Role-based, not a mandatory ladder

ISC2 Certification Roadmap: CISSP, CCSP and Security Paths

There is no single required order for ISC2 certifications. Start with your experience level, then select a broad security, cloud, architecture, engineering, management, secure software or GRC path.

Experience and role alignment

Seven Practical ISC2 Certification Pathways

Entry-level

CC → SSCP

Use CC to establish core security principles without an experience prerequisite. Move toward SSCP when your work centers on operational security administration and you can meet its experience requirement.

Broad leadership

CISSP

Choose CISSP when your work spans organization-wide security risk, architecture, networks, IAM, assessment, operations and software security. It is not positioned as a beginner credential.

CISSP practice course

Cloud specialization

CCSP

Choose CCSP for vendor-neutral cloud architecture, data, platform, application, operations and compliance responsibilities. An active CISSP can substitute for the official CCSP experience requirement.

Free CCSP questions and August 2026 update

Advanced CISSP paths

ISSAP / ISSEP / ISSMP

Select architecture, engineering or management based on your actual senior responsibilities. ISC2 also provides a seven-year alternative experience pathway for these concentrations.

Compare concentration practice courses

Secure SDLC

CSSLP

Choose CSSLP when your work integrates security into software requirements, architecture, implementation, testing, deployment, operations and supply-chain decisions.

CSSLP practice course

GRC

CGRC

Choose CGRC for governance, risk management, compliance and authorization work. CertShield does not currently list a CGRC course, so use ISC2's official materials rather than forcing an unrelated practice product.

Build platform depth where your role needs it

Related Cloud and Security Certifications

CCSP is vendor-neutral. Pair it with a platform certification only when your work requires implementation depth: AWS Certified Security – Specialty SCS-C03 or Google Professional Cloud Security Engineer. For AI-security work, explore CompTIA SecAI+ CY0-001; for AI governance, compare IAPP AIGP.

Roadmap questions

CISSP and CCSP Path FAQs

Should I take CISSP before CCSP?

ISC2 does not require CISSP before the CCSP exam. However, an active CISSP substitutes for the entire CCSP experience requirement. Choose based on role scope and verify official eligibility.

Is CC the best ISC2 starting point?

For newcomers, CC is ISC2's entry-level certification and has no required work experience. SSCP can fit practitioners moving into hands-on security operations.

Are ISSAP, ISSEP and ISSMP only available to CISSP holders?

ISC2 lists both a CISSP-in-good-standing pathway and an alternative seven-year experience pathway. Read the current outline for the concentration you are considering.

Does a practice exam replace required experience?

No. Practice questions can support knowledge assessment but do not replace work-experience, endorsement, ethics, CPE or maintenance requirements.

Source of truth