There used to be an obvious choice of which (ISC)2 certification you should get, but is that still the case?
CISSP has long been considered the standard in advanced cyber security certifications. That said, (ISC)2 has seen the growing need for a security certification focused on cloud platforms. Enter CCSP. (ISC)2 markets both as advanced security certifications: CISSP with a management emphasis, CCSP with a technical focus on cloud security.
What are the differences in required knowledge? Which lends itself towards your future career goals? Which pays better? And perhaps most importantly, in the dramatic shift from traditional networks to cloud infrastructure, which will hold future relevance?
We will break down this information and help you decide which certification is best for you. Let’s take a look at CISSP vs CCSP.
What are CISSP and CCSP Certifications?
CISSP and CCSP are advanced certifications offered by the International Information System Security Certification Consortium, (ISC)2, but they have different focuses, as we explain below.
The Certified Information Systems Security Professional (CISSP) advertises itself as “the most globally recognized certification in the information security market.” There’s very little arguing on that point.
CISSP is, in many ways, as much about security management as about technical proficiency. It demonstrates your understanding of a range of skills that aren't normally categorized as "technical": risk management, compliance and regulatory requirements, legal considerations, business continuity, reporting, designing and auditing security programs, and many more.
In short, CISSP validates the significant technical and administrative expertise and knowledge required for an information security professional to properly plan, implement, and manage an organization's overall security posture.
CISSP is geared towards seasoned security practitioners, managers, and executives who want to demonstrate their expertise in a broad range of security techniques and principles. Typical CISSP job titles include:
- Chief Information Security Officer
- Chief Information Officer
- Director of Security
- IT Director/Manager
- Security Systems Engineer
- Security Analyst
- Security Manager
- Security Auditor
- Security Architect
- Security Consultant
- Network Architect
According to the (ISC)2 “CCSP (Certified Cloud Security Professional) is ideal for IT and information security leaders seeking to prove their understanding of cyber security and securing critical assets in the cloud. It shows you have the advanced technical skills and knowledge to design, manage and secure data, applications and infrastructure in the cloud.”
This tells us two things that differentiate it from CISSP. Firstly, as we already know, it is focused on cloud platforms and cloud security. Secondly, it has a greater technical focus than managerial.
That’s not to say there are no administrative knowledge domains. The CCSP exam has a domain covering legal, risk management, and compliance topics. But it is a smaller share of the exam than cloud architecture and design, data security, platform and infrastructure security, application security, and cloud security operations.
CCSP job titles include:
- Enterprise Architect
- Security Administrator
- Security Architect
- Security Consultant
- Security Engineer
- Security Manager
- Systems Architect
- Systems Engineer
There is a fair amount of crossover in terms of job titles with CISSP, but you may have noticed CCSP lacks the “Chief” and “Director” titles in its list; “Security Manager” is as senior as it goes.
While both exams are designed by the same organization, they are very different. CISSP uses the adaptive exam format (ISC)2 introduced for its flagship certification, while CCSP is still a linear exam as of the time of writing.
CISSP is a four-hour examination made up of multiple-choice items and “advanced innovative” items, which we discuss further below. The required passing score is 700 out of 1000.
The exam content is broken down into eight “Common Body of Knowledge (CBK)” domains detailed in the official CISSP Certification Exam Outline:
- Security and Risk Management
- Asset Security
- Security Architecture and Engineering
- Communication and Network Security
- Identity and Access Management (IAM)
- Security Assessment and Testing
- Security Operations
- Software Development Security
The advanced innovative items are comparable to the Performance Based Questions on various CompTIA exams: rather than choosing one of four answers, you complete drag-and-drop or hotspot tasks within a scenario.
The English-language CISSP exam has used a Computerized Adaptive Testing (CAT) format since December 2017, when it replaced the standard linear format; the May 2021 revision changed the exam's length, not its format. Under CAT, both the number of questions you see and their difficulty depend on how you’ve answered previous questions.
(ISC)2 explains how the CAT system works as follows:
“Following a candidate’s response to an item, the scoring algorithm re-estimates the candidate’s ability based on the difficulty of all items presented and answers provided. With each additional item answered, the computer's estimate of the candidate’s ability becomes more precise…”
In plain terms: the system adjusts difficulty as you go, serving a harder item after a correct answer and an easier one after an incorrect answer, and the pass/fail decision rests on its estimate of your ability rather than on a simple count of correct answers.
The CCSP certification requires passing a four-hour multiple-choice exam consisting of 150 questions with four choices each. Unlike CISSP, it currently contains no Advanced Innovative Questions. Whether this changes in the future remains to be seen.
The passing grade for the CCSP exam is 700 out of 1000.
Its six knowledge domains are as follows:
- Cloud Concepts, Architecture and Design
- Cloud Data Security
- Cloud Platform and Infrastructure Security
- Cloud Application Security
- Cloud Security Operations
- Legal, Risk and Compliance
CCSP exam questions vary: some are straightforward definitions, others ask you to identify a best practice or the appropriate concept for a given scenario.
When it comes to breadth of required knowledge, CISSP wins this one.
Most of the topics on the CCSP exam also appear on the CISSP exam, just not in cloud-specific form. CISSP treats them in a broad sense that should apply to any infrastructure.
The requirements for CISSP and CCSP are incredibly similar, which should be no surprise considering they are both advanced certifications for security professionals offered by the same organization. There are a few differences to note.
We’ve gone over the way to earn your CISSP in several prior articles, so if this is old news feel free to skip down. If it’s new to you, take the time to go over this because the requirements are not straightforward.
(ISC)2 does not require work experience to sit the exam, but it does require work experience to claim the CISSP title.
CISSP candidates must have a minimum of five years of cumulative paid work experience in two or more of the eight domains of the CISSP CBK.
