International Information Systems Security Certification Consortium, a.k.a. “(ISC)2”, offers the Certified Information Systems Security Professional (“CISSP”) certification. Much of this article may be a bit focused on that particular certification.

Completion of an exam may lead to a person achieving a designation called “Associate of (ISC)2”, which expires in six years. (Note that the “Associate of (ISC)2” does not appear to be automatically granted, as the “How to Get a CISSP Certification” refers to a person being able to become an associate within nine months of the date of the exam.)

A person with this “Associate of (ISC)2” designation can get the status of CISSP by meeting certain requirements (and so doing that is recommended for people who have passed the exam). The most time-consuming of these CISSP Professional Experience Requirements is to have years of experience in the industry. In basic theory, the requirement is five years, although there are options to reduce that requirement down to four years (such as if a person has the CompTIA Security+). Waiver for CISSP mentions some such available options, and clarifies: “The five years of experience must be the equivalent of actual fulltime Information Security work (not just Information Security responsibilities for a five year period); this requirement is cumulative”, meaning that the required time may have come from a single period of employment, or from multiple different periods of time. There may be other requirements as well, such as (ISC)2 Candidate Background Qualifications.


At least some certifications, including the CISSP, can expire. To prevent that, there may be a need to pay Annual Maintenance Fees (“AMF”s), such as $85/year for CISSP, or $65 or $100 for other certifications.

Additionally, a person may need to obtain Continuing Professional Education Credits (“CPE”s). A CPE involves engaging in (authorized) activities and roughly corresponds to one hour of work, with some activities being worth more. For instance, Wikipedia's article on “Certified Information Systems Security Professional”: “Ongoing certification” section states that preparing “training for others is weighted at 4 CPEs/hour, published articles are worth 10 CPEs, and published books 40 CPEs.”

For example, the CISSP requires 20 CPEs each year, and requires 60 more CPEs (for a total of 120 CPEs) to be obtained over a three-year period. Of those 120 CPEs, at least 80 must be “Group A” CPEs. There may be additional requirements, such as 20 of the CPEs “to be in the specific area of engineering” for someone who takes the ISSEP concentration, as noted by the (ISC)2 PDF file about CPEs.

(ISC)2 PDF file about CPEs provides some details, including referring people: “For more information on CPEs and detailed guidelines, visit http://www.isc2.org/cpes.” That web page seems to require a login.

Maintaining an (ISC)2 Certification has stated, “(ISC)2 has made it easier than ever for members to obtain their CPE credits on a regular basis, offering access to live educational events around the world, as well as online seminars (available exclusively to (ISC)2 members) that can be taken in the comfort of one’s home or office.” (Actually, the quoted text had hyperlinks: the (ISC)2 PDF file about CPEs may also have URLs to resources.)