SecurITyCerts dot Org

Other Security Certifications

Besides our "Top 3," CISSP, GSEC, and Security+, there are plenty of other infosec certifications that are well worth mentioning.

Information on these certs and the organizations offering them is below. We'll flesh this out with more details depending on your interest, and of course as time permits.

The SANS Institute

The SANS Institute offers over 20 different certifications through GIAC, including their most popular: the GSEC certification.

Information on their Security Essentials Boot Class is here.

Most of the exams are 4 hours and 150 questions, and need to be retaken after 4 years.

Certifications cover a wide area of specialties in information security, including technical, managerial, and legal areas.

Most people who take the exams take the associated SANS Institute class first, although that's not a requirement.

The SANS Institute classes are taught by some of the best in the world; not just guys and gals that really know their stuff, but that excel at teaching it.

The SANS Institute instructors also live it, since they are in the field helping customers. There are no "full time" instructors at SANS.

SANS Institute classes are intense. They have been compared to drinking from a firehose. Many of the classes last 6 days and 5 nights, and no one ever seems to complain about working through the weekend. The SANS audiences are people hungry for knowledge, and some of the best audiences I've ever had!

The SANS Institute is also an accredited educational institution and offers a Masters in Information Security.

A few of the most popular certifications are listed below. I've included links to the related training as most people who go for the cert take the training, although it's certainly not required.

Certification: Certified Intrusion Analyst (GCIA)
Related Training: Intrusion Detection In-Depth

Certification: Security Leadership Certification (GSLC)
Related Training: Security Leadership Essentials

Certification: Certified Firewall Analyst (GCFW)
Related Training: Perimeter Protection In-Depth

Certification: Certified Incident Handler (GCIH)
Related Training: Hacker Techniques, Exploits & Incident Handling

Certification: Certified Forensics Analyst (GCFA)
Related Training: Computer Forensics, Investigation & Response

Certification: Systems and Network Auditing (GSNA)
Related Training: Auditing Systems, Networks, and Perimeters

Certification: GIAC Information Security Professional (GISP)
Related Training: Training Program for the CISSP® Certification Exam

SANS also has a very popular CISSP preparatory class with an amazing 98% pass rate!

(ISC)²

In addition to their well known CISSP certification, (ISC)² offers additional certifications, none of which are remotely as well known.

These include:

SSCP - Systems Security Certified Practitioner

The SSCP is an intermediate-level certification that many people consider a CISSP-lite. It is not nearly as well known as the CISSP, nor is it well marketed by (ISC)², as they concentrate on the CISSP.

The SSCP was established in March 2001, and consists of 125 multiple-choice questions over 3 hours, as compared to 250 multiple-choice questions over 6 hours for the CISSP.

It requires one year of experience, and covers seven domains:

The SSCP certification lasts for three years, and you can renew by retaking the exam or by earning 60 appropriate continuing professional education (CPE) credits.

My suggestion? Don't bother with the SSCP -- it's simply not well known nor well marketed.

CISSP Concentrations

(ISC)² also has concentration certifications, all of which have the CISSP as a prerequisite. These exams are:

CAP - Certification and Accreditation Professional

The CAP certification was co-developed with the U.S. Department of State's Office of Information Assurance, and is for people involved in the "process of certifying and accrediting security of information systems."

The exam consists of 125 multiple-choice questions over 3 hours, and certification requires two years of experience in one or more of the five domains of the (ISC)² CAP CBK, which consists of the following domains:

CSSLP - Certified Secure Software Lifecycle Professional

This is the newest offering from (ISC)², with the first exams scheduled for June of 2009. They describe it as "the only certification in the industry that ensures that security is considered throughout the entire software lifecycle."

I hope they do a great job with this as the statement "security is very rarely considered throughout the entire software lifecycle" is a massive understatement!

Certified Ethical Hacker (CEH) - EC-Council

The International Council of Electronic Commerce Consultants, better known as the EC-Council, has a number of certifications. The most popular is the Certified Ethical Hacker certification which they established in March 2003. To be honest, I had never heard of any of their other dizzying array of certifications until I visited their Web site.

The Certified Ethical Hacker certification may just be the fastest growing certification in popularity today.

"Ethical Hacker" is a sexy term for Penetration Tester, which I guess does have some sexual overtones itself.

Optional Certified Ethical Hacker training is available at EC-Council accredited training centers. If the training is skipped, you need proof of two years of infosec experience.

The Certified Ethical Hacker exam can be taken at any Pearson Vue or Prometric testing center. There are over 2,500 testing centers in 180 countries, so there is likely one convenient to you.

The Exam is currently four hours long and consists of 150 multiple choice questions. It keeps getting longer -- originally it was 50 questions.

EC-Council certifications, including the Certified Ethical Hacker, are renewed by earning EC-Council Continuing Education credits (ECEs) and paying an annual maintenance fee. Twenty ECEs are required yearly and 120 ECEs over each three-year period.

ISACA, Information Systems Audit and Control Association

ISACA is an "association of IS professionals dedicated to the audit, control, and security of information systems." They got their start in 1967 and now there are over 86,000 members worldwide and many local chapters.

They have their own certifications which are well known and regarded in the audit community, but not very well known elsewhere.

Their primary certifications are:

CISA, Certified Information Security Auditor

The CISA is the flagship certification of the ISACA. It is an audit professional certification that was established in 1978 and over 60,000 professionals have earned the CISA designation.

The CISA exam is 4 hours long, 200 questions, and multiple choice. It covers six content areas:

The CISA exam is offered at over 200 worldwide locations every December and June. Five years work experience in Information Systems Auditing, Control, Assurance or Security is required for the CISA. This experience must be within the ten year period before the application date for certification or within five years from when the exam is successfully taken. Up to three years may be waived based on experience.

CISA maintenance requires payment of a yearly fee, plus 20 continuing professional education hours yearly and 120 continuing professional education hours over each three-year period.

CISM, Certified Information Security Manager

The CISM is a certification for information security managers. It's management focused and over 10,000 professionals have earned the CISM designation since it was introduced in 2003.

The CISM requires demonstrated knowledge in five functional areas of Information Security:

The CISM exam is offered at the same times and locations as the CISA exam, and experience and maintenance requirements are similar to the CISA.

CGEIT, Certified in The Governance of Enterprise IT

The CGEIT is a relatively new certification covering IT Governance.

In the words of ISACA, it is "specifically developed for professionals who have a significant management, advisory, or assurance role relating to the governance of IT."

It's also intended to support the growing business demands related to IT governance, increase awareness of IT governance practices and issues, and further define IT governance work and the roles and responsibilities of the people involved.

The CGEIT exam is offered in December and June, as are ISACA's more established CISA and CISM exams. It is four hours long, has experience and maintenance requirements, and covers the following domains:

Ted Demopoulos at Caesars Palace