ISC2 Privacy Policy

Last Modified: August 15, 2023

ISC2 (“We”) respect your privacy and are committed to protecting it through our compliance with this policy.
This policy describes the type of information we may collect from you or that you may provide when you visit the website www.isc2.org (our “Website”) and our practices for collecting, using, maintaining, protecting and disclosing that information.
This policy applies to information we collect:

  • On this Website
  • In email, text, and other electronic messages between you and this Website.
  • From your registration for an ISC2 examination through Pearson VUE
  • When you interact with our advertising and applications on third-party websites and services if those applications or advertising include links to this policy.

It does not apply to information collected by:

  • Us offline or through any other means, including on any other website operated by ISC2 or any third party; or
  • Any third party (including affiliates) including through any application or content (including advertising) that may link to or be accessible from the Website.

Please read this policy carefully to understand our policies and practices regarding your information and how we will treat it. If you do not agree with our policies and practices, your choice is not to use our Website. By accessing or using this Website, you agree to this policy. This policy may change from time to time (see Changes to Our Privacy Policy). Your continued use of this Website after we make changes is deemed to be acceptance of those changes, so please check the policy periodically for updates.

Information We Collect About You and How We Collect It
We collect several types of information from and about users of our Website, including information:

  • By which you may be personally identified, such as name, postal address, email address, telephone number, place of employment, gender, date of birth, or any other identifier by which you may be contacted online or offline ("personal information"); and
  • That is about you but individually does not identify you, such as IP address, browser type, operating system, top viewed and visited pages and links from our Website, top entry and exit points, number of form completions, time spent on pages, top downloads, top keywords used offsite to lead customers to our Website, information collected via cookies, and other information such as system activity, crashes, and hardware settings (“usage data”). Generally, we do not consider usage data as personal information because usage data by itself usually does not identify an individual. Personal information and usage data may be linked together. Different types of usage data may also be linked together and once linked, may identify an individual person. Also, some usage data may be personal information under applicable law; and
  • That you publish or display (hereinafter, "posted") on public areas of the Website or transmit to other users of the Website or third parties (“user contributions”).
  • About your internet connection, the equipment you use to access our Website, and usage details.

You provide data to us when you engage ISC2 or its Website. Such activities may include, but are not limited to:

  • Sign up to become a Candidate or become a registered user on the site;
  • Join as an ISC2 certification holder;
  • Register for virtual, in-person events, or conferences;
  • Download our publications or materials which are offered for free;
  • Register for a certificate or certification exam;
  • Contact Sales or Member Support, or provide information to us relating to our services; 
  • Submit a review or file an ethics complaint against a member; 
  • Fill out a form or have a badge scanned at an ISC2 booth at an event;
  • Complete training or other services with a business partner or third-party provider of ISC2 authorized services; and
  • Send other communications to ISC2.

How We Process Your Information
We use the personal information that we collect to operate, improve, and personalize the Website and services, including but not limited to member services and customer services, to customize our advertising and marketing, and to detect, prevent and mitigate fraudulent or illegal activities. You agree that we may use your personal information as follows:

  • to provide services to you;
  • to fulfil any other purpose for which you provided it;
  • to operate, improve and personalize the products and services we offer, and to give each user a more consistent and personalized experience when interacting with us;
  • for customer service, security, to detect fraud or illegal activities, and for archival and backup purposes in connection with the provision of the services;
  • to verify your certification status with ISC2
  • to communicate with you, either via email, telephone, text (SMS) messages (if applicable based on your consent), postal mail, or otherwise as authorized by you to inform you about the services, special offers, etc. Message and data rates may apply.
  • to better understand how users access and use the website and services, for the purposes of trying to improve the Website and services and to respond to user preferences, including language and location customization, personalized help and instructions, or other responses to users' usage of the services;
  • to help us develop our new products and services and improve our existing products and services;
  • to provide users with advertising and direct marketing that is more relevant to you;
  • to enforce our Website Access Policy or other applicable policies; and
  • to assess the effectiveness of and improve advertising and other marketing and promotional activities on or in connection with the services.
  • for any other purpose with your consent.

