For most people building a cybersecurity career in 2026, the ISC2 certification path is shorter than the marketing makes it sound. It's CC (if you're brand new) → SSCP (if you want a practitioner credential) → CISSP (the flagship) → CCSP (if you end up in cloud). Everything else — concentrations, HCISPP, CGRC — is niche and mostly skippable unless your specific role asks for it.
That said, there's more nuance in the gaps between those credentials than most guides admit. Which ones to skip, when to stack them, and what ISC2's overlap rules actually mean in practice — those are the parts that matter once you start planning.
What ISC2 actually offers
ISC2 rebranded from "(ISC)²" in 2023, though you'll still see the old typography floating around. They run roughly a dozen credentials. Here's the full lineup grouped by where they fit:
| Tier | Credential | Target audience |
|---|---|---|
| Entry | CC (Certified in Cybersecurity) | Career changers, students, zero experience |
| Practitioner | SSCP | 1+ year security practitioners |
| Senior generalist | CISSP | 5+ year security professionals |
| Senior specialist | CCSP | Senior cloud security roles |
| Concentrations | ISSAP / ISSEP / ISSMP | CISSP holders going deeper |
| Vertical | HCISPP | Healthcare security/privacy |
| GRC | CGRC (formerly CAP) | Federal RMF/FedRAMP work |
Four of those — CC, SSCP, CISSP, CCSP — cover something like 95% of what gets pursued in practice. The concentrations and vertical credentials exist for people whose specific roles demand them, and for most candidates they stay forever optional.
Certified in Cybersecurity (CC)
CC is the free entry-level credential ISC2 launched in 2022 as part of their One Million Certified in Cybersecurity pledge. It covers five domains (Security Principles, BC/DR, Access Control, Network Security, Security Operations) with 100 multiple-choice questions in 2 hours; the passing score is a scaled 700.
The exam is genuinely free. The $50/year AMF is not, but you can let it lapse if you decide not to maintain it.
CC exists for people coming from outside IT. A marketing analyst moving into a GRC role. A teacher pivoting into cybersecurity. Someone finishing a bootcamp. It gives those candidates a legitimate line on their resume before they've got the experience for anything else.
It's not for people already working in IT. If you've got a year of helpdesk or sysadmin work, skip CC and sit for Security+ — or go straight to SSCP if you've already been handling security duties. CC on the resume of an experienced IT pro sometimes reads backwards, like you're collecting entry-level certs instead of moving forward.
SSCP — the one most candidates skip past
SSCP is where the ISC2 path gets interesting. It's a legitimate mid-level credential (seven domains, 125 questions, 3 hours, $249 exam fee) and it's approved for DoD IAT Level II roles, which matters if you're in or adjacent to government work.
But most candidates skip it. The logic is usually "I'll just grind toward CISSP." If you've already got 5+ years of qualifying experience, that logic is fine — CISSP is the credential employers actually search for.
Where skipping SSCP backfires is the 2-4 year experience gap. If you're a SOC analyst with 18 months of experience, you're not eligible for CISSP yet (unless you go through the Associate of ISC2 route and wait out the clock). SSCP fits exactly into that gap. It's the credential that says "I'm a security practitioner" during the years when CISSP is still out of reach.
One pattern I've noticed: people who come up through CompTIA (Security+ → CySA+ → maybe Pentest+) often skip SSCP entirely because it overlaps with what they've already demonstrated. People who came up through non-certification paths — CS degrees, self-taught, military — tend to benefit from SSCP more, because it's often their first formal security credential.
The $249 exam fee and $135/year AMF are real costs. But ISC2 consolidates the AMF once you hold multiple credentials, so adding CISSP later doesn't double your maintenance bill.
CISSP — the one that actually matters
If you pick one ISC2 credential to pursue, pick this one. CISSP is the single most-requested security credential in job listings globally. It's on the DoD 8570 approved list for every level above IAT I. And it's the implicit prerequisite for senior security roles, even when it's not formally required.
The exam covers eight domains, everything from governance to software development security. It runs 100-150 questions via computerized adaptive testing (CAT), up to 4 hours, with a scaled passing score of 700. $749 exam fee, $135/year AMF, 120 CPE hours per 3-year cycle.
Experience requirement is 5 years in at least two of the eight domains. A relevant bachelor's or master's degree (or an ISC2-approved credential like SSCP) shaves one year off. The Associate of ISC2 path lets you pass the exam without experience and have up to 6 years to meet it.
Here's the part worth saying clearly: CISSP is primarily a managerial exam, even though it looks technical on paper. The most common failure pattern I've seen is experienced engineers picking the "technically correct" answer instead of the "governance-first" answer. You'll get a question where two answers are both valid, but one starts with "conduct a risk assessment" and the other starts with "implement the patch." CISSP wants the risk assessment answer almost every time.
