Thinking about CAP or CISSP? Here’s How They Compare.

Comparing Cybersecurity Certifications: Which is right for you?

Two globally recognized choices in the (ISC)² certification catalog are the Certified Authorization Professional (CAP) and Certified Information Systems Security Professional (CISSP) credentials. Both certifications are held by experts deeply skilled and experienced in cybersecurity. But what are the key distinctions you should consider if you’re weighing which one to pursue?

CAP’s Evolution

CAP was developed and launched in 2005 by (ISC)² as a credential focused on the Certification & Authorization (C&A) process following the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP). It was first updated when the U.S. government changed DIACAP to the Risk Management Framework and the terms C&A were replaced by Assessment & Authorization (A&A).

The decision was made to expand CAP in 2021 to reflect the more diverse day-to-day work of professionals earning the credential. What started out as a certification primarily for U.S. government professionals using the Risk Management Framework (RMF) is now also for professionals working in the private sector and in organizations around the world.

CISSP Gets It Started

Today’s broad portfolio of (ISC)² cybersecurity certifications started with CISSP. It launched in 1994 and is now considered the global gold standard. In 2005, CISSP became the first credential in the field of information security to meet the requirements of the ISO/IEC Standard 17024. More recently, CISSP has fulfilled the requirement for U.S. Department of Defense (DoD) workers (Directive 8570.1) to obtain a commercial certification credential accredited by the American National Standards Institute (ANSI).

Comparing Each of Their Roles

CAP-certified security professionals have proven their skills in effectively advocating for risk management solutions to authorize systems that will support an organization’s mission within regulatory-mandated requirements.

CISSP-certified professionals have been evaluated on their knowledge, skills, and ability to design, engineer and manage an organization’s security posture.

While a CISSP-credentialed professional has strong general knowledge of the various regulatory requirements, the CAP professional has a more in-depth understanding of each one and of how to meet or exceed its requirements for an organization’s compliance. In a real-world scenario, based on a cost-benefit analysis and risk appetite, a CISSP professional may understand different methods to achieve an organization’s acceptable level of security; however, some of those methods may not be considered adequate in certain environments from a CAP expert’s point of view.

Domains

CAP domains (seven):

1. Information Security Risk Management Program
2. Scope of the Information System
3. Selection and Approval of Security and Privacy Controls
4. Implementation of Security and Privacy Controls
5. Assessment/Audit of Security and Privacy Controls
6. Authorization/Approval of Information System
7. Continuous Monitoring

CISSP domains (eight):

1. Security and Risk Management
2. Asset Security
3. Security Architecture and Engineering
4. Communication and Network Security
5. Identity and Access Management
6. Security Assessment and Testing
7. Security Operations
8. Software Development Security

What are examples of roles for each credential?

The CAP is ideal for IT, information security and information assurance practitioners who work in Governance, Risk and Compliance roles and have a need to understand, apply and/or implement a risk management program for IT systems within an organization. CAP roles include information security officer, information security engineer, information security manager, risk manager/analyst, information assurance practitioner, and governance, risk, and compliance engineer.

The CISSP is ideal for information security professionals seeking to prove their understanding of cybersecurity strategy and hands-on implementation. It shows you have the advanced knowledge and technical skills to design, develop and manage an organization’s overall security posture. CISSP roles include CIO/CISO, security or IT director, security or network architect/engineer, security manager, security analyst/auditor, systems engineer, and security consultant.

Are they accredited?

CAP is ANSI-accredited for the ISO/IEC Standard 17024. In addition, CAPs are DoD 8570.01 approved and listed in two categories: IAM Level I and IAM Level II.

CISSP is ANSI-accredited for the ISO/IEC Standard 17024. In addition, CISSPs are DoD 8570.01 approved and listed in five categories: IAT Level III, IAM Level II, IAM Level III, IASAE I and IASAE II.

What level of professional experience is required?

CAP candidates must have a minimum of two years’ cumulative work experience in one or more of the seven domains of the CAP Common Body of Knowledge (CBK®). Candidates without the required experience may become an Associate of (ISC)² by successfully passing the CAP examination. The Associate of (ISC)² will then have three years to earn the two years of required experience.

CISSP candidates must have a minimum of five years’ cumulative paid work experience in two or more of the eight domains of the CISSP Common Body of Knowledge (CBK®). Earning a four-year college degree or regional equivalent, or an additional credential from the (ISC)² approved list, will satisfy one year of the required experience; education credit can satisfy only one year of experience in total. A candidate without the required experience may become an Associate of (ISC)² by successfully passing the CISSP examination. The Associate of (ISC)² will then have six years to earn the five years of required experience.

Certification and Maintenance Details

| | CAP | CISSP |
|---|---|---|
| Length of Exam | 3 hours / 125 multiple-choice questions | 3 hours / 100-150 multiple-choice and advanced innovative questions |
| Passing Score | 700 out of 1,000 | 700 out of 1,000 |
| Exam Fee | $599 USD | $749 USD |
| Annual Maintenance | $125 USD | $125 USD |
| CPEs | 60 credits over 3 years | 120 credits over 3 years |

What’s the earning potential of each?

Certification Magazine’s 2021 salary survey ranks CAP at No. 27 on its list of most lucrative certifications with an average draw of $135,430 USD annually. CISSP ranks No. 11 with an average annual salary of $149,690.

What about SSCP? How is the certification different from CAP and CISSP?

The Systems Security Certified Practitioner (SSCP) certification provides confirmation of a practitioner’s ability to implement, monitor and administer IT infrastructure in accordance with cybersecurity policies and procedures that ensure data confidentiality, integrity, and availability. It is ideal for IT administrators, managers, and network security professionals responsible for the hands-on operational security of their organization’s critical assets.

SSCP requires less experience in the field than CAP and CISSP. To qualify, candidates need only one year of cumulative, paid work experience in one or more of the seven domains of the (ISC)² SSCP Common Body of Knowledge (CBK®).

How CAP Certification Can Help You Succeed

Earning the globally recognized CAP certification is a proven way to build your career. The vendor-neutral credential shows you have the advanced knowledge and technical ability to formalize processes to assess risk and establish security documentation within a broad range of risk management frameworks.

Achieving CAP certification provides the added benefit of membership in (ISC)², the world’s largest nonprofit association of cybersecurity professionals, more than 160,000 members strong. (ISC)² provides members with professional development courses through the Professional Development Institute (PDI); continuing professional education through industry events like Security Congress; technical webinars covering evolving cybersecurity trends; and benefits, such as the (ISC)² Community and InfoSecurity Professional magazine.

Learn more about how CAP expertise in security frameworks mitigates and manages emerging risks.

Or, download your copy of The Ultimate Guide to the CAP and start your journey toward certification today.
