Non-(ISC)2 Security-Related Certifications

By Lawrence C. Miller, Peter H. Gregory

Organizations other than International Information System Security Certification Consortium (ISC)2 have security-related certifications, one or more of which may be right for you. None of these certifications directly compete with CISSP, but some of them do overlap with CISSP somewhat.

Non-technical/non-vendor certifications

There are many other certifications available that are not tied to specific hardware or software vendors. Some of the better ones include

  • CISA (Certified Information Systems Auditor): Consider this certification if you work as an internal auditor or your organization is subject to one or more security regulations, such as Sarbanes-Oxley, HIPAA, GLBA, PCI, and so on. The Information Systems Audit and Control Association and Foundation (ISACA) manages this certification.
  • CISM (Certified Information Security Manager): Similar to (ISC)2’s Information Systems Security Management Professional (ISSMP) certification (which we talk about in the section “CISSP concentrations,” earlier in this chapter), you may want the CISM certification if you’re in security management. Like CISA, ISACA manages this certification.
  • CRISC (Certified in Risk and Information Systems Control): This is a relatively new certification that concentrates on organization risk management.
  • CGEIT (Certified in the Governance of Enterprise IT): Look into this certification if you want to demonstrate your skills and knowledge in the areas of IT management and governance. Effective security in an IT organization definitely depends on governance, which involves the management and control of resources to meet long-term objectives.
  • CPP (Certified Protection Professional): Primarily a security management certification, CPP is managed by ASIS International. The CPP certification designates individuals who have demonstrated competency in all areas constituting security management.
  • PSP (Physical Security Professional): ASIS International also offers this certification, which caters to those professionals whose primary responsibility focuses on threat surveys and the design of integrated security systems.
  • CIPP (Certified Information Privacy Professional): The International Association of Privacy Professionals (IAPP) has this and other country-specific privacy certifications for security professionals with knowledge and experience in personal data protection.
  • CIPP/E (Certified Information Privacy Professional/Europe): Privacy in Europe is so important in our industry that the IAPP has developed a version of the CIPP especially for European privacy matters.
  • C|CISO (Certified Chief Information Security Officer): This certification demonstrates the skills and knowledge required for the typical CISO position.
  • CBCP (Certified Business Continuity Planner): A business continuity planning certification offered by the Disaster Recovery Institute.
  • DRCE (Disaster Recovery Certified Expert): This certification is a recognition of knowledge and experience in disaster recovery planning.
  • PMP (Project Management Professional): A good project manager — someone you can trust with organizing resources and schedules — is a wonderful thing, especially on large projects. The Project Management Institute offers this certification.
  • PCI-QSA (Payment Card Industry Qualified Security Assessor): The Payment Card Industry Security Standards Council developed the QSA certification for professionals who audit organizations that store, transmit, or process credit card data. This certification is for PCI auditors.
  • PCI-ISA (Payment Card Industry Internal Security Assessor): This certification, also from The Payment Card Industry Security Standards Council, is for security professionals within organizations that store, transmit, or process cardholder data.
  • GIAC (Global Information Assurance Certification): The GIAC family of certifications includes categories in Audit, Management, Operations, and Security Administration. Two of the GIAC non-vendor-specific certifications that complement CISSP are the GIAC Certified Forensics Analyst (GCFA) and the GIAC Certified Incident Handler (GCIH). Several vendor-related GIAC certifications are mentioned next.

Technical/vendor certifications

We won’t even pretend to list all the technical and vendor certifications here. But these are some of the well-known vendor-related security certifications:

  • CCIE (Cisco Certified Internetworking Expert) Security: Cisco also offers several product-related certifications for specific products, including ASA firewalls and intrusion prevention systems.
  • Check Point Security Administration certifications: You can earn certifications related to Check Point’s firewall and other security products.
  • C|EH (Certified Ethical Hacker): We know, we know. A contradiction in terms to some, real business value for others. Read carefully before signing. Offered by the International Council of E-Commerce Consultants (EC-Council).
  • E|NSA (Network Security Administrator): Also from EC-Council, this is the certification that recognizes the defensive view — as opposed to the offensive view of C|EH.
  • L|PT (Licensed Penetration Tester): Another certification from EC-Council, this takes penetration testing to a higher level than C|EH.
  • C|HFI (Certified Hacking Forensics Investigator): Also from EC-Council, this certification recognizes the skills and knowledge of a forensic expert who can detect computer crime and gather forensic evidence.
  • CSFA (CyberSecurity Forensic Analyst): This certification demonstrates the knowledge and skills for conducting computer forensic examinations. Part of the certification exam is an actual forensics assignment in the lab.
  • CompTIA Security+: A security competency certification for PC techs and the like. We consider this an entry-level certification that may not be for you, but you may well advise your aspiring colleagues who want to get into information security that this certification is a good place to start.
  • Security|5: Like Security+, this is an entry-level security competency certification for anyone interested in learning computer networking and security basics.

You can find many other security certifications out there. Use your favorite search engine and search for phrases such as “security certification” to find information.