Cybersecurity Certifications in the Quantum Era: Which Ones Are Actually Preparing You

A practitioner holding a CISSP, a CISM, and a GIAC GSEC in 2026 has credentials that satisfy most employer qualification frameworks, including DoD 8140.03. Put that same practitioner in charge of their organisation's post-quantum cryptography (PQC) migration programme and they will find that none of those credentials tells them how to select between ML-KEM-768 and ML-KEM-1024, how to conduct a cryptographic inventory, or how to calculate harvest-now, decrypt-later (HNDL) exposure across a heterogeneous infrastructure.

This is not a minor gap. NIST published the post-quantum standards in August 2024: ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism, FIPS 203), ML-DSA (Module-Lattice-Based Digital Signature Algorithm, FIPS 204), and SLH-DSA (Stateless Hash-Based Digital Signature Algorithm, FIPS 205). Regulatory deadlines are running. DORA (Regulation EU 2022/2554), which applies to financial entities and their critical ICT providers operating within the EU, began enforcement in January 2025. NSA CNSA 2.0 transition timelines are active for national security systems. The certification landscape has not kept pace with any of it.

What follows is a plain assessment of where each major credential stands, without overstating the gap or understating the progress.

A Taxonomy of Current Coverage

Category 1: Has PQC Content in 2026 (supplementary, not core examination)

ISC2 Quantum Computing Fundamentals (CPE course). ISC2 launched a continuing education course covering quantum computing principles, quantum threats to RSA and ECDH, and introductory PQC concepts. It earns CPE credits toward CISSP and SSCP maintenance. It does not lead to a separate credential. The course provides awareness-level content. A practitioner who completes it will understand why ML-KEM exists. They will not know how to deploy it, how to run a cryptographic inventory, or how to assess HNDL exposure. That distinction matters for anyone making hiring or training decisions based on the credential (ISC2 course catalogue, 2026).

ISACA PQC Playbook 2026 and Journal content. ISACA published a PQC Playbook and a Volume 1 2026 Journal article addressing the governance dimensions of PQC migration: risk management framing, regulatory alignment with DORA and NIS2, and board communication on quantum risk. This is genuine value for CISM and CRISC holders who need to manage migration programmes from a governance perspective. It does not address algorithm selection (FIPS 203/204/205), cryptographic inventory methodology, or implementation architecture. The content is CPE material, not integrated into examination frameworks (ISACA PQC Playbook, 2026; ISACA Journal Vol. 1, 2026).

Category 2: Adjacent Coverage (cryptography domain present; quantum gap within it)

CISSP (ISC2). Domain 3 (Security Architecture and Engineering) includes asymmetric key cryptography, PKI, and key management principles. The 2024 Common Body of Knowledge gives a practitioner the conceptual vocabulary to understand why RSA is quantum-vulnerable and why PQC migration is necessary. It does not name ML-KEM, ML-DSA, or SLH-DSA. It does not cover the HNDL risk assessment, migration roadmap methodology, or the NIST SP 1800-38 four-phase migration framework. A CISSP-holder arrives at a PQC migration engagement knowing the problem framing. They need additional training to specify or deliver the programme (ISC2 CISSP Examination Outline 2024; NIST SP 1800-38A, NCCoE, 2024).

CISM (ISACA). The Risk Management domain provides frameworks applicable to any emerging technology threat, including quantum risk. A CISM-holder can manage a PQC migration programme from a governance perspective and communicate quantum risk to the board. They will need a technical counterpart with specific PQC competency to manage the implementation track (ISACA CISM Exam Content Outline 2025).

CompTIA Security+ SY0-701. Domain 1.4 (Cryptographic Solutions) of SY0-701 (2023) explicitly names "post-quantum cryptography" as an examined topic. This is the most direct PQC reference in any foundational certification currently in circulation. The depth is awareness-level: the examination recognises that classical public-key algorithms are quantum-vulnerable, but does not address algorithm selection, FIPS 203/204/205, or migration methodology. Security+ holders arrive at the conversation knowing PQC exists. The gap between that awareness and deployment competency is where the risk lives (CompTIA Security+ SY0-701 Exam Objectives, 2023; confirm domain carryover if SY0-702 is released).

GIAC GSEC. The cryptography and network security domains include fundamentals of asymmetric cryptography and some quantum threat awareness content in recent revisions. The coverage is awareness-level. GSEC does not address PQC algorithm deployment, ML-KEM/ML-DSA, or migration sequencing (GIAC GSEC Certification Information, 2025-2026).

Category 3: Silent on Quantum

CEH (EC-Council v13) and GIAC GPEN. Both are offensive security credentials focused on penetration testing methodology and exploitation techniques. Neither addresses post-quantum cryptography, HNDL risk, or migration methodology. This is not a design failure. CEH and GPEN are not cryptography credentials. Quantum cryptographic risk is outside their domain in the same way that driver licensing does not cover aviation. A practitioner with either credential needs an entirely separate pathway to address quantum cryptographic risk (EC-Council CEH v13 curriculum; GIAC GPEN Certification Information).

