CASP+ vs. CISSP: Which certification should you get in 2022?
The CompTIA Advanced Security Practitioner (CASP+) and ISC2 Certified Information Systems Security Professional (CISSP) are both advanced-level certifications that validate your skills in maintaining the security of information systems and networks. While similar, they have different goals that tend to align with different career paths.
Which certification is best for you? We break it down below.
CISSP vs. CASP+
The CISSP certification exam uses a Computerized Adaptive Testing (CAT) format to evaluate a professional’s understanding of cybersecurity strategy and hands-on implementation experience. It evaluates the technical skills to design, execute and manage the overall security posture of an organization. It's most applicable for experienced security practitioners, cybersecurity managers and executives.
The CASP+ certification uses multiple-choice and performance-based questions to evaluate a professional's ability to implement solutions to make an organization more resilient while complying with cybersecurity policies and frameworks. It's most applicable to advanced cybersecurity practitioners, architects and engineers, but not necessarily managers.
You can better understand how ISC2 and CompTIA view these certifications by looking at the common job roles associated with each certification.
CISSP job roles:
- Chief information security officer
- Chief information officer
- Director of security
- IT director/manager
- Security systems engineer
- Security analyst
- Security manager
- Security auditor
- Security architect
- Security consultant
- Network architect
CASP+ job roles:
- Security architect
- Senior security engineer
- SOC manager
- Security analyst
Both are also DoD 8570 approved certifications for different job roles:
CISSP:
- Information Assurance Technical (IAT) Level III
- Information Assurance Management (IAM) Level II and III
- Information Assurance System Architect and Engineer (IASAE) I and II
CASP+:
- Information Assurance Technical (IAT) Level III
- Information Assurance Management (IAM) Level II
- Information Assurance System Architect and Engineer (IASAE) I and II
As you can see, the CISSP applies to a broader range of cybersecurity roles, including a number of more leadership-focused roles, whereas the CASP+ is more technical-focused.
CISSP vs. CASP+ exam domains
Each of the exams is broken into a number of key areas, or domains. The CISSP exam covers eight domains, and the CASP+ exam covers four.
CISSP exam domains:
- 1.0 Security and risk management (15%)
- 2.0 Asset security (10%)
- 3.0 Security architecture and engineering (13%)
- 4.0 Communication and network security (13%)
- 5.0 Identity and access management (13%)
- 6.0 Security assessment and testing (12%)
- 7.0 Security operations (13%)
- 8.0 Software development security (11%)
CASP+ exam domains:
- 1.0 Security architecture (29%)
- 2.0 Security operations (30%)
- 3.0 Security engineering and cryptography (26%)
- 4.0 Governance, risk and compliance (15%)
However, you can get a better sense of the certification goals by looking at the objectives within each domain. (See the full CASP+ exam outline and CISSP exam outline for even more detail.) Let's take a look at the shared domain of security operations to see how they compare.
CISSP domain 7.0, Security operations:
- 7.1 Understand and comply with investigations
- 7.2 Conduct logging and monitoring activities
- 7.3 Perform Configuration Management (CM) (e.g., provisioning, baselining, automation)
- 7.4 Apply foundational security operations concepts
- 7.5 Apply resource protection
- 7.6 Conduct incident management
- 7.7 Operate and maintain detective and preventative measures
- 7.8 Implement and support patch and vulnerability management
- 7.9 Understand and participate in change management processes
- 7.10 Implement recovery strategies
- 7.11 Implement Disaster Recovery (DR) processes
- 7.12 Test Disaster Recovery Plans (DRP)
- 7.13 Participate in Business Continuity (BC) planning and exercises
- 7.14 Implement and manage physical security
- 7.15 Address personnel safety and security concerns
CASP+ domain 2.0, Security operations:
- 2.1 Given a scenario, perform threat management activities
- 2.2 Given a scenario, analyze indicators of compromise and formulate an appropriate response
- 2.3 Given a scenario, perform vulnerability management activities
- 2.4 Given a scenario, use the appropriate vulnerability assessment and penetration testing methods and tools
- 2.5 Given a scenario, analyze vulnerabilities and recommend risk mitigations
- 2.6 Given a scenario, use processes to reduce risk
- 2.7 Given an incident, implement the appropriate response
- 2.8 Explain the importance of forensic concepts
- 2.9 Given a scenario, use forensic analysis tools
The CISSP exam objectives are broader and include more manager-level tasks. The CASP+ exam objectives are more focused on performing and implementing various technical controls and tools.
