CompTIA Advanced Security Practitioner (CASP+) and (ISC)2’s Certified Information Systems Security Professional (CISSP) are both advanced cyber security certifications that are accepted as part of the DoD 8570 framework.
While they claim to have somewhat different audiences, both market themselves to seasoned security professionals looking to prove their expertise and earn high salaries.
Understanding how CISSP vs CASP+ differ and which does more to move your career forward is important when planning your long-term goals, so let’s break them down and see which is better for you.
What Are CISSP and CASP+ Certifications?
The Certified Information Systems Security Professional (CISSP) advertises itself as “the most globally recognized certification in the information security market.” We feel this is a fair claim.
CISSP certifies an information security professional's profound technical and managerial knowledge and expertise to successfully design, engineer, and manage an organization's total security posture.
In many ways, CISSP is as much about project management as it is technical expertise. It proves you understand risk management, compliance and regulatory agreements, legal issues, business continuity, reporting, designing and auditing security strategies, and many other skills that would not typically be considered “technical.”
CISSP is geared towards seasoned security practitioners, managers, and executives who want to demonstrate their expertise in a broad range of security techniques and principles. Typical CISSP job titles include:
- Chief Information Security Officer
- Chief Information Officer
- Director of Security
- IT Director/Manager
- Security Systems Engineer
- Security Analyst
- Security Manager
- Security Auditor
- Security Architect
- Security Consultant
- Network Architect
According to the CompTIA website, “CompTIA Advanced Security Practitioner (CASP+) is an advanced-level cybersecurity certification for security architects and senior security engineers charged with leading and improving an enterprise’s cybersecurity readiness.”
The takeaway is that this is a technical certification, not one focusing on management. CompTIA clearly states that CASP+ is “for advanced practitioners — not managers.” It qualifies individuals on their ability to design and implement cybersecurity solutions. If CISSP is about designing and managing, CASP+ is about engineering and implementing.
The CASP+ exam covers applying security practices to cloud / on-premises / endpoint / mobile infrastructures, monitoring, detection, and incident response, automating security operations, and implementing security solutions.
CASP+ job titles include:
- Security Architect
- Senior Security Engineer
- SOC Manager
- Security Analyst
- Application Security Engineer
- Technical Lead Analyst
As Patrick Lane stated in his blog post on the CompTIA website, CompTIA’s New CASP Exam Is Here: Keep Your Hands on the Keyboard:
“Not everyone wants to manage cybersecurity policies. Many cybersecurity professionals want to work directly with cybersecurity technology and geek out on the keyboard forever.”
We can see this distinction in the skills roadmap below. CISSP is a certification you begin pursuing when you want to develop an advanced skill level in a broad range of cyber security topics. CASP+ is also a certification to pursue at an advanced level, but it is specialized rather than broad.
CISSP is a four-hour examination consisting of multiple choice and Advanced Innovative Questions, which we discuss further below. The required passing score is 700 out of 1000.
The exam content is broken down into eight domains detailed in the official CISSP Certification Exam Outline:
- Security and Risk Management (15%)
- Asset Security (10%)
- Security Architecture and Engineering (13%)
- Communication and Network Security (13%)
- Identity and Access Management (IAM) (13%)
- Security Assessment and Testing (12%)
- Security Operations (13%)
- Software Development Security (11%)
The CISSP exam comprises two types of questions: multiple choice and Advanced Innovative Questions. The Advanced Innovative Questions are similar to the Performance Based Questions you find on various CompTIA exams. These are hands-on challenges, as you can see in the example below.
Since May 2021, English versions of the exam have changed from a standard linear format to a Computerized Adaptive Testing (CAT) format. This means that the number of questions and their difficulty change depending on how you’ve answered previous questions.
(ISC)2 explains how the CAT system works as follows:
“Following a candidate’s response to an item, the scoring algorithm re-estimates the candidate’s ability based on the difficulty of all items presented and answers provided. With each additional item answered, the computer's estimate of the candidate’s ability becomes more precise…”
Put simply, the exam adjusts its questions to become more challenging as you go.
The most current version of the CASP+ exam at the time of writing is exam code CAS-004. You have 165 minutes to complete the exam, which will consist of no more than 90 questions. Like most other CompTIA exams, CASP+ consists of both multiple choice and Performance Based Questions (PBQs).
Unlike other certifications from CompTIA, there is no scaled score. This is simply a pass-or-fail exam.
