Effective Date: April 2013

(Exam Outline) Effective Date: April 2013

1 © 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial purposes is prohibited. 5.19.15 V12

April 2013

Effective Date: April 2013

Impartiality Statement (ISC)² is committed to impartiality by promoting a bias and discrimination free environment for all members, candidates, staff, volunteers, subcontractors, vendors, and clients. (ISC)²’s board of directors, management and staff understand the importance of impartiality in carrying out its certification activities, manage conflict of interest and ensure the objectivity of its certification. If you feel you have not received impartial treatment, please send an email to [email protected] or call +1.727.785.0189, so that we can investigate your claim.

Non-Discrimination Policy (ISC)² is an equal opportunity employer and does not allow, condone or support discrimination of any type within its organization including, but not limited to, its activities, programs, practices, procedures, or vendor relationships. This policy applies to (ISC)² employees, members, candidates, and supporters. Whether participating in an (ISC)² official event or certification examination as an employee, candidate, member, staff, volunteer, subcontractor, vendor, or client if you feel you have been discriminated against based on nationality, religion, sexual orientation, race, gender, disability, age, marital status or military status, please send an email to [email protected] or call +1.727.785.0189, so that we can investigate your claim. For any questions related to these polices, please contact the (ISC)² Legal Department at [email protected].

2 © 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial purposes is prohibited. 5.19.15 V12

Effective Date: April 2013

1)

SECURITY LEADERSHIP AND MANAGEMENT ......................................................................................5

Overview .......................................................................................................................................................5 Key Areas of Knowledge ........................................................................................................................6 2)

SECURITY LIFECYCLE MANAGEMENT ..................................................................................................9 Overview ...................................................................................................................................................9 Key Areas of Knowledge ........................................................................................................................9

3)

SECURITY COMPLIANCE MANAGEMENT......................................................................................... 11 Overview ................................................................................................................................................ 11 Key Areas of Knowledge ..................................................................................................................... 11

4)

CONTINGENCY MANAGEMENT ....................................................................................................... 12 Overview ................................................................................................................................................ 12 Key Areas of Knowledge ..................................................................................................................... 12

5)

LAW,ETHICS AND INCIDENT MANAGEMENT ................................................................................... 14 Overview ................................................................................................................................................ 14 Key Areas of Knowledge ..................................................................................................................... 14

REFERENCES ............................................................................................................................................... 15 SAMPLE EXAM QUESTIONS ....................................................................................................................... 18 GENERAL EXAMINATION INFORMATION ................................................................................................ 20 Computer Based Test (CBT) .................................................................................................................... 20 Registering for the Exam .......................................................................................................................... 20 Scheduling a Test Appointment ............................................................................................................. 21 Day of the Exam ....................................................................................................................................... 24 Any questions? .......................................................................................................................................... 29

3 © 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial purposes is prohibited. 5.19.15 V12

Effective Date: April 2013 ISSMPs are CISSPs who specialize in establishing, presenting, and governing information security programs demonstrating management and leadership skills. They direct the alignment of security programs with the organization’s mission, goals, and strategies in order to meet enterprise financial and operational requirements in support of its desired risk position. The purpose of the CISSP-ISSMP certification examination is to recognize professional information security managers who have obtained expertise and experience appropriate to manage an enterprise’s information security program. The CISSP-ISSMP is a leader of the organization’s information security program and typically holds a job title such as Chief Information Security Officer, Information Security Director, or Enterprise Security Manager. This Candidate Information Bulletin provides the following: • Exam blueprint to a limited level of detail that outlines major topics and sub-topics within the domains • Suggested reference list • Description of the format of the items on the exam, and • Basic registration/administration policies • General Exam Information – for computer based testing and paper based testing. Candidates should review this section accordingly. Candidates for the CISSP-ISSMP must:  Be a CISSP in good standing  Demonstrate 2 years of cumulative paid full-time work experience in one or more domains of this concentration  Pass the CISSP-ISSMP examination  Maintain the credential in good standing along with the underlying CISSP • Before candidates are allowed to take the test at testing centers, they must respond “yes” or “No” to the following four questions regarding criminal history and related background: 1. Have you ever been convicted of a felony; a misdemeanor involving a computer crime, dishonesty, or repeat offenses; or a Court Martial in military service, or is there a felony charge, indictment, or information now pending against you? (Omit minor traffic violations and offenses prosecuted in juvenile court). 2. Have you ever had a professional license, certification, membership or registration revoked, or have you ever been censured or disciplined by any professional organization or government agency? 3. Have you ever been involved, or publicly identified, with criminal hackers or hacking? 4. Have you ever been known by any other name, alias, or pseudonym? (You need not include user identities or screen names with which you were publicly identified).