CompTIA CySA+, ISACA CDPSE, ISACA CRISC. CySA+ addresses threat detection and SOC operations. CDPSE covers privacy-focused data engineering. CRISC covers enterprise risk and information systems control. None addresses quantum risk as a named competency. ISACA's PQC Playbook does not integrate into the CDPSE or CRISC examination frameworks.

Category 4: Emerging or Announced

EC-Council Certified Quantum Computing Professional (CQCP). An awareness and conceptual-level programme covering quantum computing principles and introductory PQC concepts. Not a practitioner deployment credential. Positioned appropriately for awareness-building, not for practitioners who need to specify or deliver migration programmes (EC-Council course catalogue, 2026).

GIAC/SANS FOR528 (Quantum Security). Announced. Availability status as of publication requires verification against the current SANS catalogue. If live, its scope and qualification level should be reviewed before treating it as a practitioner credential for PQC migration work.

Three Misconceptions That Lead Practitioners and Hiring Managers Astray

"CISSP covers cryptography, so the quantum piece is covered." CISSP Domain 3 gives you the conceptual framework. The gap between understanding that elliptic curve cryptography is quantum-vulnerable and knowing how to migrate a PKI infrastructure to ML-DSA is the work of an entire programme. Understanding the problem is not the same as having the competency to solve it. In every PQC migration engagement I have worked on, a CISSP-holder who has not had additional quantum-specific training can define the risk accurately but cannot sequence the remediation independently.

"ISC2 released a quantum course, so ISC2 is handling this." ISC2 published a CPE continuing education course. You cannot sit an examination that tests your ability to specify a hybrid PQC deployment scheme, select between ML-KEM parameter sets, or complete a cryptographic inventory methodology. CPE credit and certification are different things. The course is a useful awareness step. It is not a qualification.

"Wait until certifications catch up." This is the operationally consequential misconception. Regulatory frameworks including DORA (EU financial sector ICT risk management), NSA CNSA 2.0 (US national security systems), and NIS2 (EU critical infrastructure) create operational urgency that outpaces certification update cycles. NIS2's transposition deadline was October 2024, though national implementation varies across EU Member States (DORA, Regulation EU 2022/2554; NSA CNSA 2.0, September 2022; NIS2 Directive 2022/2555). There is no regulatory provision that pauses compliance deadlines while certification bodies update their examination frameworks. Organisations subject to these requirements cannot defer the competency gap until ISC2, ISACA, or CompTIA update their bodies of knowledge. The gap between the regulatory timeline and the certification update cycle is the risk itself.

What This Means for Hiring Managers and Procurement Teams

A hiring manager screening for a "PQC migration lead" using DoD 8140.03 qualification requirements will find that no combination of currently required certifications guarantees the competency they actually need. As of mid-2026, no major vendor-neutral certification offers a full professional-level PQC deployment credential. As of the November 2023 manual and available addenda, DoD 8140.03 does not specify quantum-readiness competencies as a distinct qualification category; the manual references CISSP, CISM, CEH, CompTIA Security+, and GIAC credentials for workforce qualification (DoD 8140.03, November 2023).

For procurement and supply chain compliance teams, the same logic applies. A contractor holding CISSP and CISM satisfies DoD 8140.03 qualification requirements. That does not mean they can run a PQC migration programme. The qualification framework has not caught up with the skill requirement. Organisations cannot shortcut the identification of PQC-competent practitioners by looking at credential lists. They need to assess actual knowledge of FIPS 203/204/205, migration methodology, and HNDL risk assessment directly.

Where This Leaves the Practitioner

The certification bodies are moving in the right direction. ISACA's PQC Playbook and ISC2's CPE course represent genuine acknowledgement of the gap. CompTIA naming post-quantum cryptography in Security+ SY0-701 is a signal that the ecosystem is responding. The direction is correct. The pace does not align with regulatory enforcement timelines that are already running.

A practical starting point for gauging your own gaps is the PQC Readiness Checklist, which maps competency requirements against the FIPS 203/204/205 migration lifecycle. For practitioners who need the competency now, the path is not waiting for examination framework updates. It is supplementing existing credentials with a programme that actually covers FIPS 203/204/205, cryptographic inventory methodology, and HNDL risk assessment at practitioner depth. QSECDEF's certificated training programme covers this material at the depth required for practitioners deploying migration programmes, not at awareness level. It is the natural complement to the governance and management competencies that CISSP and CISM provide. QSECDEF professional membership provides access to the full training curriculum alongside the practitioner community working through the same problems.


Steven Vaile is Director at Quantum Security Defence. He advises organisations on post-quantum cryptography readiness, cryptographic migration planning, and quantum threat assessment. He is a regular speaker at international quantum security events.
