When searching for prospective job opportunities, you will likely see CISSP and CEH in the list of desired professional certifications. You may ask yourself, “which one should I work on, and why?
Many of our students have brought up this same question. Since time and money are finite commodities, it’s essential to invest in a certification that aligns with your professional experience and career goals.
We have a great deal of experience with and provide training for both certifications. This article will give you an in-depth comparison of CEH vs CISSP so that you can decide which is right for you.
What Are CISSP and CEH Certifications?
While CISSP and CEH are both highly-recognized industry certifications, they differ greatly in their scope and purpose.
The Certified Information Systems Security Professional (CISSP) is a certification created by the International Information Systems Security Certification Consortium, often shortened to (ISC)2 or sometimes (ISC)².
The CISSP certification was established in 1994, making it the oldest ANSI 17024 accredited information security certification. CISSP is designed for security professionals with several years of experience who want to demonstrate their knowledge and expertise across various information security disciplines. It is often described as “a mile wide and an inch deep.”
Like CISSP, EC-Council’s Certified Ethical Hacker (CEH) certification is also ANSI 17024 accredited but did not arrive on the scene until 2003, nearly nine years after CISSP.
There are two available CEH Certifications:
- CEH (ANSI): a knowledge-based multiple choice exam
- CEH (Practical): a hands-on virtual lab that simulates ethical hacking activities
In this article, we’ll only be covering CEH (ANSI).
Both CISSP and CEH are written exams but differ greatly in approach and rigor.
CISSP Exam Details
CISSP is a closed-book, knowledge-based exam. It consists of 125-175 total questions and must be completed within 4 hours. The test is comprised of:
- 50 unscored items (questions that might be used in future tests but don’t count against your score)
- 75-125 Multiple choice questions and advanced innovative items (i.e., drag and drop items into the correct order)
The CISSP exam covers eight domains and is weighted as follows:
- Security and Risk Management (15%)
- Asset Security (10%)
- Security Architecture and Engineering (13%)
- Communication and Network Security (13%)
- Identity and Access Management (IAM) (13%)
- Security Assessment and Testing (12%)
- Security Operations (13%)
- Software Development Security (11%)
The exam uses the Computerized Adaptive Testing (CAT) format, meaning that the number and difficulty of the questions are dynamically adjusted based on your previous answers. Because of this, you can’t skip a question and go back to it later, nor can you change an answer you’ve already submitted.
The minimum passing grade for the CISSP exam is 700/1000 points.
CEH (ANSI) Exam Details
CEH (ANSI) is a closed-book, knowledge-based exam. It consists of 125 multiple-choice questions covering 20 domains and must be completed within 4 hours. Some of the topics covered include:
- Information security threats and attack vectors
- Attack detection
- Attack prevention
- Information security procedures and methodologies
The minimum passing score for CEH (ANSI) exam can range from 60% to 85% depending on the test bank you receive.
The specific topics you’ll need to know for the exam are covered in our comprehensive CEH exam cheat sheet.
Both certifications require several years of professional experience, but each offers options for those who lack the required tenure.
To receive the CISSP certification, (ISC)2 requires that candidates possess a minimum of five years of cumulative experience in two or more of the eight domains within its CISSP Common Body of Knowledge (CBK).
Completing a four-year college degree or attaining an approved certification can be counted toward one year of the five-year requirement.
Note: Be aware that this is not cumulative; you cannot combine multiple certifications, degrees, or a combination of both to achieve more than a year off the total experience requirement.
You can find a complete list of accepted certifications here.
If you pass the exam but don’t possess the requisite experience, you will receive the “Associate of (ISC)2” designation instead.
Additionally, all CISSP candidates must be endorsed by an active CISSP holder within nine months of passing the CISSP exam.
CEH (ANSI) Requirements
As a prerequisite to taking the CEH (ANSI) exam, EC-Council requires candidates to either:
- Complete EC-Council’s official CEH training course or
- Possess at least two years of work experience in Information Security
If you have the relevant experience and wish to skip the official training course, you must submit an Eligibility Application Form and pay an application fee (details below). This fee is non-refundable, regardless of whether or not your application to sit for the exam is accepted.
Winner: CEH (ANSI)
While CISSP and CEH require several years of experience, CEH candidates can forgo this requirement by completing the official training. Unlike CISSP, passing the CEH exam grants you the CEH certification, even if you don’t possess several years of industry work experience. See "How to Get the Certified Ethical Hacker (CEH) ANSI Certification" for more details.
CISSP is a very challenging exam covering a broad range of information and cyber security disciplines. The CAT format adds to the overall challenge by ratcheting up the difficulty for each successfully answered question for a given domain.
By contrast, CEH (ANSI) has a much narrower focus, concentrating solely on penetration testing-related concepts.
As you can see in the Skills Roadmap below, CEH is an exam you would pursue when gaining a general understanding of cyber security. CISSP is a certification you earn while upping your skills and knowledge to an advanced level. This gap is reflected in their difficulty levels.
Winner: CEH (ANSI)
CEH is considered the easier of the two exams. There are potentially fewer questions on the CEH exam, and the format is linear, allowing you to skip questions you’re unsure of and return to them later.
