
HCISPP or CISSP? What’s the difference and which is best for you? [updated 2021]

July 23, 2021 by Rodika Tollefson

Healthcare is one of the industries currently most exposed to cyberattacks. Institutions and organizations large and small have seen attacks grow in both frequency and severity over the past few years, and the rising number of breaches underscores the need for more skilled cybersecurity professionals.

The healthcare cybersecurity niche can be quite fruitful right now. Opportunities are widely available; however, employers still want to be sure they are hiring candidates with the right skills, and they typically look for validation such as industry certifications. That may leave you trying to decide between the Healthcare Information Security and Privacy Practitioner (HCISPP) and the Certified Information Systems Security Professional (CISSP).

(ISC)², considered one of the leaders in professional cybersecurity certifications, offers both credentials. Both are good choices that cover different focus areas and skill sets.


CISSP certification

Benefits of earning your CISSP

Considered by many as the gold standard for infosec professionals, the CISSP certification is in high demand by employers across all sectors. Jobs that require a CISSP certification range from security analyst to chief information security officer.

“Cybersecurity professionals who earn the CISSP are among the most sought-after security experts in the world,” says (ISC)². That demand is also why CISSP holders are among the highest-paid credential holders.

The CISSP is ideal for those who want to prove both their understanding of cybersecurity strategy and their hands-on ability to put that strategy into practice by engineering and managing an organization's security program so that it can withstand a constantly changing threat landscape.

Much of the exam content from the recent CISSP domain refresh reflects the mix of technical and managerial knowledge, skills and abilities required of today's security professionals.

Overview of CISSP exam

CISSP is not a beginner cert. To qualify for the exam, you need at least five years of cumulative, paid work experience in at least two of the domains covered by the credential. The exam's common body of knowledge spans eight domains:

  • Security and risk management
  • Asset security
  • Security architecture and engineering
  • Communication and network security
  • Identity and access management (IAM)
  • Security assessment and testing
  • Security operations
  • Software development security

The three-hour CISSP exam contains 100–150 questions, and you need a minimum score of 700 out of 1,000 to pass. The certification is valid for three years, and recertification requires 120 continuing professional education (CPE) credits over that cycle.

HCISPP certification

Benefits of HCISPP

HCISPP is a stand-alone credential: you don't need to earn the CISSP to qualify for it. Like the CISSP, it's a vendor-neutral certification, but it's much narrower in scope because it focuses only on healthcare.

Earning the HCISPP healthcare cybersecurity certification prepares IT pros to be at the forefront of protecting patient information. “The HCISPP is the only certification that combines cybersecurity skills with privacy best practices and techniques,” says (ISC)², Inc.

The HCISPP is in high demand. (ISC)² lists the following five reasons for that demand:

  • They understand the healthcare environment: since healthcare has a unique set of challenges, threats and practices, specialized knowledge has a significant advantage compared to a generalist’s understanding of the industry.
  • They help manage risks: HCISPPs have knowledge that’s specific to the threats and risks of healthcare security and understand the unique requirements related to personal health information.
  • They show commitment to the healthcare industry: the specialized cert validates their pledge to keep patient data secure.
  • They contribute to the patient experience: HCISPPs are essential to providing programs and services within a secure ecosystem.
  • They show they’re serious about their healthcare career: getting certified demonstrates their commitment.

Overview of the HCISPP exam

The HCISPP certification requires less experience than the CISSP: two years of cumulative, paid work experience in at least one of the exam's domains, of which at least one year must be in the healthcare industry. There are also fewer domains on this exam (seven versus eight for the CISSP), weighted as follows:

  • Healthcare industry (12%)
  • Information governance in healthcare (5%)
  • Information technologies in healthcare (8%)
  • Regulatory and standards environment (15%)
  • Privacy and security in healthcare (25%)
  • Risk management and risk assessment (20%)
  • Third-party risk management (15%)

There are 125 questions on the three-hour exam, and the passing score is the same: 700 out of 1,000. The certification is also valid for three years but requires fewer CPEs to maintain: 60 compared to 120 for the CISSP.

HCISPP versus CISSP

HCISPP is one of the newer (ISC)² credentials, introduced in 2013, whereas the CISSP has been available since 1994. Beyond the depth of the exam, the prerequisite experience, the cost of certification and the number of CPEs needed for recertification, there are two fundamental differences between these two certs:

  • The knowledge covered by the CISSP is more technical, with much of the focus on security controls and operations. The HCISPP exam, on the other hand, puts more emphasis on healthcare regulatory issues, data governance and risk management.
  • Most of the principles in the HCISPP exam are specific to healthcare or are viewed through the lens of a healthcare context. It also places considerably more emphasis on privacy than on security.


Deciding the best path for you

If you're just starting your information security career, an HCISPP certification can help you grow in healthcare security. Still, its limited scope makes it less valuable if you later decide to move into a different sector. For those who love the healthcare field and plan a long-term tenure in it, this credential will sharpen their skills and make them more competitive. And if you've been in healthcare IT for a long time, it's a good step toward higher management or risk management roles.

But if you already have some of the experience required for the CISSP and want to keep your options broad, you are better off with the CISSP. It's not only applicable across IT sectors; it also gives you a much stronger technical foundation. Because the two credentials have little overlap in the domains they cover, you may want to pursue the HCISPP as a second step once you've decided to stay in the healthcare industry for the long haul.

Rodika Tollefson

Rodika Tollefson splits her time between journalism and content strategy and creation for brands. She’s covered just about every industry over a two-decade career but is mostly interested in technology, cybersecurity and B2B topics. Tollefson has won various awards for her journalism and multimedia work. Her non-bylined content appears regularly on several top global brands’ blogs and other digital platforms. She can be reached at