4 © 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial purposes is prohibited. 5.19.15 V12

Effective Date: April 2013

1)

SECURITY LEADERSHIP AND MANAGEMENT

Overview The Security Leadership and Management domain assesses the candidate’s fundamental skills and knowledge in managing an organization’s information security program. It is built upon the concepts of information security from an organizational perspective and emphasizes information security’s role in supporting the overall goal of the organization. In this domain emphasis is placed on application and management of appropriate processes and technologies to achieve organizational goals and objectives for information security. The CISSP-ISSMP candidate should have an understanding of: • Collaborating with organizational leaders to develop, document and enforce information security strategies and governance. • Developing information security goals and objectives in support of organizational missions, goals and objectives. • Developing and maintaining policies and procedures for achieving goals and objectives. • Working successfully across organizational, political, regulatory or market boundaries. • Utilizing risk management principles in problem solving and goal prioritization, including, threat and impact assessment, and risk mitigation. • Developing key performance indicators and meaningful metrics to monitor and assess the effectiveness of the security program. • Assisting organizational leaders in determining data classification and establishing efficient, effective controls. • Participating in the change control process to manage the security implications of proposed changes. • Managing the security aspects of contracts and procurement of managed services. • Determining information security training and awareness goals and overseeing implementation of an organizational information security training and awareness program that includes: information security policy, roles and responsibilities, acceptable use of system resources, regulatory compliance, incident detection and response, and information security processes and procedures. 5 © 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial purposes is prohibited. 5.19.15 V12

Effective Date: April 2013 • Using sound management practices to administer the security program, its staff and its budget.

Key Areas of Knowledge 1.A Understand Security’s Role in the Organization’s Culture, Vision and Mission 1.A.1

Define information security program vision and mission

1.A.2

Align security with organization's goals and objectives

1.A.3

Understand business processes and their relationships

1.A.4

Describe the relationship between organization culture and security

1.B Align Security Program with Organizational Governance 1.B.1

Understand the organizational governance structure

1.B.2

Understand the roles of key stakeholders

1.B.3

Recognize sources and boundaries of authorization

1.B.4

Define the security governance structure

1.C Define and Implement Information Security Strategies 1.C.1

Identify security requirements from business initiative

1.C.2

Evaluate the capacity and capability to implement security strategies

1.C.3

Manage implementation of security strategies

1.C.4

Review and maintain security strategies

1.D Manage Data Classification 1.D.1

Sensitivity

1. D.2

Criticality

1.E Define and Maintain Security Policy Framework 1.E.1

Determine applicable external standards

1.E.2

Establish internal policies

1.E.3

Garner/build organizational support for policies

6 © 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial purposes is prohibited. 5.19.15 V12

Effective Date: April 2013

1.E.4

Direct development of and approve procedures, standards, guidelines and baselines

1.E.5

Ensure periodic review of security policy framework

1.F Manage Security Requirements in Contracts and Agreements 1.F.1

Evaluation of service management agreements (e.g., risk, financial)

1.F.2

Governance of managed services (e.g., "infrastructure, software, platform" as a service)

1.F.3

Understand impact of organizational change (e.g., mergers and acquisitions, outsourcing, divestitures)

1.F.4

Monitor and enforce compliance with contractual agreements

1.G Develop and Maintain a Risk Management Program 1.G.1

Understand enterprise risk management objectives

1.G.2

Evaluate risk assessment results

1.G.3

Communicate security business risk to management

1.G.4

Determine and manage the appropriate countermeasures and make recommendations

1.G.5

Obtain management acceptance and support of residual risk

1.H Manage Security Aspects of Change Control 1.H.1

Integrate security requirements with change control process

1.H.2

Identify stakeholders

1.H.3

Oversee documentation and tracking

1.H.4

Assure policy compliance

1.I Oversee Security Awareness and Training Programs 1.I.1

Promote security programs to key stakeholders

1.I.2

Identify training needs by target segment

1.I.3

Monitor and report on effectiveness of security awareness and training programs

1.J Define, Measure, and Report Security Metrics 1.J.1

Identify KPIs

7 © 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial purposes is prohibited. 5.19.15 V12

Effective Date: April 2013

1.J.2

Relate KPIs to the risk position of the organization

1.J.3

Use metrics to drive security program development

1.K Prepare, Obtain, and Administer Security Budget 1.K.1

Manage and report financial responsibilities

1.K.2

Prepare and secure annual budget

1.K.3

Understand economic environment

1.L. Manage the Security Organization (e.g., define roles and responsibilities, determine FTEs, performance evaluation) 1.M. Understand Project Management Principles (e.g., time, scope, and cost relationship, work breakdown structure)

