The three most-asked-about security certs in my inbox, in order: CISSP, CCSP, CISA. A lot of candidates are trying to pick between them, and the marketing copy from both ISC² and ISACA makes it hard to tell which one matches which career. I spent a weekend last month pulling the 2026 job-market data and writing this decision map.

The one-line summary of each

CISSP — Information security management, broad. For people who want to run security programs or become security architects.

CCSP — Cloud security specifically, half technical and half governance. For people whose work lives in AWS, Azure, or GCP with a compliance lens.

CISA — Audit of information systems. For people whose career is assessing controls, not building or running them.

They are not three tiers of the same cert. They are three adjacent-but-distinct disciplines.

The 2026 salary data

From 90 days of US job postings (2,400+ CISSP tags, 850+ CCSP, 1,600+ CISA):

CISSP median base, US:

  • Security Engineer: $148,000
  • Security Architect: $178,000
  • Security Manager: $165,000
  • CISO / VP Security: $220,000+

CCSP median base, US:

  • Cloud Security Engineer: $152,000
  • Cloud Security Architect: $175,000
  • Cloud Compliance Manager: $145,000

CISA median base, US:

  • IT Auditor: $98,000
  • Senior IT Auditor: $125,000
  • Audit Manager: $155,000
  • Director of IT Audit: $185,000+

Raw numbers favor CISSP at the top of the range. But salary is not career fit — if your brain lights up when you read an audit report and grinds to a halt when you read a system design doc, you will be miserable as a CISSP holder and thriving as a CISA holder. Pick the match.

The experience requirements

This matters because you cannot just pass the exam; you need the experience to get certified.

CISSP: 5 years of paid, full-time work experience in 2 of the 8 domains, reduced to 4 years if you hold a qualifying degree or approved credential. You can pass the exam first and become an Associate of ISC² for up to 6 years while you build the experience.

CCSP: 5 years of IT experience, of which 3 years in information security and 1 year in one of the CCSP domains. Holding CISSP waives the full experience requirement. You can pass first and become an Associate as with CISSP.

CISA: 5 years of work experience in IS audit, control, or security. Up to 3 years can be waived for education or credentials. You have 5 years after passing to complete the experience.

Exam mechanics

Cert    Questions   Time   Format           Pass      Fee         Languages
CISSP   100–150     3h     CAT (adaptive)   700/1000  $749        8
CCSP    125         4h     Linear           700/1000  $599        4
CISA    150         4h     Linear           450/800   $575–$760   11

CISSP is the shortest in time but the most cognitively demanding, because CAT escalates difficulty as you answer correctly. CCSP and CISA are linear and feel more predictable.

Study time from the Pruvos cohort

Median hours to pass for candidates with relevant experience:

  • CISSP: 140–200 hours
  • CCSP: 100–140 hours
  • CISA: 90–130 hours

CISSP has the biggest blueprint (eight domains), which is why the study time is longer. CISA is tightly scoped around five audit-specific domains, so candidates with an audit background prep faster.

Who should take which

Take CISSP if

  • Your career target is security management, security architecture, or BISO / CISO track
  • Your current role touches multiple security domains and you want a broad credential
  • You do government or defense-adjacent work (DoD 8570 / 8140 still lists CISSP)
  • You want the widest-recognized credential; non-technical hiring managers know CISSP specifically

Take CCSP if

  • Your career lives in cloud — AWS, Azure, or GCP is most of your work
  • You need to talk to auditors and compliance teams about cloud security
  • You want ISC² credentialing without the full breadth of CISSP
  • Your CISSP is already in progress and you want to layer on cloud depth

Fun fact: a CISSP + CCSP stack is a common architect profile. Many CCSP holders did CISSP first and added CCSP 2–3 years later.

Take CISA if

  • Your career is audit: IT audit, operational audit, SOX compliance audit
  • You work in Big Four or similar consultancy and audit is your practice area
  • You are in internal audit at a mid-to-large enterprise
  • You want to move into GRC / risk leadership eventually

Side note: CISA + CRISC is the ISACA equivalent of CISSP + CCSP — it is the auditor's dual stack. I will cover CRISC separately later this quarter.

The common mistakes

Mistake 1: Taking CISSP because "it pays more."

Only if the job exists in your market. CISSP for a small-town auditor is a poor fit; CISA opens the relevant doors. Salary range matters less than match to roles.

Mistake 2: Taking CISA for a security engineer role.

CISA is for people who assess controls, not for people who build them. If your role is hands-on security, CISA teaches you the wrong lens: you will spend three months learning to write audit findings, which is not what your manager wants.

Mistake 3: Taking CCSP as the first security cert.

CCSP assumes broad security fundamentals. If this is your first-ever security credential, do CISSP or Security+ first. CCSP on top of nothing feels like studying for a marathon when you have never run.

Mistake 4: Trying to stack all three.

You can, and some people do. But the effort-to-payback curve gets worse with each one after the first. Two credentials in deliberately chosen adjacent areas beat three in an unfocused scatter.

The decision

Answer three questions:

  1. In the next 3 years, what will I be doing day-to-day? Building and operating security (→ CISSP), cloud-specific security (→ CCSP), or assessing controls (→ CISA)?
  2. Which credential appears most often in the job postings I want? Go search your target title with each cert as a filter. The numbers are usually clear.
  3. What does my current job actually need? If your employer sponsors one specifically, that is the signal.

If the three answers point to the same cert, you have your answer. If they disagree, trust #2 — the market tells the truth about which credential opens which door.

One final thing: all three certs require ongoing renewal. CISSP costs $125/year AMF plus 120 CPE credits per three-year cycle. CCSP is $125/year plus 90 CPEs. CISA is $45 for ISACA membership plus a $100 CISA-specific maintenance fee, plus 120 CPE credits per three years. Pick one whose renewal cost you will still want to pay in 10 years. The cert you resent paying to keep active is the cert you regret getting.