Professional development

Certifications compared: CISSP vs. GSEC [updated 2021]

Daniel Brecht
March 25, 2021 by
Daniel Brecht

IT security professionals looking for a new job or ready to progress in their career will find that the right credentials can truly help them by proving their knowledge, skills and competencies to employers. Although the demand outweighs the supply of cybersecurity professionals, companies are looking for certified experts who can objectively prove their abilities and will to keep up to date in a fast-moving field.

We’ll compare and contrast two of the leading cybersecurity certifications — the (ISC)² Certified Information Systems Security Professional (CISSP) and the GIAC Security Essentials Certification (GSEC) — and explore their prerequisites, the material covered on the exams and possible training options.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Give your career a boost with top security certifications: CISSP vs. GSEC

As a cybersecurity professional (or information security professional), you've likely considered the benefits of certifications such as the CISSP and GSEC and wondered which would be better for you to achieve to effectively prove your background and expertise in the profession.

“The CISSP is ideal for experienced security practitioners, managers and executives interested in proving their knowledge across a wide array of security practices and principles,” says (ISC)².

“[The GSEC is ideal for security professionals] to demonstrate they are qualified for IT systems hands-on roles with respect to security tasks,” says SANS Institute.

(ISC)², or the International Information Systems Security Certification Consortium, issues the CISSP credentials to qualified candidates who can pass an exam to show their knowledge and skills on a range of security topics — along with an experience requirement. Those who take roles in networking, system administration, programming or security can look at attaining this credential, which is respected by employers worldwide.

GIAC, or the Global Information Assurance Certification, supplies the GSEC credentials to qualified, working professionals who can pass its exam to prove expertise on a range of topics. These topics include network security, hardening operating systems and handling cybersecurity incidents. GSEC does not have an experience requirement and is generally considered a more entry-level certification compared to the CISSP.

Both certifications are a great option but deciding which to pursue depends on the focus of the candidates. The (ISC)² certification is based on overall, theoretical knowledge of the cybersecurity realm. Its scope ranges through a wide variety of areas and requires strong experience to pass the test.

The GIAC credential is more concentrated on technical aspects and could be of value to employers who are looking for hands-on professionals. According to GIAC itself, “GSEC is more focused on what security professionals actually have to do, and goes deeper in technical concepts.”

Topics covered by CISSP and GSEC exams

Simply knowing the topics covered for your certification might help you choose the right credential and determine if you’re ready to take the exam.


The CISSP tests if candidates have the knowledge, skills and abilities in the field of IT security. The certification is appropriate for professionals whose daily tasks include monitoring systems (the software and hardware) and identifying risks associated with each network component to prevent any possible cyberattacks.

Due to the wide coverage of cybersecurity topics, as seen below, it is also great for those asked to design and manage cybersecurity programs for their organization. 

  • Security and risk management 15%
  • Asset security 10%
  • Security architecture and engineering 13%
  • Communication and network security 13%
  • Identity and access management (IAM) 13%
  • Security assessment and testing 13%
  • Security operations 13%
  • Software development security 11% 

Find updates to the exam below:

CISSP CAT exam information

  • Number of questions: 100-150
  • Length of exam: 3 hours
  • Exam question format: multiple-choice and advanced innovative questions
  • Passing score: 700 out of 1000 possible
  • Exam language availability: English
  • Testing Center: (ISC)² authorized Pearson Professional Centers (PPC) and Pearson VUE Authorized Test Center Selects (PVTC Selects) in a proctored environment. Find out more about online proctored exams (On VUE)


The SANS Institute issues the GSEC. The credential requires passing a computer-based exam validating a candidate’s specialized knowledge on a range of technical security topics. The GSEC certification covers many items:

  • Access control and password management
  • Active defense
  • Contingency plans
  • Critical controls
  • Cryptography
  • Cryptography algorithms and deployment
  • Cryptography application
  • Defense-in-depth
  • Defensible network architecture
  • Endpoint security
  • Enforcing Windows security policy
  • Incident handling and response
  • IT risk management
  • Linux security: structure, permissions and access
  • Linux services: hardening and securing
  • Linux: monitoring and attack detection
  • Linux: security utilities
  • Log management and SIEM
  • Malicious code and exploit mitigation
  • Network device security
  • Network security devices
  • Networking and protocols
  • Securing Windows network services
  • Security policy
  • Virtualization and cloud security
  • Vulnerability scanning and penetration testing
  • Web communication security
  • Windows access controls
  • Windows as a service
  • Windows automation, auditing and forensics
  • Windows security infrastructure
  • Wireless network security

As you can see, the GSEC covers an extensive number of hands-on topics. Candidates should keep in mind that GIAC requires its certification holders to possess information security knowledge beyond that of simple concepts and terminology.

GSEC exam information

  • Number of questions: 180
  • Length of exam: 5 hours
  • Exam question format: multiple-choice and advanced innovative questions
  •  Passing score: 73%
  • Testing Center: Remote proctoring through ProctorU, and onsite proctoring through Pearson VUE
  • All GIAC certification exams are web-based. They are proctored, open-book format, but not open-internet or open-computer


Both are valued credentials and require investment in time and money to achieve and maintain.

So, which certification will it be? Once decided, just know there are long-term requirements for maintaining credentials.

Continuing professional education (CPE) credits can be applied to maintain the certified GSEC designation. The same also goes for if you hold the CISSP certification that requires CPE credits — they can be obtained by attending industry events or conferences.

To help you decide which credential is right for you, consider the following factors and points of comparison.

Name of certification Topic covered Requirements Fees

Certified Information Systems Security Professional (CISSP). The exam covers eight topic domains of CISSP CBK. The broad spectrum of topics is listed in the CISSP certification exam outline. Eligibility for those with five years of full-time experience and a college degree. Recertification is required every three years, requiring 120 CPE credits. $749 exam cost. (ISC)² certified members pay a single AMF of $125, which is due each year upon the anniversary of their certification date.

GIAC Security Essentials. The exam objectives are listed on the GIAC website. Topic areas are also on SANS Institute’s website for the GSEC certification. A broad spectrum of topics is covered: from general security, networking to computing topics. No previous experience is required. Recertification is required every four years, requiring 36 CPEs over this period to remain certified. $1,149 exam cost without taking SANS official training. (Note: GIAC certification attempts purchased independently from a SANS training package are $1,999.) The certification maintenance fee is a non-refundable $429 payment, due once every four years at the time of registration.

What is the best way to train for any of the certification exams?

  • (ISC)²’s CISSP self-paced online training course is a suitable option in preparing for your exam
  •  GIAC’s affiliate SANS Institute offers SEC401 (a security essentials boot camp style course) that can help to prepare for the rigorous GSEC certification exam
  • Third-party courses from training partners offering skills training and certification boot camps can fit anyone’s schedule, needs and learning style

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

An evolving cybersecurity skill set 

As cybercrime, hacks and attacks continue to evolve, the role of IT professionals cannot remain the same. Today’s modern digital world has hiring firms leaning towards individuals who can demonstrate true talent, who are willing to continue their knowledge building and can keep pace with the many changes in the IT security realm.

Certifications can pinpoint specific expertise in hardware, software and networks while testing candidates on formal knowledge as well as tools of the trade, needed skills and hands-on abilities.

Explore your career options and then opt to acquire the relevant certification in line with the occupation you are seeking. Choosing between CISSP and GSEC might seem easier, with CISSP as the preferred option thanks to its worldwide reputation; however, GSEC and its technical hands-on focus can be even a better option for candidates with fewer years of experience or who aspire to roles like auditors, forensic analysts and penetration testers in addition to those as security managers and IT engineers.


Daniel Brecht
Daniel Brecht

Daniel Brecht has been writing for the Web since 2007. His interests include computers, mobile devices and cyber security standards. He has enjoyed writing on a variety of topics ranging from cloud computing to application development, web development and e-commerce. Brecht has several years of experience as an Information Technician in the military and as an education counselor. He holds a graduate Certificate in Information Assurance and a Master of Science in Information Technology.