Effective Date: September 2013
[Grab your reader’s attention with a great quote from the document or use this space to emphasize a key
point. To place this text box anywhere on the page, just drag it.]
(Exam Outline)
Effective Date: September 1, 2013
1
© 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited Rev 5.15.15. V15
September 2013
Effective Date: September 2013
Impartiality Statement
(ISC)² is committed to impartiality by promoting a bias and discrimination free environment for
all members, candidates, staff, volunteers, subcontractors, vendors, and clients. (ISC)²’s board
of directors, management and staff understand the importance of impartiality in carrying out its
certification activities, manage conflict of interest and ensure the objectivity of its certification.
If you feel you have not received impartial treatment, please send an email to notice@isc2.org
or call +1.727.785.0189, so that we can investigate your claim.
Non-Discrimination Policy
(ISC)² is an equal opportunity employer and does not allow, condone or support discrimination
of any type within its organization including, but not limited to, its activities, programs, practices,
procedures, or vendor relationships. This policy applies to (ISC)² employees, members,
candidates, and supporters.
Whether participating in an (ISC)² official event or certification examination as an employee,
candidate, member, staff, volunteer, subcontractor, vendor, or client if you feel you have been
discriminated against based on nationality, religion, sexual orientation, race, gender, disability,
age, marital status or military status, please send an email to notice@isc2.org or call
+1.727.785.0189, so that we can investigate your claim.
For any questions related to these polices, please contact the (ISC)² Legal Department
at legal@isc2.org.
2
© 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited Rev 5.15.15. V15
Effective Date: September 2013
This Candidate Information Bulletin provides
•
•
•
•
Exam blueprint to a limited level of detail that outlines major topics and sub-topics
within the domains
Suggested reference list
Description of the format of the items on the exam
Basic registration/administration policies
The ideal candidate should have experience, knowledge and skill in the following areas:
•
•
•
•
•
•
•
•
System authorization processes
Information risk management processes
Systems development experience
Security control testing and continuous monitoring
IT security/information assurance
Information security policy
Technical and/or auditing experience within U.S. Federal government agencies (e.g.,
U.S. Department of Defense etc.), financial institutions, healthcare providers, auditing
and/or consulting organizations.
Strong familiarity with NIST and OMB publications
Candidates must meet the following requirements prior to taking the CAP examination:
•
•
•
•
•
Submit the examination fee
A candidate is required to have a minimum of two years of cumulative paid full-time
security professional work experience in one or more of the seven domains of the
(ISC)² CAP CBK;
Valid professional experience includes the direct application of appropriate Security
Authorization (formally Certification & Accreditation) knowledge performed as a
practitioner, auditor, or contractor
Attest to the truth of his or her assertions regarding professional experience, and
legally commit to abide by the (ISC)² Code of Ethics (Section 3).
Before candidates are allowed to take the test at testing centers, they must respond
“Yes” or “No” to the following four questions regarding criminal history and related
background:
1. Have you ever been convicted of a felony; a misdemeanor involving a
computer crime, dishonesty, or repeat offenses; or a Court Martial in military
service, or is there a felony charge, indictment, or information now pending
against you? (Omit minor traffic violations and offenses prosecuted in juvenile
court).
3
© 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited Rev 5.15.15. V15
Effective Date: September 2013
2. Have you ever had a professional license, certification, membership or
registration revoked, or have you ever been censured or disciplined by any
professional organization or government agency?
3. Have you ever been involved, or publicly identified, with criminal hackers or
hacking?
4. Have you ever been known by any other name, alias, or pseudonym? (You
need not include user identities or screen names with which you were publicly
identified).
4
© 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited Rev 5.15.15. V15
Effective Date: September 2013
CAP Candidate Information Bulletin Overview
The Certified Authorization Professional (CAP) is an information security practitioner who
champions system security commensurate with an organization’s mission and risk tolerance,
while meeting legal and regulatory requirements.
The Office of Management and Budget (OMB) first mandated systems authorization in OMB
Circular A-130, Appendix III in 1987 by stating that “all general support systems and major
applications must be authorized prior to the system or application being placed in operation”.
The Federal Information Security Management Act (FISMA) of 2002 renewed focus on systems
authorization with associated OMB oversight and reporting requirements and National Institute
of Standards and Technology (NIST) implementation guidance.
