“I just started working in the field of information security. What kind of certificate should I get?” “I have got the CISSP. What certification should I take next?” These questions are often asked by information security practitioners, mainly because there are more than 42 security-related certificates among over 200 related IT certificates.

This paper provides the guidance of information security experts on the best security certificates, the ones that can add value to the careers of staff in the field of information security.

When considering which certification to choose, the following three aspects can help guide the decision: (1) the required years of experience, (2) career route, and (3) complementary practice. Let’s discuss them in detail one by one.

1: Required Years of Experience

Some certifications require a certain number of years of practical experience before you may sit the certification examination. For example, the certifications provided by the International Information System Security Certification Consortium (ISC2), which organizes the CISSP (Certified Information Systems Security Professional) and other certification examinations, and those provided by the Information Systems Audit and Control Association (ISACA), which organizes the CISA (Certified Information Systems Auditor) and other certification examinations. A Certified Information Systems Security Professional (CISSP) needs at least four years of relevant experience in two of the ten knowledge areas defined by ISC2. A Certified Information Security Manager (CISM) requires eight years of relevant experience. In contrast, the SSCP can be applied for after one year of relevant experience. CompTIA and SANS provide basic security certifications that require no working experience.


(1) At the beginning of your career, you should choose Security+ or one of the basic SANS certifications. This is the best way to quickly learn the basic practice of information security without the field experience or working years required for other certifications.

(2) If you are a security expert and have at least four years of experience in two of the ten fields, you must choose the CISSP. Most job descriptions above entry level require candidates to hold the CISSP certification, or list it as preferred.

2: Career Route

If you are drawn to technical work or you enjoy solving problems, a technical career path may be suitable for you. The main technical focus is tracking malicious traffic. Certification will complement the technical environment in which you work.

If you prefer to apply business acumen in leadership, management, and applications to information security, the business side of information security may be your career route. You can focus on auditing, governance, risk, or other areas.


(1) For technology-oriented security experts, you can choose the Cisco Certified Network Associate (CCNA) together with the CCNA Security certification, which can improve your skill set. For incident handling, the SANS GIAC Certified Incident Handler (GCIH) or the GIAC Certified Forensic Analyst (GCFA) certificate is a good foundation for helping your company identify malware and prevent and detect intrusions.

(2) For business-oriented security experts, it is best to choose a CISSP training course, and then consider one of the following certifications: Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT), Certified in Risk and Information Systems Control (CRISC), or Certified Information Privacy Professional (CIPP). The CISA’s complementary value to the CISSP is particularly important because it helps you understand how auditors think. That knowledge can be used to plan effective strategies for your information security projects.

3: Complementary Practice

With at least three certifications under your belt, your career will develop well, but you may want to keep collecting certifications on your march toward becoming a security expert. So, how do you choose at this stage? Once you have established a solid certification track and added value toward becoming an expert through a diversified set of certificates, my answer is: no more.


(1) Technical experts interested in becoming architects can go on to obtain The Open Group Architecture Framework (TOGAF) certification. Compared with ISC2’s Information Systems Security Architecture Professional (the CISSP’s ISSAP concentration), TOGAF gives you an understanding of the overall picture of enterprise architecture, rather than of one local practice.

(2) Strategic practitioners can choose the Project Management Professional (PMP) certification of the Project Management Institute, the business process modeling certification of BPMInstitute.org, or a Six Sigma certification offered by various training companies. These certifications can help you tailor the large processes that sometimes touch information security and audit.

Key points to keep in mind:

Here are some key points to keep in mind throughout your career:

(1) Review all your certifications every two years to see whether they are no longer applicable or have become more relevant to your career. Drop those that are no longer valuable, maintain those that still are, and consider obtaining new certifications that have become relevant or can help you reach your future career goals.

(2) Plan a strategy for easily earning continuing professional education (CPE) credits, which are required to keep a certificate valid. Webcast learning and industry conference attendance are good ways to obtain CPE.

(3) Always pay attention to the certifications required by job descriptions in your company.

Read more in the CISA vs CISSP article.