8 © 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial purposes is prohibited. 5.19.15 V12

Effective Date: April 2013

2)

SECURITY LIFECYCLE MANAGEMENT

Overview The Security Lifecycle Management domain assesses the candidate’s knowledge and skill in integrating information security principles and processes into new business initiatives, as well as the System Development Life Cycle (SDLC), including the operations and maintenance and disposal phases. Security must be included from the early stages of all projects to identify and manage vulnerabilities and remediate risks. The candidate should have an understanding of: • The organization’s operating environment and threats and vulnerabilities that could have a negative impact on business functions. •

Emerging trends in technologies and operating environments (e.g., cloud computing).

•

Collaborating with organizational leaders to identify and assess risks associated with new initiatives.

•

Overseeing processes to define, document, and test information security requirements as part of new initiatives.

•

Using configuration management to minimize the risk of introducing new vulnerabilities.

•

Developing processes and procedures for identifying and remediating vulnerabilities.

Key Areas of Knowledge 2.A. Manage the Integration of Security into the System Development Lifecycle (SDLC) 2.A.1

Identify lifecycle processes within the organization

2.A.2

Integrate information security gates (decision points) and milestones into lifecycle

2.A.3

Monitor compliance with the lifecycle

2.A.4

Oversee the configuration management process

2.B. Integrate New Business Initiatives into the Security Architecture 2.B.1

Participate in development of business case for new initiatives to integrate security

9 © 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial purposes is prohibited. 5.19.15 V12

Effective Date: April 2013

2.B.2

Address impact of new business initiatives on security (e.g., cloud, big data)

2.C. Define and Oversee Comprehensive Vulnerability Management Programs (e.g., vulnerability scanning, penetration testing, threat analysis) 2.C.1 Classify assets, systems, and services based on criticality to business 2.C.2 Prioritize threats and vulnerabilities 2.C.3 Oversee security testing 2.C.4 Remediate vulnerabilities based on risk

10 © 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial purposes is prohibited. 5.19.15 V12

Effective Date: April 2013

3)

SECURITY COMPLIANCE MANAGEMENT

Overview The Security Compliance Management domain assesses the candidate’s knowledge and skill in establishing, managing, and overseeing a process to help monitor, assess and enforce compliance with security policies and procedures. The process should include meaningful metrics, identify acceptable exceptions and report status to senior managers. The candidate should also understand audit goals and procedures and should be able to help prepare for and participate in both internal and external audits and respond to audit findings.

Key Areas of Knowledge 3.A Validate Compliance with Organizational Security Policies and Procedures 3.A.1

Define a compliance framework

3.A.2

Implement validation procedures outlined in framework

3.A.3

Utilize and report on security compliance metrics

3.B Manage and Document Exceptions to the Compliance Framework 3.C Coordinate with Auditors and Assist with the Internal and External Audit Process 3.C.1

Preparation

3.C.2

Scheduling (e.g., availability, mitigation timeline)

3.C.3

Evaluation (e.g., validate findings, assess impact, provide comments, and resolution)

3.C.4

Formulate response

11 © 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial purposes is prohibited. 5.19.15 V12

Effective Date: April 2013

4)

CONTINGENCY MANAGEMENT

Overview The Contingency Management domain assesses the candidate’s knowledge and skill in planning and implementing processes for reducing the impact of adverse events, such as natural or man-made disasters, virus outbreak, or equipment failure. The candidate should possess the necessary knowledge and skill to assist organizational leaders in identifying key business functions and information assets, as well as developing, maintaining and implementing recovery strategies. Planning for disasters must take into account business priorities and goals as well as resources needed to maintain or restore capabilities.

Key Areas of Knowledge 4.A Oversee Development of Contingency Plans 4.A.1

Address challenges related to the business continuity process (e.g., time, resources, verification)

4.A.2

Address challenges related to the disaster recovery process (time, resources, verification)

4.A.3

Coordinate with key stakeholders

4.A.4

Understand organizational drivers & policies

4.A.5

Oversee Business Impact Analysis (BIA) process

4.B Guide Development of Recovery Strategies 4.B.1

Identify and analyze alternatives

4.B.2

Recommend and coordinate strategies

4.B.3

Assign security roles and responsibilities

12 © 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial purposes is prohibited. 5.19.15 V12

Effective Date: April 2013

4.C Manage Maintenance of the BCP and DRP plans (e.g., lessons learned, architecture changes) 4.C.1

Plan testing, evaluation, and modification

4.C.2

Determine survivability and resiliency capabilities

4.C.3

Manage recovery process

13 © 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial purposes is prohibited. 5.19.15 V12

Effective Date: April 2013

5)

LAW,ETHICS AND INCIDENT MANAGEMENT

Overview The Law, Ethics and Incident Management domain assesses the candidate’s knowledge and understanding of laws and regulations that apply to the organization, as well as the implications of non-compliance. The candidate should possess the necessary knowledge and skill in developing processes for managing security incidents, coordinating with law enforcement and legal authorities, identifying and applying ethical guidelines and keeping the organization’s management informed of real or potential impacts. This domain assesses the core knowledge and skill that is widely accepted across most jurisdictions.

