ISC2

ISC2 provides vendor-neutral cybersecurity certifications for information technology professionals. Its certifications validate skills in risk management, governance, cloud security, software development, and systems security architecture.


ISC2 (the International Information System Security Certification Consortium) formed in 1989 with a specific mandate: establish a standardized, vendor-neutral baseline for cybersecurity competence. Today, the non-profit organization counts more than 270,000 certified members worldwide. While hardware and software vendors validate your ability to configure their specific products, ISC2 certifications validate your understanding of security principles, risk management, and governance.

The CISSP Standard

The CISSP (Certified Information Systems Security Professional) anchors the ISC2 portfolio. Introduced in 1994, it remains the most requested security credential in enterprise job postings. As of 2024, more than 170,000 professionals hold the certification.


The CISSP targets senior security practitioners, managers, and executives. It requires five years of cumulative, paid work experience across two or more of its eight domains. These domains cover asset security, architecture, network security, identity and access management, and software development security.

The exam uses Computerized Adaptive Testing (CAT). Candidates face between 100 and 150 questions over three hours. The testing engine adjusts question difficulty based on previous answers, ending the exam once it calculates your proficiency with 95% statistical confidence. Passing requires a score of 700 out of 1000.

This exam tests judgment, not just memorization. Questions often present scenarios where multiple answers are technically correct, but one is the best choice from a management or risk perspective. You must evaluate technical vulnerabilities in the context of business impact.

Operations and Cloud Security

Not every professional has five years of experience or a desire to move into management. ISC2 offers credentials for operational and specialized roles.

The SSCP (System Security Certified Practitioner) targets IT administrators and security operations center (SOC) analysts. It requires just one year of experience. The exam tests practical, hands-on knowledge. Domains include access controls, cryptography, incident response, and network security. In 2025, ISC2 moved the SSCP to the CAT format. The exam runs two hours and presents 100 to 125 questions. It proves you can implement and monitor IT infrastructure using established security policies.

For practitioners managing cloud environments, the CCSP (Certified Cloud Security Professional) validates expertise in cloud architecture, data security, and multi-tenant infrastructure. The CCSP demands a blend of traditional security principles and cloud-native context. You must understand shared responsibility models, container orchestration scenarios, and legal compliance across different geographic regions. The exam lasts three hours and contains 100 to 150 questions. Candidates often fail the CCSP by applying on-premises security logic to cloud scenarios. The exam requires you to think in terms of elasticity, distributed data, and cloud service provider contracts.

Software and Frameworks

Application security requires a distinct skill set from network defense. The CSSLP (Certified Secure Software Lifecycle Professional) focuses on integrating security practices into every phase of the software development lifecycle. It targets software architects, developers, and QA testers. Rather than patching vulnerabilities after deployment, the CSSLP proves you can build secure applications from the ground up. The exam covers secure software requirements, design, implementation, testing, and deployment.

For professionals working with government systems or heavily regulated industries, ISC2 offers the CAP (Certified Authorization Professional). In 2023, ISC2 rebranded this credential as the Certified in Governance, Risk and Compliance (CGRC), though it still frequently appears under its legacy CAP designation in job requirements and older HR systems. This certification proves your ability to use the Risk Management Framework (RMF) to authorize and maintain information systems. It focuses heavily on security control assessment, continuous monitoring, and organizational risk management. You must understand how to categorize information systems, select appropriate privacy controls, and secure formal authorization to operate.

Advanced CISSP Concentrations

Professionals who already hold the CISSP can pursue three concentration exams to prove subject matter expertise in specific disciplines. These require two additional years of experience in the specialized area.

The CISSP-ISSAP (Information Systems Security Architecture Professional) targets chief security architects. It tests your ability to develop, design, and integrate security infrastructure. You must demonstrate mastery of identity management architecture, cryptographic systems, and physical security integration.

The CISSP-ISSMP (Information Systems Security Management Professional) shifts focus entirely to leadership. It targets Chief Information Security Officers (CISOs) and directors who manage security programs. The exam covers enterprise incident management, disaster recovery planning, and executive communications. It proves you can translate technical risks into financial and operational terms for a board of directors.

The CISSP-ISSEP (Information Systems Security Engineering Professional) was developed in conjunction with the U.S. National Security Agency (NSA). It proves your ability to practically apply systems engineering principles to build secure systems, often in the context of government or military infrastructure. The exam covers technical management, systems security engineering, and specific government certification processes.

Career Value and the Endorsement Process

ISC2 certifications carry distinct weight in the job market because they are difficult to earn and maintain.

Passing an ISC2 exam is only the first step. To earn the actual certification, you must complete the endorsement process. Another ISC2-certified professional in good standing must verify your work experience and attest to your professional character. If you do not know an existing member, ISC2 can act as your endorser provided you submit detailed proof of your employment history. Candidates who pass an exam but lack the required experience become an Associate of ISC2, giving them a grace period to accumulate the necessary work hours.

This rigor makes these credentials a reliable filter for hiring managers. Many organizations use the CISSP as a hard requirement for senior security engineering and management roles. Furthermore, the U.S. Department of Defense recognizes all ISC2 certifications under its 8140 directive, making them mandatory for many military and defense contractor positions.

These certifications force you to step back from the command line. A firewall misconfiguration is a technical problem. The resulting data breach, regulatory fine, and reputational damage are business problems. ISC2 exams require candidates to prioritize the business problem over the technical one, treating security as a function of risk management rather than just IT operations.