Which Cybersecurity Certification Should You Take First? A 2026 Roadmap

11 min read · 13 Jun 2026

Not every cybersecurity certification is the right next step for you. The five most recognised credentials - CompTIA Security+, CISA, CISM, CISSP, and CRISC - span entry-level generalist to senior professional, and picking the wrong order costs you time, money, and exam sittings. This roadmap maps each cert to a role and tells you which one to study for right now.

Start with Security+ if you are new to the field; go straight to CISA, CISM, or CRISC if you already have a defined role in audit, management, or risk.

The Five Certs at a Glance

Before choosing a path, it helps to see all five credentials side by side. CompTIA Security+ (SY0-701) is the entry point: up to 90 questions in 90 minutes, a pass mark of 750 out of 900, and an exam fee of $425 USD. It uses multiple-choice and performance-based questions delivered at a Pearson VUE centre or online.

The three ISACA professional credentials share the same basic exam structure: 150 questions, four hours, and a pass mark of 450 out of 800, delivered by computer at PSI testing centres or online. Where they differ is cost and domain focus. CISA (Certified Information Systems Auditor) costs $575 USD and covers audit process, IT governance, systems acquisition, operations, and protection of information assets - five domains in total. CISM (Certified Information Security Manager) costs $760 USD and concentrates on four domains: information security governance, risk management, security programme management, and incident management, with Programme Management carrying the largest weight at 33%. CRISC (Certified in Risk and Information Systems Control) also costs $760 USD and maps to four domains: Governance (26%), Risk Assessment (22%), Risk Response and Reporting (32%), and Information Technology and Security (20%).

CISSP (Certified Information Systems Security Professional) from (ISC)2 stands apart in format. It uses Computerised Adaptive Testing (CAT): between 100 and 150 questions in three hours, with a pass mark of 700 out of 1000. The exam costs $749 USD and spans eight domains, from Security and Risk Management through Software Development Security, making it the broadest of the five by scope.

Who Each Certification Is For

Security+ is the right starting point for anyone entering cybersecurity without a specialisation locked in. It suits SOC analysts, IT generalists moving into security, helpdesk professionals seeking to formalise their skills, and anyone who needs a vendor-neutral baseline to satisfy a government or contractor requirement. The five domains - General Security Concepts, Threats and Mitigations, Security Architecture, Security Operations, and Security Programme Management - cover the breadth a generalist needs before committing to a lane.

CISA is built for the IS auditor. If your job involves reviewing controls, assessing IT governance, testing system implementations, or producing audit reports, CISA is the credential your employers and regulators recognise. Its heaviest domains are Information Systems Operations and Business Resilience (26%) and Protection of Information Assets (26%), which mirrors the work of someone who spends their day evaluating whether controls are actually working rather than designing them.

CISM targets the security manager or aspiring CISO - someone who needs to govern a security programme, manage risk at an organisational level, set policy, and lead incident response. The Incident Management domain carries a 30% weight, and the Security Programme domain carries 33%, which signals clearly that this is a practitioner exam for people building and running programmes, not configuring firewalls.

CRISC is purpose-built for the IT risk practitioner. It fits risk analysts, risk managers, and compliance officers whose job is to identify IT risk, design and monitor controls, and report risk posture to governance bodies. The 32% weight on Risk Response and Reporting, and the 26% on Governance, reflects a role that sits between the audit function and the security programme - translating risk findings into board-level decisions.

CISSP is the credential for senior security architects, security directors, and professionals who need to demonstrate mastery across all eight security domains. Its eight-domain structure, spanning everything from cryptographic theory to software development security to physical facility design, makes it appropriate for people who oversee the entire security posture of an organisation rather than owning one part of it. (ISC)2 requires five years of cumulative paid work experience in two or more CISSP domains before you can earn the full certification, making it a professional milestone rather than an entry point.