In August 2009, NIST released revision 3 of Special Publication 800-53: Security Controls for
Federal Information Systems and Organizations. Then in February 2010, NIST released revision 1 of
Special Publication 800-37: Guide for Applying the Risk Management Framework to Federal
Information Systems: A Security Life Cycle Approach. These two documents form the building
blocks for the emerging harmonized control taxonomy and security authorization processes,
respectively, that now govern across all federal government agencies. While numerous NIST
and OMB publications constitute the CAP exam targeted for release in November 2010 (see
reference guide on page 11), the seven domains for this exam conceptually mirror the NIST
system authorization process. A candidate must understand and be able to apply knowledge
in each domain to be successful. This includes synthesizing material from many sources in order
to be successful. The CAP domains are:
1. Risk Management Framework (RMF)
2. Categorization of Information Systems
3. Selection of Security Controls
4. Security Control Implementation
5. Security Control Assessment
6. Information System Authorization
7. Monitoring of Security Controls
5
© 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited Rev 5.15.15. V15
Effective Date: September 2013
1) RISK MANAGEMENT FRAMEWORK (RMF)
Overview
Security authorization of a system is a result of a tiered risk management approach to evaluate
both strategic and tactical risk. The authorization process is primarily driven by the application of
NIST’s Risk Management Framework (RMF). The RMF process identifies security controls, which
are commensurate with risk, vulnerabilities, countermeasures and determines residual risks. The
residual risks are evaluated and deemed either acceptable or unacceptable. The system may
be deployed only when the residual risks are acceptable to the enterprise.
Key Areas of Knowledge
A. Describe the Risk Management Framework (RMF)
A.1
A.2
A.3
A.4
Distinguish between applying risk management principles and satisfying
compliance requirements
Identify and maintain information systems inventory
Explain the importance of securing information
Understand organizational mission and operations
B. Describe and Distinguish between the RMF Steps
B.1
B.2
B.3
B.4
B.5
B.6
Categorize information system
Select security controls
Implement security controls
Assess security controls
Authorize information system
Monitor security controls
C. Identify Roles and Define Responsibilities
C.1
C.2
C.3
C.4
C.5
C.6
C.7
C.8
Head of agency (Chief Executive Officer)
Risk executive (Function)
Chief information officer
Information owner/steward
Senior information security officer
Authorizing official
Authorizing official designated representative
Common control provider
6
© 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited Rev 5.15.15. V15
Effective Date: September 2013
C.9
C.10
C.11
C.12
C.13
Information system owner
Information system security officer
Information security architect
Information system security engineer
Security control assessor
D. Understand and Describe How the RMF Process Relates to:
D.1
D.2
D.3
D.4
D.5
D.6
D.7
Organization-wide risk management
Enterprise and information security architecture
Information System boundaries
Authorization decisions
Security control assessor independence
Security controls in external environments (e.g., third-party, cloud)
Security control allocation (e.g., resources, common controls, component level)
E. Understand the Relationship between the RMF and System Development Life
Cycle (SDLC)
E.1
E.2
Promote security integration within SDLC (e.g., policy, procedures, standards)
Collaborate with stakeholders (e.g., integrated project teams, architects,
developers, management)
F. Understand Legal, Regulatory, and Other Security Requirements
F.1
F.2
F.3
F.4
Federal information security and privacy legislation
Office of Management and Budget (OMB)
Committee on National Security Systems (CNSS)
National Institute of Standards and Technology (NIST) publications
7
© 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited Rev 5.15.15. V15
Effective Date: September 2013
2) CATEGORIZATION OF INFORMATION SYSTEMS
Overview
Categorization of an information system is based on an impact analysis. It is performed to
determine the types of information included within the security authorization boundary, the
security requirements for the information types, and the potential impact on the organization
resulting from a security compromise. The result of the categorization is used as the basis for
developing the security plan, selecting security controls, and determining the risk inherent in
operating the system.
Key Areas of Knowledge
A. Categorize the System
A.1
A.2
A.3
A.4
A.5
A.6
A.7
Identify the information types
Determine confidentiality, integrity, and availability values
Determine potential impact on organizations and individuals
Categorize information types
Categorize information system
Document categorization in the Security Plan (SP)
Perform Privacy Threshold Analysis and Privacy Impact Assessment
B. Describe the Information System (Including the Security Authorization
Boundaries)
C. Register the System
8
© 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited Rev 5.15.15. V15
Effective Date: September 2013
3) SELECTION OF SECURITY CONTROLS
Overview
The security control baseline is established by determining specific controls required to protect
the system based on the security categorization of the system. The baseline is tailored and
supplemented in accordance with an organizational assessment of risk and local parameters.
The security control baseline, as well as the plan for monitoring it, is documented in the security
plan (SP).
Key Areas of Knowledge
A. Identify and Document Common (Inheritable) Controls
C. Select, Tailor, and Document Security Controls
E. Develop Security Control Monitoring Strategy
D.
F.
H.
G. Review and Approve SP
9
© 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited Rev 5.15.15. V15
B.
Effective Date: September 2013
4) SECURITY CONTROL IMPLEMENTATION
Overview
The security controls specified in the security plan are implemented after taking into account
the minimum organizational assurance requirements. The security plan describes how the
controls are to be employed within the information system and its operational environment. The
security assessment plan documents the methods for testing controls and the expected results
throughout the system life-cycle.
