LeadershipVendor-neutralEC-Council· issued from US

CCISO

Certified Chief Information Security Officer

Executive leadership — governance, program mgmt, finance, and strategic planning for security.

Official page at EC-Council ↔ Compare with another cert

Exam fee

$999

Ongoing

$0/yr AMF · 40 CPE/yr

Study time

80–160 hrs

Delivery

Online proctored

Validity

3 yrs (renewal cycle)

› Quality score

11.0 / 40

Four-axis SecProve rubric, each 0–10. SecProve editorial assessment — each axis carries a written justification so you can push back on any single call without dismissing the whole score.

Blueprint rigor

How well-defined and rigorous the exam blueprint is.

Five 'domains' but written as marketing prose more than testable objectives. Heavy reliance on essay/application gating.

3.5/10

Practical evidence

Hands-on labs / written reports vs pure MCQ.

No lab. Case-study questions are recognition-style.

1.0/10

Currency & upkeep

How aggressively content is kept current with the field.

EC-Council update cadence is opaque; field-changes filter in slowly.

3.0/10

Market recognition

How often this signal actually moves a hiring decision.

Recognised mostly inside the EC-Council ecosystem; CISSP / CISM dominate the executive signal market. [Holders: 4k, 2024-12] [DoD 8140 listed]

3.5/10

› Market signals

public, citable inputs to the recognition score

Holders worldwide

4,000

as of 2024-12 · source

DoD 8140 baseline

Listed

CSSP-Manager

› Built for these roles

CISO / Deputy CISO (aspirant)Director of SecuritySecurity Program Manager

› Exam format

150 multiple-choice questions over 2.5 hours, English. Application essay required to qualify. Heavy emphasis on case-study scenarios drawn from real CISO programs.

Passing score

72% (scaled)

Retake policy

Fee: $999 per attempt

Wait: 30d between attempts

30-day wait between attempts. EC-Council application + experience verification required before scheduling.

› Recertification

120 EC-Council ECE credits over three years (avg 40/yr). No annual maintenance fee.

› NICE Framework work roles

The NIST NICE work-role IDs this cert maps to. NICCS lookup.

OG-WRL-007OG-WRL-002OG-WRL-014

Recognition

GlobalUS

Exam languages

› Core domains covered

The 2 domains this cert is centrally about. Passing the exam demonstrates working knowledge of each.

A18Security Leadership

Cyber risk quantification, board communication, security program development, budget & ROI.

A1Governance, Risk & Compliance

Risk frameworks (NIST RMF, ISO 31000, FAIR), policy development, audit, regulatory compliance, third-party risk.

› Also touched

Present in the blueprint but not the primary focus — you’ll be introduced but shouldn’t expect depth.

A25Security Architecture & Engineering

Reference architectures, control frameworks (NIST SP 800-53, CIS Controls), secure-by-design patterns, threat modeling, trust-boundary design, technology standards.

C7AI Governance & Risk

EU AI Act compliance, NIST AI RMF, AI risk assessment, model cards, algorithmic auditing, AI incident response.

A12Data Security, Privacy & Protection

Data classification, encryption-at-rest/in-transit, DLP, tokenization, privacy-by-design, plus the regulatory stack (GDPR, CCPA, HIPAA) that sets the bar.