T.I.S.P.: Germany's Answer to the CISSP - and a Missed Opportunity

Since 2004, Germany has had its own answer to the American CISSP: the TeleTrusT Information Security Professional, or T.I.S.P. for short. It is issued by TeleTrusT (Bundesverband IT-Sicherheit e.V.), Germany's IT security association - a competence network spanning industry, public administration, consulting, and academia.

---

The underlying idea was as obvious then as it remains today: US certifications such as the CISSP simply do not reflect European standards, German data protection law, or regulatory requirements. The T.I.S.P. was meant to change that - with a curriculum that treats GDPR, NIS, and IT-Grundschutz not as footnotes but as examinable content.

Key Facts

No Seminar Hotel, No Crash Course

One peculiarity that no product description really makes clear: the five-day preparation course is not a recommendation - it is a prerequisite for admission. Anyone who has not completed it is not permitted to sit the exam in the first place. In practice, this means Monday through Friday of intensive training across all modules, with the exam the following Monday. Only a single weekend separates them.

Anyone who takes this course at the Fraunhofer Institute for Secure Information Technology - one of the accredited training providers - gets something many certification courses do not deliver: instructors who engage with the curriculum both practically and scientifically. No pure exam drill, no detached theoretical sparring. Both.

I have held the T.I.S.P. since 2022. Course at Fraunhofer SIT, examination at that time still administered by TÜV. Anyone who considers the certification a little brother to the CISSP underestimates it. The extreme compression of course and examination into less than two weeks is a strain that the CISSP, in this form, simply does not impose. With the CISSP, you can prepare for months, choose your exam date freely, and reschedule multiple times. The T.I.S.P. is stricter, more uncompromising, and, in its exam situation, plainly harder.

Missed Opportunities

The T.I.S.P. has substance. The quality is real.

But even the best substance is of no use if the certificate is effectively absent from the market. Neither in job postings, nor in requirement profiles, nor in legislation: almost no one knows the T.I.S.P.!

Missed Opportunity No. 1: 20 Years, 2,300 Certified Professionals

After more than two decades, the T.I.S.P. community counts around 2,300 certified professionals. The CISSP has more than 170,000 worldwide. This is not a content problem. It is the result of two decades without serious certification marketing.

Anyone posting a job in information security today writes CISSP or CISM into the requirement profile. Not because they have reviewed the T.I.S.P. and found it wanting, but because they are not aware of it at all.

TeleTrusT has built a functioning association network, a loyal community, an annual community meeting. What is missing is a strategy that carries the T.I.S.P. out of this network and into the market. Certifications are market products. Good content alone is not enough.

Missed Opportunity No. 2: NIS-2 Came and Went

Anyone who wants to understand how certifications truly take effect should look to the United States. The CISSP is anchored in DoD Directive 8140 as a requirement for certain cybersecurity roles within the American Department of Defense. Not as a recommendation. As a mandate! The market follows regulatory requirements. Always.

With the transposition of NIS-2 into German law, a comparable opportunity presented itself. Qualification requirements for security officers in critical infrastructures could have anchored the T.I.S.P. as a reference certification. A European certificate that knows European law, serving as the benchmark for European regulation. The logic would have been there. The lobbying work, evidently, was not.

The opportunity has passed unused.

Conclusion

The T.I.S.P. is not a CISSP clone with a European stamp. It is an independent, substantively strong certification that reflects the regulatory reality of the German market better than its American counterpart does. The training quality, at least with providers such as Fraunhofer SIT, speaks for itself.

What it lacks has nothing to do with the certification itself. What is missing is the organization behind it, actively fighting to keep it relevant. In job postings. In tenders. In legislation.

The CISSP has that. The T.I.S.P. does not yet. Whether it ever will depends on whether TeleTrusT finally understands the T.I.S.P. as a market product rather than continuing to administer it as an association project.

---

Tip: A complete, continuously updated overview of the accreditation status of all common cybersecurity certifications is available at certmap.de.