Personal information you provide depends on how you interact with ISC2:

A. Membership and Account Creation

When you become a member or create an account on our Website, we collect information including, but not limited to, your first name, last name, email, phone, mailing address, billing address, and employment information (including employer and title).   We process your information for customer and membership administration to deliver or notify you of member benefits, inform you of ISC2 events, request participation in surveys related to the cybersecurity industry, and other activities or opportunities associated with your ISC2 account.

We also ask members to voluntarily provide additional information, such as demographic data and other related personal information.  We may use this information to understand our members’ needs and interests to better tailor our products and services to meet your needs.

We rely on fulfilment of contract as the lawful basis for processing your membership and account data.

B. Exam Registration and Results

When you register for an ISC2 exam, we collect information including, but not limited to, name, address (including city, state, country), employer, position, date of birth, demographic information (including ethnicity, gender, language), educational training program, educational background, and data around your need for the certification.  This data must match details that can be provided on a government issued ID as detailed in our exam day procedures.  ISC2 may also collect information pertaining to any special accommodations you may request.  Once submitted, this information will be shared with the ISC2 exam provider.  At the exam center, the ISC2 exam provider will collect additional information from exam candidates, including photographs and palm vein pattern. ISC2’s exam providers use this information to verify your identity and for exam security and fraud purposes.  The ISC2 exam provider is the data controller of that information, and it is not shared with ISC2. After your exam, ISC2 will collect your exam results and will conduct a forensics analysis of each exam. 

We rely on fulfilment of contract as the lawful basis for processing your exam data.

C. Training

If you participate in ISC2 training, you may sign up directly through our Website, in which case we collect the same information that is detailed in section A [Membership and Account Creation]. You may, alternatively, sign up for training – or be signed up for training – by or through a third party such as one of our Official Training Partners, or your own employer. You may also request information on training offers, whether ISC2 training or through a third-party provider.  We may use independent contractors to conduct the training and third parties to provide the training venue. Your personal information will be stored and may also be shared with our training partners, trainers, and/or the venue hosting the event. ISC2’s agreement with our Official Training Partners prohibits them from sharing your information other than to provide you with ISC2 products and services. 

We rely on fulfillment of contract as the lawful basis for processing your training data. We also rely on legitimate interest to process your request for information on training offers.   

D. Virtual and In-Person Events

If you register for an event and you already have an account, we will access the personal information in your account to provide you with information and services associated with the event. We may also ask for additional demographic information during the registration process.

In some cases, ISC2 may partner with a provider to host ISC2 events.  In such a case, we may ask you to sign up for one of our events and we will collect the following information: name, email, company, position, industry, address, phone number, meal preferences and other relevant information.  We use this information for badge printing, tracking your CPE credits, tailoring sessions to our audience needs, and related purposes connected with the event.  We also use the information for billing purposes if you do not pay at the time of registration.

We rely on fulfillment of contract as the lawful basis for processing your personal information in relation to events and conferences.

E. Communications

ISC2 processes your data to provide you with the goods or services you have requested or purchased from us, including, but not limited to, customer and membership services, events, training, webinars and certification. We use this information to refine our goods and services to better tailor them to your needs and to communicate with you about the purchased services, services ISC2 offers that may assist you in your career or otherwise help your professional development. ISC2 needs to process your personal information to fulfill an order for goods or services – including membership services, with all the attendant benefits and professional opportunities that ISC2 provides.

We rely on legitimate interest as the lawful basis for processing data to better understand the needs, concerns, and interests of ISC2 members and customers so ISC2 can operate optimally as an association and as a business.

