Brand new to cybersecurity
Start with CC Certified in Cybersecurity. Foundational, no experience required, $199 USD, 4–6 weeks of prep. Covers five domains — security principles, BCDR & incident response, access controls, network security, and security operations. A résumé signal that you're ramping up; not a senior-role credential on its own.
You have IT admin background, going into hands-on security
Skip ahead to SSCP Systems Security Certified Practitioner. Designed for operators and admins who implement and monitor security controls — IDS/IPS, identity, cryptography, incident response. Requires 1 year of paid work experience in one of the seven SSCP domains; without it you become an Associate of ISC2 and gain time to earn the experience.
Several years of security experience, going senior
CISSP is the ISC2 flagship and the most widely recognized senior security credential in the industry. Eight CBK domains spanning governance, risk, architecture, network security, IAM, software security, and security operations. CAT format: 100–150 questions in up to 3 hours, scaled 700/1000 to pass, $749 USD. Requires 5 years of cumulative paid full-time experience in 2 or more of the 8 domains; a 4-year degree or one of the ISC2-approved credentials waives 1 year. Without the experience you pass as Associate of ISC2 and have 6 years to earn it. CISSP holders in the US typically earn $120K–$160K.
Specialized into cloud, GRC, or secure software
Pick the professional credential that matches your role. All three sit at CISSP-adjacent salary bands once paired with experience:
- CCSP — cloud security architecture and operations. Six domains. Requires 5 years of IT experience including time in cloud security; CISSP can substitute for the entire CCSP experience requirement.
- CGRC — governance, risk, and compliance. Seven domains focused on authorizing information systems under recognized risk frameworks — heavily used in U.S. federal and regulated sectors. 2 years of experience required.
- CSSLP — secure software development lifecycle. Eight domains covering software security from requirements through deployment and retirement.
Already CISSP, going for a vertical specialization
The three CISSP Concentrations add depth in a specific direction. Each accepts either CISSP + 2 years of relevant experience, or 7 years cumulative without holding CISSP first:
- ISSAP — Security Architecture. Four domains: GRC; infrastructure security; IAM & authentication; design verification.
- ISSEP — Security Engineering. Developed in conjunction with the U.S. National Security Agency (NSA); approved under U.S. DoDM 8140 for federal cybersecurity roles.
- ISSMP — Security Management. Six domains aligning security with governance, risk, supply-chain assurance, and resilience planning.
How ISC2 recertification works
All ISC2 certifications are valid for 3 years and are renewed via Continuing Professional Education (CPE) credits + Annual Maintenance Fee (AMF) — you do not retake the exam. CISSP requires 120 CPE credits per 3-year cycle (40 per year). CC carries the lowest AMF ($50 USD/year); other ISC2 certifications carry a higher AMF — check the ISC2 fee schedule for current amounts. Letting CPE or AMF lapse moves your status to inactive and eventually revokes the credential.
Why ISC2 credentials matter
ISC2 is one of the few certification bodies whose credentials are ANAB-accredited under ISO/IEC 17024 and approved under U.S. DoDM 8140 for federal cybersecurity workforce roles — that combination drives strong recognition in defense, federal, and regulated industries. CISSP in particular is the closest thing to a universal trust signal for senior security hiring.
Which ISC2 certification should I start with?
For beginners, start with the Certified in Cybersecurity (CC) — it has no experience prerequisites and covers five foundational security domains. Once you have several years of paid security work, pursue CISSP for a broad leadership credential or CCSP for cloud-focused roles.
What is the most recognized ISC2 certification?
CISSP (Certified Information Systems Security Professional) is the most globally recognized ISC2 certification. It is widely regarded as the gold standard for senior security professionals and is approved under U.S. DoDM 8140 for U.S. Department of Defense cybersecurity roles.
How does the CISSP CAT exam format work?
CISSP uses Computerized Adaptive Testing (CAT). You'll see between 100 and 150 questions in up to 3 hours, with the difficulty of each question adapting to your previous answers. You cannot go back to revise a previous question — once you submit, it is final. A scaled score of 700 out of 1000 is required to pass.
Do I need work experience for ISC2 certifications?
CC has no experience requirement. CISSP requires 5 years of cumulative, paid, full-time experience across 2 or more of the 8 CISSP CBK domains; one year can be waived with an approved 4-year degree or with one of the ISC2-approved credentials. CCSP requires 5 years of IT experience, with a portion in cloud security. Candidates who pass without meeting the experience requirement become an Associate of ISC2 and have time (up to 6 years for CISSP) to gain the required experience.
How much does the CISSP exam cost?
The CISSP exam costs $749 USD. The CC exam is $199. ISC2 lists other certifications in the $249–$599 range; check the official ISC2 exam pricing page for your specific exam. After passing, all certifications require an Annual Maintenance Fee plus ongoing CPE credits to stay active.
What is the difference between CISSP and CCSP?
CISSP covers broad information security across 8 CBK domains including governance, risk, cryptography, and physical security — ideal for security architects and managers. CCSP focuses on cloud security architecture, design, and operations across 6 domains — ideal for cloud security engineers. Many professionals earn both certifications.
Are these practice exams really free?
Yes! Each exam page offers 10 free practice questions with detailed explanations. No credit card required. For access to premium practice exams with hundreds of questions per certification, consider our premium courses.
How does ISC2 recertification work?
All ISC2 certifications are valid for 3 years. Unlike vendor exams, ISC2 credentials are renewed by submitting Continuing Professional Education (CPE) credits and paying an Annual Maintenance Fee (AMF) — you do not retake the exam. CISSP holders submit 120 CPE credits per 3-year cycle (40 per year).
What is the Associate of ISC2?
If you pass a CISSP, CCSP, SSCP, CSSLP, or CGRC exam but do not yet have the required work experience, ISC2 grants you Associate of ISC2 status. You then have a defined window — 6 years for CISSP candidates — to earn the required experience and convert your status to the full credential.
How long does it take to prepare for the CISSP?
Most candidates spend 12–16 weeks preparing for CISSP with 1–2 hours of daily study. CC takes 4–6 weeks. CCSP and other professional certifications typically require 8–12 weeks. Your timeline depends on existing security experience.