This note is to encourage all members of (ISC)2 to understand the nature of Associate status and give advice on how to avoid potentially misleading use of the term, especially in resumes, LinkedIn profiles, and communications with human resources staff.
1. Associate of (ISC)2 is not a certification; it is a category of (ISC)2 membership for individuals seeking their first certification from the Consortium by passing one of the exams but still working toward the professional experience requirement.
2. There is no such thing as an “Associate CISSP” or “Associate of CISSP” (or any other certification).
3. Imprecise use of the terminology by an Associate may be interpreted as an apparent claim to a certification not yet received, a violation of the Code of Ethics, resulting in the Associate being barred from certification.
Information here is based on
An Associate of (ISC)2 is a member of (ISC)2 who has passed any one of six certification exams (CISSP, SSCP, CCSP, CAP, CSSLP, or HCISPP) and paid dues to join the organization, but not yet accumulated sufficient work experience to seek endorsement to (ISC)2 for certification.
Certification applicants who already have the required professional experience before taking one of the exams do not pass through Associate status. They move straight into the endorsement process, and become members upon receiving their first certification from (ISC)2.
There is no such thing as “Associate CISSP,” or “Associate CSSLP,” or “Associate of CISSP.” All Associates of (ISC)2 have the same membership status. However, the (ISC)2 staff does keep records to identify which certification each Associate is working towards by having passed a specific exam. Thus, you may see references to an Associate of (ISC)2 leading to CISSP, or similar language.
Using language in a resume, profile, or biography that includes the name of a certification in a manner that could lead a non-member of (ISC)2 to infer you hold that certification may be a violation of the second canon of the Code of Ethics, “Act honorably, honestly, justly, responsibly, and legally.” Should a formal complaint to the Ethics Committee on such usage result in a finding of violation, the Associate may be barred for life from ever being certified by (ISC)2.
Tidbits from History
When founded, the International Information Systems Security Certification Consortium - (ISC)2 - had only about a half a dozen members: professional organizations who banded together to have one broadly accepted certification instead of each operating their own.
The organizations were the following: “the Canadian Information Processing Society, the Computer Security Institute, the Data Processing Management Association (two special interest groups), Idaho State University, the Information Systems Security Association, and the International Federation for Information Processing.” (https://www.isc2.org/About)
There were no individual memberships; the organizations were the members, not those certified by the Consortium.
Some years later the (ISC)2 Board moved to convert the Consortium into its own professional organization, separate from the founding groups, with all certified CISSPs and SSCPs as members. At that time there were no other certifications managed by (ISC)2.
In the early 2000s another professional organization, ISACA, created a new certification to work along with their longstanding Certified Information Systems Auditor (CISA) certification, the CIS Manager (CISM). The CISA is for line-level auditors. The CISM was designed for managers overseeing the work of CISAs. While there was no apparent intent by ISACA to poach on (ISC)2 territory, it was apparent that the qualifications for CISM were very close to those for CISSP. In fact, during the first year many CISSPs could attain CISM by a grandfathering process, without taking an exam. Reacting to the CISM, (ISC)2 created a new membership status of Associate of (ISC)2, which required passing the CISSP (not SSCP) exam, but not requiring any professional experience in the field. At the same time, eligibility to take the CISSP exam was changed, removing the work experience requirement. The idea at the time was to capture young security professionals into the (ISC)2 CISSP pipeline before they had five years' experience, ready to choose between CISSP, CISM, or both.
In the years since, (ISC)2 has introduced several additional certifications, now a total of six. The Board further broadened the concept of an Associate of (ISC)2 as a member pursuing a “Path to Certification” for a first certification from (ISC)2, any one of the six certifications. The name of the member status has remained the same as originally established, but now has a broader meaning to support all the available certifications. Nonetheless, posts in the Community of (ISC)2 forums by (ISC)2 staff make it apparent that the staff now maintains records to link each Associate with the certification being sought.
Thank you for the informative synopsis. I showed this to a member of my team today who will be sitting for the exam in the next few weeks seeking the Associate of (ISC)2 designation. Your write up gave him a very clear understanding of proper use and limitations. Nicely done!
@CraginS Thank you for sharing this! For people like me who recently passed the CISSP exam and are still working toward the professional experience requirement, how should the completion of the exam be properly displayed on a resume/CV? Or should it be displayed at all?
Thank you again for your insight!
@ReubenB asked, "For people like me who recently passed the CISSP exam and are still working toward the professional experience requirement, how should the completion of the exam be properly displayed on a resume/CV?"
