(Exam Outline)
Effective Date: February 1, 2012
April 15, 2015
© 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited. 5.19.15 V9
Effective Date: April 15, 2015
Impartiality Statement
(ISC)² is committed to impartiality by promoting a bias-free and discrimination-free environment for
all members, candidates, staff, volunteers, subcontractors, vendors, and clients. (ISC)²'s board
of directors, management and staff understand the importance of impartiality in carrying out its
certification activities, managing conflicts of interest and ensuring the objectivity of its certifications.
If you feel you have not received impartial treatment, please send an email to notice@isc2.org
or call +1.727.785.0189, so that we can investigate your claim.
Non-Discrimination Policy
(ISC)² is an equal opportunity employer and does not allow, condone or support discrimination
of any type within its organization including, but not limited to, its activities, programs, practices,
procedures, or vendor relationships. This policy applies to (ISC)² employees, members,
candidates, and supporters.
Whether participating in an (ISC)² official event or certification examination as an employee,
candidate, member, staff, volunteer, subcontractor, vendor, or client if you feel you have been
discriminated against based on nationality, religion, sexual orientation, race, gender, disability,
age, marital status or military status, please send an email to notice@isc2.org or call
+1.727.785.0189, so that we can investigate your claim.
For any questions related to these policies, please contact the (ISC)² Legal Department
at legal@isc2.org.
The Systems Security Certified Practitioner (SSCP) is an ANSI accredited, internationally recognized
information security certification designed for experienced information security and information
technology practitioners. The SSCP examination measures the competence of candidates against
an internationally accepted common body of knowledge encompassing seven (7) security
domains including Access Controls; Security Operations & Administration; Risk Identification,
Monitoring and Analysis; Incident Response and Recovery; Cryptography; Network and
Communications Security; and Systems and Application Security.
The Systems Security Certified Practitioner (SSCP) Credential is the ideal certification for those with
proven technical skills and practical, hands-on security knowledge in operational IT roles. It provides
confirmation of a practitioner’s ability to implement, monitor and administer IT infrastructure in
accordance with information security policies and procedures that ensure data confidentiality,
integrity and availability. The SSCP is geared toward individuals who may hold technical and
engineering related information technology positions.
In order to be considered for the SSCP credential, candidates are required to have a minimum
of one year of cumulative paid full-time work experience in one or more of the seven domains
of the (ISC)² SSCP CBK®.
Candidates must also respond to the following four (4) questions regarding criminal history and
related background information and provide an explanation for any questions answered in the
affirmative (any such explanations will be evaluated during the endorsement process).
1. Have you ever been convicted of a felony; a misdemeanor involving a computer crime,
dishonesty, or repeat offenses; or a Court Martial in military service, or is there a felony
charge, indictment, or information now pending against you? (Omit minor traffic
violations and offenses prosecuted in juvenile court).
2. Have you ever had a professional license, certification, membership or registration
revoked, or have you ever been censured or disciplined by any professional organization
or government agency?
3. Have you ever been involved, or publicly identified, with criminal hackers or hacking?
4. Have you ever been known by any other name, alias, or pseudonym? (You need not
include user identities or screen names with which you were publicly identified).
SSCP Candidates must also attest to the truth of their assertions regarding professional
experience, and legally commit to abide by the (ISC)² Code of Ethics (Section 3).
1) ACCESS CONTROLS
Overview
The first domain of the SSCP credential addresses access controls which may be loosely defined
as the mechanisms that govern the access to resources and the operations that may be
performed on those resources. Resources, within the context of the SSCP exam, may include
physical resources, computer systems or information. The entities for which this access is
managed may be users, software or other computer systems.
An access control system ordinarily includes mechanisms that provide for identification,
authentication, authorization and auditing. SSCP candidates are expected to understand the
underlying principles of access control systems and how to implement, manage and secure
those systems.
SSCP candidates must have a thorough understanding of the identity management lifecycle,
including authorization, proofing, provisioning, maintenance and entitlement. Candidates will
also be tested on their understanding of, and on their ability to implement and manage, various
types of access control frameworks, including mandatory, discretionary, role-based and
attribute-based access control.
