List of Security Certifications

In a previous post I talked about the value of certifications in the information security industry. As a result of that post a number of people asked me what certifications are available. Luckily I previously compiled a list of certifications for a study group run by ENISA (the European Network and Information Security Agency). So if you are looking to get certified in the information security field, please find below a list of available certifications and where you can get more information. Note that the list has been categorised into three sections:

  1. Knowledge Based – Certifying an individual's knowledge and skills
  2. Organisational Based – Certifying that an organisation has reached certain standards
  3. Product Based – Certifying that a product or system has been accredited to a certain standard

If there are more certifications that are relevant and not included, or if any of the links are incorrect, please let me know by posting a comment.

Knowledge Based

Computer Associates
Computer Associates Certified eTrust Specialist (CACES)

Computer Security Incident Handler (CSIH)

Cisco Certified Security Professional (CCSP)
Cisco Advanced Security Field Specialist
Cisco Firewall Specialist
Cisco IPS Specialist
Cisco Security Sales Specialist
Cisco Security Solutions and Design Specialist
Cisco VPN Specialist
Cisco VPN/Security Sales Specialist

Certified Internet Web
CIW Security Analyst
CIW Security Professional

CompTIA Security+

Global Information Assurance Certification (SANS)
GIAC, various
GIAC Security Essentials Certification (GSEC)

GIAC Certified Firewall Analyst (GCFW)
GIAC Certified Intrusion Analyst (GCIA)
GIAC Certified Incident Handler (GCIH)
GIAC Certified Windows Security Administrator (GCWN)

GIAC Certified UNIX Security Administrator (GCUX)
GIAC Information Security Officer (GISO)
GIAC Systems and Network Auditor (GSNA)
GIAC Security Leadership Certificate (GSLC)
GIAC IT Security Audit Essentials (GSAE)
GIAC Gold Standard Certificate (GGSC-0100)

Information Systems Audit and Control Association (ISACA)
Certified Information System Auditor (CISA)
Certified Information Security Manager (CISM)

International Information Systems Security Certification Consortium (ISC2)
Certified Information Systems Security Professional (CISSP)
Systems Security Certified Practitioner (SSCP)
Certification and Accreditation Professional

CISSP Concentrations
ISSEP®: Information Systems Security Engineering Professional
ISSAP®: Information Systems Security Architecture Professional
ISSMP®: Information Systems Security Management Professional

International Organisation for Standardisation
ISO 27001:2005- Lead Auditor Course

Microsoft Certified Systems Engineer: Security (MCSE: Security)

Ethical Hacker
Computer Hacking Forensic Investigator
Licensed Penetration Tester
Certified Network Defence Architect
Network Security Administrator

Certified Security Analyst
Certified Secure Programmer and Certified Secure Application Developer

Security 5

Disaster Recovery Institute International
Associate Business Continuity Professional
Certified Functional Continuity Professional
Certified Business Continuity Professional
Master Business Continuity Professional

The International Society of Forensic Computer Examiners
Certified Computer Examiner

Critical Infrastructure Institute
PCIP (Professional in Critical Infrastructure Protection)

Security University
Security University Software Security Engineer Certification

The Association of Certified Fraud Examiners
Certified Fraud Examiner
Certified Security Compliance Specialist

Learning Tree
Network Security Certified Professional
Enterprise and Web Security Certified Professional

High Tech Crime Network
Certified Computer Crime Investigator [Advanced]
Certified Computer Crime Investigator [Basic]
Certified Computer Forensic Technician [Basic]
Certified Computer Forensic Technician [Advanced]

Espionage Research Institute
Certified Counterespionage & Information Security Manager

Certified Electronic Evidence Collection Specialist Certification
Certified Forensic Computer Examiner Certification

eBusiness Process Solutions
Certified Cyber-Crime Expert (C3E)

Cyber Enforcement Resources Inc.
Basic Internet Investigation
Intermediate Internet Investigation

Advanced Internet Investigation

Cyber Security Institute
CyberSecurity Forensic Analyst (CSFA)
CyberSecurity Institute Certified Instructor (CSICI)

Field Certified™ Security Specialist (FCSS™)

Security Certified Program
Security Certified Network Professional (SCNP)
Security Certified Network Architect (SCNA)

Security for Business (S4B)
SCNP — Security Certified Network Professional
SCNA — Security Certified Network Architect

The CWSP® (Certified Wireless Security Professional) certification

SPS – Symantec Product Specialist
STA – Symantec Technology Architect

SCSE – Symantec Certified Security Engineer
SCSP – Symantec Certified Security Practitioner

RSA Certified Security Professional
RSA SecurID Certified Administrator (RSA SecurID CA)
RSA Certified Instructor (RSA/CI)

RSA Certified Systems Engineer (RSA/CSE)

TICSA Professional Certification


MCSE: Security on Microsoft Windows Server 2003
MCSA: Security on Microsoft Windows Server 2003

ITIL Certifications for Individuals
ITIL Foundation Level Certification
ITIL Practitioner Level Certification
ITIL Management Level Certification

Technology/Product Certification

Verified By Visa, Payment Card Industry (PCI) Data Security Standard


American Institute of Certified Public Accountants (AICPA)
SysTrust, WebTrust


BITS Financial Services Roundtable
BITS Products Certification (based on CC)