Key Areas of Knowledge
A. Implement Selected Security Controls
B. Document Security Control Implementation
10
© 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited Rev 5.15.15. V15
Effective Date: September 2013
5) SECURITY CONTROL ASSESSMENT
Overview
The security control assessment follows the approved plan, including defined procedures, to
determine the effectiveness of the controls in meeting security requirements of the information
system. The results are documented in the security assessment report.
Key Areas of Knowledge
A. Prepare for Security Control Assessment
A.1
A.2
A.3
A.4
Establish objectives and scope
Establish points of contact, provide notifications and timelines
Select security control assessor (e.g., independence, competency)
Collect and review artifacts (e.g., previous assessments, system documentation,
policies)
B. Develop Security Control Assessment Plan
B.1
B.2
Determine security assessment methods and level of effort
Obtain necessary approvals (e.g., security assessment plan, rules of
engagement, resources)
C. Assess Security Control Effectiveness
C.1
C.2
Apply standard assessment methods (e.g., examine, interview, test)
Collect and inventory assessment evidence
D. Develop Initial Security Assessment Report (SAR)
D.1
D.2
D.3
Analyze assessment results
Determine root causes of identified weaknesses
Propose remediation actions
E. Review Interim SAR and Perform Initial Remediation Actions
E.1
E.2
E.3
Determine initial risk responses
Apply initial remediations
Reassess and validate the remediated controls
F. Develop Final SAR and Optional Addendum
11
© 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited Rev 5.15.15. V15
Effective Date: September 2013
6) INFORMATION SYSTEM AUTHORIZATION
Overview
Any residual risk identified during the security control assessment are evaluated and a decision
is made to authorize the system to operate, deny its operation, or remediate the deficiencies.
Associated documentation is prepared and/or updated depending on the authorization
decision.
Key Areas of Knowledge
A. Develop Plan of Action and Milestones (POAM) (e.g., Resources, Schedule,
Requirements)
B. Assemble Security Authorization Package
C. Determine Risk
D. Determine the Acceptability of Risk
E. Obtain Security Authorization Decision
12
© 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited Rev 5.15.15. V15
Effective Date: September 2013
7) MONITORING OF SECURITY CONTROLS
Overview
After an Authorization to Operate (ATO) is granted, ongoing continuous monitoring is performed
on identified security controls as well as the physical environment in which the system operates.
Changes to the system or its operational environment are documented and analyzed. The
security state of the system is reported to designated officials. Significant changes will cause the
system to re-enter the security authorization process. Otherwise, the system will continue to be
monitored on an ongoing basis in accordance with the organization’s monitoring strategy.
Key Areas of Knowledge
A. Determine Security Impact of Changes to System and Environment
B. Perform Ongoing Security Control Assessments (e.g., Continuous Monitoring,
internal and external assessments)
C. Conduct Ongoing Remediation Actions (resulting from incidents,
vulnerability scans, audits, vendor updates, etc)
D. Update Key Documentation (e.g., SP, SAR, POAM)
E. Perform Periodic Security Status Reporting
F. Perform Ongoing Risk Determination and Acceptance
G. Decommission and Remove System
13
© 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited Rev 5.15.15. V15
REFERENCES
Document
5 U.S.C. 552a (as
amended)
Version
N/A
CNSS Instruction No. 1253
CNSS Instruction No. 1253F
Attachment 1
Version 1
Title/Subject
Privacy Act of 1974
Security Categorization and
Control Selection for National
Security Systems
Committee on National Security
Systems Instruction (CNSSI) No.
