Take the Steps to Certification

If you’re pursuing an (ISC)² credential, please refer to the following steps that are necessary to obtain certification:

1. Obtain the Required Experience

The number of years of experience required for certification depends on the particular credential that you are pursuing. Valid experience includes information systems security-related work performed, or work that requires information security knowledge and involves direct application of that knowledge. The experience required for each (ISC)² credential is as follows:

  • SSCP – 1 year of cumulative work experience in 1 or more of the 7 domains of the SSCP CBK 
  • CAP – 2 years of direct, full-time, information systems security certification and authorization professional work experience in 1 or more of the 7 domains of the CAP CBK 
  • CSSLP – A minimum of 4 years of professional experience in the software lifecycle (SDLC) field in 1 or more of the 8 domains of the CSSLP CBK 
  • CISSP – A minimum of 5 years of direct, full-time security professional work experience in 2 or more of the 8 domains of the CISSP CBK; *One year of work experience may be waived with a four-year or higher college degree or approved credential.
  • CISSP Concentrations – 2 years of professional work experience in the area of architecture, engineering, or management for the CISSP-ISSAP®, CISSP-ISSEP®, or CISSP-ISSMP® respectively
  • CCFP – A 4-year college degree leading to a Baccalaureate, or regional equivalent, plus 3 years of full time digital forensics or IT security experience in at least 3 of the 6 domains of the (ISC)² CCFP CBK
    6 years of experience in 3 or more of the (ISC)² CCFP CBK domains; *1 year of work experience may be waived with an approved forensics credential. 
  • HCISPP – A minimum of 2 years of cumulative paid full-time work experience in 1 domain of the credential with the exception that 1 year of the cumulative experience must be in any combination of the first 3 domains in Healthcare (Healthcare Industry, Regulatory Environment in Healthcare, and Privacy & Security in Healthcare). The remaining 1 year of experience can be optionally in any of the remaining 3 HCISPP domains (Information Governance and Risk Management, Information Risk Assessment, and Third Party Risk Management), and does not have to be related to the Healthcare Industry. 
  • CCSP - A minimum of 5 years of cumulative paid full-time information technology experience, of which 3 years must be in information security and 1 year in 1 of the 6 domains of the CCSP examination. Earning the Cloud Security Alliance’s CCSK certificate can be substituted for 1 year of experience in one of the 6 domains of the CCSP examination. Earning (ISC)²’s CISSP credential can be substituted for the entire CCSP experience requirement.
  • Associate of (ISC)² – If you do not meet the professional experience requirements for the credential you wish to pursue, you may still become an Associate of (ISC)². To do so, you will need to register for and pass the credential examination.

2. Study for the Exam

(ISC)² has developed several creative methods to help you achieve the knowledge necessary to obtain an (ISC)² certification.

  • CBK Training Seminars - (ISC)² annually offers over 600 in-classroom seminars worldwide to help you review and refresh your knowledge of information security. Official (ISC)² CBK Training Seminars are only conducted by (ISC)² authorized instructors, each of whom is up-to-date on the latest information security-related developments and is an expert in credential-specific domains. Or, you can sign up for (ISC)²’s Live OnLine courses, available over the Internet in real-time – a convenient way to take advantage of our proven review seminars from your laptop or desktop anywhere in the world.
  • (ISC)² Official Textbooks - Written by a team of subject matter experts, (ISC)² official textbooks are the most updated publications reflecting the latest in information security knowledge.
  • Exam Outlines – Exam Outlines have been developed by (ISC)² to provide you with basic information about the domains covered in each specific examination.

3. Schedule the CBT Exam

  • Create an account at Pearson Vue and schedule your exam.
  • Complete the Examination Agreement, attesting to the truth of your assertions regarding professional experience, and legally committing to adhere to the (ISC)² Code of Ethics.
  • Submit the examination fee.

4. Pass the Exam

Pass the examination with a scaled score of 700 points or greater. Read the Exam Scoring FAQs.

5. Complete the Endorsement Process

Once you are notified that you have successfully passed the examination, you will be required to have your application endorsed before the credential can be awarded. An endorsement form for this purpose must be completed and signed by an (ISC)² certified professional who is an active member, and who is able to attest to your professional experience. With the Endorsement Time limit, you are required to become certified within 9 months of the date of your exam OR become an Associate of (ISC)². If you do not become certified or an Associate of (ISC)² within nine (9) months of the date of your exam you will be required to retake the exam in order to become certified. (ISC)² can act as an endorser for you if you cannot find a certified individual to act as one. Please refer to the Endorsement Assistance Guidelines for additional information about the endorsement requirements.

6. Maintain the Certification

Recertification is required every three years, with ongoing requirements to maintain your credentials in good standing. This is primarily accomplished through continuing professional education (CPE) credits. More information on qualifying CPEs will be available upon certification. All certifications also require an annual maintenance fee. For more details, please visit our certification pages for CISSP, SSCP, CAP, CSSLP, CCFP, HCISPP or CCSP.

Audit Notice*

Passing candidates will be randomly selected and audited by (ISC)² prior to issuance of any certificate. Multiple certifications may result in a candidate being audited more than once.