International Information Security Certification Consortium (ISC)²:  A Definitive Guide

The worldwide integration and use of the internet in the late 80’s and early 90’s, led to an important discussion about the need to secure information shared in cyberspace. The many contributing voices to this discussion, meant that there was a need to develop a standardized set of rules for the study and application of security measures.

Recognizing these needs, the International Information System Security Certification Consortium was formed as a non-profit organization and it specialized in educating and certifying professionals working on information security. Today, (ISC) ² has become the world’s largest IT security organization and its certifications are respected globally.

An Introduction to (ISC) ²

The world renowned (ISC) ² —pronounced eye-ess-cee squared—is a non-profit organisation which was developed in 1989 for the sole purpose of educating and certifying individuals in the IT security industry. Since then, its’ phenomenal growth has seen the organization establish offices in the United States, Honk Kong and Tokyo.

(ISC) ² also boasts of thousands of members in over 160 countries and a reputation second to none. The certification program is known for its Common Body of Knowledge framework which serves as one of the guiding standards and principles for the IT security industry. Therefore, network security experts, IT security professionals, and engineers can validate their abilities by attaining an (ISC) ² certificate.

Is the (ISC) ² Certification Program for You?

Although your professional development is a personal matter, it is still important for one to seek a more-informed opinion from mentors and other sources of knowledge when pursuing a career.

Here, the benefits of becoming (ISC) ² certified for both professionals and business will be discussed to help you make an educated decision when considering a certification program.

The Benefits of an (ISC) ² Certification

Anyone who is active in the cybersecurity industry has a lot to benefit by partaking in the (ISC) ² certification program. Aside from the knowledge to be gained, many other benefits will be explored in the coming paragraphs.

Benefits to IT Professionals

  • Validates your Abilities—mitigating risks and keeping track of security issues is one of the biggest challenges every organization that operates any form of IT infrastructure faces. Therefore, having a certificate that proves your understanding of security issues proves your pedigree to the world.
  • Puts you on a Pedestal—it is common knowledge that for every job position in the IT community, there are a thousand and one people qualified for it. So how can one stand out? In IT security, an (ISC) ² gives you the desired platform that puts you head and shoulder above your peers.
  • Boosts your Earning Potential—a fulfilling career is one where you do what you love while earning a respectable income. Everyone has responsibilities and an (ISC) ² certified professional can earn much more to meet his or her responsibilities.


The Benefits to Corporate Organizations

  • Increases an Organization’s Understanding and Implementation of Best Practices—businesses that employ certified professionals directly enhance their ability to integrate information security code of ethics and standards in the organization.
  • Projects Confidence to Your Clients—a corporation that ensures its staff are certified in security matters, is viewed as a favourable organization to do business with. This builds trust and client confidence when working with or on your platform.
  • Improves Internal Security—certified IT security professionals have the knowledge needed to create a coherent security culture across all departments of an organization. This drastically increases a business’s ability to deal with security threats and mitigate risks.


(ISC) ² Certification: An Overview

The entire (ISC) ² certification program is built on the backs of seven core disciplines in information security. These certificate programs were developed with professionals and IT security practitioners working in the cybersecurity niche. The seven professional certification programs include:

  • Systems Security Certified Practitioner (SSCP)
  • Certified Information Systems Security Professional (CISSP)
  • Certified Authorization Professional (CAP)
  • Certified Secure Software Lifecycle Professional (CSSLP)
  • Certified Cyber Forensic Professional (CCFP)
  • HealthCare Information Security and Privacy Practitioner (HCISPP)
  • Certified Cloud Security Professional (CCSP)

(ISC) ² also offers holders of the CISSP certificate further opportunities to specialize in security architecture, engineering or management with the following certification programs:

  • Information Systems Security Architecture Professional (CISSP—ISSAP)
  • Information Systems Security Engineering Professional (CISSP—ISSEP)
  • Information Systems Security Management Professional (CISSP—ISSMP)

For IT professionals looking to further authenticate their expertise on security by obtaining a specialized (ISC) ² certificate, it is important to understand how climbing the (ISC) ² ladder works.

The first step to becoming certified is obtaining your SSCP credentials, this grants you the status of an Associate (ISC) ² professional as well as one of the important prerequisites needed to obtain a specialized certificate. It is also important to note that the same certification path applies for CAP, CSSLP, CCFP, HCISSP, CCSP, or CISSP. And professionals with this credentials fall under the Associate of the (ISC) ² umbrella.


