credential benefits professionals working to protect personal health information within their organization. The HCISPP certification, which was last updated in Sept. 2019, suits experienced health information workers, system administrators, privacy managers, medical records overseers, security auditors and compliance officers. A look inside the HCISPP domains:

- Domain 1: Healthcare industry
- Domain 2: Information governance in healthcare
- Domain 3: Information technologies in healthcare
- Domain 4: Regulatory and standards environment
- Domain 5: Privacy and security in healthcare
- Domain 6: Risk management and risk assessment
- Domain 7: Third-party risk management

The exam consists of 125 multiple-choice questions and has a passing score of 700 out of 1,000 points. It costs $599. Experience requirements: candidates are required to have a minimum of two years of cumulative paid work experience in one or more knowledge areas of the HCISPP CBK that includes security, compliance and privacy. One of those years must be in the healthcare industry. “Legal experience may be substituted for compliance and information management experience may be substituted for privacy.”

The Associate of (ISC)² program

The Associate of (ISC)² program is designed for those ready to start a cybersecurity career. This designation allows anyone to take any of the certification exams without the required work experience. It is a good option for aspiring cybersecurity pros determined to fast-track their careers. The length of your exam will vary based on the certification you are pursuing. Associates of (ISC)² will need to pay an annual maintenance fee (AMF) of $50, which is due each year upon the anniversary of achieving their associate status.

Training

In addition to the options provided by (ISC)², a variety of live and on-demand courses are available from training providers like Infosec, making it easy for professionals to find learning opportunities that fit their needs, location and schedule.

Registration

Follow these steps to register for an exam:

1. Create an account with Pearson VUE, the exclusive, global administrator of all (ISC)² exams.
2. Select the (ISC)² certification exam you are pursuing.
3. Schedule your exam and testing location.

Maintaining your certification

(ISC)² certified members will need to pay a single AMF of $125 each year upon the anniversary of their certification date. To maintain the credential, certified members must meet several continuing professional education (CPE) requirements over their three-year certification cycle. Professional development activities such as webinars, courses, online events and publications can earn CPE credits.

Acquire an (ISC)² certification

An (ISC)² certification can help professionals prove their technical knowledge and level of expertise to current or prospective employers. Credential holders can boost their job prospects, advance their careers and may be able to secure positions with higher salaries.
