SSCP and CISSP are both (ISC)² certifications. I get a lot of questions about the two of them, especially about SSCP, as CISSP overshadows it.

CISSP definitely pays better, but that’s not to say SSCP doesn’t have merit.

SSCP doesn’t exactly compete directly with Security+, but when it comes to the government and its DoD 8570 requirement, the two are equivalent. At the pay grades where the DoD accepts Security+, it usually also accepts SSCP. The problem is that Security+ is the one with the name recognition, so even though DISA may say SSCP is OK, your COTR or team lead may not know that and may make you go get Security+ anyway.

CISSP is the more advanced certification of the two. It’s impolite to discuss salary but that’s almost necessary to set expectations, so I’ll talk salary anyway. When I went from being a highly paid Security+ to an entry-level CISSP, my salary went up about 15 percent. Your mileage will vary based on experience. A CISSP with just enough experience to meet the prerequisites can expect to make about what a Security+ with 15-20 years of experience makes.

Although the SSCP doesn’t get much love, I like that it’s administered by (ISC)². If your goal is to eventually get the CISSP, why not take the entry-level test from the same certifying body? CompTIA intends for Security+ to prepare you for the CISSP someday, but I don’t think CompTIA does a good job of preparing you for the way (ISC)² asks questions. Both of them mess with your mind, but CompTIA messes with your mind with poor grammar and spelling. (ISC)² much more closely simulates how people will actually try to slip things past you in the real world.

So, what’s the difference between the tests themselves? The SSCP is half as long as the CISSP, 125 questions versus 250 questions. SSCP also covers 70% of the material CISSP does. Most of the management and paper-pushing elements of CISSP are absent from SSCP. SSCP is hands-on and technical. Some CISSPs are hands-on and technical (I still am, about half the time), but admittedly, some of us are paper pushers.

As for the questions themselves, SSCP will be more straightforward than CISSP. Here’s a study question from my old study material that’s fair game for both tests:

At what temperature does damage start occurring to magnetic media?

You’ll get a lot more questions like that on SSCP than on CISSP. I only recall a small number of questions that straightforward on my CISSP exam. An easy CISSP question is more likely to ask if it’s permissible to store magnetic tapes in a storage unit without air conditioning and why or why not. In a hard question, they’d bury the plan to store tapes in a storage unit in a page or two of text, and other than that and one other detail, it might actually be an OK plan. In order to pick the right answer, you’ll need to know that tapes start degrading at about 100 degrees, and probably two or three other random things.

That’s likely to be the biggest difference you’ll notice between the SSCP and CISSP. An SSCP question may very well ask one or two things. Most CISSP questions are really asking you several things.


3 thoughts on “SSCP vs CISSP”

  • March 15, 2018 at 4:22 am

    Is it good to plan on getting CISSP with a total experience of 4 years? Since experience counts so much in the field, would I be getting appropriate job options then, or should I get SSCP first?

    • March 15, 2018 at 3:04 pm

      I think with four years of experience, CISSP probably won’t help a lot. It will also be much more difficult to pass without that experience to draw on. Four years in, when you get a job, it’s because they like something in your experience or they like your potential. I would recommend getting SSCP and/or Security+, since Security+ has better name recognition, get another year or two of experience, then think about CISSP.

      Does that help?