(ISC) ² Certification Levels and their Programs

All the certification programs outlined above fall under two distinct levels; an Associate of (ISC) ² and a Specialist certification program. Here are the certificates IT security practitioners, architects and `engineers can participate in:

Associate of (ISC) ²

System Security Certified Professional (SSCP)

The SSCP certification program focuses on IT administration and the task that comes with integrating the necessary security policies to keep an IT infrastructure standardized and its data secure. The program is ideal for network security engineers, system administrators and security analysts looking to validate their abilities.

Examinations—the SSCP program consists of an exam which tests your understanding of the IT operational roles needed to ensure security. The topics to be covered by interested candidates cover 7 CBK domains including:

  • Access control
  • Incident response
  • Networks and communication
  • Security operations
  • Risk identification
  • Cryptography
  • Systems and applications security.

The SSCP exam runs for 3 hours and it consists of 125 multiple choice questions prepared for participants. Interested in sitting for the program? Then you are required to have a minimum of a year’s experience working full-time in one of the specified domains. Successful candidates are automatically Associates of (ISC) ² and are privy to the benefits that come with the association.


Certified Information System Security Professional (CISSP)

As with all (ISC) ² certifications, the CISSP is a vendor-neutral program dedicated to IT security. It also happens to be the most visible and popular certification program (ISC) ² has to offer. The program was designed to help network security specialists, engineers, network architects etc. interested in pursuing a professional certificate program. Therefore, if you fall into the category of people who implement, manage and troubleshoot IT security issues, the CISSP was developed for you.

Examination—the CISSP examination you have to pass to become certified is designed to test your knowledge on the 8 domains of CISSP’s common body of knowledge. This means you will have to be conversant with;

  • Security and risk management
  • Asset security
  • Security engineering
  • Communications and network security
  • Identity and access management
  • Security operations
  • Security assessment and testing
  • Software development security

The length of the exam is 6 hours and in that time you will be tasked with answering 250 multiple choice questions. It is also important to note that you are expected to have a minimum of 5 years’ experience working in at least 2 of the above listed CBK niches. It is also important to note that the certificate is valid for 3 years and to recertify, you are expected to earn at least 40 CPE credits annually for the succeeding 3 years.

Certified Authorization Professional (CAP)

CAP certification program focuses on measuring your understanding of management, and your skill with authorizing and maintaining information systems. The program was developed for information security experts, IT managers and system managers looking to validate their abilities assess, secure and authorize interactions within an IT ecosystem.

Examinations—like other programs offered by (ISC)², it is important to note that the CAP exam is vendor neutral and focuses on 7 domains of the CAP certification program CBK. These domains include;

  • Risk management framework (RMF)
  • Categorization of information systems
  • Selection of security controls
  • Security control implementation
  • Security control assessment
  • Information system authorization
  • Monitoring of security control

The exams covering these 7 domains consists of 125 multiple choice questions which you must answer to the best of your abilities in 3 hours. There are certain criteria you need to meet in other to be able to sit the exam. This includes; work experience of 2 years in any of the 7 domains listed above and an understanding of (ISC)² code of ethics.

The CAP certificate remains valid for 3 years and if you are interested in recertification, you will have to earn a minimum of 20 CPE points every year for the 3 years your certificate remains valid. This means a total of 60 CPE points gets you recertified.

Certified Secure Software Lifecycle Professional (CSSLP)

The CSSLP program was developed as a means for everyone involved in the software industry to validate their abilities. Therefore if you are a software developer, architect, project manager, quality assurance provider etc. the CSSLP is a great way to highlight your particular skill sets. The entire program focuses on software design, implantation, testing and deployment.

Examinations—the CSSLP program focuses on what it takes for you to build secure software through its entire lifecycle. The program is centred on 8 domains of the CSSLP’s CBK. These domains include;

  • Secure software concepts
  • Secure software requirements
  • Secure software design
  • Secure software implementation
  • Secure software testing
  • Software acceptance
  • Software deployment, operations, maintenance and disposal
  • Supply chain and software acquisition

The examination runs for 4 hours and it consists of 175 multiple choice questions covering the above domains. To be considered as a participant for CSSLP, you are required to have at least 4 years’ experience working full-time in at least one of the domains outlined above. The certificate’s validity expires after 3 years and to recertify, you will have to earn at least 30 CPE credits annually for 3 years and also pay an annual fee of $100.

