CCSP vs. CISSP: Which One Should You Take?

As part of your professional development in the cybersecurity industry, you’re likely going to face a decision on which certification you should obtain first. This usually pits CCSP and CISSP against each other and what you should choose depends on several key considerations.

In this article, we’ll give you an overview of these two certifications and which you should choose.

Overview: CCSP vs CISSP

Both CCSP and CISSP are certification programs developed by ISC2 that are helpful for any security professional but they do differ in focus, who they target, and how a professional can use the certification to advance their careers.

While there are differences in what the exam tests, what it looks like, and what it costs, there are some similarities in the certification. For example, both certifications last 3 years and have similar renewal requirements and regardless of certification, even if you have both), members need to pay an Annual Maintenance Fee (AMF) of $125.

Certified Cloud Security Professional (CCSP)

CCSP (Certified Cloud Security Professional) certification is focused on cloud security, architecture, design, operations, and targets a number of security professionals as well as enterprise and systems architects.

CCSP prerequisites

In order to take the certification exam, you need to meet a few requirements. These requirements include:

• A minimum of five years (cumulative) paid work experience in information technology, including:
  • Three years in information security
  • One year in one or more of the six domains in the CCSP CBK (Common Book of Knowledge):
    • 1. Cloud Concepts, Architecture, and Design
    • 2. Cloud Data Security
    • 3. Cloud Platform & Infrastructure Security
    • 4. Cloud Application Security
    • 5. Cloud Security Operations
    • 6. Legal, Risk, and Compliance

However, if you obtain the CSA’s CCSK certificate, you don’t have to have one year of experience in one of the six domains. If you have the CISSP credential, then you don’t have to meet any of the prerequisites. For more detailed information, visit ISC2’s site.

The certification is valid for three years but you can renew as long as you have obtained 30 continuing professional education credits (CPE) annually, for a total of 90 CPE credits.

CCSP exam format

The current exam format (updated in August 2019) will be updated to a new format in August 2022. We’ll provide an outline of the (as of this writing) current exam and detailed changes coming to the 2022 version.

The CCSP exam is a three-hour exam that requires 700 out of 1000 points (70%) to be scored in order to receive a passing grade. It has 125 questions in multiple-choice format, with a nearly even weight distribution across the six domains listed above.

The only exceptions are Domain 2: Cloud Data Security (19%) and Domain 6: Legal, Risk, and Compliance (13%). The exam costs $599 to take.

In the updated 2022 version, the only difference between the exams is the weight distribution across the various domains. Domain 2: Cloud Data Security has increased to 20% and to offset the increase, Domain 5: Cloud Security Operations has dropped to 16%.

See the full exam outlines at the links below:

• CCSP Exam Outline (Aug 2022)
• CCSP Exam Outline (Aug 2019)

Certified Information Systems Security Professional (CISSP)

CISSP (Certified Information Systems Security Professional (CISSP) is much more focused on cybersecurity and validates one’s expertise and ability to design, implement, and manage a cybersecurity program.

The roles offered by this certificate are varied from security practitioners to cybersecurity architects and program managers.

CISSP prerequisites

The requirements for the CISSP exam are a bit more rigorous than the ones for the CCSP exam. You need:

• A minimum of five years (cumulative) paid work experience in two or more of the eight domains of the CISSP CBK (Common Book of Knowledge):
  • 1. Security and Risk Management
  • 2. Asset Security
  • 3. Security Architecture and Engineering
  • 4. Communication and Network Security
  • 5. Identity and Access Management (IAM)
  • 6. Security Assessment and Testing
  • 7. Security Operations
  • 8. Software Development Security

If you have a four-year college degree (or regional equivalent) or an approved credential from ISC2’s list, that will count towards one of the required years of experience. To see the list of credentials accepted by ISC2, visit the CISSP website here.

The certification is valid for three years but also requires you to obtain 40 continuing professional education credits (CPE) annually for a total of 120 throughout the three years.

CISSP exam format

The exam was recently updated on May 1st, 2021 and it has a similar format to the CCSP exam. It’s a three-hour exam that requires a minimum of 700 out of a possible 1000 points to obtain a passing grade. The cost to take the exam is $749.

Questions can vary from 100 to 150 and are a mix of multiple-choice and “advanced innovative items” which are more akin to drag and drop style of questions. These are not write-in questions and answers.

As of this writing, the examination weights across the 8 domains are as follows.

1. Security and Risk Management: 15%
2. Asset Security: 10% 
3. Security Architecture and Engineering: 13%
4. Communication and Network Security: 13%
5. Identity and Access Management (IAM): 13%
6. Security Assessment and Testing: 12%
7. Security Operations: 13%
8. Software Development Security: 11%

To see the exam outline, visit the CISSP exam outline page here.

CCSP vs. CISSP: Salary comparison

The certification you get can impact the type of job you can have and the salary you can earn and it’s a key consideration when deciding which certification you want.

Salaries vary widely by region and the type of cybersecurity role you take so make sure you do some research before making a big decision. However, there have been some well-run surveys that can give us a sense of what kind of salaries professionals with these certifications can earn. 

CCSP salary estimate

According to ISC2’s own cybersecurity workforce study, professionals with a CCSP salary earn, on average, $114,172 a year in North America. Globally, that figure drops down to an annual salary of $80,717.

However, Certification Magazine’s Salary survey found that IT professionals with a CCSP certification earned, on average, $150,400 in the US and $119,880 globally.

CISSP salary estimate

According to the ISC2 Cybersecurity Workforce Study, professionals with a CISSP certification earn, on average, $120,552 a year in North America. Globally, they earn $92,639 annually on average.

According to Certification Magazine’s Salary Survey, professionals with a CISSP certification earn, on average, $134,890 a year in the US and $114,270 globally. However, the survey specifies professionals with degree who work in Architecture and who work in Management. These salaries, in the US, go up to $149,690 and $137,110 a year, respectively.

Considerations and questions to ask yourself

It’s not an easy decision to make on which certification to get but here are a couple of questions you may want to ask yourself.

Do I want a career in cybersecurity?

While both certifications are cybersecurity certifications, the CISSP certificate requires a broader and deeper understanding of more cybersecurity topics and can eventually lead cybersecurity professionals to take on management roles for cybersecurity programs.

CCSP, on the other hand, is more specific to cloud security and architecture, which limits your specific cybersecurity roles but also allows you to pivot to cloud-specific roles.

Will I only get one certification?

If you’re planning to get multiple certifications, the CISSP is likely the better choice because other certifications, like the CCSP, among others, are extensions of the CISSP.

How much time do I have?

This is a more practical consideration. The CCSP is more defined, is strictly a multiple-choice exam, and has fewer domains to study.

How important is salary in the short term?

When considering salary, you should also consider the types of roles these certifications can help you get. CCSP exams validate a more modern skillset and the corresponding roles have a lower floor in terms of salary.

However, because CISSP validates a much broader set of cybersecurity experience and can lead to managerial positions, there’s a higher ceiling. On the other hand, if you’re starting from the bottom, your salary may be significantly lower than if you had a CCSP certification.

Continuing cybersecurity education is ongoing

If you think you’re going to stick around in the cybersecurity field for a while, don’t put too much pressure on yourself. Both certifications are extremely helpful so there’s no wrong decision.

Remember that the CCSP validates cloud security and architecture which is extremely important for all organizations so it may be a way to leverage that outside of a traditional cybersecurity field.

To learn more about training and certification programs, visit Varonis here.