Professional development

Should you take the CCSP or SSCP before the CISSP?

Greg Belding
November 27, 2024 by
Greg Belding

The Certified Information Systems Security Professional (CISSP) remains the most requested certification for U.S. cybersecurity job openings. As it's considered an advanced certification, many wonder if they should earn other certifications from ISC2 before their CISSP.

Two common ones are the Systems Security Certified Practitioner (SSCP) and Certified Cloud Security Professional (CCSP). In this article, we'll look at both and compare them to the CISSP.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

SSCP

Released by ISC2, the Systems Security Certified Practitioner (SSCP) is intended for those working in systems and network security who develop information security standards, policies and procedures, and manage hardware and software implementation for an organization. The SSCP is fairly broad, as it covers seven domains of knowledge. Below is a list of these domains and their respective exam content weights:

  • Domain 1 - Security concepts and practices (16%)
  • Domain 2 - Access controls (15%)
  • Domain 3 - Risk identification, monitoring and analysis (15%)
  • Domain 4 - Incident response and recovery (14%)
  • Domain 5 - Cryptography (9%)
  • Domain 6 - Network and communications security (16%)
  • Domain 7 - System and application security (15%)

SSCP requirements

Candidates for this certification have several options to meet the experience requirement. SSCP candidates must have a minimum of one year of paid work experience in one of the seven knowledge domains covered by the certification exam. They may also be granted a one-year prerequisite pathway for earning a bachelor’s or master’s degree in cybersecurity. 

Another possible option is that if candidates do not have the work experience or prerequisite pathway, they can earn an Associate of ISC2 by passing the SSCP certification exam and have two years to earn one year of experience. Those who pass the exam must find another ISC2-certified professional and obtain their endorsement.

SSCP exam information

  • Number of questions: 125
  • Length of exam: 3 hours
  • Exam question format: Multiple-choice
  • Passing score: 700 (out of 1000 possible)

The certification was recently updated in September 2024.

CCSP

This certification, also hosted by ISC2, is a vendor-neutral approach to broad cloud security knowledge, including practices, principles, cloud platforms and technologies. Intended for experienced professionals in cloud security, this certification exam covers six CSSP domains of knowledge (along with their respective exam content weights):

  • Domain 1 - Cloud concepts, architecture and design (17%)
  • Domain 2 - Cloud data security (20%)
  • Domain 3 - Cloud platform and infrastructure security (17%)
  • Domain 4 - Cloud application security (17%)
  • Domain 5 - Cloud security operations (16%)
  • Domain 6 - Legal, risk and compliance (13%)

CCSP was updated in 2022, and the number of exam questions and the exam length was reduced in August 2024.

CCSP requirements

Candidates for the Certified Cloud Security Professional (CCSP) certification must have five years of paid work experience in information technology, with three years in information security and one year in at least one of the domains of knowledge this certification exam covers. CCSP candidates can also apply for the Associate of ISC2 if they do not meet the experience requirement. 

Paid internships and part-time work qualify for your work experience. This certification also requires an endorsement from an ISC2-certified professional.

CCSP exam information

  • Number of questions: 125
  • Length of exam: 3 hours
  • Exam question format: Multiple-choice
  • Passing score: 700 (out of 1000 possible)

CISSP

Last is another ISC2 certification — the Certified Information Systems Security Professional (CISSP). This certification is intended for seasoned information security professionals and is highly sought after by organizations looking to take their information security to the next level. 

You must pass a longer certification exam than the others explored above to earn this certification. It covers eight domains of knowledge:

  • Security and risk management
  • Asset security
  • Security architecture and engineering
  • Communication and network security
  • Identity and access management (IAM)
  • Security assessment and testing
  • Security operations
  • Software development security

This certification was updated in April 2024.

CISSP requirements

The requirements for CISSP are steeper than those for the certifications above. CISSP candidates must have at least five years of paid, cumulative work experience in at least two of CISSP’s knowledge domains. Those with a four-year college degree or another ISC2 certification from an approved list can subtract one year of work experience from that requirement. There is also the option to earn an Associate of ISC2, at which point the candidate would have six years to satisfy the experience requirement. 

CISSP exam information

  • Number of questions: 100-150
  • Length of exam: 3 hours
  • Exam question format: Multiple-choice and advanced innovative questions
  • Passing score: 700 (out of 1000 possible)

For more on the CISSP certification, view our CISSP hub.

Certification recommendations

This article will forward two recommendations, one general and the other situation-specific.

General recommendation

As you can see from the exam requirements above, SSCP is an entry-level certification that requires one year of paid work experience. In contrast, both CCSP and CISSP require at least five years of paid work experience, so it should be no surprise that you should earn SSCP first if you want to earn all three certifications. 

Situation-specific recommendation

The proverbial “odd man out” in this progression of certifications is CCSP. While the other two certifications focus on system and network information security, CCSP is unique because it focuses on cloud-based security. 

You need to ask yourself whether you want to become certified in cloud-based security. If you do, I would say to take CCSP before CISSP or concurrently if you think you can handle the workload. 

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

Pursuing the right certification 

SSCP, CCSP and CISSP from ISC2 are highly respected information security certifications that can help information security professionals reach new heights in their careers. Before you begin to prepare for these exams, it is essential to realize that they apply to different points in your career and you will have to adjust your timetable for earning these certifications accordingly. 

Read our Cybersecurity certifications and skills ebook to learn more about advancing your cybersecurity career.

Greg Belding
Greg Belding

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.