Introduction
When employing any new staff, it is critical that an organisation matches any potential employee with its requirements. In the information security domain, certification programmes add credibility to a practitioner’s experience and training, allowing employers to confidently determine a practitioner’s suitability for a particular position.
This guide focuses on the organisations and programmes providing information security accreditation:
- For individuals comparing certification knowledge areas and requirements, this guide helps students and professionals decide which certifications best match their career goals.
- For organisations, this guide provides information to help small and medium enterprises (SMEs) identify which certifications a professional should hold to successfully perform the organisation’s required duties.
What are Information Security Certifications?
Information security certifications are accreditation programmes organised by a governing body to endorse a candidate’s skill set, knowledge and core understanding of information security topics and technologies. The focus of each security certification varies greatly, from certifications focused on the implementation details of a specific security technology to certifications endorsing a candidate’s holistic knowledge of high-level information security principles and practices.
Certifications are granted after candidates have satisfied a number of requirements, the number and depth of which vary depending on the scope of the certification. All certifications require candidates to pay a fee and pass a testing component, usually in exam or assignment format. Other requirements will often include a minimum amount of experience, completion of a training course, or the holding of prior certifications. Some certifications also have ongoing knowledge development requirements and membership fees.
The information security knowledge required to gain certifications also varies considerably depending on the certification scope. While many certification programmes intend that the knowledge required to achieve accreditation is learnt through professional experience, training programmes to achieve certification are available, with either a formal or informal relationship to the certification organisation itself.
For the purposes of this project, information security certifications have been divided into two (2) main groups: independent certifications, and vendor certifications.
Independent certifications focus on “vendor neutral” security strategies, systems and technologies and are provided by organisations with no vendor affiliation. Rather than certify a practitioner’s ability with specific controls for a given product or product set, vendor neutral certifications endorse a candidate’s understanding of conceptual security knowledge and principles. With a few exceptions, independent certifications do not deal with specific brands or configuration controls for proprietary devices.
Vendor certifications cover a specific proprietary security technology or system, with in-depth knowledge and practice on the configuration and handling of these systems. As such, a wide range of vendor certifications exist, with each focusing on specific security products. The certification testing and examinations for vendor certifications are usually created by the proprietors of the system/technology. These certifications are most valid when a specific system/technology is known to be required by an organisation, and in-depth operational or applied knowledge is necessary to complete the required security tasks of the organisation or business.
About this website
The developers of the guide would like to thank the APEC Telecommunications Working Group (www.apectelwg.org) and the Australian Department of Communications, Information Technology and the Arts (www.dcita.gov.au) for supporting the development of this resource.
Information used in this resource was obtained from sources believed to be reliable. Certifications were catalogued in detail using publicly available information and were mapped objectively to vendor neutral standards. The information is correct at the time of publication; however, SIFT accepts no liability for any errors that may have occurred in the production of this guide. Certification providers may contact SIFT through the related website to request updates to existing certification details or mappings, or to request new certifications be added to the database. For more information see the Providers sections of the related website.