How Each Exam Thinks

Understanding how each exam is constructed changes how you study. Security+ tests scenario application: you will be asked to choose the right control for a given situation, identify an indicator of compromise, or select the appropriate architecture for a deployment. Performance-based questions, which appear alongside multiple-choice items, may ask you to configure a simulated network or match threat actors to their characteristics. Recall alone does not pass this exam.

CISA, CISM, and CRISC all use multiple-choice questions, but they are not straightforward recall questions. ISACA exams are known for presenting scenarios where multiple answers seem defensible, and the correct answer is the one that best fits what a competent professional would do first, or which option is most aligned with a risk-based approach. CISA questions lean toward audit methodology and evidence: given a finding, what is the auditor's most appropriate action? CISM questions lean toward the managerial perspective: given an incident or a governance gap, what should the security manager prioritise? CRISC questions consistently return to risk quantification and treatment: which option reduces risk most cost-effectively within the organisation's risk appetite?

CISSP is the most cognitively demanding of the five. The CAT format means the exam adapts to your demonstrated ability, serving harder questions as you answer correctly. Questions often present four plausible answers, and the correct one requires synthesising knowledge across domains - a question that looks like it is about access control may actually hinge on a risk management principle. The exam rewards candidates who think like a manager making risk-informed decisions, not like a technician recalling protocol specifications.

Pick Your First Cert: A Decision Path

The question to ask yourself is not which cert looks best on paper, but which one matches your current role and your next job target.

If you are new to cybersecurity - fewer than two years of direct security work, or coming from a general IT background - take Security+ first. It is the most widely recognised entry-level credential, it builds the vocabulary and conceptual foundation that every other certification assumes you have, and the $425 exam fee is the lowest of the five. Do not skip it to chase a professional-level cert. CISA, CISM, CRISC, and CISSP are all built for practitioners who already understand basic security concepts and can apply them in a workplace context.

If you are already working in IS audit, internal audit, or IT compliance and you have at least one to two years in that function, go directly to CISA. You do not need Security+ first - CISA is the credential your hiring managers and clients are asking for, and your audit work already covers the practical experience the certification validates. ISACA requires that CISA candidates verify five years of IS audit, control, or security work experience after passing to achieve the full certification, but you can sit the exam before that experience is complete.

If your role is in security management, policy development, or you are targeting a CISO position, CISM is your path. Again, prior experience in information security is assumed; you should have substance to draw on when the exam asks what a manager would do first. ISACA requires five years of information security work experience for the full CISM certification, with at least three of those years in information security management.

If you work specifically on risk identification, control monitoring, or IT governance, and your deliverables go to boards and risk committees, CRISC fits your role more precisely than CISM. CRISC requires three years of cumulative work experience across at least two of the four CRISC domains for full certification. The 2025 job practice version, effective November 2025, is the current exam.

If you are a senior practitioner with broad security responsibilities - you architect security programmes, lead diverse technical teams, and are accountable for security across the whole organisation - and you have the five years of qualifying experience, CISSP is the appropriate next credential. Some candidates pursue CISSP before CISM or CISA because of its broad scope, but CISM and CRISC provide deeper domain specialisation in management and risk respectively.

The Certification Tiers Mapped to Roles

Thinking of these five credentials as a tiered roadmap makes the sequencing clearer.

At the foundation tier sits Security+ (SY0-701). Target roles: SOC analyst, junior security engineer, IT generalist moving into security, government or defence contractor requiring a baseline credential. Average study time varies by background, but candidates with general IT experience typically need several months of focused preparation.

At the professional tier sit CISA, CISM, CRISC, and CISSP. Each serves a distinct function. CISA is the auditor's credential. CISM is the security manager's credential. CRISC is the risk practitioner's credential. CISSP is the senior architect's and security director's credential.

