SSCP and CISSP are both (ISC)² certifications. I get a lot of questions about the two of them, especially about SSCP, as CISSP overshadows it.

CISSP definitely pays better, but that’s not to say SSCP doesn’t have merit.

SSCP doesn’t exactly compete directly with Security+, but when it comes to the government and its DoD 8570 requirement, the two are equivalent. At the pay grades where the DoD accepts Security+, it usually also accepts SSCP. The problem is that Security+ is the one with the name recognition, so even though DISA may say SSCP is OK, your COTR or team lead may not know that and may make you go get Security+ anyway.

CISSP is the more advanced certification of the two. It’s impolite to discuss salary but that’s almost necessary to set expectations, so I’ll talk salary anyway. When I went from being a highly paid Security+ to an entry-level CISSP, my salary went up about 15 percent. Your mileage will vary based on experience. A CISSP with just enough experience to meet the prerequisites can expect to make about what a Security+ with 15-20 years of experience makes.

Although the SSCP doesn’t get much love, I like that it’s administered by (ISC)². If your goal is to eventually get the CISSP, why not take the entry-level test from the same certifying body? CompTIA intends for Security+ to prepare you for the CISSP someday, but I don’t think CompTIA does a good job of preparing you for the way (ISC)² asks questions. Both of them mess with your mind, but CompTIA messes with your mind with poor grammar and spelling. (ISC)² much more closely simulates how people will actually try to slip things past you in the real world.

So, what’s the difference between the tests themselves? The SSCP is half as long as the CISSP, 125 questions versus 250 questions. SSCP also covers 70% of the material CISSP does. Most of the management and paper-pushing elements of CISSP are absent from SSCP. SSCP is hands-on and technical. Some CISSPs are hands-on and technical (I still am, about half the time), but admittedly, some of us are paper pushers.

As for the questions themselves, SSCP will be more straightforward than CISSP. Here’s a study question from my old study material that’s fair game for both tests:

At what temperature does damage start occurring to magnetic media?

You’ll get a lot more questions like that on SSCP than on CISSP. I only recall a small number of questions that straightforward on my CISSP exam. An easy CISSP question is more likely to ask if it’s permissible to store magnetic tapes in a storage unit without air conditioning and why or why not. In a hard question, they’d bury the plan to store tapes in a storage unit in a page or two of text, and other than that and one other detail, it might actually be an OK plan. In order to pick the right answer, you’ll need to know that tapes start degrading at about 100 degrees, and probably two or three other random things.

That’s likely to be the biggest difference you’ll notice between the SSCP and CISSP. An SSCP question may very well ask one or two things. Most CISSP questions are really asking you several things.