Key Areas of Knowledge 5.A Understand the Impact of Laws that Relate to Information Security 5.A.1 Understand global privacy laws (e.g. customer, employee) 5.A.2 Understand legal footprint of the organization (e.g., trans border data flow) 5.A.3 Understand export laws 5.A.4

Understand intellectual property laws (e.g., trademark, copyright, patent, licensing)

5.A.5 Manage liability (e.g., downstream and upstream/direct and indirect)

5.B Develop and Manage the Incident Handling and Investigation Processes 5.B.1

Establish and maintain incident handling process

5.B.2

Establish and maintain investigation process

5.B.3

Quantify and report the financial impact of incidents and investigations to senior management

5.C Understand Management Issues as They Relate to the (ISC)² Code of Ethics

14 © 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial purposes is prohibited. 5.19.15 V12

Effective Date: April 2013

REFERENCES This reference list is NOT intended to be an all-inclusive collection representing the CISSP® Core Body of Knowledge (CBK®). Its purpose is to provide candidates a starting point for their studies in domains which need supplementary learning in order to complement their associated level of work and academic experience. Candidates may also consider other references, which are not on this list but adequately cover domain content. Note: (ISC)2 does not endorse any particular text or author and does not imply that any or all references be acquired or consulted. (ISC)2 does not imply nor guarantee that the study of these references will result in an examination pass.

15 © 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial purposes is prohibited. 5.19.15 V12

Effective Date: April 2013

Reference

Author

A Practical Guide to Security Assessments, 2004

Sudhanshu Kairab

Asset Protection and Security Management Handbook, 2003

James Walsh

Building a global Information Assurance Program, 2005

Raymond J. Curts, Douglas E. Campbell

Building an Information Security Awareness Program, 2001

Marck B.Desman

Business Continuity Management: Building an Effective Incident Management Plan, 2009

Michael Blyth

Computer Forensics, Computer Crime Scene Investigation 2nd Ed. 2005

John R. Vacca

Computer Security Art and Science, 2002

Matt Bishop

Corporate Resiliency: Managing the Growing Risk of Fraud and Corruption, 2009

Toby J. Bishop, Frank E. Hydoski

The Definitive Handbook of Business Continuity Management, 2010

Andrew Hiles

Disaster Recovery Planning: Preparing for the Unthinkable 3rd Ed. 2003

Jon William Toiga

Enterprise Security Architecture: A Business-Driven Approach, 2005

John Sherwood, Andrew Clark, David Lynas

EU Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, 1995

European Parliament, Council of the European Union

Information Assurance - Managing Organizational IT Security Risks, 2002

Joseph G. Boyce, Dan W. Jennings

Information Security Management Handbook Series, 1998, 2000, 2001, 2003, 2005,2006, 2007, 2008

Harold F. Tipton, Micki Krause

Inside the Security Mind, 2003

Kevin Day

ISO/IEC 27001:2005 - Information technology -- Security techniques -Information security management systems -- Requirements.

ISO

ISO/IEC 27002:2005 - Information technology - Security techniques Code of practice for information security management.

ISO

ISO/IEC 27003:2010 - Information technology - Security techniques Information security management system implementation guidance

ISO

ISO/IEC 27004:2009 - Information technology - Security techniques Information security management - Measurement

ISO

16 © 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial purposes is prohibited. 5.19.15 V12

Effective Date: April 2013

ISO/IEC 27005:2011- Information technology - Security techniques Information security risk management

ISO

ISO/IEC 29100:2011 - Information technology - Security techniques Privacy framework

ISO

IT Governance: A Manager's Guide to Data Security and ISO 27001 / ISO 27002, 2008

Alan Calder, Steve Watkins

IT Security Risking the Corporation, 2003

Linda McCarthy

Managing an Information Security and Privacy Awareness Training Program, 2005

Rebecca Herold

The New School of Information Security, 2008

Adam Shostack, Andrew Stewart

NIST Special Publication 800-30, July 2002 or later, Risk Management Guide for Information Technology Systems http://csrc.nist.gov/publications/PubsSPs.html

Gary Stoneburner, Alice Goguen, and Alexis Feringa

NIST Special Publication 800-35, October 2003 or later, Guide to Information Technology Security Services, http://csrc.nist.gov/publications/PubsSPs.html

Grance, Hash, Stevens, O'Neal, Bartol

NIST Special Publication 800-47, August 2002 or later, Security Guide for Interconnecting Information Technology Systems http://csrc.nist.gov/publications/PubsSPs.html

Grance, Hash, et al.

