ISC2 Certification Coverage of ECSF Roles


This page makes recommendations for learners seeking to understand which ISC2 certifications will help them acquire the knowledge and skills required for roles under ENISA’s European Cybersecurity Skills Framework (ECSF). The recommendations are based on the coverage of knowledge and skills topics for each role, rather than coverage of tasks, and are limited to roles where ISC2 certifications provide a high level of coverage.

ECSF Profile Title | Recommended Certification | Other Relevant Certifications
Chief Information Security Officer | ISSMP | CISSP
Cyber Legal Policy and Compliance Officer | CISSP | CGRC, CCSP
Cybersecurity Architect | ISSAP | CSSLP, CGRC, CISSP, CCSP
Cybersecurity Auditor | CGRC | ISSMP, CISSP
Cybersecurity Educator | CC | CISSP
Cybersecurity Implementer | SSCP | CSSLP
Cybersecurity Risk Manager | CGRC | CISSP, SSCP

Certified in Cybersecurity

Entry-Level

Designed as a starting point for students, young professionals and career-changers, this entry-level cybersecurity certification demonstrates knowledge in the key foundational concepts in information security and requires no work experience – just a passion for cybersecurity and the desire to dive into an exciting field that protects the world from cyber threats.

Required Experience

There are no specific prerequisites to take the exam. No work experience in cybersecurity or formal educational diploma/degree is required.

Who typically pursues CC

  • IT professionals
  • Career-changers
  • College students or recent graduates
  • Board-level executives seeking foundational knowledge in cybersecurity

Domains Covered

  • Security Principles
  • Business Continuity (BC), Disaster Recovery (DR) & Incident Response Concepts
  • Access Control Concepts
  • Network Security
  • Security Operations
Systems Security Certified Practitioner

Security Administrator

The SSCP is ideal for IT administrators, managers, directors and network security professionals responsible for the hands-on operational security of their organization’s critical assets. It demonstrates advanced technical skills and knowledge to implement, monitor and administer IT infrastructure using security best practices, policies and procedures.

Required Experience

To qualify for the SSCP, candidates must pass the exam and have at least one year of cumulative, paid work experience in one or more of the seven domains of the ISC2 SSCP Common Body of Knowledge (CBK®).

Jobs that typically use SSCP

  • Network Security Engineer
  • IT/Systems/Network Administrator
  • Security Analyst
  • Systems Engineer
  • Security Consultant/Specialist
  • Security Administrator
  • Systems/Network Analyst
  • Database Administrator
  • Individuals operating in a security operations center (SOC) environment performing the role of incident handler, SIEM analyst, forensics specialist, threat intel researcher, etc.

Domains Covered

  • Security Operations and Administration
  • Access Controls
  • Risk Identification, Monitoring and Analysis
  • Incident Response and Recovery
  • Cryptography
  • Network and Communications Security
  • Systems and Application Security
Governance, Risk and Compliance Certification

Governance, Risk & Compliance

The CGRC is ideal for IT, information security and information assurance practitioners who work in Governance, Risk and Compliance (GRC) roles and have a need to understand, apply and implement a risk management program for IT systems within an organization. It demonstrates advanced knowledge and technical skills to formalize processes to assess risk and establish security documentation.

Required Experience

To qualify for the CGRC, candidates must pass the exam and have at least two years of cumulative, paid work experience in one or more of the seven domains of the ISC2 CGRC Common Body of Knowledge (CBK®).

Jobs that typically use CGRC

  • Authorizing Official
  • Cyber GRC Manager
  • Cybersecurity Auditor/Assessor
  • Cybersecurity Compliance Officer
  • Cybersecurity Architect
  • GRC Architect
  • GRC Information Technology Manager
  • GRC Manager
  • Cybersecurity Risk & Compliance Project Manager
  • Cybersecurity Risk & Controls Analyst
  • Cybersecurity Third Party Risk Manager
  • Enterprise Risk Manager
  • GRC Analyst
  • GRC Director
  • GRC Security Analyst
  • System Security Manager
  • System Security Officer
  • Information Assurance Manager
  • Cybersecurity Consultant

Domains Covered

  • Information Security Risk Management Program
  • Scope of the Information System
  • Selection and Approval of Security and Privacy Controls
  • Implementation of Security and Privacy Controls
  • Assessment/Audit of Security and Privacy Controls
  • Authorization/Approval of Information System
  • Continuous Monitoring
Certified Secure Software Lifecycle Professional

Software Security

The CSSLP is ideal for software development and security professionals responsible for applying best practices to each phase of the software development lifecycle (SDLC). It demonstrates advanced knowledge and technical skills to effectively design, develop and implement security practices within each phase of the software lifecycle.

Required Experience

To qualify for the CSSLP, candidates must pass the exam and have at least four years of cumulative, paid work experience as a software development lifecycle professional in one or more of the eight domains of the ISC2 CSSLP Common Body of Knowledge (CBK®).

Jobs that typically use CSSLP

  • Software Architect
  • Software Engineer
  • Software Developer
  • Application Security Specialist/Manager/Architect
  • Software Program Manager
  • Quality Assurance Tester
  • Penetration Tester/Testing Manager
  • Software Procurement Analyst
  • Project Manager
  • Security Manager
  • IT Director/Manager

Domains Covered

  • Secure Software Concepts
  • Secure Software Requirements
  • Secure Software Architecture and Design
  • Secure Software Implementation
  • Secure Software Testing
  • Secure Software Lifecycle Management
  • Secure Software Deployment, Operations, Maintenance
  • Secure Software Supply Chain
Certified Cloud Security Professional

Cloud Security

The CCSP is ideal for IT and information security leaders seeking to prove their understanding of cybersecurity and securing critical assets in the cloud. It demonstrates advanced technical skills and knowledge to design, manage and secure data, applications and infrastructure in the cloud.

