Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.

Recent

What Comes After CISSP? Top Certifications to Advance Your Career

C
Christopher Porter Training Camp
Published
Read Time 9 min read
What Comes After CISSP? Top Certifications to Advance Your Career

Last updated June 2026.

Passing the CISSP is the moment a lot of security professionals have spent years working toward. Then the next morning arrives, and the question flips from how do I pass it to what comes next. That is where a surprising number of strong careers stall. Not for lack of ambition, but for lack of a plan.

The instinct is to collect more letters. More certifications, more acronyms after your name, more lines on the resume. I have watched that instinct cost good people real time and money for a return that never arrived. The professionals who pull ahead after the CISSP are not the ones holding the most credentials. They are the ones who chose the right next one on purpose.

Here is how to think about that choice, and the three honest directions it usually points.

Every pilot files a flight plan before takeoff. You pick the destination first, then the heading that gets you there. A stack of certifications with no destination is just fuel burned circling the field.


Pick the Destination Before the Credential

The professionals who get the most out of a second or third certification work backward. They start from the role they actually want in three to five years, then earn the credential that role asks for. The credential follows the goal. It does not replace it.

There is a simple exercise I give people who ask me this. Pull up ten job postings for the title you want next. Read the requirements. The certifications that keep showing up are your shortlist. Those that never appear, no matter how popular they are this quarter, are not your problem to solve. That single hour of reading beats months of studying for the wrong exam.


Three Honest Directions After CISSP

After the CISSP, most careers branch one of three ways. Into leadership, deeper into the technical work, or into a specialty domain the market is paying a premium for. None is better than the others. The right one is the one that matches where you want to be standing in a few years.

🧭 Three Post-CISSP Directions
LEADERSHIP

CISM, ISSMP, CGEIT, PMP. For the move toward security program leadership and the CISO track, where the job is governance, risk, and running people and budgets.

TECHNICAL

OSCP, ISSAP, CompTIA PenTest+, CompTIA SecurityX. For the people who want to stay hands-on and go deeper, not trade the keyboard for a calendar full of meetings.

SPECIALIST

CCSP, AWS and Azure security, ISSEP, CDPSE. For owning a domain the market is short on, cloud security and privacy engineering chief among them.

The Leadership Direction

If your next title has the word manager or director in it, the credentials that matter shift toward governance and business. The CISM from ISACA is the natural pairing with a CISSP, built around security program management and risk rather than technical depth. ISSMP is the ISC2 advanced management credential for the same track. CGEIT speaks to board-level IT governance, and the PMP earns its place here because running a security program is running projects, a skill that rarely gets taught on the technical path. If you are weighing the first move toward management, our breakdown of CISSP versus CISM is a good place to start.

The Technical Direction

Plenty of strong engineers have no interest in management, and the market still pays them well. The OSCP is the offensive credential that earns respect because it is graded on what you can actually break into, not what you can recall. ISSAP covers security architecture for people who design the systems rather than run the team. On the CompTIA track, PenTest+ validates hands-on penetration testing and SecurityX sits at the advanced technical tier for architects and senior engineers. One correction worth making here, because a lot of older guides still get it wrong. ISSAP, ISSEP, and ISSMP used to be CISSP concentrations that required the CISSP first. ISC2 changed that in October 2023. All three are standalone certifications now, with refreshed exams in August 2025, so you can pursue them directly if you have the experience. Our deep dive on ISSAP versus ISSEP versus ISSMP walks through which one fits which role.

The Specialist Direction

Work moved to the cloud, and the talent has not fully caught up, which is why cloud security credentials command a clear premium. The CCSP is the vendor-neutral cloud security certification that pairs cleanly with a CISSP, and the AWS and Azure security specialties add platform-specific depth on top. ISSEP focuses on security engineering and carries real weight in federal and defense work. CDPSE covers privacy engineering, which keeps gaining ground as privacy regulation expands worldwide. If governance and compliance is the direction pulling at you, our roundup of the best certifications for GRC careers maps that lane in detail.


How to Choose Without Guessing

Once you know the direction, four questions separate a smart pick from an expensive one. Run any candidate certification through them before you book an exam.

