If trying to decide between pursuing Security+ or CISSP is leaving you feeling somewhat overwhelmed, rest assured you’re in good company. These certifications share similar subject matter, and the prevalence of job postings conflating beginner and advanced certifications can understandably confuse you, as it has so many others.
We’re often asked by students to explain the difference between these two popular certifications, CompTIA’s Security+ and (ISC)2’s Certified Information Systems Security Professional (CISSP).
While both are globally recognized information security certifications, Security+ and CISSP are very different and designed for people at drastically different points in their careers.
In this article, we will walk you through a CompTIA Security+ vs CISSP comparison, highlight the differences and guide you toward the best certification for you.
What Are Security+ and CISSP Certifications?
The two are vendor-neutral, meaning they cover broader concepts that can apply to any system, not those specific to a particular company or infrastructure (such as only Cisco products or solely Linux-based systems).
They also have a wide scope of knowledge domains, covering topics like asset security, risk management, and security assessment and testing.
The tests share a similar format consisting of multiple-choice questions and some hands-on style challenges - CompTIA calls these “Performance Based Questions” (PBQs), while (ISC)2 calls them “Advanced Innovative Questions.”
Take a closer look, however, and you will see that they are not tailored to the same audience.
According to the CompTIA website, Security+ is “the first security certification a candidate should earn. It establishes the core knowledge required of any cyber security role and provides a springboard to intermediate-level cyber security jobs.”
Security+ is marketed as an entry-level certification. The exam material assumes an understanding of enterprise networking and begins covering cyber security from the ground up. It tells employers you have the foundational knowledge to discuss security and apply these practices at a basic level.
The (ISC)2’s website says of their certification, “the CISSP is ideal for experienced security practitioners, managers and executives interested in proving their knowledge across a wide array of security practices and principles…”
Therein lies what should be the most important difference to you. CISSP is geared toward industry professionals looking to level up their credentials. The exam content assumes years of experience already under your belt and builds upon that.
Looking at this Cyber Security Certificate Landscape, you can get a better feel for how these certifications compare. In this application, you can see what areas of focus each certification has. The higher up the column, the more advanced the level.
This app is useful for reference and consistency. It isn’t a complete picture of all areas they cover, but it does a great job of providing a high-level overview.
The significant crossover in subject matter and the similar exam format are likely reasons for the constant comparison of the two certifications. As we’ll see when we take a closer look, these similarities are only surface-level.
As of the date of this writing, the current version of the Security+ exam is SY0-601. Its content is broken down into five domains.
- Attacks, Threats, and Vulnerabilities (24%)
- Architecture and Design (21%)
- Implementation (25%)
- Operations and Incident Response (16%)
- Governance, Risk, and Compliance (14%)
To see how each knowledge domain is broken down, review the CompTIA Security+ Certification Exam Objectives document.
The exam contains “no more than 90 questions,” which will either be in the format of multiple choice or the previously mentioned PBQ. You could potentially have anywhere between one and ten PBQs on the exam; more PBQs will result in fewer multiple-choice questions.
The PBQs will have you perform some basic hands-on tasks in a simulated environment. This could mean adding specific firewall rules to a table or drag-and-dropping security hardware into the correct positions of a network map.
The multiple-choice questions will often follow a “given this scenario” format where you are expected to look at the circumstances presented and choose the best course of action. Others may ask you to compare and contrast concepts (such as elasticity vs. scalability).
A good example of a CompTIA-style exam question would be, “You want to implement a process that separates corporate apps from personal apps on mobile devices. Which of the following techniques will enable you to do this?”
Security+ requires a passing score of 750 (on a scale of 100 to 900) and can be written either from home or in person at a Pearson VUE testing center. You will have 90 minutes to complete the test and get your results almost immediately after the exam ends.
See our Security+ cheat sheet for a detailed breakdown of the domains.
CISSP is a four-hour-long examination consisting of 125-175 questions. It comprises both multiple-choice and advanced innovative questions. The required passing score is 700 out of 1000.