NIST Special Publication 800-55 rev 1 or later, July 2008 Performance Measurement Guide for Information Security http://csrc.nist.gov/publications/PubsSPs.html

Chew, Swanson, Stein, Bartol, Brown, Robinson

NIST Special Publication 800-100, October 2006 or later, Information Security Handbook: A Guide for Managers http://csrc.nist.gov/publications/PubsSPs.html

Pauline Bowen, Joan Hash, Mark Wilson

The Practice of Network Security, 2003

Allan Liska

Surviving and Thriving in Uncertainty: Creating The Risk Intelligent Enterprise, 2010

Frederick Funston, Stephen Wagner

17 © 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial purposes is prohibited. 5.19.15 V12

Effective Date: April 2013

SAMPLE EXAM QUESTIONS 1. Which of the following methods of training users in security awareness is BEST for employees?

(A)

Offer textual information regarding security awareness to the employees

(B)

Provide the employees with a video concerning security awareness

(C)

Demonstrate security awareness practices to the employees

(D)

Make a web-based presentation on the subject of security awareness available to the employees

Answer: C

2.

A hostile code has made an initial entry into a company’s enterprise. Given this scenario, which stage of the lifecycle does the hostile code now enter in order to become suitable for infection?

(A)

Propagation

(B)

Dormancy

(C)

Payload delivery

(D)

Triggering event

Answer: A

18 © 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial purposes is prohibited. 5.19.15 V12

Effective Date: April 2013 3.

Which of the following is the MOST effective way to ensure that a new system being developed will have adequate security when it is implemented?

(A)

Add security controls after the system development and functional testing have been completed in order to reduce costs

(B)

Complete the system design before developing security requirements to ensure that all design elements are considered

(C)

Integrate security functions into the lifecycle beginning with the initiation stage and consider security during all other stages

(D)

Develop security controls separately from other system components to maintain separation of duties and test them just before implementation

Answer: C

19 © 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial purposes is prohibited. 5.19.15 V12

Effective Date: April 2013

GENERAL EXAMINATION INFORMATION Computer Based Test (CBT) Registering for the Exam Process for Registration Overview This section describes procedures for candidates registering to sit for a Computer Based Test (CBT). The test is administered at Pearson VUE Testing centers in the US, Canada, and other parts of the world. 1. Go to www.pearsonvue.com/isc2 to register for a test appointment. 2. Select the most convenient test center 3. Select an appointment time. 4. Pay for your exam appointment. 5. Receive confirmation from Pearson VUE with the appointment details, test center location and other relevant instructions, if any. Please note that your registration information will be transferred to (ISC)² and all communication about the testing process from (ISC)² and Pearson VUE will be sent to you via email.

Fees Please visit the (ISC)2 website https://www.isc2.org/certification-register-now.aspx for the most current examination registration fees.

U.S. Government Veteran’s Administration G.I. Bill The U.S. Department of Veterans Affairs has approved reimbursement to veterans under the G.I. Bill for the cost of the Certified Information System Security Professional (CISSP), the CISSP Concentrations (ISSAP, ISSEP, ISSMP), the Certification and Accreditation Professional (CAP), and the System Security Certified Practitioner (SSCP) examinations. Please refer to the U.S. Department of Veterans Affairs Website at www.va.gov for more details.

20 © 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial purposes is prohibited. 5.19.15 V12

Effective Date: April 2013

CBT Demonstration Candidates can experience a demonstration and tutorial of the CBT experience on our Pearson VUE web page. The tutorial may be found at www.pearsonvue.com/isc2 .

Scheduling a Test Appointment Process for Registration Overview Candidates may register for a testing appointment directly with Pearson VUE ( www.pearsonvue.com/isc2 ). Candidates who do not pass the test will be subject to the retake policy and must wait the applicable time before they are allowed to re-sit for the examination.

Exam Appointment Test centers may fill up quickly because of high volume and previously scheduled special events. Pearson VUE testing centers also serve candidates from other entities; thus waiting to schedule the testing appointment may significantly limit the options for candidate’s desired testing dates at the closest center available.