F. Payment and purchase information

You may choose to purchase goods or services from ISC2. Typically, payment information is provided directly by users via the Website into the PCI/DSS-compliant payment processing service. ISC2 does not process or store the card information. Occasionally, members or customers ask ISC2 employees to, on their behalf, enter payment information into the PCI/DSS-compliant payment processing service. We strongly encourage you not to submit this information by email. When ISC2 employees receive payment information from customers or members, it is entered as instructed and then deleted or destroyed.

ISC2’s e-commerce system collects shipping and billing information to fulfill customer orders. ISC2 relies on the legitimate interest basis for processing this personal information.

G. Information from Third Parties

Third parties that assist us with our business operations also collect information (including personal information and usage data) about you through the services and share it with us. For example, our vendors collect and share information with us to help us detect and prevent fraud and collect information regarding your registration for ISC2 training or an ISC2 certification exam.

Our Website may offer you the ability to use social media in conjunction with certain services. When you access the services through social media, the services may, depending on your privacy settings, have access to information that you have provided to the social media platform. We may use this information for the purposes described in this Privacy Policy or based on your privacy settings on the applicable social media service; we will comply with the privacy policies of the social media platform, and we will only collect and store such personal information that we are permitted to collect by those social media platforms.


Information from Automatic Data Collection Technologies.
As you navigate through and interact with our Website, we may use automatic data collection technologies to collect certain information about your equipment, browsing actions, and patterns, including:

  • Details of your visits to our Website, including traffic data, location data, logs, and other communication data and the resources that you access and use on the Website.
  • Information about your computer and internet connection, including your IP address, operating system, and browser type.

We also may use these technologies to collect information about your online activities over time and across third-party websites or other online services (behavioral tracking). 
The information we collect automatically is statistical data and does not include personal information, but we may maintain it or associate it with personal information we collect in other ways or receive from third parties. It helps us to improve our Website and to deliver a better and more personalized service, including by enabling us to:

  • Estimate our audience size and usage patterns.
  • Store information about your preferences, allowing us to customize our Website according to your individual interests.
  • Speed up your searches.
  • Recognize you when you return to our Website.

Collection of Information Through Cookie Use
We may obtain information about your general internet usage by using a “cookie” file. A cookie is an element of data that a website can send to your browser, which may then be stored on your hard drive. If you do not agree, you can choose to not receive a cookie file by enabling your web browser to refuse cookies or to prompt you before you accept a cookie.
The following types of cookies may be used on our Website:

  1. Strictly Necessary Cookies: These cookies are necessary for our websites to work properly. They are usually only set in response to actions you take such as logging in or completing online forms. You can set your browser to block or alert you about these cookies, but some parts of our sites will not function if these cookies are blocked.
  2. Functionality Cookies: These cookies enable our websites to provide enhanced functionality and personalization by storing your preferences (such as your region that you are in), allowing us to provide enhanced features on our sites, and allowing us to serve you with advertisements for our products and services that may be of interest to you. These cookies may be set by us or by third-party content that we have placed within our pages. If you do not allow these cookies, some of the features on our websites may not function properly and you may not receive a personalized experience when visiting our sites.
  3. Performance Cookies: These cookies allow us to count page visits and traffic sources so we can measure and improve the performance of our sites. They help us to understand which pages are visited most frequently and how visitors interact with our sites. If you do not allow these cookies, we will not receive data related to your visits to our sites.
  4. Targeting Cookies: These cookies may be set through our site by our advertising partners, such as Google. They may be used by these companies to enable them to build a profile of your interests and show relevant advertisements on other sites. These cookies are based on identifying your browser and internet device. If you do not allow these cookies, you will experience a decrease in the targeted advertisements that you see online.
  5. Social Media Cookies: These cookies are used to connect a website to a third-party social media platform. They remember a user’s details after the user signs into a social account from a website. 

All major browsers allow you to block or delete cookies from your system. To learn more about your ability to manage your preferences related to cookies, please consult the privacy features within your browser.