Required Experience

To qualify for the CCSP, candidates must pass the exam and have at least five years of cumulative, paid work experience in information technology, of which three years must be in information security, and one year in one or more of the six domains of the ISC2 CCSP Common Body of Knowledge (CBK®).

Jobs that typically use CCSP

  • Cloud Architect
  • Chief Information Security Officer (CISO)
  • Chief Information Officer (CIO)
  • Chief Technology Officer
  • Engineer/Developer/Manager
  • DevOps
  • Enterprise Architect
  • IT Contract Negotiator
  • IT Risk and Compliance Manager
  • Security Administrator
  • Security Analyst
  • Security Architect
  • Security Consultant
  • Security Engineer
  • Security Manager
  • Systems Architect
  • Systems Engineer
  • SecOps

Domains Covered

  • Cloud Concepts, Architecture and Design
  • Cloud Data Security
  • Cloud Platform & Infrastructure Security
  • Cloud Application Security
  • Cloud Security Operations
  • Legal, Risk and Compliance
Certified Information Systems Security Professional

Leadership & Operations

The CISSP is ideal for information security leaders seeking to prove their understanding of cybersecurity strategy and hands-on implementation. It demonstrates advanced knowledge and technical skills to design, develop and manage an organization’s overall security posture.

Required Experience

To qualify for the CISSP, candidates must pass the exam and have at least five years of cumulative, paid work experience in two or more of the eight domains of the ISC2 CISSP Common Body of Knowledge (CBK®).

Jobs that typically use CISSP

  • Chief Information Officer
  • Chief Information Security Officer
  • Chief Technology Officer
  • Compliance Manager/Officer
  • Director of Security
  • Information Architect
  • Information Manager/Information Risk Manager or Consultant
  • IT Specialist/Director/Manager
  • Network/System Administrator
  • Security Administrator
  • Security Architect/Security Analyst
  • Security Consultant
  • Security Manager
  • Security Systems Engineer/Security Engineer

Domains Covered

  • Security and Risk Management
  • Asset Security
  • Security Architecture and Engineering
  • Communication and Network Security
  • Identity and Access Management (IAM)
  • Security Assessment and Testing
  • Security Operations
  • Software Development Security
Information Systems Security Management Professional

Security Management

The Information Systems Security Management Professional (ISSMP) recognizes cybersecurity leaders with expertise in information systems security management. It demonstrates deep management and leadership skills and the advanced knowledge to establish, present and govern information security programs.

Required Experience

There are two ways to earn the ISSMP. Path 1: CISSPs in good standing must have a minimum of two years of cumulative full-time experience in one or more of the six domains in the current ISSMP exam outline. Path 2: All other candidates must have a minimum of seven years of cumulative full-time experience in two or more of the six domains in the current ISSMP exam outline.

Jobs that typically use ISSMP

  • Chief Information Officer
  • Chief Information Security Officer
  • Chief Technology Officer
  • Senior Security Executive

Domains Covered

  • Leadership and Business Management
  • Systems Lifecycle Management
  • Risk Management
  • Threat Intelligence and Incident Management
  • Contingency Management
  • Law, Ethics and Security Compliance Management
Information Systems Security Architecture Professional

Security Architecture

The Information Systems Security Architecture Professional (ISSAP) recognizes cybersecurity leaders with expertise in information systems security architecture. It demonstrates the knowledge and skills to develop, design and analyze security solutions and provide risk-based guidance to meet organizational goals.

Required Experience

There are two ways to earn the ISSAP. Path 1: CISSPs in good standing must have a minimum of two years of cumulative full-time experience in one or more of the six domains in the current ISSAP exam outline. Path 2: All other candidates must have a minimum of seven years of cumulative full-time experience in two or more of the six domains in the current ISSAP exam outline.

Jobs that typically use ISSAP

  • System Architect
  • Chief Information Security Officer (CISO)
  • Chief Information Officer (CIO)
  • Chief Technology Officer (CTO)
  • System and Network Designer
  • Business Analyst
  • Chief Security Officer

Domains Covered

  • Architect for Governance, Compliance and Risk Management
  • Security Architecture Modeling
  • Infrastructure Security Architecture
  • Identity and Access Management (IAM) Architecture
  • Architect for Application Security
  • Security Operations Architecture
Information Systems Security Engineering Professional

Security Engineering

The Information Systems Security Engineering Professional (ISSEP) recognizes cybersecurity leaders with expertise in information systems security engineering. It demonstrates the knowledge and skills to incorporate security into projects, applications, business processes and information systems.

Required Experience

There are two ways to earn the ISSEP. Path 1: CISSPs in good standing must have a minimum of two years of cumulative full-time experience in one or more of the five domains in the current ISSEP exam outline. Path 2: All other candidates must have a minimum of seven years of cumulative full-time experience in two or more of the five domains in the current ISSEP exam outline.

Jobs that typically use ISSEP

  • Senior Systems Engineer
  • Security Systems Engineer
  • Security Officer
  • Senior Security Analyst

Domains Covered

  • Systems Security Engineering Foundations
  • Risk Management
  • Security Planning and Design
  • Systems Implementation, Verification and Validation
  • Secure Operations, Change Management and Disposal