Scheduling for a Testing Appointment Candidates may schedule their appointment online at (ISC)² CBT Website located at www.pearsonvue.com/isc2. Candidates will be required to create a Pearson VUE account in order to complete registration. Candidates profile will be transferred to (ISC)² and becomes part of the candidate’s permanent record. Candidates will be able to locate test centers and select from a choice of available examination appointment times at the Pearson VUE website. Candidates may also register over the telephone with a CBT registration specialist. Please refer to ‘Contact Information’ for local telephone numbers for your region.

Rescheduling or Cancellation of a Testing Appointment If you wish to reschedule or cancel your exam appointment, you must contact Pearson VUE at least 48 hours before the exam date by contacting Pearson VUE online (www.pearsonvue.com/isc2), OR at least 24 hours prior to exam appointment time by contacting Pearson VUE over the phone. Canceling or rescheduling an exam appointment less than 24 hours via phone notification, or less than 48 hours via online notification is subject to a forfeiture of exam fees. Exam fees are also forfeited for no-shows. Please note that, Pearson VUE charges a 50 USD/35 £/40 € fee for reschedules, and 100 USD/70 £/80 € fee for cancellations. 21 © 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial purposes is prohibited. 5.19.15 V12

Effective Date: April 2013 Reschedules and cancellations may be done at the (ISC)² CBT Candidate Website (www.pearsonvue.com/isc2) or via telephone. Please refer to ‘Contact Information’ for more information and local telephone numbers for your region.

Late Arrivals or No Shows If the candidate does not arrive within 15 minutes of the scheduled exam starting time, he or she has technically forfeited his or her assigned seat. If the candidate arrives late (after 15 minutes of his/her scheduled appointment), it is up to the discretion of the testing center as to whether or not the candidate may still take the exam. If the test administrator at the testing location is able to accommodate a late arriving candidate, without affecting subsequent candidates’ appointments, he/she will let the candidate to sit for the exam and launch his/her exam. Any/all attempts are made to accommodate candidates who arrive late. However, if the schedule is such that the test center is not able to accommodate a late arrival, the candidate will be turned away and his/her exam fees will be forfeited. If a candidate fails to appear for a testing appointment, the test result will appear in the system as a No-Show and the candidate’s exam fees will be forfeited.

Procedure for Requesting Special Accommodations Pearson VUE Professional Centers can accommodate a variety of candidates’ needs, as they are fully compliant with the Americans with Disability Act (ADA), and the equivalent requirements in other countries. Requests for accommodations should be made to (ISC)² in advance of the desired testing appointment. Once (ISC)² grants the accommodations request, the candidate may schedule the testing appointment using Pearson VUE’s special accommodations number. From there, a Pearson VUE coordinator will handle all of the arrangements. PLEASE NOTE: Candidates that request special accommodations should not schedule their appointment online or call the main CBT registration line.

22 © 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial purposes is prohibited. 5.19.15 V12

Effective Date: April 2013

What to Bring to the Test Center Proper Identification (ISC)² requires two forms of identification, a primary and a secondary, when checking in for a CBT test appointment at a Pearson VUE Test Center. All candidate identification documents must be valid (not expired) and must be an original document (not a photocopy or a fax). Primary IDs: Must contain a permanently affixed photo of the candidate, along with the candidate’s signature. Secondary IDs: Must have the candidate’s signature. Accepted Primary ID (photograph and signature, not expired)  Government issued Driver’s License or Identification Card  U.S. Dept of State Drivers License  U.S. Learner’s Permit (card only with photo and signature)  National/State/Country Identification Card  Passport  Passport Cards  Military ID  Military ID for spouses and dependents  Alien Registration Card (Green Card, Permanent Resident Visa)  Government Issued local language ID (plastic card with photo and signature  Employee ID  School ID  Credit Card* (A credit card can be used as a primary form of ID only if it contains both a photo and a signature and is not expired. Any credit card can be used as a secondary form of ID, as long as it contains a signature and is not expired. This includes major credit cards, such as VISA, MasterCard, American Express and Discover. It also includes department store and gasoline credit cards. Accepted Secondary ID (contains signature, not expired)  U.S. Social Security Card  Debit/(ATM) Card  Credit Cards  Any form of ID on the primary list

23 © 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial purposes is prohibited. 5.19.15 V12

Effective Date: April 2013

Name Matching Policy Candidate’s first and last name on the presented identification document must exactly match the first and last name on the registration record with Pearson VUE. If the name the candidate has registered with does not match the name on the identification document, proof of legal name change must be brought to the test center on the day of the test. The only acceptable forms of legal documentation are marriage licenses, divorce decrees, or court sanctioned legal name change documents. All documents presented at the test center must be original documents. If a mistake is made with a name during the application process, candidates should contact (ISC)² to correct the information well in advance of the actual test date. Name changes cannot be made at the test center or on the day of the exam. Candidates who do not meet the requirements presented in the name matching policy on the day of the test may be subject to forfeiture of testing fees and asked to leave the testing center.

