Clar Rosso and Casey Marks in the Inside ISC2 webinar, as shown on a mobile deviceClar Rosso, ISC2 CEO and Casey Marks, Chief Product Officer and VP, ISC2 tecently hosted the latest in our new Inside ISC2 webinar seriesa quarterly series designed to give members a glimpse of the latest developments from inside the association, as well as an opportunity to ask questions. The March 23 session included milestones from the first quarter, as well as a deep dive into ISC2's process for developing exams and certifications.

Q1 Recap

Rosso kicked off the discussion with a recap of the association’s response to the pandemic, and its transition to online learning. Recognizing that 2021 still means travel restrictions for most people, (ISC)² is increasing its free online courses and increasing its webinar program by 40%, as well as introducing a hybrid, virtual and in-person, ISC2 Security Congress in October 2021. More than 27% of members enrolled in online, on-demand courses in the last two years since they first became available, and almost 300,000 CPE credits were issued. The association also rolled out its first Spanish-translation course in 2020 and plans to introduce additional translated courses throughout 2021.

To drive member value, the association also established a Global Diversity, Equity and Inclusion initiative, a new Member Communications team and is re-examining and enhancing how it engages with local chapters and academic institutions.

The Five Stages of ISC2's Exam Development Cycle

Marks then offered a detailed look into why and how ISC2 routinely updates its credential exams so that they remain “current and challenging, but not tricky.” The rigorous, methodical process applies to all nine of the organization’s certification exams, takes 15 months at minimum and consists of five main stages including job task analysis, item mapping, item writing, standard setting and publishing.

“Our exams are not developed in an ivory tower, or only by ISC2   staff," said Marks. “They are developed by you, the practitioners, to reflect the dynamics and changing issues that you see every day out in the field.”

ISC2 certifications are mature, ranging from five years old up to 30 years old, and exams refresh every three years to reflect the most pertinent issues professionals face, unless there has been a shift significant enough to speed up the cycle.

The first phase of the cycle is a 6-to-9-month process called the Job Task Analysis (JTA). The JTA is derived from input and feedback from ISC2 members who understand the dynamic, real-world changes to the cybersecurity landscape.

“Our exams are not designed to be ‘bleeding edge,’ but cutting edge. We want to give every candidate an opportunity to respond to exam items effectively and correctly,” added Marks.

After JTA, the next phases in the cycle are Item Mapping (2 to 3 months) and Item Writing (4 to 6 months) where ISC2 maps the actual current job tasks performed by certified members to the content of each credentialing exam and the CPE credits required to maintain certification. The association also ensures that the topics covered by exams align with the Common Body of Knowledge (CBK) which is a comprehensive framework of all the relevant subjects a security professional should be familiar with, including skills, techniques and best practices. This is done through group workshops and surveys, where members are asked to weigh in on activities that security professionals should be doing.

A detailed content outline (DCO) is then shared with the general public including ISC2 education group and then the process progresses to the standard setting and publishing phases.

“We are always holistically assessing our portfolio,” said Marks. “We look at generalist and specific roles-based and specialized needs. We always ask: Do we tackle this content currently? Would a security professional be expected to know these things? Then we take all that information in, and do a gap analysis. Is this covered and how is it covered? Can we offer it through PDI? It’s an ongoing process.”

When asked about the status of the pilot online proctoring program for ISC2 certification exams, Rosso explained that the organization wants to “make all of our exams and certifications as accessible in the marketplace,” but that it’s extremely “important to retain the integrity, security and quality of our programs.” The organization will review the pilot test results of 1500 exams administered in February, and see what they show to determine what the path forward is. Responding to a similar question about computerized adaptive testing, Marks noted that ISC2 is building robust item banks and hopes to be able to offer more in the future.

Chart demonstrating ISC2 Exam Development Cycle

Getting Involved

When asked how members could get more involved in the process, Marks stated, “Exams don’t happen without you. Our staff facilitates and guides, but we do have opportunities for all of our credential holders to get involved in exam development workshops, item writing sessions, special interest surveys as well as volunteering with events or speaking.” Rosso reminded members that volunteering fulfills CPE credits and is “a great way to give back.”

Interested members can learn more about exam development on our website (member login required) at or by emailing