If you're a hands-on engineer and your practice test scores are stuck at 75-80% on adaptive exams, that's usually why. It's not a knowledge gap. It's that the exam rewards a specific decision-making posture — the one a CISO would take, not the one a sysadmin would take.
Study timelines vary by background. Someone with 10+ years of broad security work might need 8-12 weeks. Someone newer who's never spent time in Domain 1 (governance, risk, legal) content might need 5-6 months. I've written a longer CISSP study timeline breakdown by experience level if you want specifics.
CCSP — the cloud specialist track
CCSP is the senior cloud security credential. Six domains, 150 questions, 4 hours, $599 exam fee. It sits at roughly the same seniority level as CISSP but specialized: cloud concepts, cloud data security, cloud infrastructure, cloud apps, cloud ops, cloud legal and compliance.
The experience requirement is 5 years of IT with 3 in security and 1 in a CCSP domain — but holding CISSP automatically satisfies the entire experience requirement. That's why the conventional path is CISSP first, then CCSP, not the other way around. Stack order matters when you can knock out two credentials with less experience paperwork.
CCSK (the Cloud Security Alliance credential) counts for one year of the cloud-domain requirement, which helps some candidates qualify faster.
Whether you need CCSP depends on what "cloud-focused" actually means in your career. A cloud security architect at a SaaS company, a DevSecOps lead, a cloud compliance manager — these roles pay attention to CCSP. A general security manager at a company that happens to run some AWS workloads probably doesn't need it; CISSP covers cloud at a high level already. If you're on the fence, the CISSP vs CCSP breakdown walks through the decision in more detail.
Concentrations, HCISPP, CGRC
The CISSP concentrations — ISSAP, ISSEP, ISSMP — are three specialized credentials for CISSP holders, covering architecture, engineering, and management respectively. Each requires 2 additional years of experience in its specific area, plus a 125-question exam.
In practice, most CISSP holders never pursue a concentration. The exception is government contractors and DoD engineers, where ISSEP is specifically valued. ISSMP shows up sometimes on the CISO track but isn't required for it.
HCISPP is healthcare-specific — credible if you work in healthcare security or privacy, largely invisible if you don't. CGRC (formerly CAP) is the RMF/FedRAMP credential, valued in federal GRC work and mostly unknown outside of it.
None of these are gates. You pursue them if your specific role calls for them.
How ISC2 credentials stack
Four mechanics worth knowing once you hold more than one credential:
CPE hours overlap. If you hold CISSP (120 CPEs per cycle), CCSP (90), and SSCP (60), you don't earn 270. You earn 120 max, and it counts toward all three. One activity, logged once.
The AMF is consolidated. Hold one credential or five — you pay $135/year total. This is the main reason adding CCSP after CISSP is nearly a no-brainer if cloud is your direction: zero extra maintenance cost.
Experience stacks too. A year of cloud security work counts toward CISSP's "network security" and "security operations" domains and CCSP's cloud domains simultaneously. You're not double-counting; the same experience is just valid under multiple frameworks.
Endorsement is mostly one-and-done. Your first ISC2 credential requires endorsement from an existing ISC2-certified professional. Subsequent credentials usually don't — you're already in good standing.
Which one should you pursue right now
This depends entirely on where you sit today. A few honest calls:
Zero security experience: start with Security+ or CC, build a year of real work, then add SSCP. CC if you have zero IT experience at all. Security+ if you've already got some IT foundation — it's more widely recognized and the pipeline from Security+ into security roles is more established.
1-3 years of security experience: SSCP is the legitimate near-term target. Start eyeing CISSP in parallel — either by plotting when you'll hit the 5-year mark, or by sitting as Associate of ISC2 now and waiting out the clock.
5+ years of security experience: CISSP is the priority. Don't chase anything else first. Once you pass, then consider CCSP (within 6-12 months) if cloud is where your role is heading.
Already hold CISSP: CCSP is the natural next step for cloud-adjacent roles. Concentrations only make sense if your specific job demands one — most don't. If your next move is into a CISO-track role, ISSMP can be useful, but it's optional.
Healthcare or federal work: HCISPP and CGRC exist for a reason, but CISSP is still usually the better first move unless your role is narrowly vertical from day one.
Where to go from here
The ISC2 certification path compounds well. Each credential makes the next easier — experience, endorsement, AMF consolidation all work in your favor. But compounding only works if you pass the exams, and the exams themselves are what most candidates underestimate.
If CISSP is your target, the first useful thing to do isn't to buy a study guide — it's to find out where you actually stand across the eight domains. Most people are wrong about their weak spots, and you can lose weeks studying the wrong ones. LearnZapp's free CISSP diagnostic gives you a per-domain breakdown in about 30 minutes, no signup: take the CISSP diagnostic. Targeting CCSP or SSCP instead? There are free diagnostics for those too — CCSP and SSCP.