2) SECURITY OPERATIONS AND ADMINISTRATION
Overview
The security operations and administration domain addresses basic security concepts and the
application of those concepts in the day-to-day operation and administration of enterprise
computer systems and the information that they host.
Ethical considerations in general, and the (ISC)2 Code of Ethics in particular, provide the
backdrop for any discussion of information security and SSCP candidates will be tested on both.
Information security professionals often find themselves in positions of trust and must be beyond
reproach in every way.
Several core principles of information security stand above all others and this domain covers
these principles in some depth. It can be said that the CIA triad of confidentiality, integrity and
availability forms the basis for almost everything that we do in information security and the SSCP
candidate must not only fully understand these principles but be able to apply them in all
situations. Additional security concepts covered in this domain include privacy, least privilege,
non-repudiation and the separation of duties.
Asset management constitutes an important part of the security operations and administration
domain. In the context of the SSCP exam, assets include personnel, facilities, hardware,
software and information. Asset management topics include the systems development
lifecycle (SDLC), hardware, software, and all aspects of data management including storage,
transmission, destruction, and data loss prevention (DLP).
The security operations and administration domain also includes the implementation and
assessment of security controls which is a broad category that covers everything from creating
security policies and procedures to the implementation and operation of technical security
controls such as authentication and access control mechanisms.
The importance of change management processes and procedures to the IT enterprise cannot
be overstated, and an effective change management program will help preserve system
integrity and interoperability. SSCP candidates will be tested on all aspects of configuration
and change management.
3) RISK IDENTIFICATION, MONITORING AND ANALYSIS
Overview
IT risk management involves the identification, evaluation and prioritization of potential threats
to enterprise computing systems and the subsequent systematic and continuous application of
resources to monitor and manage those threats and otherwise reduce the probability and
potential impact to the organization. The risk identification, monitoring and analysis domain
includes risk management concepts, assessment activities, and monitoring terminology,
techniques and systems.
The SSCP candidate must have a thorough understanding of the IT risk management process
and candidates will be tested in the areas of risk visibility and reporting, risk management
concepts, risk assessment, risk treatment and audit findings.
Security assessment activities, for the purposes of the risk identification, monitoring and analysis
domain, include internal and external security assessments and compliance audits, penetration
testing, and all aspects of vulnerability assessment including discovery, compliance and
remediation.
Logging and monitoring forms an essential part of the risk identification, monitoring and
analysis domain, and the candidate will be tested on events of interest, source systems and all
aspects of logging, including log integrity and preservation, aggregation, configuration of event
sources and event correlation systems. Candidates must also know how to use and interpret
packet capture and network traffic analysis tools.
Logging and monitoring contribute little to risk reduction if the output of the logging and
monitoring mechanisms and systems that have been employed is not continuously evaluated.
The SSCP candidate will therefore be tested on their ability to analyze and interpret monitoring results
and to act or report on their findings.
4) INCIDENT RESPONSE AND RECOVERY
Overview
History has shown that, in spite of our best efforts, security incidents can and will happen, and
yet incident response and recovery is often one area of information security that is not
adequately addressed. Security practitioners, and organizations in general, must place equal
or greater emphasis on incident response plans and procedures than on the preventative
measures employed to avert incidents. The long-term survivability of the enterprise may well
depend on it. Moreover, the Security Practitioner is the individual most often found at the
forefront of any security incident.
The incident response and recovery domain tests the SSCP candidate on their ability to properly
implement and exercise incident handling processes and procedures that provide for a rapid,
consistent and methodical approach to addressing security incidents. Candidates will be
tested on the various aspects of incident handling, including discovery, escalation, reporting,
response and prevention.
Because security practitioners are often responsible for, or most closely associated with, many
targets of security-related incidents, the importance of their knowledge of and ability to support forensic
investigations cannot be overstated. SSCP candidates will be tested on their ability to
support forensic investigations through identification, preservation, collection, examination,
analysis and presentation.
Disaster Recovery Planning (DRP) provides a set of processes and procedures to be invoked in
the event of a disaster that may be either man-made or the result of an act of nature. The
disaster recovery plan typically includes emergency procedures, provisions for alternate
processing facilities, backup and redundancy procedures as well as plans for post-disaster
recovery.