To the extent our Website uses non-essential cookies, we rely on consent as the legal basis for processing the personal information of individuals located in the European Economic Area, United Kingdom, and Switzerland.

Disclosure of Information
We may disclose aggregated information about our users, and information that does not identify any individual, without restriction.
We may disclose personal information that we collect, or you provide, as described in this privacy policy:

  • To our subsidiaries and affiliates.
  • To contractors, service providers, and other third parties we use to support our business and who are bound by contractual obligations to keep personal information confidential and use it only for the purposes for which we disclose it to them.
  • To third parties to market their products or services to you if you have consented to these disclosures. We contractually require these third parties to keep personal information confidential and use it only for the purposes for which we disclose it to them.
  • To fulfill the purpose for which you provide it.
  • For any other purpose disclosed by us when you provide the information.
  • With your consent.
  • For legal purposes: We also may share information that we collect from users, as needed, to enforce our rights, protect our property or protect the rights, property or safety of others, or as needed to support external auditing, compliance and corporate governance functions. We will disclose personal information as we deem necessary to respond to a subpoena, regulation, binding order of a data protection agency, legal process, governmental request or other legal or regulatory process. We may also share personal information as required to pursue available remedies or limit damages we may sustain.
  • Corporate Changes. We may transfer information, including your personal information, in connection with a merger, sale, acquisition or other change of ownership or control by or of us or any affiliated company (in each case whether in whole or in part). When one of these events occurs, we will use reasonable efforts to notify users before your information is transferred or becomes subject to a different privacy policy.

Please note that for the purposes of seeking to provide our users with a better experience and to improve the Website and services, information collected through the Website and services may, subject to user privacy controls, be used in an aggregated or individualized manner. For example, personal information collected during use of one of the website or other services may be used to suggest particular content that can be made available to the user on another of the services or be used to try to present more relevant advertising in another part of the Website or Services.

Where We Store Your Personal Information
The data we collect from you will be transferred to, and stored in, the United States. It will also be processed by staff operating within the United States who work for us or for one of our suppliers. This includes staff engaged in, among other things, the fulfilment of your order, the processing of your payment details and the provision of support services. By submitting your personal information, you agree to this transfer, storing or processing. ISC2 will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy policy and no transfer of your personal information will take place to an organization or a country unless there are adequate controls in place.  Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone. Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal information, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorized access.

Biometric Data
Where permitted by law, ISC2's examination vendor uses biometric data to authenticate those taking its exams. ISC2 does not collect or store this data. While neither ISC2 nor its examination vendor retains raw biometric data, the examination vendor does retain, for a period of five years following the person's last contact with the vendor, data based upon an algorithm of the palm scan received when accessing an examination site. This assists ISC2 in assuring the identity of those taking its exams and preventing fraud in the exam process. This data is destroyed after the five-year period and is used for no other purpose. For more information on ISC2’s use of palm vein pattern recognition please click here.

ISC2 Certification Verification 
As an organization that certifies individuals in information security, ISC2 is frequently requested to verify whether an individual's assertion that they possess our certification is accurate.  It is an implied duty that ISC2 identify and attest to the certified status of those individuals who do possess our certification. As such, ISC2 will verify whether an individual is certified by ISC2 or not upon receiving sufficient identifying information regarding the subject of the inquiry.  ISC2 also provides a verification process on its Website which lists members based on last name.  This listing provides the name and certification status of the member.  However, under no circumstances is any contact or other information disclosed.

We rely on fulfillment of contract as the lawful basis for processing your personal information in relation to certification verification.

Your Rights
ISC2 is a certification organization and maintains information on those who possess its certifications or have expressed an interest in them.  If you would like to see the information ISC2 retains about you, please see our Privacy Center for information on how to request the information.