Examination Agreement and Non-Disclosure Agreement All candidates must agree to the terms listed in (ISC)2’s Examination Agreement. The agreement is located at https://www.isc2.org/uploadedfiles/education/cbt%20examination%20agreement.pdf. Prior to starting the exam, all candidates are also required to accept the (ISC)² non-disclosure agreement (NDA), and are required in the computer to accept the agreement prior to being presented with exam questions. If the NDA is not accepted by the candidate, or refused to accept within the time allotted, the exam will end, and the candidate will be asked to leave the test center. No refund of exam fees will be given. For this reason, all candidates are strongly encouraged to review the non-disclosure agreement prior to scheduling for, or taking the exam. The agreement is located at www.pearsonvue.com/isc2/isc2_nda.pdf.

Day of the Exam Check-In Process Plan to arrive at the Pearson VUE testing center at least 30 minutes before the scheduled testing time. If you arrive more than 15 minutes late to your scheduled appointment, you may lose your examination appointment. For checking-in: 

You will be required to present two acceptable forms of identification.

24 © 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial purposes is prohibited. 5.19.15 V12

Effective Date: April 2013  



You will be asked to provide your signature, submit to a palm vein scan, and have your photograph taken. Hats, scarves and coats may not be worn in the testing room, or while your photograph is being taken. You will be required to leave your personal belongings outside the testing room. Secure storage will be provided. Storage space is small, so candidates should plan appropriately. Pearson Professional Centers assume no responsibility for candidates’ personal belongings. The Test Administrator (TA) will give you a short orientation, and then will escort you to a computer terminal. You must remain in your seat during the examination, except when authorized to leave by test center staff. You may not change your computer terminal unless a TA directs you to do so.

Raise your hand to notify the TA if you • • • •

believe you have a problem with your computer. need to change note boards. need to take a break. need the administrator for any reason.

Breaks You will have up to six hours to complete the CISSP, and up to four hours to complete the CSSLP and CCFP up to three hours to complete the following examinations:  SSCP  CAP  HCISPP  ISSAP  ISSEP  ISSMP Total examination time includes any unscheduled breaks you may take. All breaks count against your testing time. You must leave the testing room during your break, but you may not leave the building or access any personal belongings unless absolutely necessary (e.g. for retrieving medication). Additionally, when you take a break, you will be required to submit to a palm vein scan before and after your break.

25 © 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial purposes is prohibited. 5.19.15 V12

Effective Date: April 2013

Examination Format and Scoring ®



The CISSP examination consists of 250 multiple choice questions with four (4) choices each.



The CSSLP examination consists of 175 multiple choice questions with four (4) choices each. The HCISPP examination contains 125 multiple choice questions with four (4) choices each. The CCFP examination contains 125 multiple choice questions with four (4) choices each. The SSCP® examination contains 125 multiple choice questions with four (4) choices each. The ISSAP®, ISSEP®, and ISSMP® concentration examinations contain 125, 150, 125 multiple choice questions respectively with four (4) choices each. The Certified Authorization Professional (CAP®) examination contains 125 multiple choice questions with four (4) choices each. Also, administered in computers.

    

®

There may be scenario-based items which may have more than one multiple choice question associated with it. These items will be specifically identified in the test booklet. Each of these exams contains 25 questions which are included for research purposes only. The research questions are not identified; therefore, answer all questions to the best of your ability. There is no penalty for guessing, so candidates should not leave any item unanswered. Examination results will be based only on the scored questions on the examination. There are several versions of the examination. It is important that each candidate have an equal opportunity to pass the examination, no matter which version is administered. Subject Matter Experts (SMEs) have provided input as to the difficulty level of all questions used in the examinations. That information is used to develop examination forms that have comparable difficulty levels. When there are differences in the examination difficulty, a mathematical procedure called equating is used to make the difficulty level of each test form equal. Because the number of questions required to pass the examination may be different for each version, the scores are converted onto a reporting scale to ensure a common standard. The passing grade required is a scale score of 700 out of a possible 1000 points on the grading scale.