Business continuity planning includes an analysis of potential threats and the criticality of
information systems and the organization’s tolerance for interruptions to normal business
operations. Processes and procedures are then developed which satisfy the resulting
requirements and minimize the impact of natural and man-made disasters on the organization.
The security practitioner plays a key role in the development, implementation, maintenance
and testing of both disaster recovery and business continuity plans and the SSCP candidate will
be tested on both.
5) CRYPTOGRAPHY
Overview
The cryptography domain encompasses the protection of information, both while in motion
and at rest, by altering that information to ensure its integrity, confidentiality and authenticity.
The SSCP candidate will be tested on their understanding of fundamental cryptographic
concepts and the requirements for its use.
SSCP candidates must understand the legal and regulatory requirements and limitations with
regard to the use of cryptography and cryptographic systems. They must have a thorough
understanding of secure protocols and participate in end user training.
6) NETWORK AND COMMUNICATIONS SECURITY
Overview
The network and communications security domain encompasses the network architecture,
transmission methods, transport formats, control devices, and the security measures used to
maintain the confidentiality, integrity and availability of information transmitted over both
private and public communication networks.
A Security Practitioner cannot expect to manage the security of a network or an enterprise
without a strong knowledge of network fundamentals including network topologies, the TCP/IP
protocol suite, the OSI and TCP models, IP addressing, switching and routing, and the domain
name system (DNS). The SSCP candidate’s knowledge in these areas will be directly tested and
is also a prerequisite for more advanced topics in this and other domains.
Additionally, the candidate is expected to have a thorough understanding of network access
control in general and remote access in particular. Logical and physical segmentation of
networks and encryption are used extensively in securing network communications, and the
Security Practitioner must have a thorough understanding of each.
It is only with these fundamentals in place that the Security Practitioner can move on to the
business of configuring and securing networks. Advanced topics in this domain include router
and switch operation and configuration, firewalls and proxies, wireless technologies and WAN
optimization. The candidate will be tested in all of these and other areas. The Practitioner must
be able not only to operate and configure these devices in securing the enterprise, but also to
secure the devices themselves from attack.
7) SYSTEMS AND APPLICATION SECURITY
Overview
The Security Practitioner often plays a pivotal role in protecting the enterprise against malicious
code and activity, particularly as it relates to endpoint security. Consequently, the SSCP
candidate is expected to be well versed in common attack vectors and associated
countermeasures. The nature of endpoints is itself continuously changing with the proliferation of
mobile devices and remote users, and the Security Practitioner must be equipped to manage
and secure all manner of devices deployed in almost any environment.
Rapid advances in virtualization technology, coupled with shared storage and its widespread
adoption, have radically transformed the information technology landscape. Organizations now
benefit from the more efficient use of resources, scalability, and portability that virtualization
provides, but are also challenged by new virtualization-specific attack vectors and the security
concerns inherent in this new landscape. The SSCP candidate must have a solid understanding
and working knowledge of virtualization technologies and of the security benefits and
challenges that they present.
The past several years have seen extraordinary growth in the area of Cloud Computing, fueled, at
least in part, by the advances in virtualization and storage technologies discussed above.
Cloud Computing offers subscribers almost unlimited possibilities but also presents some
formidable challenges with regard to information security. The Security Practitioner must have a
thorough knowledge of cloud concepts and of the security implications of outsourced IT in
general.
Technological advances in our ability to collect and store information, both structured and
unstructured, have given rise to data sets so large that they are not easily managed. The
information that can be derived from such massive data sets is impressive. The tools required to
secure, store and process this information must be equally impressive. The SSCP candidate
should be familiar with big data systems and the security issues associated with them.