ITSEC JIL (joint interpretation library)
CC (ISO 15408); CCEVS (US)

Certified Senders Alliance

Trust Site Seal, Verified Domain, GeoCode

ICSA Labs Product Certification

Institute of Electrical and Electronic Engineers (IEEE)
Wireless security standards, 802.1X

Internet Engineering Task Force (IETF)
Public-Key Infrastructure Exchange (PKIX), Public Key Cryptography Standards (PKCS)

NSS Labs
NSS Approved, NSS Gold, NSS Tested

SiteAdvisor (automatic website rating)

various; see link (note site is in German)


VeriSign Secured Seal

Virus Bulletin
VB100% award

International Telecommunication Union (ITU)

Center for Internet Security
CIS Certified Security Software Products

Enterprise Certification
Business partner Certification

Application Certification
Perimeter Certification

Organisational Certifications

American Society for Industrial Security (ASIS)
CPP — Certified Protection Professional

Bundesamt für Sicherheit in der Informationstechnik (BSI)

Prosoft Learning Corporation
CIW Security Analyst

International Organisation for Standardisation (ISO)
ISO27001, ISO 13335, ISO17799
ISO 20000 IT Service Management Standard (has controls for security and business continuity)
ISO/TR 13569:2005 – Financial services — Information security guidelines

Information Systems Security Association (ISSA)
Generally Accepted Information Security Principles (GAISP)

International Systems Security Engineering Association (ISSEA)
Systems Security Engineering Capability Maturity Model (SSE-CMM) = ISO 21827

ITIL Security Management
Note that organisations cannot be certified against ITIL, as ITIL is not a standard but a framework.

National Institute of Standards and Technology (NIST)
NIST 800-53, NIST 800-40, 800-14
NIST Special Publication 800-37 – Guide for the Security Certification and Accreditation of Federal Information Systems

Security Certified Program

Information Security Forum (ISF)
Standard of Good Practice for Information Security

Chartered Accountants of Canada (CICA)
ITCG: Information Technology: Control Guidelines 1998

ITSEC or Common Criteria formal evaluation and certification
CLAS and the ITPC Qualification

Webtrust, Systrust


  1. […] For a list of other security standards and certifications check out our earlier posting on the List of Security Certifications. […]

  2. […] You can then look at other certifications once you feel more confident. Now I am not one that gets all excited about certifications as I believe that it in someone’s ability to deliver on the technology rather than being able to pass an exam. But certifications do give you some credibility, especially with those tasked with hiring consultants/contractors as all they want is someone who fits a certain profile. I explain more of my thoughts on certification schemes and I also compiled a list of all the certifications relating to security that I could find. […]

  3. maverick says:

    I was looking through the “product/technology certification” section. We are an early stage start-up, evaluating whether we should certify our product.

    I could not find pricing information readily available on any of the websites, except CIS Security which has a Certification Membership fee of $15,000.

    Would you be able to give me a very ballpark estimate on this? The product we are looking to get certified is a mobile phone based solution for two factor authentication.

    Any help/advice would be greatly appreciated.

  4. Brian Honan says:

    Hi Maverick

    Getting a product certified can be a very expensive and tricky process. I do not have any data on costs to hand, perhaps others reading the Blog may be able to help?

    However, as someone that evaluates security products and services for customers I often take claims of certification with a pinch of salt. If someone claims to be certified I make an assessment on:
    (a) How reputable that certification is within the industry
    (b) What the scope, or within what parameters, was the certification granted
    (c) Do those parameters still remain relevant to the product or service I am now looking at?

    The problem with product certification is the certification process itself can take a long time and is done only against the configuration used by the certifying body. This same configuration may not be the one I use on my production systems so therefore the certification is not relevant to me anymore. Also due to the time taken to get certification, the version of the software/hardware/service I am using may be a later one and not the same one that was certified.

    So I would advise your company to review what value you would get from getting your product certified.
    Do your customers require that your product is certified? If so, what standards are important to your customers?
    Do the returns justify the cost involved in getting certified?
    What additional overhead will be required from your company with regards to resources having to provide various documentation etc.?
    And finally how relevant will the certification be for your product and how can you ensure that the certification remains relevant to the product that you are using?

    Sometimes better returns can be spent on ensuring your product meets your customers’ requirements and getting solid references that you can use for other customers.

    I hope that helped, if not please feel free to contact me at brian(dot)honan(at)bhconsulting(dot)ie


  5. Spy Guy says:

    You missed several certifications that we offer plus three certifications from the Technolytics Institute that I hold.

    We offer certificate programs in Cyber Warfare, Enterprise Risk Management, and 17 other programs plus we offer a design your own certificate program.

    I have the following three certifications from Technolytics.

    Certified Physical and Information Security Consultant

    Certified Physical and Information Security Management

    Certified Chief Security Officer

  6. çeviri says:

    Nice article. Thanks for the addresses.

  7. […] The full report is available on ENISA’s website. If you look in the reference section you will see they refer to this blog and my post, which was developed as the result of the workshop in November ‘07, listing the various information security certification schemes that are available. […]