Lastly, it is important to note that from July 1st 2017, the exam pattern and the 7 domains will be changed.

Certified Cloud Security Professional (CCSP)

The CCSP is a certification program backed by both the (ISC)² and the Cloud Security Alliance—a cloud computing non-governmental organization. The certification program focuses on providing Systems Engineers, enterprise architects, security experts and IT managers with a way to validate their abilities. It is also one of the popular certifications (ISC)² has to offer.

Examinations—if interested in attaining the CCSP certificate, it is important for you to seek knowledge across the different domains that make up the entire program. There are 6 CBK domains that make up the CCSP and they are:

  • Architectural concepts and design requirements
  • Cloud data security
  • Cloud platform and infrastructure security
  • Cloud application security
  • Operations
  • Legal and compliance

The CCSP exam runs for 4 hours and in that time you will be expected to answer 125 multiple choice questions focused on the 6 domain niches above. In order to be a part of the CCSP program, it is important to note that there are certain requirements you are required to meet.

These requirements include; a minimum of 5 years’ experience working within one of the above niches and it is important to note that 3 of these years must be from the field of information technology.

The CCSP certificate is valid for only 3 years and recertification must be considered if you want to keep your certificate. The recertification process consists of acquiring at least 30 CPE credits annually as well as the payment of an annual $100 fee. This means you require a total of 90 CPE units for the 3 years your certificate stays valid.

Certified Cyber Forensic Professional (CCFP)

Security analysts, Systems engineers and IT managers who specialize in ensuring that an organization’s IT infrastructure is set up to meet standard procedures and policies, should consider the CCFP program. The entire program is centred on forensic techniques and their application in a digital/cloud-related space. Cyber forensic professionals are tasked with operations such as; malware analysis, incidence response and also providing evidence relating to crimes or security breaches in a court of law.

Examinations—choosing to validate your abilities as a digital forensic examiner or a cybersecurity specialist through the CCFP program involves sitting and passing the related exams. To successfully do this, you must be mindful of the 6 domains that account for the questions you have to answer. These domains include;

  • Legal and ethical principles
  • Investigations
  • Forensic science
  • Digital forensics
  • Application forensics
  • Hybrid and Emerging technologies

The exam consists of 125 questions and you will be tasked to answer them in 4 hours. If you are interested in participating in the CCFP program, you are required to have a Bachelor’s degree or have passed through a 4-year course. A 3- year working experience in a field related to IT security or forensics is also a prerequisite for interested candidates. Lastly, it is important to note that you will have to recertify every three years for your certificate to remain valid. Recertification means you must have acquired at least 30 CPE units annually for three years while paying a fee of $100 yearly.

HealthCare Information Security and Privacy Practitioner (HCISPP)

The integration of digital infrastructures, cloud computing and other emerging technologies in healthcare means that IT professionals must be involved in safeguarding the information contained in these infrastructures. To adequately get this done, IT professionals with these abilities will be needed and this is where the HCISPP certification comes in.

The HICSPP program is recommended for compliance officers, privacy officers, digital security experts and analysts interested in validating their understanding of the healthcare IT industry.

Examination—the HCISPP is a non-vendor specific program. This means that you will not be tasked with answering questions relating to specific products or services. The exam covers 6 domains which include;

  • Healthcare industry
  • Regulatory environment
  • Privacy and security in healthcare
  • Information governance and risk management
  • Information risk assessment
  • Third party risk management

The HCISPP exam is made up of 125 multiple choice questions which must be answered in three hours.  To qualify for the HCISPP program, you must have acquired at least 2 years’ experience in one of the domains mentioned above. The HCISPP has a three-year life-span and to recertify, you must accumulate at least 20 CPE units annually to make up for the total of 60 CPE units you need to qualify for recertification. An annual fee of $65 is also needed for the three years your certificates stays valid.

Specialist (ISC)² Certifications

(ISC)² offers IT professionals advanced certification options under its CISSP umbrella which you can take advantage of if interested in going further in your pursuit of specialized security credentials. These specialized certification opportunities all have one thing in common; the need to have a valid CISSP certificate in order to be considered for further training.

Information Systems Security Architecture Professional (ISSAP)

The ISSAP is an advanced certification which was developed for security experts, system architects and technology officers looking to specialize in analysing and providing security for IT architectures. This certificate is something you should consider if you are looking to consult or develop security measures to protect IT infrastructure.