You have the right to ask us not to process your personal information for marketing purposes. We will usually inform you (before collecting your data) if we intend to use your data for such purposes or if we intend to disclose your information to any third party for such purposes. You can exercise your right to prevent such processing by not checking certain boxes on the forms we use to collect your data. You can also exercise the right at any time by contacting us at membersupport@isc2.org or by updating your marketing preferences.

Accessing and Correcting Your Information; Opt-Out
You can review and change your personal information by logging into the Website and visiting your account profile page. You may also send us an email at membersupport@isc2.org to request access to, correct or delete any personal information that you have provided to us.

To opt-out of Interest-Based Ads, please disable cookies through your browser settings. Click here to learn more about ISC2's use of cookies.

We may not accommodate a request to change information if we believe the change would violate any law or legal requirement or cause the information to be incorrect. If you delete your user contributions from the Website, copies of your user contributions may remain viewable in cached and archived pages or might have been copied or stored by other Website users. Proper access and use of information provided on the Website, including user contributions, is governed by our Website Access Policy.

Children Under the Age of 13
Our Website is not intended for children under 13 years of age. No one under age 13 may provide any personal information to or on the Website. We do not knowingly collect personal information from children under 13. If you are under 13, do not use or provide any information on this Website or on or through any of its features, make any purchases through the Website, use any of the interactive or public comment features of this Website, or provide any information about yourself to us, including your name, address, telephone number, email address, or any screen name or user name you may use. If we learn we have collected or received personal information from a child under 13 without verification of parental consent, we will delete that information. If you believe we might have any information from or about a child under 13, please contact us at:

ISC2
Attn: Member Support
625 N Washington Street
Suite 400
Alexandria, VA 22314
membersupport@isc2.org
1-866-331-4722

URL Links
This site contains links to other sites; ISC2 is not responsible for any actions or policies of such third parties. Users should check the applicable privacy policy of such a party when providing personally identifiable information.

Notice For Individuals in the European Economic Area
This section only applies to individuals that access or use our Services while located in the European Economic Area, United Kingdom, and/or Switzerland. 
We are a controller with regard to the data we collect.  If you wish to confirm that ISC2 is processing your personal information, or to have access to the personal information ISC2 may have about you, please view our Privacy Center and use the Request Form at the end of the page. 

That form may also be used to request information about the purpose of the processing; the categories of personal information concerned; who else outside ISC2 might have received the data from ISC2; what the source of the information was (if you didn’t provide it directly to ISC2); and how long it will be stored. You have a right to correct (rectify) the record of your personal information maintained by ISC2 if it is inaccurate. You may request that ISC2 erase that data or cease processing it, subject to certain exceptions. You may also request that ISC2 cease using your data for direct marketing purposes. In many countries, you have a right to lodge a complaint with the appropriate data protection authority if you have concerns about how ISC2 processes your personal information. When technically feasible, ISC2 will, at your request, provide your personal information to you or transmit it directly to another controller.

Reasonable access to your personal information will be provided at no cost to ISC2 members, conference attendees and others upon request made to ISC2 through our Privacy Center Request Form. If access cannot be provided within a reasonable time frame, ISC2 will provide you with a date when the information will be provided. If for some reason access is denied, ISC2 will provide an explanation as to why access has been denied.

For questions or complaints concerning the processing of your personal information, you can email ISC2’s data protection officer at dpo@ISC2.org. Alternatively, if you are located in the European Union, you can also have recourse to the European Data Protection Supervisor or to your nation’s data protection authority.

Changes to Our Privacy Policy
It is our policy to post any changes we make to our privacy policy on this page. The date the privacy policy was last revised is identified at the top of the page. You are responsible for ensuring we have an up-to-date active and deliverable email address for you, and for periodically visiting our Website and this privacy policy to check for any changes.

Contact Us
If you have any comments on this Privacy Policy or wish to contact ISC2:
1. You can send an email to legal@isc2.org
2. You can send mail to the following postal address:

ISC2
Attn: Legal
625 N Washington Street
Suite 400
Alexandria, VA 22314