Does it close a real gap? Compare your current credentials against the postings for your target role. Earn the one that fills the hole, not the one that repeats what your CISSP already proves.

Does your industry value it? Financial services, healthcare, government, and tech reward different credentials. A cert that opens doors in one can be background noise in another.

What is the real cost? Add the exam fee, the study time, and the ongoing maintenance. The upkeep is the part people forget, and it stacks up fast once you hold several certifications at once.

Does it set up the move after this one? The best pick solves the next step and lays groundwork for the step after it, so each credential compounds instead of dead-ending.


The Mistakes That Cost People Years

The same handful of errors trip up smart people again and again. Knowing them in advance is most of the cure.

Collecting for the sake of collecting. A wall of certifications with no through-line tells a hiring manager you like passing exams. It does not tell them what you are for. Depth in a direction beats a scattered pile every time.

Chasing whatever is hot. A trending certification is only valuable if it points the way you are already going. Popular and right for you are two different tests, and only one of them pays off.

Forgetting the upkeep. Every credential carries continuing education and renewal costs. Stack four or five without a plan and you have signed up for a part-time job in maintenance fees and CPE credits. Count that bill before you commit, not after.

🎯 The Move That Matters

The CISSP proved you can think like a security leader across the whole field. What comes next should sharpen that range into a direction, whether that is leadership, deep technical work, or a specialty the market is hungry for. Pick the destination, choose the credential that flies you there, and let each one set up the next. That is how a certification stops being a line on a resume and starts being a career. If you want help mapping that path against where you are now, our look at career opportunities after CISSP lays out where these roads actually lead.


Frequently Asked Questions

What certification should I get after the CISSP?

It depends on your direction. Heading into leadership points to CISM or ISSMP. Staying deeply technical favors OSCP, ISSAP, or the CompTIA PenTest+ and SecurityX track. A specialty move usually means CCSP for cloud or CDPSE for privacy. Whichever lane fits, the right answer is the credential that job postings for your target role keep asking for, not the one trending this quarter.

Is CISM or CISSP better?

They serve different goals rather than competing head to head. The CISSP is broad and technical across eight domains. CISM, from ISACA, focuses on security program management, governance, and risk, which makes it the natural pairing for someone moving toward leadership. Many professionals hold both, and the order depends on where your career is headed.

Are ISSAP, ISSEP, and ISSMP still CISSP concentrations?

No. As of October 2023, ISC2 made all three standalone certifications, so you no longer need the CISSP first if you meet the experience requirements on your own. All three also received refreshed exam outlines in August 2025. If you hold the CISSP you need two years of relevant experience to qualify, and without it you need seven.

Is the CCSP worth it after the CISSP?

For anyone working in or moving toward cloud security, yes. The CCSP is the vendor-neutral cloud security credential from ISC2, and it pairs cleanly with the CISSP because the two share an underlying approach to security. As more workloads move to the cloud, the combination of broad security knowledge plus cloud-specific depth is in real demand.

How many certifications should I have?

Enough to tell a clear story about what you do, and no more. A focused set that lines up with your career direction beats a long list with no through-line. Each credential also carries ongoing renewal and continuing education costs, so more is not automatically better once you account for the upkeep.

Does a second certification actually raise your salary?

It can, but the lift comes from the credential matching a role you are targeting, not from the letters alone. A cert that employers in your field actively ask for can move you into a higher band or unlock a role you could not reach before. One that nobody in your lane requires adds very little, no matter how respected it is elsewhere.

Update note (June 2026): This guide was refreshed to reflect ISC2’s October 2023 change making ISSAP, ISSEP, and ISSMP standalone certifications rather than CISSP concentrations, along with the August 2025 exam outline updates. Earlier versions described those three as requiring the CISSP first, the way many certification guides still do. They no longer do.

Christopher Porter

CEO | Training Camp

Christopher D. Porter is a dynamic marketing executive and visionary leader, celebrated as an early adopter of internet technologies for innovative lead generation strategies. Continuing his career as the CEO of one of the leading IT and Cybersecurity Certification Training companies, he has consistently harnessed digital innovation to drive business growth and market transformation.