How to Become an Associate

1. Determine Certification of Interest

CISSP, SSCP, CCSP, HCISPP, CCFP, CAP, CSSLP


2. Schedule the Exam


3. Pass the Exam

Pass the examination with a scaled score of 700 points or greater. Read the Exam Scoring FAQs. Exam details for each certification are: 

Certification   Length of Exam   Number of Questions
CISSP           6 hours          250
SSCP            3 hours          125
CCSP            4 hours          125
HCISPP          3 hours          125
CCFP            4 hours          125
CAP             3 hours          125
CSSLP           4 hours          175

4. Maintain Your Associate Status

Once you pass the exam, you become an associate member of (ISC)², giving you access to member benefits and continuing education opportunities. Maintain your Associate status by earning 15 Continuing Professional Education (CPE) credits each year and paying an Annual Maintenance Fee (AMF) of US$35.

5. Work Toward Certification

To qualify for certification, obtain cumulative paid, full-time work experience in the domains of the certification within the timeframe below and complete the endorsement process. Once you have achieved the professional experience requirements for the specified certification, begin the Endorsement Process to convert your status from Associate of (ISC)² to CISSP, SSCP, CAP, CSSLP, CCFP, HCISPP, or CCSP status.

Certification   Years to Gain Experience
CISSP           Up to 6 years to gain the 5 years CISSP experience required
SSCP            Up to 2 years to gain the 1 year SSCP experience required
CCSP            Up to 6 years to gain the 5 years CCSP experience required
HCISPP          Up to 3 years to gain the 2 years HCISPP experience required
CCFP            Up to 7 years to gain the 6 years CCFP experience required
CAP             Up to 3 years to gain the 2 years CAP experience required
CSSLP           Up to 5 years to gain the 4 years CSSLP experience required
Advance your IT security career

Value of the Associate of (ISC)² to Bolster Agencies

The scale of the global IT security skills crisis is well documented, but what is its direct impact on cybersecurity with U.S. government agencies?