Recognition and Reputation
The CISSP and CEH certifications are well-recognized certifications in the cyber security industry, but for different reasons.
(ISC)2 claims that CISSP is “the most globally recognized certification in the information security market,” and for good reason! The United Kingdom’s National Academic Recognition Information Centre (NARIC) found CISSP comparable to a Master’s Degree.
CEH (ANSI)’s Reputation
The CEH (ANSI) certification is well known amongst prospective employers (as we’ll demonstrate below) but holds less value to serious cyber security professionals. It lacks the depth and hands-on experience needed to be a successful penetration tester and the breadth of cyber and information security knowledge gleaned from CISSP.
While you can complete CEH without the requisite experience, CISSP cannot be attained without the knowledge needed to pass the exam and several years of relevant work history to back it up.
We searched several popular online job boards for US-based opportunities and found that “CISSP” appeared in job postings between 3.6-5.7 times more often than “CEH,” making it hands-down the more popular certification to prospective employers by a vast margin.
Very few of these listings (10-11%) included both search terms, implying that most employers tend to prefer one or the other, but not both. The table below was compiled from data* published on Payscale.com, comparing salary ranges by certification and job title:
*The figures above were current at the time of writing. The CEH certification was based on 2,612 individual reports, while CISSP salaries came from a much smaller sample size of 824.
In addition to expectations and responsibilities, experience also goes a long way toward determining overall compensation for a given role. The graph below illustrates a breakdown of the average experience level of CEH holders according to payscale.com:
Although CEH (ANSI) is considered an entry-level ethical hacking certification, the data implies that very few entry-level job candidates hold that cert, the vast majority being early to mid-career in experience.
Ethical hacking requires a general knowledge of computer networking, systems administration, and scripting. As such, most individuals enter into cyber security through a feeder role, such as IT support or software development, as illustrated in StationX’s cyber security pathway.
In contrast, the vast majority of CISSP holders are mid-career and above, with the most experienced representing the largest group:
Positions that require CISSP certification are in greater demand and pay better across the board than those looking for CEH candidates. It’s no surprise that CISSP holders (by virtue of its requirements) tend to be more experienced and thus command higher salaries.
Cost and Recertification
The CEH certification is more expensive to earn and maintain. However, retaking is less costly if you fail to pass the first time.
The current cost of the CISSP exam is $749. No discount is offered for retakes should you fail to pass on your first attempt.
The CISSP certification is valid for three years. To recertify, you must:
- Pay an annual maintenance fee of $125, Associates of (ISC)2 (i.e., those who passed the exam but don’t possess the requisite work experience) pay $50 annually
- Earn 120 Continuing Professional Experience (CPE) credits within the three-year recertification window
CPE credits are earned through attending conferences, publishing information security-related works, serving on panels, and other activities. In their official handbook, you can find more information about (ISC)2’s CPE requirements.
CEH (ANSI) Cost
Before purchasing an exam voucher, you must spend $850 for the official CEH training course.
Alternatively, if you have at least two years of information security experience, you can submit an eligibility application form and a non-refundable $100 application fee. If EC-Council rejects your application, they will not refund your $100 fee.
The current cost of the CEH (ANSI) exam voucher through Pearson Vue is $1199. If you plan to take the exam online via ProctorU, you can save a little money by purchasing an ECC exam voucher for $950.
If you fail your CEH (ANSI) exam, you can apply for a retake, and if approved, you can purchase the voucher for $499.
The CEH certification is valid for three years. To recertify, you must:
- Pay an annual membership fee of $80
- Earn 120 EC-Council Continuing Education (ECE) credits within the three-year recertification window
ECE credits are earned by attaining other security-related certifications and attending information security-related conferences and events. You can find more information about ECE credits in EC-Council’s ECE Policy.
We fully break down the costs of attaining and maintaining the CEH ANSI here.
The cost of a CISSP exam is $300 less than CEH for an experienced individual (i.e., $100 application fee and $950 ECC exam voucher). Otherwise, the difference is $1,050 if you include CEH’s official training course.
While the annual maintenance fees for CISSP are more expensive, CISSP holders tend to earn more than CEH holders, so the cost is less impactful. For Associate of (ISC)2 members, the annual costs are $30/year less than CEH.
CISSP vs CEH: The Final Verdict:
To earn a CISSP demonstrates the knowledge and experience to succeed across a wide range of information and cyber security roles. Despite CEH’s focus on penetration testing, earning a CEH certification does not provide the hands-on skills needed to be successful in that field.
Below is a summary of our evaluation:
If you’re interested in pursuing a career in penetration testing, there are other certifications and programs that do a better job of preparing you for that role (e.g., OSCP). If you work in a tangential role and want to understand more about the tools and methods employed by pen testers, CEH could be valuable in that context.
Our recommendation is to work toward earning a CISSP. Even if you don’t possess the requisite experience, the Associate of (ISC)2 can still serve as means to break into the industry and eventually obtain your CISSP.
StationX offers bundles for both CISSP and CEH certification through our VIP subscription. VIP membership provides you with the relevant content needed to successfully prepare for and pass either exam and unlimited access to hundreds of other courses!