B. Implement and Operate Endpoint Device Security (e.g., virtualization, thin clients,
thick clients, USB devices)
B.1 HIDS
B.2 Host-based firewalls
B.3 Application white listing
B.4 Endpoint encryption
B.5 Trusted platform module
B.6 Mobile device management (e.g., COPE, BYOD, telework)
B.7 Secure browsing (e.g., sandbox)
C. Operate and Configure Cloud Security
C.1 Operation models (e.g., public, private, hybrid)
C.2 Service models (e.g., DNS, email, proxy, VPN)
C.3 Virtualization (e.g., hypervisor)
C.4 Legal and privacy concerns (e.g., surveillance, data ownership, jurisdiction, eDiscovery)
C.5 Data storage and transmission (e.g., archiving, recovery, resilience)
C.6 Third-party/outsourcing requirements (e.g., SLA, data portability, data destruction, auditing)
D. Secure Big Data Systems
D.1 Application vulnerabilities
D.2 Architecture or design vulnerabilities
E. Operate and Secure Virtual Environments
E.1 Software-defined networking
E.2 Hypervisor
E.3 Virtual appliances
E.4 Continuity and resilience
E.5 Attacks and countermeasures
E.6 Shared storage
REFERENCES
The SSCP exam is based on a common body of knowledge that is recognized internationally,
and the exam content is based on a job task analysis conducted as recommended by the
ISO/IEC/ANSI 17024 standards. Questions included in the examination are developed by item
writers who are subject matter experts in the field, from information gained through their
practical experience. Such information is validated against reference materials including
(ISC)²'s own common body of knowledge, textbooks, articles, standards and regulations. The
following supplemental reference list is not intended to be all-inclusive, and (ISC)² makes no
assertion that the use of this list or knowledge of the subject matter within will result in the
successful completion of the examination. Nor does (ISC)² endorse any particular text or
author. Candidates are encouraged to supplement their education and experience by
reviewing relevant resources that pertain to the common body of knowledge and finding
information for areas in which they find themselves to be deficient.
Blunden, B., (2009). The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System
Buffington, J., (2010). Data Protection for Virtual Data Centers
Serrao, C., V. Aguilera, F. Cerullo, (2010). Web Application Security: Iberic Web Application Security Conference
Clarke, J., et al., (2009). SQL Injection Attacks and Defense, (2nd Edition)
Cloud Security Alliance, (2011). Security Guidance For Critical Areas Of Focus In Cloud Computing V3.0
Davis, M., S. Bodmer, A. LeMasters, (2014). Hacking Exposed: Malware & Rootkits Secrets & Solutions, (2nd Edition)
Dwivedi, H., C. Clark, D. Thiel, (2010). Mobile Application Security
Garfinkel, S., G. Spafford, A. Schwartz, (2003). Practical Unix & Internet Security, (3rd Edition)
Grimes, R.A., (2001). Malicious Mobile Code: Virus Protection for Windows
Hadnagy, C., (2010). Social Engineering: The Art of Human Hacking
Hoglund, G., J. Butler, (2005). Rootkits: Subverting the Windows Systems and Kernel
Hope, P., B. Walther, (2008). Web Security Testing Cookbook: Systematic Techniques to Find Problems Fast
Kadrich, M., (2007). Endpoint Security
Ligh, M., S. Adair, B. Hartstein, M. Richard, (2010). Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code
Malin, C.H., E. Casey, J.M. Aquilina, (2008). Malware Forensics: Investigating and Analyzing Malicious Code
Mather, T., S. Kumaraswamy, S. Latif, (2009). Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance (Theory in Practice)
McGraw, G., G. Hoglund, (2004). Exploiting Software: How to Break Code
Pfleeger, C.P., S.L. Pfleeger, (2006). Security in Computing, (4th Edition)
Salomon, D., (2005). Foundations of Computer Security
Skoudis, E., L. Zeltser, (2003). Malware: Fighting Malicious Code
Stuttard, D., M. Pinto, (2011). The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws, (2nd Edition)
Answer: C
________________________________________________________________
2. Which one of the following describes how a polymorphic virus attempts to hide from
antivirus software?
Answer: B
________________________________________________________________
Answer: D
________________________________________________________________
This section describes procedures for candidates registering to sit for a Computer Based Test
(CBT). The test is administered at Pearson VUE Testing centers in the US, Canada, and other
parts of the world.
1. Go to www.pearsonvue.com/isc2 to register for a test appointment.
2. Select the most convenient test center.
3. Select an appointment time.
4. Pay for your exam appointment.
5. Receive confirmation from Pearson VUE with the appointment details, test center
location and other relevant instructions, if any.
Please note that your registration information will be transferred to (ISC)² and all
communication about the testing process from (ISC)² and Pearson VUE will be sent to you via
email.