1253F Attachment 1, SECURITY
OVERLAYS TEMPLATE
URL
http://www.gpo.gov/fdsys/pkg/USCODE-2012title5/pdf/USCODE-2012-title5-partI-chap5subchapII-sec552a.pdf
https://www.cnss.gov/CNSS/openDoc.cfm?r+Ox
ARDnN62CpEixiRnDXg==
Date
December 31,
1974
March 27, 2014
https://www.cnss.gov/CNSS/openDoc.cfm?y35c
nV5LNwIdwKxf3yZjCw==
August 27, 2013
CNSS Policy No. 22 (as
amended)
Policy on Information Assurance
Risk Management for National
Security Systems
https://www.cnss.gov/CNSS/openDoc.cfm?Es4F2
WDznpmuK0fNJEFjiQ==
January 2012
Department of Defense
Instruction (DODI) 8500.01
Cybersecurity
http://www.dtic.mil/whs/directives/corres/pdf/85
0001_2014.pdf
March 14, 2014
Department of Defense
Instruction (DODI) 8510.01
Risk Management Framework
(RMF) for DoD Information
Technology (IT)
http://www.dtic.mil/whs/directives/corres/pdf/85
1001_2014.pdf
March 12, 2014
Standards for Security
Categorization of Federal
Information and Information
Systems
http://csrc.nist.gov/publications/fips/fips199/FIPSPUB-199-final.pdf
FIPS 199
14
© 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial purposes is prohibited Rev 5.15.15. V15
February 1, 2004
Minimum Security Requirements
for Federal Information and
Information Systems
FIPS 200
Document
NIST SP 800-18
NIST SP 800-30
NIST SP 800-34
Version
Rev.1
Rev.1
Rev. 1
NIST SP 800-37
Rev.1
NIST SP 800-39
Final
NIST SP 800-40
Rev. 3
NIST SP 800-41
Rev. 1
NIST SP 800-47
NIST SP 800-50
Final
Title/Subject
Guide for Developing Security
Plans for Information Technology
Systems
Guide for Conducting Risk
Assessments
Contingency Planning Guide for
Federal Information Systems
Guide for Applying the Risk
Management Framework to
Federal Information Systems: A
Security Life Cycle Approach
Managing Information Security
Risk
Guide to Enterprise Patch
Management Technologies
Guidelines on Firewalls and
Firewall Policy
Security Guide for
Interconnecting Information
Technology Systems
Building an Information
Technology Security Awareness
and Training Program
http://csrc.nist.gov/publications/fips/fips200/FIPS200-final-march.pdf
URL
http://csrc.nist.gov/publications/nistpubs/800-18Rev1/sp800-18-Rev1-final.pdf
http://csrc.nist.gov/publications/nistpubs/800-30rev1/sp800_30_r1.pdf
http://csrc.nist.gov/publications/nistpubs/800-34rev1/sp800-34-rev1_errata-Nov11-2010.pdf
March 1, 2006
Date
February 1, 2006
September, 2012
November 11,
2010
http://nvlpubs.nist.gov/nistpubs/SpecialPublicati
ons/NIST.SP.800-37r1.pdf
February 22, 2010
http://csrc.nist.gov/publications/nistpubs/80039/SP800-39-final.pdf
http://nvlpubs.nist.gov/nistpubs/SpecialPublicati
ons/NIST.SP.800-40r3.pdf
http://csrc.nist.gov/publications/nistpubs/800-41Rev1/sp800-41-rev1.pdf
http://csrc.nist.gov/publications/nistpubs/80047/sp800-47.pdf
http://csrc.nist.gov/publications/nistpubs/80050/NIST-SP800-50.pdf
15
© 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial purposes is prohibited Rev 5.15.15. V15
March 2011
July 2013
September 2009
August 1, 2002
October, 2003
NIST SP 800-53
Document
Rev. 4
Version
NIST SP 800-53A
Rev. 4
NIST SP 800-55
Rev. 1
NIST SP 800-59
NIST SP 800-60
Rev. 1
NIST SP 800-61
Rev. 2
NIST SP 800-64
Rev. 2
NIST SP 800-83
NIST SP 800-88
NIST SP 800-92
Rev. 1
Rev. 1
Security and Privacy Controls for
Federal Information Systems and
Organizations
Title/Subject
Assessing Security and Privacy
Controls in Federal Information
Systems and Organizations:
Building Effective Assessment
Plans
Performance Measurement
Guide for Information Security
Guideline for Identifying an
Information System as a National
Security System
Guide for Mapping Types of
Information and Information
Systems to Security Categories:
(2 Volumes) - Volume 1: Guide
Volume 2: Appendices
Computer Security Incident
Handling Guide
Security Considerations in the
System Development Life Cycle
Guide to Malware Incident
Prevention and Handling for
Desktops and Laptops
Guidelines for Media Sanitization
Guide to Computer Security Log
Management
http://nvlpubs.nist.gov/nistpubs/SpecialPublicati
ons/NIST.SP.800-53r4.pdf
URL
April 2013
Date
http://nvlpubs.nist.gov/nistpubs/SpecialPublicati
ons/NIST.SP.800-53Ar4.pdf
December 2014
http://csrc.nist.gov/publications/nistpubs/800-55Rev1/SP800-55-rev1.pdf
http://csrc.nist.gov/publications/nistpubs/80059/SP800-59.pdf
http://csrc.nist.gov/publications/nistpubs/800-60rev1/SP800-60_Vol1-Rev1.pdf
http://csrc.nist.gov/publications/nistpubs/800-60rev1/SP800-60_Vol2-Rev1.pdf
http://nvlpubs.nist.gov/nistpubs/SpecialPublicati
ons/NIST.SP.800-61r2.pdf
http://csrc.nist.gov/publications/nistpubs/800-64Rev2/SP800-64-Revision2.pdf
July 1, 2008
August 2003
August 2008
August, 2012
October 1, 2008
http://dx.doi.org/10.6028/NIST.SP.800-83r1