The exam content is broken down into eight domains detailed in the official CISSP Certification Exam Outline:
- Security and Risk Management (15%)
- Asset Security (10%)
- Security Architecture and Engineering (13%)
- Communication and Network Security (13%)
- Identity and Access Management (IAM) (13%)
- Security Assessment and Testing (12%)
- Security Operations (13%)
- Software Development Security (11%)
Since the May 2021 rollout, English versions of the exam have changed from a standard linear format to a Computerized Adaptive Testing (CAT) format. This means that the number of questions and difficulty changes depending on how you’ve answered previous questions.
(ISC)2 explains how the CAT system works as follows:
“Following a candidate’s response to an item, the scoring algorithm re-estimates the candidate’s ability based on the difficulty of all items presented and answers provided. With each additional item answered, the computer's estimate of the candidate’s ability becomes more precise…”
Like Security+, the test is available through Pearson VUE, although the CISSP exam can only be written in person at a testing center.
There is an important difference between this exam and the Security+ exam. In the Security+ exam, you can flag questions to go back to later. In the CISSP exam, because of the way the CAT system operates, you cannot skip questions and come back to them later.
While Security+ covers foundational concepts, CISSP delves deeper into specific topics that you are likely to encounter frequently, such as identity and access management. CISSP also has a managerial focus, which prepares you for more advanced and better-paying roles.
While Security+ has no hard requirements to earn, CISSP has several requirements related to industry experience.
There are no requirements to sit and write the Security+ exam.
That said, there are some recommendations made by CompTIA. It is suggested that you have at least two years of experience in IT administration with a security focus. In actual fact, a strong training course will be more than sufficient to stand in for those missing years of experience. The CompTIA Security+ Certification Total Prep Course is an excellent choice available as part of StationX VIP membership.
CompTIA also recommends that you have a foundational knowledge of IT before beginning your preparation for this certification. We agree and would recommend that you earn your Network+ certification first, though it is not a prerequisite.
The requirements for CISSP are much more demanding.
You are required to have a minimum of five years of work experience in at least two of the eight exam domains. There are specific rules regarding how many hours of work constitute full-time employment and what is permissible in terms of counting part-time hours.
You may satisfy a maximum of one of the five years of required experience if you hold a four-year degree in information security or hold one of an approved list of other security certifications (which includes Security+).
If you don’t have five years of experience, you do have the option to write the exam, but passing does not make you a CISSP. You become an “Associate of (ISC)2” until you gain the required experience. So you may say to potential employers that you are an associate who passed the exam but may not market yourself as a CISSP.
Security+ is far easier to obtain than CISSP. With CISSP, you need work experience and an endorsement from a CISSP holder in good standing. Security+ only requires you to show up, write the exam, and pass.
The format of the two exams is very similar, but their respective levels of difficulty are far from equivalent. As you can see in the diagram below, Security+ is a certification you earn in the third stage of your career when preparing for general security-related positions.
CISSP, on the other hand, is pursued when you enter stage four in your career, becoming an advanced cyber security professional. While it’s true the two exams have some shared subject matter, their respective difficulties reflect this difference in skill and experience.
The Security+ exam is by no means easy. It will require many tiring hours of study and practice to be successful on your exam day. However, it is an entry-level exam. It is not designed to challenge career veterans. It is made for you, the student looking to earn a first security certification to hang on the wall.
CompTIA has a nasty habit of using vague phrasing on some questions, forcing you to be very careful when reading to ensure you understand what they’re asking. A single word can change the entire question, so be sure not to rush through.
The PBQs sound intimidating, especially since they’re harder to practice on your own. Fortunately, they tend to be relatively straightforward if you understand the concepts you’ve been studying.
Be sure to take extra time learning your acronyms; there is no shortage of terms to remember.
Overall, Security+ offers a challenge but is fair in its difficulty for an entry-level student.
The new CAT exam system’s design generates a uniquely challenging exam tailored to your knowledge. As you get questions correct, the system will select more difficult questions from that domain.
While the exam becomes more and more difficult, the questions carry greater and greater value. Your continued success in answering questions will result in the exam ending earlier with a passing grade.
Specifically, the system first assesses your ability to meet the passing score at question 100. The test will end with a pass if the algorithm determines that you have a pass potential of at least 95%.
The test will instead result in a fail if the algorithm predicts your likelihood to fail at 95% or greater.