Understand that this is my personal opinion, and not an official (ISC)2 answer.
I recommend showing your "Associate of (ISC)2" status, appended with a phrase indicating the field your exam covered but not using the certification abbreviation.
if you passed the CISSP exam, say Associate of (ISC)2 specializing in Information Security Leadership & Operations;
if you passed the CCSP, say Associate of (ISC)2 specializing in Cloud Security;
if you passed the CSSLP, say Associate of (ISC)2 specializing in Software Security;
if you passed the SSCP, say Associate of (ISC)2 specializing in IT Administration.
Oh, and congrats on completing the easy part (the exam). Now comes the hard part of actually doing all that work.
Another suggestion: plan your CPE efforts now to meet the full 40/year average, instead of the reduced level required of Associates. Get in the habit of earning CPE at the level you will need for the rest of your time in (ISC)2. If nothing else, spend an hour each week in an online webinar or seminar for those CPE. There are hundreds of good ones, all free and widely available from a bunch of sources, like (ISC)2, ISSA, SANS, ISACA, as well as numerous vendors like FireEye and Verizon.
I'm trying to do some research into what ISC2's policy is regarding but haven't found anything specific yet.
Sign into the isc2.org site and look in the Members section. The page CPE Overview shows that Associates must earn 15 Type A CPE units each year.
For the full details on CPE requirements, go to the View/Edit CPE page and at the top of the page download the CPE Handbook (19 page pdf).
Finally, a more general word of advice. You said you tried to do some research into ISC2's policy. However, you missed the series of pages linked here. Hone your information searching skills by thinking about what key words to search for INSIDE a given site, either with that site's Search function or the generic Google search with the in:domain command, such as in:isc2.org CPE in Google. Think about likely key words for your desired information and try several of them. Also, learn to mine the hierarchical menus in the sites, following logical tracks down into the site's information. Drilling down into a site like isc2.org will make you more familiar with how the site admins structured the information and what they have made available. INFOSEC is a fast moving field, and you will need strong google-fu to stay current.
Hi Dr. Shelton,
Thanks for your thoughtful post about one of our unintended best kept secrets (i.e., the Associate of (ISC)² Program).
You are correct that an Associate of (ISC)² is not allowed to misrepresent that the Associate of (ISC)² designation is a certification. As you stated, this would be a violation of a number of our ethical canons, and (ISC)² works hard to maintain the integrity of all aspects of the certification process. Our Association members count on us to do so. As a certification body that is annually assessed against the ISO/IEC 17024 standard, we are also disallowed to represent the Associate of (ISC)² designation as a certification. It’s still a very effective career path program. More on that in a minute.
I should point out that our Associate digital badge will quickly show hiring officials and other interested parties the specific exam the Associate of (ISC)² passed—along with the exam date. The good news is that increasingly organizations are using the Associate of (ISC)² Program for entry level positions for workforce capacity building and succession planning. Today, our Associate of (ISC)² Program is stronger than ever.
Since the Associate of (ISC)² Program was established in 2003, over 15,000 people have held the designation with over 86% of our Associates going on to gain the required experience, completing the endorsement process and holding an (ISC)² certification. Historically, (ISC)² has not done a good job explaining how the program works, and how candidates can leverage the program. Consequently, many candidates who ultimately want to hold one of our certifications like the CISSP, but lack the required experience, do not feel (ISC)² offers a career path. Those looking to make a career change also question whether (ISC)² can provide a career path to enable them to come into the industry. Our Associate of (ISC)² Program became an unintentional best kept secret. We’ve recognized this shortcoming, and we’re doing more outreach about the Associate of (ISC)² Program providing candidates a way to:
We’re proud of our Associates, because they’ve passed a rigorous exam. They are required to complete ongoing continuing professional education (CPEs) credits while they get the required experience. They’ve clearly demonstrated a commitment to life-long learning, and they’re on a predictable path to holding a respected professional certification. We have lots of stories of members (including members of our board of directors) who have leveraged the Associate Program. It works, and as more people learn about it, (ISC)² is able to do a better job helping to fill the growing need for qualified cyber, information, software and infrastructure security professionals.
For those interested in learning more about the Associate of (ISC)² Designation, here’s a fun short video:
Dr. Shelton, thanks again for bringing this up. I hope more people will consider our Associate of (ISC)² program for friends and family members interested in helping us inspire a safe and secure cyber world.
| CEO | www.isc2.org | email@example.com |