July 2013
http://nvlpubs.nist.gov/nistpubs/SpecialPublicati
ons/NIST.SP.800-88r1.pdf
http://csrc.nist.gov/publications/nistpubs/80092/SP800-92.pdf
16
© 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial purposes is prohibited Rev 5.15.15. V15
December 2014
September 1,
2006
Document
NIST SP 800-100
NIST SP 800-115
NIST SP 800-122
NIST SP 800-128
NIST SP 800-137
NIST SP 800-144
Version
Title/Subject
Information Security Handbook:
A Guide for Managers
Technical Guide to Information
Security Testing and Assessment
Guide to Protecting the
Confidentiality of Personally
Identifiable Information (PII)
Guide for Security-Focused
Configuration Management of
Information Systems
Information Security Continuous
Monitoring for Federal
Information Systems and
Organizations
Guidelines on Security and
Privacy in Public Cloud
Computing
URL
http://csrc.nist.gov/publications/nistpubs/800100/SP800-100-Mar07-2007.pdf
http://csrc.nist.gov/publications/nistpubs/800115/SP800-115.pdf
http://csrc.nist.gov/publications/nistpubs/800122/sp800-122.pdf
Date
October 1, 2006
September, 2008
April 22, 2010
http://csrc.nist.gov/publications/nistpubs/800128/sp800-128.pdf
August 2011
http://csrc.nist.gov/publications/nistpubs/800137/SP800-137-Final.pdf
September 2011
http://csrc.nist.gov/publications/nistpubs/800144/SP800-144.pdf
December 2011
http://www.whitehouse.gov/omb/memoranda_2
004
OMB M-04-04
OMB M-04-15
E-Authentication Guidance
Development of Homeland
Security Presidential Directive
(HSPD) 7 Critical Infrastructure
Protection Plans to Protect
Federal Critical Infrastructures
and Key Resources
Dec 16, 2003
http://www.whitehouse.gov/omb/memoranda_2
004
17
© 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial purposes is prohibited Rev 5.15.15. V15
June 17, 2004
Document
Version
OMB Circular A-123
OMB Circular A-130
Section 3541 Title 44 U.S.C.
Chapter 35 Title 44 U.S.C.
(as amended)
Revised,
(Transmittal
Memorandu
m No. 4)
Title IIIInformation
Security
Information
Security
Title/Subject
Management’s Responsibility for
Internal Control
Management of Federal
Information Resources
Federal Information Security
Management Act of 2002
Federal Information Security
Modernization Act of 2014
URL
http://www.whitehouse.gov/omb/assets/omb/cir
culars/a123/a123_rev.pdf
http://www.whitehouse.gov/omb/circulars_a130
_a130trans4
Date
December 21,
2004
November 28,
2000
http://uscode.house.gov/download/pls/44C35.txt
https://www.congress.gov/113/bills/s2521/BILLS113s2521es.pdf
18
© 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial purposes is prohibited Rev 5.15.15. V15
January 1, 2002
December 8,
2014
GENERAL EXAMINATION INFORMATION
Computer Based Test (CBT)
Registering for the Exam
Process for Registration Overview
This section describes procedures for candidates registering to sit for a Computer Based
Test (CBT). The test is administered at Pearson VUE Testing centers in the US, Canada,
and other parts of the world.
1. Go to www.pearsonvue.com/isc2 to register for a test appointment.
2. Select the most convenient test center
3. Select an appointment time.
4. Pay for your exam appointment.
5. Receive confirmation from Pearson VUE with the appointment details, test center
location and other relevant instructions, if any.
Please note that your registration information will be transferred to (ISC)² and all
communication about the testing process from (ISC)² and Pearson VUE will be sent to
you via email.
Fees
Please visit the (ISC)² website https://www.isc2.org/certification-register-now.aspx for
the most current examination registration fees.
U.S. Government Veteran’s Administration G.I. Bill
The U.S. Department of Veterans Affairs has approved reimbursement to veterans under
the G.I. Bill for the cost of the Certified Information System Security Professional (CISSP),
the CISSP Concentrations (ISSAP, ISSEP, ISSMP), the Certified Authorizaton Professional
(CAP), and the System Security Certified Practitioner (SSCP) examinations. Please refer
to the U.S. Department of Veterans Affairs Website at www.va.gov for more details.
19
© 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited Rev 5.15.15. V15
CBT Demonstration
Candidates can experience a demonstration and tutorial of the CBT
experience on our Pearson VUE web page. The tutorial may be found at
www.pearsonvue.com/isc2 .
Scheduling a Test Appointment
Process for Registration Overview
Candidates may register for a testing appointment directly with Pearson VUE (
www.pearsonvue.com/isc2 ). Candidates who do not pass the test will be subject to the
retake policy and must wait the applicable time before they are allowed to re-sit for the
examination.