These professional-level certs are not rigidly sequential with each other - a CISA holder pursuing a management role would move to CISM; a risk analyst without a prior cert could go directly to CRISC without ever sitting Security+. The important constraint is not the order between professional certs but the experience requirement. You need verifiable, relevant work experience to earn the full credential in each case, which means you cannot credential-stack your way to CISSP straight out of a bootcamp.

One practical note on cost: the professional-level certs carry ongoing annual maintenance fees (CPE requirements and annual fees to ISACA or ISC2) in addition to the sitting cost. Factor these into your multi-year planning. CISSP requires 120 CPE credits over three years; CISA, CISM, and CRISC each require 120 CPE hours over three years as well.

Why Exam-Style Practice Matters More Than Memorisation

All five of these exams test application and judgement, not recall. A candidate who has memorised every domain objective can still fail CISM or CRISC if they have not practised reading a scenario and identifying the best course of action from four defensible options. The gap between knowing what a concept is and knowing which concept applies in a given situation is where most candidates lose marks.

The most effective preparation combines studying the official content outline against the blueprint domains, then working through large numbers of realistic practice questions under timed conditions. For Security+, performance-based questions are part of the live exam, so practising with items that mirror that format is not optional. For ISACA exams, practising with scenario-driven questions that require you to reason through the manager's or auditor's perspective - rather than simply identify a definition - reflects what the exam actually demands.

A quality practice question is not just a correct answer with a brief note attached. It should explain why the right answer is correct and, critically, why each wrong answer is wrong. Understanding why the distractor is wrong closes the conceptual gaps that cost marks. When you can explain why option B is weaker than option A, you are reasoning the way the exam expects, not just pattern-matching. That kind of worked explanation on every question, including the ones you get right, is the difference between a candidate who passes comfortably and one who scrapes through or sits again.

Frequently asked questions

Do I need Security+ before attempting CISA, CISM, CISSP, or CRISC?

No. Security+ is an entry-level cert aimed at generalists and early-career practitioners. CISA, CISM, CRISC, and CISSP each assume security or audit work experience, not a prior certification. If you already work in IS audit, risk management, or security management, go directly to the professional-level credential that matches your role.

Which of these exams is the hardest?

Difficulty is relative to your background. CISSP has the broadest scope - eight domains, a CAT format that adapts to your ability, and questions that require synthesising knowledge across multiple areas. ISACA exams (CISA, CISM, CRISC) are widely regarded as tricky because most questions have multiple plausible answers and reward the risk-based reasoning of an experienced practitioner rather than recall. Security+ is more approachable but still requires applied thinking, particularly on performance-based items.

How much work experience do I need for each certification?

Security+ has no mandatory experience requirement. CISA requires five years of IS audit, control, or security work experience to receive the full certification (you can sit the exam first). CISM requires five years of information security work experience, with at least three of those years in information security management. CRISC requires three years of cumulative work experience across at least two of the four CRISC domains. CISSP requires five years of cumulative paid work experience in at least two of its eight domains.

Should a risk manager take CRISC or CISM?

If your primary function is identifying IT risk, designing controls, and reporting risk posture to governance bodies, CRISC is the more precise fit. CISM is suited to security managers building and running a broader security programme. Some risk managers hold both, but if you are choosing one first, let your actual job description decide.

What does CISSP cost and how long is the exam?

The CISSP exam costs $749 USD. It uses Computerised Adaptive Testing: between 100 and 150 questions delivered in three hours. The pass mark is 700 out of 1000. It is delivered at ISC2 Authorised Pearson VUE Testing Centres.

Can I take CISA and CISM, or are they mutually exclusive?

They are separate credentials and many practitioners hold both. CISA validates IS audit competency; CISM validates security management competency. Audit managers and senior security practitioners who straddle both functions often find value in holding both, though the combined maintenance requirements are significant.

Examworthy is not affiliated with or endorsed by CompTIA, ISACA or (ISC)2. This article is original commentary based on public exam blueprints and published sources. We never reproduce live exam items. All certification names and marks belong to their respective owners.