26 © 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial purposes is prohibited. 5.19.15 V12

Effective Date: April 2013

Technical Issues On rare occasions, technical problems may require rescheduling of a candidate’s examination. If circumstances arise causing you to wait more than 30 minutes after your scheduled appointment time, or a restart delay lasts longer than 30 minutes, you will be given the choice of continuing to wait, or rescheduling your appointment without an additional fee. • •

•

If you choose to wait, but later change your mind at any time prior to beginning or restarting the examination, you will be allowed to take exam at a later date, at no additional cost. If you choose not to reschedule, but rather test after a delay, you will have no further recourse, and your test results will be considered valid. If you choose to reschedule your appointment, or the problem causing the delay cannot be resolved, you will be allowed to test at a later date at no additional charge. Every attempt will be made to contact candidates if technical problems are identified prior to a scheduled appointment.

Testing Environment Pearson Professional Centers administer many types of examinations including some that require written responses (essay-type). Pearson Professional Centers have no control over typing noises made by candidates sitting next to you while writing their examination. Typing noise is considered a normal part of the computerized testing environment, just as the noise of turning pages is a normal part of the paper-and pencil testing environment. Earplugs are available upon request.

When the Exam is Finished After you have finished the examination, raise your hand to summon the TA. The TA will collect and inventory all note boards. The TA will dismiss you when all requirements are fulfilled. If you believe there was an irregularity in the administration of your test, or the associated test conditions adversely affected the outcome of your examination, you should notify the TA before you leave the test center.

Results Reporting Candidates will receive their unofficial test result at the test center. The results will be handed out by the Test Administrator during the checkout process. (ISC)² will then follow up with an official result via email.

27 © 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial purposes is prohibited. 5.19.15 V12

Effective Date: April 2013

In some instances, real time results may not be available. A comprehensive statistical and psychometric analysis of the score data is conducted during every testing cycle before scores are released. A minimum number of candidates are required to take the exam before this analysis can be completed. Depending upon the volume of test takers for a given cycle, there may be occasions when scores are delayed for approximately 6-8 weeks in order to complete this critical process. Results WILL NOT be released over the phone. They will be sent via email from (ISC)² as soon as the scores are finalized. If you have any questions regarding this policy, you should contact (ISC)² prior to your examination.

Exam Irregularities and Test Invalidation (ISC)2 exams are intended to be delivered under standardized conditions. If any irregularity or fraud is encountered before, during, or after the administration of the exam, (ISC)2 will examine the situation and determine whether action is warranted. If (ISC)2 determines that any testing irregularity or fraud has occurred, it may choose not to score the answer documents of the affected test taker(s), or it may choose to cancel the scores of the affected test taker(s). (ISC)2 may at its sole discretion revoke any and all certifications a candidate may have earned and ban the candidate from earning future (ISC)2 certifications, and decline to score or cancel any Exam under any of the circumstances listed in the (ISC)2 Examination Agreement. Please refer to the (ISC)2 Examination Agreement for further details (https://www.isc2.org/uploadedfiles/education/cbt%20examination%20agreement.pdf).

Retake Policy Test takers who do not pass the exam the first time will be able to retest after 30 days. Test takers that fail a second time will need to wait 90 days prior to sitting for the exam again. In the unfortunate event that a candidate fails a third time, the next available time to sit for the exam will be 180 days after the most recent exam attempt. Candidates are eligible to sit for (ISC)² exams a maximum of 3 times within a calendar year.

Recertification by Examination Candidates and members may recertify by examination for the following reasons ONLY;  

The candidate has become decertified due to reaching the expiration of the time limit for endorsement. The member has become decertified for not meeting the number of required continuing professional education credits.

28 © 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial purposes is prohibited. 5.19.15 V12

Effective Date: April 2013

Logo Usage Guidelines (ISC)² is a non-profit membership organization identified as the leader in certifying individuals in information security. Candidates who successfully complete any of the (ISC)² certification requirements may use the appropriate Certification Mark or the Collective Mark, where appropriate, and the logo containing the Certification Mark or the Collective Mark, where appropriate (the “Logo”) to identify themselves as having demonstrated the professional experience and requisite knowledge in the realm of information system security. Please visit the following link (URL) for more information on logo use: https://www.isc2.org/uploadedfiles/(ISC)2_Public_Content/Legal _and _Policies/LogoGuidleines.pdf

Any questions? (ISC)2 Candidate Services 311 Park Place Blvd, Suite 400 Clearwater, FL 33759 Phone: 1.866.331.ISC2 (4722) in the United States 1.727.785.0189 all others Fax: 1.727.683.0785

29 © 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial purposes is prohibited. 5.19.15 V12

Effective Date: April 2013

30 © 2015 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial purposes is prohibited. 5.19.15 V12