Exam Appointment
Test centers may fill up quickly because of high volume and previously scheduled
special events. Pearson VUE testing centers also serve candidates from other entities;
thus waiting to schedule the testing appointment may significantly limit the options for
candidate’s desired testing dates at the closest center available.
Scheduling for a Testing Appointment
Candidates may schedule their appointment online at (ISC)² CBT Website located at
www.pearsonvue.com/isc2. Candidates will be required to create a Pearson VUE
account in order to complete registration. Candidates profile will be transferred to
(ISC)² and becomes part of the candidate’s permanent record. Candidates will be
able to locate test centers and select from a choice of available examination
appointment times at the Pearson VUE website.
Candidates may also register over the telephone with a CBT registration specialist.
Please refer to ‘Contact Information’ for local telephone numbers for your region.
20
© 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited Rev 5.15.15. V15
Rescheduling or Cancellation of a Testing Appointment
If you wish to reschedule or cancel your exam appointment, you must contact Pearson
VUE at least 48 hours before the exam date by contacting Pearson VUE online
(www.pearsonvue.com/isc2), OR at least 24 hours prior to exam appointment time by
contacting Pearson VUE over the phone. Canceling or rescheduling an exam
appointment less than 24 hours via phone notification, or less than 48 hours via online
notification is subject to a forfeit of exam fees. Exam fees are also forfeited for no-shows.
Please note that Pearson VUE charges a 50 USD/35 £/40 € fee for reschedules, and 100
USD/70 £/80 € fee for cancellations.
Reschedules and cancellations may be done at the (ISC)² CBT Candidate Website
(www.pearsonvue.com/isc2) or via telephone. Please refer to ‘Contact Information’ for
more information and local telephone numbers for your region.
Late Arrivals or No Shows
If the candidate does not arrive within 15 minutes of the scheduled exam starting time,
he or she has technically forfeited his or her assigned seat.
If the candidate arrives late (after 15 minutes of his/her scheduled appointment), it is up
to the discretion of the testing center as to whether or not the candidate may still take
the exam. If the test administrator at the testing location is able to accommodate a
late arriving candidate, without affecting subsequent candidates’ appointments,
he/she will let the candidate to sit for the exam and launch his/her exam.
Any/all attempts are made to accommodate candidates who arrive late. However, if
the schedule is such that the test center is not able to accommodate a late arrival, the
candidate will be turned away and his/her exam fees will be forfeited.
If a candidate fails to appear for a testing appointment, the test result will appear in the
system as a No-Show and the candidate’s exam fees will be forfeited.
Procedure for Requesting Special Accommodations
Pearson VUE Professional Centers can accommodate a variety of candidates’ needs,
as they are fully compliant with the Americans with Disability Act (ADA), and the
equivalent requirements in other countries.
21
© 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited Rev 5.15.15. V15
Requests for accommodations should be made to (ISC)² in advance of the desired
testing appointment. Once (ISC)² grants the accommodations request, the candidate
may schedule the testing appointment using Pearson VUE’s special accommodations
number. From there, a Pearson VUE coordinator will handle all of the arrangements.
PLEASE NOTE: Candidates that request special accommodations should not schedule
their appointment online or call the main CBT registration line.
22
© 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited Rev 5.15.15. V15
What to Bring to the Test Center
Proper Identification
(ISC)² requires two forms of identification, a primary and a secondary, when checking in
for a CBT test appointment at a Pearson VUE Test Center. All candidate identification
documents must be valid (not expired) and must be an original document (not a
photocopy or a fax).
Primary IDs: Must contain a permanently affixed photo of the candidate, along with the
candidate’s signature.
Secondary IDs: Must have the candidate’s signature.
Accepted Primary ID (photograph and signature, not expired)
 Government issued Driver’s License or Identification Card
 U.S. Dept of State Drivers License
 U.S. Learner’s Permit (card only with photo and signature)
 National/State/Country Identification Card
 Passport
 Passport Cards
 Military ID
 Military ID for spouses and dependents
 Alien Registration Card (Green Card, Permanent Resident Visa)
 Government Issued local language ID (plastic card with photo and signature
 Employee ID
 School ID
 Credit Card* (A credit card can be used as a primary form of ID only if it
contains both a photo and a signature and is not expired. Any credit card can
be used as a secondary form of ID, as long as it contains a signature and is not
expired. This includes major credit cards, such as VISA, MasterCard, American
Express and Discover. It also includes department store and gasoline credit
cards.