The number of domains has been reduced from the previous version; the current exam consists of the following four:
- Security Architecture (29%)
- Security Operations (30%)
- Security Engineering and Cryptography (26%)
- Governance, Risk, and Compliance (15%)
CompTIA’s CASP+ Certification Exam Objectives document breaks down the sub-topics of each domain and what type of questions to expect.
As with most CompTIA exams, the multiple choice questions tend to be in the vein of, “Given a scenario,” where you are given conditions and asked to choose a solution. This may involve the correct way to implement a software application or to make sense of data output.
The PBQs are more hands-on. For example, you might be given an emulated terminal on a Red Hat Linux system and be tasked with closing all unnecessary ports, or with installing the correct security patch in a virtual Windows environment. See CompTIA’s example of a PBQ below.
Both exams are primarily multiple-choice with some simulation questions. Both cover many of the same topics.
CISSP covers a greater range of material, which demonstrates a more diverse skill set in its holders. If you fail your CISSP exam, you will receive a score with some information about which domains to focus on. In contrast, CASP+ is a pass/fail exam, meaning you will not receive any feedback on how close you were to passing or on which domain you need to focus.
We’ve had students ask for clarification on the CISSP requirements, as there are several conditions and exceptions to earning this particular certification.
(ISC)2 does not require work experience to sit and write the exam, but it does require work experience to claim the title of CISSP.
Candidates must have a minimum of five years of cumulative paid work experience in two or more of the eight domains of the CISSP common body of knowledge.
Earning a four-year college degree (or regional equivalent) or an additional credential from the (ISC)2 approved list will satisfy one year of the required experience. You can only satisfy a total of one year out of the five.
Can you still write the exam without the work experience? Yes.
If you write the exam and pass without having the required paid experience, you become what is known as an “Associate of (ISC)2”. You are permitted to state that you are an associate and that you have passed the exam, but you cannot claim the title of CISSP.
From the time of passing the exam, you will have six years to earn the five years of the required experience. You must also receive an endorsement from a fellow CISSP in good standing.
Many of you reading this may not yet have the required experience to claim the title of CISSP. This does not mean you should dismiss the value of writing the exam. You still add credibility to your name and resume by being an Associate of (ISC)2. Just be aware you must gain the required experience within six years of passing the exam.
CompTIA does not have any strict requirements to write the exam. You will not be denied your certification or eligibility to write the test because you lack prior certifications or proven job experience. However, its recommendations need to be taken into account.
CompTIA strongly recommends you possess a minimum of ten years of experience in Information Technology, with at least five of those years specifically being in Information Security.
CompTIA also suggests you have a knowledge base equivalent to that of a Network+, Security+, CySA+ (CompTIA Cybersecurity Analyst), Cloud+, and PenTest+ holder.
CompTIA often recommends a particular amount of experience before attempting even their more beginner-level exams. In most cases, a strong prep course can be a sufficient replacement for missing job experience. In the case of CASP+, relying on a course alone is not recommended.
While we absolutely recommend CASP+ exam prep courses before attempting the exam, at least some hands-on experience should be under your belt before pursuing this particular advanced certification.
CASP+ does not require verifiable experience, while CISSP does. (ISC)2 also requires a CISSP in good standing to vouch for your experience before they will award you the title.
Even though (ISC)2 allows you to become an associate member until you complete the required work experience and receive a member endorsement, CASP+’s lack of hard-and-fast requirements puts it more in reach for some.
As touched on earlier, (ISC)2 has begun using the new CAT system on the CISSP exam. This system is designed to adjust the exam as you go, making it more challenging with each question. As you correctly answer questions, CAT will select more difficult questions from that knowledge domain.
As the questions get more difficult, they also become worth more points. As a result, correctly answering the increasingly complex questions can result in the exam ending earlier with a passing grade.
The exam does this by assessing your score at question 100. If it determines that you are 95% likely to pass, it will end the exam with a pass. Conversely, if it determines that you are 95% likely to fail, it will end the exam with a failing grade.
If the likelihood of either a pass or fail is less than 95% by question 100, it will reevaluate the odds after each question until question 150, when the exam will end regardless.
CISSP was always considered a difficult exam, but this new system takes it a step further. If it finds you know a domain well, it will make those questions more difficult to create a further challenge.
The CASP+ exam has a narrower focus than CISSP. As we’ve established, CISSP is a managerial certification covering many aspects of Information Security. CASP+ is a technically focused certification.