If no 95% pass/fail judgment can be made at question 100, the estimate is reevaluated after each subsequent question until question 150.
The Advanced Innovative Questions are similar in style and complexity to those of Security+.
In short, the exam will be difficult. In fact, it will adapt to challenge you further. Fortunately, if it decides you’ve proven yourself sufficiently, it will end early and grant you a passing grade.
Security+ is certainly the easier exam. You are given a set pool of questions at the beginning of the exam and can return to previous questions to change your answers. CISSP does not allow you to skip a question to return to later, nor can you edit previous answers. Your next questions are chosen based on how well you answered the previous ones, creating a more challenging exam.
At the time of this writing, a nationwide job search on Indeed pulled 10,148 job postings in America mentioning Security+ vs. 22,714 mentioning CISSP.
While seeing over double the postings requesting CISSP says a lot, there are other factors to consider.
Of the top 50 results for CompTIA Security+, seven required additional and more advanced certifications, six of which specifically required CISSP.
In the same top 50 results, 18 of the postings were specifically entry-level or help desk. This is certainly not a bad thing, especially if you are starting out in your career. By comparison, the vast majority of the top 50 CISSP postings were senior or managerial positions with salaries above $100,000 per year.
According to ZipRecruiter, the average salary for a CISSP holder today is $129,877, while they estimate the average salary for a Security+ holder to be $58,325.
So what do we take away from this? Again, Security+ is geared toward those starting their journey into information security. The job descriptions and salaries prove this. CISSP is representative of seasoned professionals who are able to demand higher salaries.
CISSP is one of the most in-demand cyber security certifications. Positions requiring CISSP pay roughly double those that only require Security+. As you see above, there are also double the job postings for CISSP holders.
Cost and Recertification
CISSP is certainly a more expensive certification to earn and maintain.
The cost of writing the CISSP exam is $749 USD compared to $381 USD for Security+. (ISC)2 also requires a membership fee of $125 yearly, which is not the case with CompTIA and Security+.
Both certifications are valid for a period of three years, after which they must be renewed either by retaking the exam or earning educational credits. CompTIA refers to these as continuing education units (CEUs), and (ISC)2 calls them continuing professional education (CPE) credits.
CompTIA and (ISC)2 have specific guidelines as to what counts as an educational credit, but in general, these can include taking other security-related courses, earning certifications, speaking at conferences, publishing, or attending industry events.
Security+ renews with 50 CEUs earned during the three-year validity period. Your renewal may or may not come with an additional cost.
If you renew by earning a more advanced CompTIA certificate, such as the Pentest+ or CySA+, there is no fee. If you renew using outside certifications or other approved means, the renewal requires a $150 fee.
CISSP requires 120 CPE credits to renew, 40 earned each year, which is a much larger investment to maintain.
This comes down to numbers. Security+ is less expensive, does not require membership fees, and has easier renewal requirements.
Security+ vs CISSP - The Final Verdict
As we’ve seen, CISSP vs Security+ is not an apples-to-apples comparison. CISSP and Security+ are very different in cost, testing, requirements, and outcome. Yet, there remains much confusion in this regard.
Matters certainly aren’t helped by the embarrassingly high number of HR Departments that mistakenly demand CISSP for an entry-level position. You do not need to be a CISSP to troubleshoot a DNS issue, and you won’t find a CISSP to work for an entry-level support desk salary.
If you wanted to compare certifications of a similar status, CISSP and CompTIA’s Advanced Security Practitioner (CASP+) are more closely aligned with each other, while (ISC)2’s Systems Security Certified Practitioner (SSCP) is more on par with Security+.
Answering which certification is better is easy. CISSP is more sought after and opens you to more rewarding opportunities. But is it the better certification for you? If you have to ask, the answer is no.
Students starting at zero or near zero should start with the fundamentals. In terms of security fundamentals, Security+ is an excellent certification to earn. It covers a wide range of topics without going too deep for beginners. It shows you can talk shop with professionals without getting lost in the conversation. Check out our Security+ courses to help you prepare for the certification exam!
When setting long-term goals, or if you’ve worked in security for several years and are ready to level up your career, CISSP must be on your radar. If you are at that point in your career or want to become an Associate of (ISC)2, we have a great selection of CISSP prep courses.