Fees
CBT Demonstration
Candidates may register for a testing appointment directly with Pearson VUE
(www.pearsonvue.com/isc2). Candidates who do not pass the test will be subject to the retake
policy and must wait the applicable time before they are allowed to re-sit for the examination.
Exam Appointment
Test centers may fill up quickly because of high volume and previously scheduled special
events. Pearson VUE testing centers also serve candidates from other entities; thus, waiting to
schedule the testing appointment may significantly limit the options for a candidate's desired
testing dates at the closest available center.
Candidates may also register over the telephone with a CBT registration specialist. Please refer
to ‘Contact Information’ for local telephone numbers for your region.
Reschedules and cancellations may be done at the (ISC)² CBT Candidate Website
(www.pearsonvue.com/isc2) or via telephone. Please refer to ‘Contact Information’ for more
information and local telephone numbers for your region.
If the candidate arrives late (more than 15 minutes after his/her scheduled appointment), it is up to the
discretion of the testing center as to whether or not the candidate may still take the exam. If the
test administrator at the testing location is able to accommodate a late-arriving candidate
without affecting subsequent candidates' appointments, he/she will let the candidate sit for
the exam and launch his/her exam.
Every attempt is made to accommodate candidates who arrive late. However, if the
schedule is such that the test center is not able to accommodate a late arrival, the candidate
will be turned away and his/her exam fees will be forfeited.
If a candidate fails to appear for a testing appointment, the test result will appear in the system
as a No-Show and the candidate’s exam fees will be forfeited.
Requests for accommodations should be made to (ISC)² in advance of the desired testing
appointment. Once (ISC)² grants the accommodations request, the candidate may schedule
the testing appointment using Pearson VUE’s special accommodations number. From there, a
Pearson VUE coordinator will handle all of the arrangements.
PLEASE NOTE: Candidates that request special accommodations should not schedule their
appointment online or call the main CBT registration line.
Proper Identification
(ISC)² requires two forms of identification, a primary and a secondary, when checking in for a
CBT test appointment at a Pearson VUE Test Center. All candidate identification documents
must be valid (not expired) and must be an original document (not a photocopy or a fax).
Primary IDs: Must contain a permanently affixed photo of the candidate, along with the
candidate’s signature.
All candidates must agree to the terms listed in (ISC)²'s Examination Agreement. The
agreement is located at
https://www.isc2.org/uploadedfiles/education/cbt%20examination%20agreement.pdf.
Prior to starting the exam, all candidates are also required to accept the (ISC)² non-disclosure
agreement (NDA) on the testing computer before being presented with exam questions. If
the candidate does not accept the NDA, or fails to accept it within the time allotted, the
exam will end and the candidate will be asked to leave the test center. No refund of exam
fees will be given. For this reason, all candidates are strongly encouraged to review the
non-disclosure agreement prior to scheduling for, or taking, the exam. The agreement is
located at www.pearsonvue.com/isc2/isc2_nda.pdf.
Check-In Process
Plan to arrive at the Pearson VUE testing center at least 30 minutes before the scheduled testing
time. If you arrive more than 15 minutes late to your scheduled appointment, you may lose your
examination appointment. For checking-in:
when authorized to leave by test center staff. You may not change your computer
terminal unless a TA directs you to do so.
Total examination time includes any unscheduled breaks you may take. All breaks count
against your testing time. You must leave the testing room during your break, but you may not
leave the building or access any personal belongings unless absolutely necessary (e.g. for
retrieving medication). Additionally, when you take a break, you will be required to submit to a
palm vein scan before and after your break.
The CISSP® examination consists of 250 multiple choice questions with four (4) choices each.
The CSSLP® examination consists of 175 multiple choice questions with four (4) choices each.
The HCISPP examination contains 125 multiple choice questions with four (4) choices each.
The CCFP examination contains 125 multiple choice questions with four (4) choices each.
The SSCP® examination contains 125 multiple choice questions with four (4) choices each.
The ISSAP®, ISSEP®, and ISSMP® concentration examinations contain 125, 150 and 125
multiple choice questions, respectively, with four (4) choices each.
The Certified Authorization Professional (CAP®) examination contains 125 multiple choice
questions with four (4) choices each. It is also administered by computer.
There may be scenario-based items which have more than one multiple choice
question associated with them. These items will be specifically identified in the test booklet.
