and experience related to healthcare data protection regulations and the protection of patient data.
CAP (Certification and Accreditation Professional): Jointly developed by the U.S. Department of State’s Office of Information Assurance and (ISC)2, the CAP credential reflects the skills required to assess risk and establish security requirements for complex systems and environments.
CISSP concentrations
(ISC)2 has developed follow-on certifications (think accessories) that accompany your CISSP. (ISC)2 calls these certifications concentrations because they represent the three areas you may choose to specialize in:
ISSAP (Information Systems Security Architecture Professional): Suited for technical systems security architects
ISSEP (Information Systems Security Engineering Professional): Demonstrates competence for security engineers
ISSMP (Information Systems Security Management Professional): About security management (of course!)
All the concentrations require that you first be a CISSP in good standing, and each has a separate exam. Read about these concentrations and their exams on the (ISC)2 website at www.isc2.org/Certifications/CISSP-Concentrations.
Non-(ISC)2 certifications
Organizations other than (ISC)2 have security-related certifications, one or more of which may be right for you. None of these certifications competes directly with CISSP, but some of them overlap with CISSP somewhat.
Nontechnical/nonvendor certifications
Many other certifications are not tied to specific hardware or software vendors. Some of the best include
CISA (Certified Information Systems Auditor): Consider this certification if you work as an internal auditor or your organization is subject to one or more security regulations, such as Sarbanes-Oxley, HIPAA, GLBA, or PCI. ISACA manages this certification. Find out more about CISA at www.isaca.org/cisa.
CISM (Certified Information Security Manager): Similar to (ISC)2’s Information Systems Security Management Professional (ISSMP) certification (which we talk about in the section “CISSP concentrations” earlier in this chapter), you may want the CISM certification if you’re in security management. Like CISA, ISACA manages this certification. Read more about it at www.isaca.org/cism.
CRISC (Certified in Risk and Information Systems Control): This certification concentrates on organization risk management, controls, and information security. Find out more at www.isaca.org/crisc.
CGEIT (Certified in the Governance of Enterprise IT): Look into this certification if you want to demonstrate your skills and knowledge in the areas of IT management and governance. Effective security in an IT organization depends on governance, which involves the management and control of resources to meet long-term objectives. You can find out more about CGEIT at www.isaca.org/cgeit.
CDPSE (Certified Data Privacy Solutions Engineer): This relatively new certification from ISACA is all about technical skills within the growing privacy profession. For more information, visit www.isaca.org/cdpse.
CPP (Certified Protection Professional): Primarily a security management certification, CPP is managed by ASIS International. The CPP certification (www.asisonline.org/certification) designates people who have demonstrated competence in all areas constituting security management.
PSP (Physical Security Professional): ASIS International also offers this certification, which caters to professionals whose primary responsibility focuses on threat surveys and the design of integrated security systems. Read more at www.asisonline.org/certification.
CIPP (Certified Information Privacy Professional): The International Association of Privacy Professionals (IAPP) has this and other country-specific privacy certifications for security professionals with knowledge and experience in personal data protection. Find out more at https://iapp.org/certify/cipp (login required).
CIPP/US (Certified Information Privacy Professional/U.S.): Privacy in the United States is growing fast, and IAPP has developed a U.S. version of the CIPP. Read more at https://iapp.org/certify/cippus.
CIPP/C (Certified Information Privacy Professional/Canada): Privacy in Canada is growing in importance, so much that IAPP has a Canadian version of CIPP. Find out more at https://iapp.org/certify/cippc.
CIPP/E (Certified Information Privacy Professional/Europe): Privacy in Europe is so important in our industry that the IAPP has developed a version of the CIPP especially for European privacy matters. See more at https://iapp.org/certify/cippe.
CIPP/A (Certified Information Privacy Professional/Asia): IAPP has an Asia version of the CIPP certification that focuses on privacy laws and practices in Asian countries. Find out more at https://iapp.org/certify/cippa.
CIPM (Certified Information Privacy Manager): This certification is designed for privacy program leaders in organizations; it focuses on building a privacy team and privacy operations. Find out more at https://iapp.org/certify/cipm.
CCISO (Certified Chief Information Security Officer): This certification demonstrates the skills and knowledge required for the typical CISO position. Read more at https://ciso.eccouncil.org.
CBCP (Certified Business Continuity Planner): A business continuity planning certification offered by the Disaster Recovery Institute. You can find out more at https://drii.org/certification/cbcp.
DRCE (Disaster Recovery Certified Expert): This certification recognizes knowledge and experience in disaster recovery planning. For more information about DRCE and related certifications, visit www.bcm-institute.org/certification.
PMP (Project Management Professional): A good project manager — someone you can trust with organizing resources and schedules — is a wonderful thing, especially on large projects. The Project Management Institute (www.pmi.org) offers this certification.
PCI QSA (Payment Card Industry Qualified Security Assessor): The Payment Card Industry Security Standards Council developed the QSA certification for professionals who audit organizations that store, transmit, or process credit card data. This certification is for PCI auditors. Find out more at www.pcisecuritystandards.org.
PCI