Examination—like the CISSP examination, the ISSAP program is based on 6 CBK domains which you must update your knowledge on in order to be successful. The domains you will be tested on include;

  • Access control systems and methodology
  • Communications and network security
  • Cryptography
  • Security architecture analysis
  • Technology related business continuity planning and disaster recovery planning
  • Physical security considerations

The ISSAP exam runs for 3 hours and you will be tasked with answering 125 multiple choice questions in that duration. There are certain prerequisites you must have acquired to qualify to be part of the ISSAP program. They include; a valid CISSP certificate and at least 2 years work experience in any of the 6 domains listed above.

It is important to note that from July 1st 2017, the above exam outline will be updated therefore rendering this obsolete.

Information Systems Security Engineering Professional (ISSEP)

The CISSP-ISSEP certification program was developed by (ISC)² in conjunction with the National Security Agency (NSA) to provide IT professionals with an advanced training procedure and examination process to validate our skill sets. The entire program focuses on training and testing your abilities to integrate security measures across diverse projects. The ISSEP is aimed at senior security analysts, senior systems engineers and information assurance officers.

Examination—the ISSEP examination is built on the CBK initiative and is set up to test your understanding across 4 domains. These domains include;

  • System security engineering
  • Certification and accreditation, risk management framework
  • Technical management
  • S. government information assurance related policies and insurance

The entire examination consists of 150 questions and it runs for 3 hours. If you are interested in pursuing an (ISC)² career path, it is important to note that having a valid CISSP certificate for 2 years is a prerequisite to participating in the ISSEP program.

Information Systems Security Management Professional (ISSMP)

The CISSP-ISSMP credential is designed as the project management certificate for the IT security niche. The entire program tests your ability to manage a business’s continuity planning program and your ability to lead during the project actualization phase. This means the ISSMP is an advanced certification which validates the knowledge and abilities of senior IT professional such as; Chief information officers, Chief technology officers and senior security executives.

Examination—the ISSMP exam is based on 5 domains from the (ISC)² common body of knowledge (CBK) and they include;

  • Security leadership and management
  • Security lifecycle management
  • Security compliance management
  • Contingency management
  • Law, ethics and incident management

The CISSP-ISSMP exam consists of 125 multiple choice questions and you will be given 3 hours to complete the exam. As an advanced certification program, you are expected to have a valid CISSP credential for approximately 2 years in other to be qualified to take the ISSMP examination.

Training and Practice Materials

Pursuing an (ISC)² certification is a well-rounded process that consists of more than just sitting your chosen exam and passing it. This is because the certification program also includes multiple learning opportunities which allow you acquire extensive knowledge of the IT security industry.

Many students also choose to learn at their own pace in order to eliminate confusion and other scheduling challenges that usually come up when you work and study simultaneously. If you fall into this category, then it is recommended that you take advantage of the customized learning processes SkillsBuild provides to its students.

Here, you can easily tailor your learning experience to fit your personal schedule without missing on any of the CBK domains you have been tasked with studying.

The Salary Advantages of Obtaining an (ISC)² Certificate

Everyone including you believes that acquiring an (ISC) ² certificate is a path way to both personal and professional development in the field of IT security and this is indeed true. One of the great advantages your certification will give you, is the ability to earn more than your peers without one.

System Security Certified Professional (SSCP)—certified professionals earn $50,000 to $55,000

Certified Information System Security Professional (CISSP)—certified professionals earn $69,000 to $80,000

Certified Authorization Professional (CAP)—certified professionals earn $60,000 to $69,000

Certified Secure Software Lifecycle Professional (CSSLP)—certified professionals earn $65,000 to $70,000

Certified Cyber Forensic Professional (CCFP)—certified professionals earn $70,000 to $80,000

 HealthCare Information Security and Privacy Practitioner (HCISPP)—certified professionals earn $65,000 to $75,000

Information Systems Security Architecture Professional (ISSAP)—certified professionals earn $87,000 to $100,000

Information Systems Security Engineering Professional (ISSEP)—certified professionals earn $100,000 to $102,000

Information Systems Security Management Professional (ISSMP)—certification professionals earn $105,000 to $110,000


Since its inception, the (ISC)² has remained one of the most popular IT security certification body in the tech community. Today, (ISC)² boasts of thousands of members across 160 nations. Successfully participating in its programs puts you in its select community of professionals with validated credentials.