Earning a four-year college degree (or regional equivalent) or an additional credential from the (ISC)2 approved list will satisfy one year of the required experience. You can only satisfy a total of one year out of the five.
What happens if you pass the exam without experience?
If you write the exam and pass without having the required paid experience, you become what is known as an “Associate of (ISC)2”. You can state that you are an associate and that you have passed the CISSP exam, but you cannot advertise yourself as a CISSP.
From the time of passing the exam, you will have six years to earn the five years of required experience. You must also receive an endorsement from an (ISC)2 member in good standing.
Much like CISSP, there is a work experience requirement for CCSP candidates.
To qualify, you must, of course, pass the CCSP certification exam. As with CISSP, passing without the required experience makes you an Associate of (ISC)2 rather than a CCSP.
You must also possess at least five years of cumulative, paid, full-time work experience in information technology. Three of those years must be in information security. One of the years must be in one (or more) of the six knowledge domains we covered in the exam details.
You can qualify one of the years of experience by holding the Certificate of Cloud Security Knowledge (CCSK) from Cloud Security Alliance. You can qualify all five years by already being a CISSP certification holder.
You then require the endorsement of another (ISC)2 certified professional in good standing who can attest to your experience.
The two certifications are too similar to score.
You can bypass much of the CCSP certification requirements by already holding a CISSP, speeding up the process for some.
CISSP offers many more options to qualify one year of experience, including a degree and wide range of potential certifications.
You might expect the difficulty of the two certifications to be roughly equivalent, based on some similar subjects and being offered by the same organizing body. This, however, is not the case.
As we’ve said, (ISC)2 uses the CAT system on the English CISSP exam. The system selects questions on the fly: answer correctly and it serves harder items, answer incorrectly and it serves easier ones, narrowing its estimate of your ability with each response.
The trade-off is that harder items carry more weight in that estimate. A run of correct answers on difficult items can therefore end the exam early with a passing grade.
Once the minimum number of items has been answered (100 in the original three-hour CAT format, 125 in the four-hour format introduced in May 2021), the algorithm checks whether it is 95% confident that you are above the passing standard, in which case the exam ends with a pass, or 95% confident that you are below it, in which case it ends with a fail.
If neither confidence threshold is reached, it re-evaluates after each additional item until the maximum (150 or 175 items respectively), when the exam ends regardless and the final ability estimate decides the result.
CISSP was considered a very difficult exam prior to this new system’s introduction. The CAT system has not helped matters in that regard.
CCSP maintains the old linear multiple choice format (at least for the time being). Unlike CISSP, you will face no Advanced Innovative Questions. This makes it an exam based on memorization and conceptual understanding, not at all performance based.
CCSP’s CBK is also smaller in scope than CISSP’s.
CISSP contains many of the same subjects as CCSP. CCSP only requires you understand their application in terms of cloud infrastructure, while CISSP stresses their application to all manner of information security.
We can also see from the advertised job titles mentioned previously that CISSP requires you to understand subjects of value to CISOs, IT managers and security directors, while CCSP does not.
We are not suggesting CCSP is an easy exam. However, between the narrower focus of its knowledge domains, the lack of performance-based items, and the absence of the CAT system, CCSP will undoubtedly be easier to pass.
CISSP has long been one of the most sought after security certifications on the market. But how has CCSP developed with the dramatic rise in cloud technology?
At the time of writing, an America-wide job search for CISSP on Indeed.com resulted in 13,474 postings, while CCSP only resulted in 1,900.
Quickly browsing through the first 15 postings for CCSP, only three did not also list CISSP as an acceptable certification for the position.
Both CISSP and CCSP are included in the DoD 8570 baseline certifications. However, CCSP is approved for far fewer workforce categories and levels than CISSP. (Note that neither certification confers a security clearance; 8570 maps certifications to job roles, not to clearance levels.)
According to PayScale, the average annual salary of a CISSP is $123,000 USD, and that of a CCSP is $122,000 USD.
Other job sites report similar numbers, likely because most postings that request CCSP also accept CISSP.
There is no debate here. CISSP is more in demand among recruiters, qualifies you for more DoD 8570 roles and higher levels, and pays roughly the same if not more.
Cost and Recertification
The exam fee for CISSP is $749, compared to $599 for CCSP. Both require an annual maintenance fee of $125. If you hold multiple (ISC)2 certifications, a single annual fee covers all of them.
Validity and Renewal
Both certifications are valid for a period of three years, after which they must be renewed, normally by earning Continuing Professional Education (CPE) credits over that period; a holder who does not meet the CPE requirement must retake the exam.
(ISC)2 has specific guidelines as to what counts as a CPE, but in general, these can include taking other security related courses, earning certifications, speaking at conferences, publishing, or attending industry events.
CISSP requires 120 CPEs to renew, while CCSP only requires 90 CPEs within the three years.
CCSP is cheaper to write and requires less upkeep.
CISSP vs CCSP: The Final Verdict
It might be the harder and more expensive exam, but CISSP still reigns supreme in the world of information security certifications.
CISSP has long been a must-have certification for senior cyber security professionals. It is the closest the security industry has to a standard certification.
That wasn’t really the debate. The question comes down to future-proofing. As cloud technology moves towards becoming the standard, will CCSP eventually hold more value than CISSP?
Our opinion is no.
That’s not to say CCSP is without value. There is certainly a place for it, especially if your aim is to stay in cloud security. CISSP simply offers more to its holders, and will most certainly continue to do so in the future.
A CISSP certificate also works to satisfy eligibility requirements for CCSP, meaning it makes sense for you to earn your CISSP first, then consider if CCSP will add additional value to your resume and knowledge.
Whatever you decide, you can view our collection of CISSP preparation courses and practice tests here and our CCSP courses and practice tests here.