As Patrick Lane, director of products at CompTIA, explained in a recent Infosec Edge webcast on CASP+, the CISSP is less hands-on and includes more governance than the CASP+. "A CISO might have the skills in the CISSP," Lane said, "while the architect who is working with the CISO would have CASP+. They would be the ones who work with the CISO, determine what the architecture needs to be and then actually lead the teams to then implement that."
CISSP vs. CASP+ exam format
The exams have a slightly different format:
- CASP+ exam: Maximum of 90 questions; the test length is 165 minutes. CASP+ is available in English and Japanese. Requires 75 Continuing Education Units (CEUs) in three years to renew certification.
- CISSP exam: 100-150 multiple choice and advanced innovative item questions; the test length is three hours. CISSP CBT is available only in English. However, the exam is also available in French, German, Brazilian Portuguese, Spanish, Japanese, Simplified Chinese and Korean in the linear fixed form format, which consists of 250 items with a time limit of six hours. Requires 120 CPE credits in three years to renew certification.
CISSP vs. CASP+ experience requirements
One of the key differences between the CISSP and CASP+ certifications is the experience requirements.
CISSP requires candidates to have a minimum of five years of cumulative, paid, full-time work experience in two or more of the eight CISSP CBK domains — or four years of experience if you meet the CISSP experience waiver requirements. If you don't possess the required experience for CISSP, you can become an Associate of ISC2 by successfully passing the exam. At that point, you'll have up to six years to earn the required experience.
CompTIA CASP+ does not have an experience requirement, but CompTIA does recommend candidates have a minimum of 10 years of general hands-on IT experience, with at least five years of broad hands-on security experience in order to be successful.
Benefits of CISSP
CISSP is one of the most valued information security certifications globally and can help professionals compete for information security jobs both in the United States and abroad; because the majority of employers value this certification and are aware of its rigorous requirements, certified practitioners might gain a competitive edge and stand out over other candidates. Also, according to ISC2, the average salary of CISSP-certified professionals is $131,030, and ISC2 members report earning 35% more than non-members. ISC2 also reports that CISSP is the most required security certification on LinkedIn.
CISSP-certified professionals are security practitioners, security managers or executives with at least five years of information security experience. From CISOs to network architects, CISSPs are leaders who are always ready for information security challenges.
Benefits of CASP+
CASP+ focuses on the cybersecurity technical and practical aspects of hands-on enterprise security, incident response and architecture to help organizations find solutions to complex security problems; thus, it can help you prove that you not only know what the job entails but how to do it. CASP+ covers security architecture and engineering and qualifies professionals to assess cyber readiness within an enterprise and implement the proper solutions needed to make it resilient.
What should you learn next?
As information security threats rise globally, organizations look for senior IT security staff to help them protect the integrity of their IT infrastructure. CASP+ is a great way for advanced IT practitioners to show that they have the needed knowledge and skills to qualify them for many vacancies and well-paid positions.
They might appear similar, but different certifications measure different skill sets. Although they may lead to comparable jobs and overlap in organizational roles, the CASP+ certification is more 'hands-on' and highlights the technical skills of the certified professional. The CISSP certification is more managerial than technical, with skills that might not be specific to a particular job but that give access to a wider variety of advanced positions. Nevertheless, either certification can provide a great range of opportunities in cyber and information security.