ISC2

International Information System Security Certification Consortium, or ISC2, is a non-profit organization which specializes in training and certifications for cybersecurity professionals. It has been described as the “world's largest IT security organization”.^[1]

International Information System Security Certification Consortium, Inc.

ISC2 logo
Abbreviation	ISC2
Formation	1989
Type	501(c)(6) organization
Purpose	Cybersecurity professional association
Headquarters	Alexandria, Virginia, U.S.
Membership	635,000+
Website	www.isc2.org

History

In the mid-1980s, a need for a standardized, vendor-neutral certification program for information security professionals was identified. In November 1988, the Data Processing Management Association's Special Interest Group for Computer Security (SIG-CS) brought together several organizations to form a consortium to address this need. This led to the formation of ISC2 in mid-1989 as a non-profit organization.

The first working committee to establish a Common Body of Knowledge (CBK) was formed in 1990, and the first version of the CBK was finalized in 1992. This work laid the foundation for the organization's first certification, the Certified Information Systems Security Professional (CISSP), which was launched in 1994.^[2]

The organization continued to expand its certification offerings over the years:

• The Systems Security Certified Practitioner (SSCP) was introduced in 2001.
• The Certified in Governance, Risk and Compliance (CGRC) was launched in 2023.^[3]
• The Certified Secure Software Lifecycle Professional (CSSLP) was introduced in 2008.^[4]
• The Certified Cloud Security Professional (CCSP), co-developed with the Cloud Security Alliance, was launched in 2015.^[5]

ISC2 also expanded its global presence, opening a regional office for Europe, the Middle East, and Africa (EMEA) in London in 2001, and an Asia-Pacific office in Hong Kong in 2002.^[6] The first ISC2 Security Congress conference was held in 2011, the same year its charitable arm, the ISC2 Foundation (now the Center for Cyber Safety and Education), was launched.

In 2022, ISC2 announced a major initiative to address the cybersecurity workforce gap, including the “One Million Certified in Cybersecurity” program, which provides free entry-level Certified in Cybersecurity (CC) certification education and exams.^[7] In 2023, the organization underwent a rebrand, changing its preferred abbreviation from ISC2 to ISC2.^[8]

Certifications

ISC2 offers a range of certifications aimed at different levels of experience and specializations within the information security field.

Foundational

• Certified in Cybersecurity (CC): An entry-level certification for individuals seeking to start a career in cybersecurity. It requires no prior work experience and covers foundational security principles, business continuity, access controls, network security, and security operations.^[9]

Professional

• Certified Information Systems Security Professional (CISSP): A globally recognized standard for experienced security professionals. It is aimed at security managers and leaders and requires at least five years of cumulative, paid work experience in two or more of the eight CBK domains, which include Security and Risk Management, Asset Security, and Security Architecture and Engineering.^[10] It has several concentrations:
  • CISSP-ISSAP (Information Systems Security Architecture Professional)^[11]
  • CISSP-ISSEP (Information Systems Security Engineering Professional)^[12]
  • CISSP-ISSMP (Information Systems Security Management Professional)^[13]

• Systems Security Certified Practitioner (SSCP): For IT administrators, network security engineers, and security analysts with hands-on technical security responsibilities. It requires at least one year of cumulative, paid work experience in one or more of the seven CBK domains, such as Access Controls, Security Operations and Administration, and Cryptography.^[14]

• Certified Cloud Security Professional (CCSP): A certification focused on cloud security, designed for professionals in IT, cybersecurity, and cloud architecture. It requires at least five years of cumulative IT experience, including three years in information security and one year in one of the six CCSP domains, which cover cloud concepts, data security, platform security, and legal risk.^[15]

• Certified in Governance, Risk and Compliance (CGRC): Formerly the Certified Authorization Professional (CAP), this certification is for personnel involved in authorizing and maintaining information systems within the Risk Management Framework (RMF). It is targeted at professionals responsible for formalizing processes to assess risk and establish security documentation. It requires at least two years of cumulative, paid work experience in one or more of the seven domains of the CGRC CBK.^[16]

• Certified Secure Software Lifecycle Professional (CSSLP): A certification focused on application security and secure software development. It is intended for software developers, engineers, and architects. It requires a minimum of four years of cumulative, paid work experience in one or more of the eight domains of the CSSLP CBK, such as Secure Software Concepts, Requirements, and Testing.^[17]

Governance

ISC2 is governed by a Board of Directors, which is composed of 13 members elected by the ISC2 membership. The Board provides strategic direction and oversight for the organization. Elections are held annually to fill open seats, and members vote to select from a slate of qualified candidates. The Board is led by a Chairperson, who is elected by the directors to preside over meetings and guide the Board's activities. The day-to-day operations of the organization are managed by a Chief Executive Officer (CEO), who is appointed by and reports to the Board of Directors.^[18]

The organization's structure and procedures are defined in its official Bylaws. All ISC2 members, associates, and candidates must adhere to the ISC2 Code of Ethics. The code mandates that individuals act honorably, honestly, justly, responsibly, and legally. It serves as a framework for professional conduct, and violations can lead to an investigation and potential sanctions, including the revocation of certifications.

Advocacy and Research

ISC2 is involved in advocacy efforts and regularly publishes research on the state of the cybersecurity workforce. Key publications include:

• ISC2 Cybersecurity Workforce Study: An annual report that analyzes the size of the workforce gap, trends in the profession, and challenges faced by practitioners.^[19]
• ISC2 Security Congress: An annual conference for security professionals.^[20]

The organization actively engages with governments and policymakers to shape cybersecurity-related laws, regulations, and frameworks globally, with specific advocacy efforts in the United States, United Kingdom, Canada, and the European Union. It partners with government agencies, such as the U.S. Department of Defense, to align its certifications with governmental workforce requirements like the DoD 8140 Directive.^[21]

Through its Global Academic Program, ISC2 partners with universities and colleges to integrate professional certifications into academic curricula, providing institutions with research support and curriculum development resources to prepare students for cybersecurity careers.^[22] Its charitable arm, the Center for Cyber Safety and Education, focuses on public outreach and educational programs to improve cyber safety for the general public.

See also

• List of computer security certifications
• SANS Institute
• ISACA
• CompTIA