Each of these exams contains 25 questions which are included for research purposes only.
The research questions are not identified; therefore, answer all questions to the best of your
ability. There is no penalty for guessing, so candidates should not leave any item unanswered.
Examination results will be based only on the scored questions on the examination. There
are several versions of the examination. It is important that each candidate have an
equal opportunity to pass the examination, no matter which version is administered. Subject
Matter Experts (SMEs) have provided input as to the difficulty level of all questions used in the
examinations. That information is used to develop examination forms that have comparable
difficulty levels. When there are differences in the examination difficulty, a mathematical
procedure called equating is used to make the difficulty level of each test form equal.
Because the number of questions required to pass the examination may be different for each
version, the scores are converted onto a reporting scale to ensure a common standard. The
passing grade required is a scale score of 700 out of a possible 1000 points on the grading
scale.
Technical Issues
On rare occasions, technical problems may require rescheduling of a candidate’s examination.
If circumstances arise causing you to wait more than 30 minutes after your scheduled
appointment time, or a restart delay lasts longer than 30 minutes, you will be given the choice
of continuing to wait, or rescheduling your appointment without an additional fee.
• If you choose to wait, but later change your mind at any time prior to beginning or
restarting the examination, you will be allowed to take the exam at a later date, at
no additional cost.
• If you choose not to reschedule, but rather test after a delay, you will have no
further recourse, and your test results will be considered valid.
• If you choose to reschedule your appointment, or the problem causing the delay
cannot be resolved, you will be allowed to test at a later date at no additional
charge. Every attempt will be made to contact candidates if technical problems
are identified prior to a scheduled appointment.
Testing Environment
Pearson Professional Centers administer many types of examinations including some that
require written responses (essay-type). Pearson Professional Centers have no control over typing
noises made by candidates sitting next to you while writing their examination. Typing noise is
considered a normal part of the computerized testing environment, just as the noise of turning
pages is a normal part of the paper-and-pencil testing environment. Earplugs are available
upon request.
If you believe there was an irregularity in the administration of your test, or the associated test
conditions adversely affected the outcome of your examination, you should notify the TA
before you leave the test center.
Results Reporting
Candidates will receive their unofficial test result at the test center. The results will be handed
out by the Test Administrator during the checkout process. (ISC)² will then follow up with an
official result via email.
In some instances, real time results may not be available. A comprehensive statistical and
psychometric analysis of the score data is conducted during every testing cycle before scores
are released. A minimum number of candidates are required to take the exam before this
analysis can be completed. Depending upon the volume of test takers for a given cycle, there
may be occasions when scores are delayed for approximately 6-8 weeks in order to complete
this critical process. Results WILL NOT be released over the phone. They will be sent via email
from (ISC)² as soon as the scores are finalized. If you have any questions regarding this policy,
you should contact (ISC)² prior to your examination.
(ISC)² exams are intended to be delivered under standardized conditions. If any irregularity or
fraud is encountered before, during, or after the administration of the exam, (ISC)² will examine
the situation and determine whether action is warranted. If (ISC)² determines that any testing
irregularity or fraud has occurred, it may choose not to score the answer documents of the
affected test taker(s), or it may choose to cancel the scores of the affected test taker(s).
(ISC)² may at its sole discretion revoke any and all certifications a candidate may have earned
and ban the candidate from earning future (ISC)² certifications, and decline to score or cancel
any Exam under any of the circumstances listed in the (ISC)² Examination Agreement.
Please refer to the (ISC)² Examination Agreement for further details
(https://www.isc2.org/uploadedfiles/education/cbt%20examination%20agreement.pdf).
Retake Policy
Test takers who do not pass the exam the first time will be able to retest after 30 days. Test
takers who fail a second time will need to wait 90 days prior to sitting for the exam again. In the
unfortunate event that a candidate fails a third time, the next available time to sit for the exam
will be 180 days after the most recent exam attempt. Candidates are eligible to sit for (ISC)²
exams a maximum of 3 times within a calendar year.
Recertification by Examination
Candidates and members may recertify by examination for the following reasons ONLY:
The candidate has become decertified due to reaching the expiration of the time limit
for endorsement.
The member has become decertified for not meeting the number of required continuing
professional education credits.
Any questions?