Accepted Secondary ID (contains signature, not expired)
 U.S. Social Security Card
 Debit/(ATM) Card
 Credit Cards
 Any form of ID on the primary list
23
© 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited Rev 5.15.15. V15
Name Matching Policy
Candidate’s first and last name on the presented identification document must exactly
match the first and last name on the registration record with Pearson VUE. If the name
the candidate has registered with does not match the name on the identification
document, proof of legal name change must be brought to the test center on the day
of the test. The only acceptable forms of legal documentation are marriage licenses,
divorce decrees, or court sanctioned legal name change documents. All documents
presented at the test center must be original documents. If a mistake is made with a
name during the application process, candidates should contact (ISC)² to correct the
information well in advance of the actual test date. Name changes cannot be made
at the test center or on the day of the exam. Candidates who do not meet the
requirements presented in the name matching policy on the day of the test may be
subject to forfeiture of testing fees and asked to leave the testing center.
Examination Agreement and Non-Disclosure Agreement
All candidates must agree to the terms listed in (ISC)2’s Examination Agreement. The
agreement is located at
https://www.isc2.org/uploadedfiles/education/cbt%20examination%20agreement.pdf.
Prior to starting the exam, all candidates are also required to accept the (ISC)² nondisclosure agreement (NDA), and are required in the computer to accept the
agreement prior to being presented with exam questions. If the NDA is not accepted by
the candidate, or refused to accept within the time allotted, the exam will end, and the
candidate will be asked to leave the test center. No refund of exam fees will be given.
For this reason, all candidates are strongly encouraged to review the non-disclosure
agreement prior to scheduling for, or taking the exam. The agreement is located at
www.pearsonvue.com/isc2/isc2_nda.pdf.
24
© 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited Rev 5.15.15. V15
Day of the Exam
Check-In Process
Plan to arrive at the Pearson VUE testing center at least 30 minutes before the
scheduled testing time. If you arrive more than 15 minutes late to your scheduled
appointment, you may lose your examination appointment. For checking-in:




You will be required to present two acceptable forms of identification.
You will be asked to provide your signature, submit to a palm vein scan, and
have your photograph taken. Hats, scarves and coats may not be worn in the
testing room, or while your photograph is being taken.
You will be required to leave your personal belongings outside the testing
room. Secure storage will be provided. Storage space is small, so candidates
should plan appropriately. Pearson Professional Centers assume no
responsibility for candidates’ personal belongings.
The Test Administrator (TA) will give you a short orientation, and then will escort
you to a computer terminal. You must remain in your seat during the
examination, except when authorized to leave by test center staff. You may
not change your computer terminal unless a TA directs you to do so.
Raise your hand to notify the TA if you
o
o
o
o
believe you have a problem with your computer.
need to change note boards.
need to take a break.
need the administrator for any reason.
25
© 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited Rev 5.15.15. V15
Breaks
You will have up to six hours to complete the CISSP, and up to four hours to complete the CSSLP
and up to three hours to complete the following examinations:
 SSCP
 CAP
 HCISPP
 ISSAP
 ISSEP
 ISSMP
Total examination time includes any unscheduled breaks you may take. All breaks count
against your testing time. You must leave the testing room during your break, but you may not
leave the building or access any personal belongings unless absolutely necessary (e.g. for
retrieving medication). Additionally, when you take a break, you will be required to submit to a
palm vein scan before and after your break.
Examination Format and Scoring
®

The CISSP examination consists of 250 multiple choice questions with four (4) choices
each.

The CSSLP examination consists of 175 multiple choice questions with four (4) choices
each.
The HCISPP examination contains 125 multiple choice questions with four (4) choices
each.
The CCFPSM examination contains 125 multiple choice questions with four (4) choices
each.
The SSCP® examination contains 125 multiple choice questions with four (4) choices
each.
The ISSAP®, ISSEP®, and ISSMP® concentration examinations contain 125, 150, 125
multiple choice questions respectively with four (4) choices each.
The Certified Authorization Professional (CAP®) examination contains 125 multiple choice
questions with four (4) choices each. Also, administered in computers.





®
There may be scenario-based items which may have more than one multiple choice
question associated with it. These items will be specifically identified in the test booklet.
26
© 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited Rev 5.15.15. V15
Each of these exams contains 25 questions which are included for research purposes only.
The research questions are not identified; therefore, answer all questions to the best of your
ability. There is no penalty for guessing, so candidates should not leave any item unanswered.
Examination results will be based only on the scored questions on the examination. There
are several versions of the examination. It is important that each candidate have an
equal opportunity to pass the examination, no matter which version is administered. Subject
Matter Experts (SMEs) have provided input as to the difficulty level of all questions used in the
examinations. That information is used to develop examination forms that have comparable
difficulty levels. When there are differences in the examination difficulty, a mathematical
procedure called equating is used to make the difficulty level of each test form equal.
Because the number of questions required to pass the examination may be different for each
version, the scores are converted onto a reporting scale to ensure a common standard. The
passing grade required is a scale score of 700 out of a possible 1000 points on the grading
scale.