What does this mean for difficulty? CompTIA exams are typically thought of as very broad but very shallow. This is a reality of vendor-neutral exams. Since you are not specifically learning the ins and outs of a Cisco or Juniper router and how to configure them, you are given a broad overview that applies as universally as possible.
In our comparison, CASP+ will have a deeper focus on fewer topics than CISSP. CASP+ is about how to perform tasks, while the CISSP asks why you should perform something.
A significant difference students will notice is that CASP+ allows you to review your answers. You can flag questions and return to them later or change your answers so long as you have time remaining.
By contrast, once you answer a question on the CISSP exam, it’s locked in. The system uses that answer to choose your next question, so there’s no undoing or rethinking anything.
There isn’t a universally accepted opinion on which exam is more difficult. This likely depends on whether the individual exam taker is more technically minded or better at managing larger scenarios.
Our opinion is that the CISSP will be the more challenging one for several reasons.
First, the CASP+ exam allows you to review and change your answers before submitting the exam. This allows you to let a question stew in your mind while working on other challenges. You may find a hint to an answer hidden in the phrasing of a later question. You cannot go back to a question during the CISSP exam.
Second, there is a greater range of topics to cover for CISSP. A narrower but deeper exam, like with the CASP+, means ideas build upon each other. The wide range of content for CISSP requires greater study.
Third, CISSP is a four-hour exam that uses an algorithm to make itself more difficult as you go. CASP+ selects from a set pool of questions at the beginning and lets you work through them as you wish.
CASP+ is by no means an easy exam, but we feel CISSP will present a greater challenge to exam takers.
At the time of writing, an America-wide job search for CISSP on Indeed.com resulted in 20,403 postings, while CASP only resulted in 1,399.
Despite CASP+ having been available for four years, it is not nearly as recognized as CISSP.
Both exams are included in the DoD 8570 baseline certifications. Both qualify you for many Information Assurance positions, but only CISSP is accepted for an Information Assurance Management Level III position.
According to ZipRecruiter, the current average salary of a CISSP is $129,000 USD per year ($62/hour). They list the salary of a CASP+ at $112,736 USD per year ($54/hour).
There is no debate here. CISSP is more in demand among recruiters, qualifies you for a higher DoD 8570 position level, and pays more per year.
Cost and Recertification
The cost of writing the CISSP exam is $749 compared to $480 for CASP+. (ISC)2 also requires a membership fee of $125 yearly, which is not the case with CompTIA and CASP+.
Validity and Renewal
Both certifications are valid for a period of three years, after which they must be renewed either by retaking the exam or earning educational credits. CompTIA refers to these as continuing education units (CEUs), while (ISC)2 calls them continuing professional education (CPEs).
CompTIA and (ISC)2 have specific guidelines as to what counts as an educational credit, but in general, these can include taking other security-related courses, earning certifications, speaking at conferences, publishing, or attending industry events.
CASP+ renews with 75 CEUs earned within the certification's three-year validity period. The renewal also requires a $150 fee.
CISSP requires 120 CPEs to renew, with 40 being earned each year, requiring much more of an investment to maintain.
As an aside, CompTIA considers many popular certifications to be worth 75 CEUs, allowing you to renew your CASP+ with a single exam. This list includes (among others):
- LPT - Licensed Penetration Tester
- CCISO - Certified Chief Information Security Officer
- GSE - GIAC Security Expert
- GSOM - GIAC Security Operations Manager
- CISA - Certified Information Systems Auditor
- CISM - Certified Information Security Manager
- CCFP - Certified Cyber Forensics Professional
- CISSP - Certified Information Systems Security Professional
CompTIA has made CASP+ an easier certification to renew and a more affordable exam to write, and it does not subject its holders to yearly fees.
CASP+ vs CISSP - The Final Verdict
Despite the cost, fees, and requirements, CISSP is our choice as the better certification.
In our experience, there is very little debate on this matter. CISSP is not only a superior certification to CASP+, but also a must-have goal for senior cybersecurity professionals.
Long term, you should aim to pass the Certified Information Systems Security Professional (CISSP) certification. The CISSP is the closest the security industry has to a standard in certification.
While CASP+ markets itself as geared towards those who wish to remain in hands-on technical positions (rather than management), it is still a broad-stroke exam. Being vendor-neutral limits how technical it can get.
CISSP covers much of the same material as CASP+ and then much more. It is well-known and highly sought after. CASP+ may be getting recognition as well, but CISSP is too established to be dethroned that easily.