Technical Issues
On rare occasions, technical problems may require rescheduling of a candidate’s
examination. If circumstances arise causing you to wait more than 30 minutes after your
scheduled appointment time, or a restart delay lasts longer than 30 minutes, you will be
given the choice of continuing to wait, or rescheduling your appointment without an
additional fee.
o If you choose to wait, but later change your mind at any time prior to
beginning or restarting the examination, you will be allowed to take exam
at a later date, at no additional cost.
o If you choose not to reschedule, but rather test after a delay, you will have
no further recourse, and your test results will be considered valid.
o If you choose to reschedule your appointment, or the problem causing the
delay cannot be resolved, you will be allowed to test at a later date at no
additional charge. Every attempt will be made to contact candidates if
technical problems are identified prior to a scheduled appointment.
27
© 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited Rev 5.15.15. V15
Testing Environment
Pearson Professional Centers administer many types of examinations including some
that require written responses (essay-type). Pearson Professional Centers have no
control over typing noises made by candidates sitting next to you while writing their
examination. Typing noise is considered a normal part of the computerized testing
environment, just as the noise of turning pages is a normal part of the paper-and pencil
testing environment. Earplugs are available upon request.
When the Exam is Finished
After you have finished the examination, raise your hand to summon the TA. The TA will
collect and inventory all note boards. The TA will dismiss you when all requirements are
fulfilled.
If you believe there was an irregularity in the administration of your test, or the
associated test conditions adversely affected the outcome of your examination, you
should notify the TA before you leave the test center.
Results Reporting
Candidates will receive their unofficial test result at the test center. The results will be
handed out by the Test Administrator during the checkout process. (ISC)² will then
follow up with an official result via email.
In some instances, real time results may not be available. A comprehensive statistical
and
psychometric analysis of the score data is conducted during every testing cycle before
scores are released. A minimum number of candidates are required to take the exam
before this analysis can be completed. Depending upon the volume of test takers for a
given cycle, there may be occasions when scores are delayed for approximately 6-8
weeks in order to complete this critical process. Results WILL NOT be released over the
phone. They will be sent via email from (ISC)² as soon as the scores are finalized. If you
have any questions regarding this policy, you should contact (ISC)² prior to your
examination.
28
© 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited Rev 5.15.15. V15
Exam Irregularities and Test Invalidation
(ISC)2 exams are intended to be delivered under standardized conditions. If any
irregularity or fraud is encountered before, during, or after the administration of the
exam, (ISC)2 will examine the situation and determine whether action is warranted. If
(ISC)2 determines that any testing irregularity or fraud has occurred, it may choose not
to score the answer documents of the affected test taker(s), or it may choose to cancel
the scores of the affected test taker(s).
(ISC)2 may at its sole discretion revoke any and all certifications a candidate may have
earned and ban the candidate from earning future (ISC)2 certifications, and decline to
score or cancel any Exam under any of the circumstances listed in the (ISC)2
Examination Agreement.
Please refer to the (ISC)2 Examination Agreement for further details
(https://www.isc2.org/uploadedfiles/education/cbt%20examination%20agreement.pdf).
Retake Policy
Test takers who do not pass the exam the first time will be able to retest after 30 days.
Test takers that fail a second time will need to wait 90 days prior to sitting for the exam
again. In the unfortunate event that a candidate fails a third time, the next available
time to sit for the exam will be 180 days after the most recent exam attempt. The retake
wait time then resets after the fourth attempt starting again with a 30-day waiting
period.
Recertification by Examination
Candidates and members may recertify by examination for the following reasons ONLY;


The candidate has become decertified due to reaching the expiration of the
time limit for endorsement.
The member has become decertified for not meeting the number of required
continuing professional education credits.
29
© 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited Rev 5.15.15. V15
Logo Usage Guidelines
(ISC)² is a non-profit membership organization identified as the leader in certifying
individuals in information security.
Candidates who successfully complete any of the (ISC)² certification requirements may
use the appropriate Certification Mark or the Collective Mark, where appropriate, and
the logo containing the Certification Mark or the Collective Mark, where appropriate
(the “Logo”) to identify themselves as having demonstrated the professional experience
and requisite knowledge in the realm of information system security. Please visit the
following link (URL) for more information on logo use:
https://www.isc2.org/uploadedfiles/(ISC)2_Public_Content/Legal _and _Policies/LogoGuidleines.pdf
Any questions?
(ISC)2 Candidate Services
311 Park Place Blvd, Suite 400
Clearwater, FL 33759
Phone: 1.866.331.ISC2 (4722) in the United States
1.727.785.0189 all others
Fax: 1.727.683.0785
30
© 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited Rev 5.15.15. V15
31
© 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited Rev 5.15.15. V15