cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
CraginS
Defender I

Understanding Associate of (ISC)2 Status

This note is to encourage all members of (ISC)2 to understand the nature of Associate status and give advice on how to avoid potentially misleading use of the term, especially in resumes, LinkedIn profiles, and communications with human resources staff.

 

Summary:
1. Associate of (ISC)2 is not a certification; it is a category of (ISC)2 membership for individuals seeking their first certification from the Consortium by passing one of the exams but still working toward the professional experience requirement.
2. There is no such thing as an “Associate CISSP’ or “Associate of CISSP” (or any other certification).
3. Imprecise use of the terminology by an Associate may be interpreted as an apparent claim to a certification not yet received, a violation of the Code of Ethics, resulting in the Associate being barred from certification.

 

Information here is based on

 

An Associate of (ISC)2 is a member of (ISC)2 who has passed any one of six certification exams (CISSP, SSCP, CCSP, CAP, CSLLP, or HCISPP) and paid dues to join the organization, but not yet accumulated sufficient work experience to seek endorsement to (ISC)2 for certification.

 

Certification applicants who already have the required professional experience before taking one of the exams do not pass through Associate status. They move straight into the endorsement process, and become members upon receiving their first certification from (ISC)2.

 

There is no such thing as “Associate CISSP,” or “Associate CSLLP,” or “Associate of CISSP.” All Associates of (ISC)2 have the same membership status. However, the (ISC)2 staff does keep records to identify which certification each Associate is working towards by having passed a specific exam. Thus, you may see references to an Associate of (ISC)2 leading to CISSP, or similar language.

 

Using language in a resume, profile, or biography that includes the name of a certification in a manner that could lead a non-member of (ISC)2 to infer you hold that certification may be a violation of the second canon of the Code of Ethics, “Act honorably, honestly, justly, responsibly, and legally.” Should a formal complaint to the Ethics Committee on such usage result in a finding of violation, the Associate may be barred for life from ever being certified by (ISC)2.

 

TIdbits from History

 

When founded, the International Information Systems Security Certification Consortium - (ISC)2 - had only about a half a dozen members: professional organizations who banded together to have one broadly accepted certification instead of each operating their own.
The organizations were the following: “the Canadian Information Processing Society, the Computer Security Institute, the Data Processing Management Association (two special interest groups), Idaho State University, the Information Systems Security Association, and the International Federation for Information Processing.” (https://www.isc2.org/About)
There were no individual memberships; the organizations were the members, not those certified by the Consortium.

 

Some years later the ISC)2 Board moved to convert the Consortium into its own professional organization, separate from the founding groups, with all certified CISSPs and SSCPs as members. At that time there were no other certifications managed by (ISC)2.

 

In the early 2000’s another professional organization, ISACA, created a new certification to work along with their longstanding Certified Information Systems Auditor (CISA) certification, the CIS Manager (CISM). The CISA is for line-level auditors. The CISM was designed for managers overseeing the work of CISAs. While there was no apparent intent by ISACA to poach on (ISC)2 territory, it was apparent that the qualifications for CISM were very close to those for CISSP. In fact, during the first year many CISSPs could attain CISM by a grandfathering process, without taking an exam. Reacting to the CISM, (ISC)2 created a new membership status of Associate of (ISC)2, which required passing the CISSP (not SSCP) exam, but not requiring any professional experience in the field. At the same time, eligibility to take the CISSP exam was changed removing the work experience requirement. The idea at the time was to capture young security professionals into the (ISC)2 CISSP pipeline before they had five years experience, ready to choose between CISSP, CISM, or both.

 

In the years since, (ISC)2 has introduced several additional certifications, now a total of six. The Board further broadened the concept of an Associate of (ISC)2 as a member pursuing a “Path to Certification” for a first certification from (ISC)2 any one of the six certifications. The name of the member status has remained the same as originally established, but now has a broader meaning to support all the available certifications. Nonetheless, posts in the Community of (ISC)2 forums by (ISC)2 staff make it apparent that the staff now maintains records to link each Associate with the certification being sought.

 

[https://cragins.blogspot.com/2018/08/understanding-associate-of-isc2-status.html[

 

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkeDin Profile
My Community Posts
38 Replies
AlecTrevelyan
Community Champion

You can find all of the answers to your questions in the links I've posted below, but I've also included some relevant pieces of information for you...

 

https://www.isc2.org/Certifications/CISSP/Experience-Requirements

 

A candidate who doesn’t have the required experience to become a CISSP may become an Associate of (ISC)² by successfully passing the CISSP examination. The Associate of (ISC)² will then have six years to earn the five years required experience.

 

https://www.isc2.org/Certifications/SSCP/experience-requirements

 

A candidate who doesn’t have the required experience to become an SSCP may become an Associate of (ISC)² by successfully passing the SSCP examination. The Associate of (ISC)² will then have two years to earn the one year required experience.

 

If you aren't able to earn one year of experience in at least one of the seven domains of the SSCP (1. Access Controls, 2. Security Operations and Administration, 3. Risk Identification, Monitoring, and Analysis, 4. Incident Response and Recovery, 5. Cryptography, 6. Network and Communications Security, 7. Systems and Application Security) in your current job then perhaps you could also work part time in a security role?

 

Part-Time Experience: Your part-time experience cannot be less than 20 hours a week and no more than 34 hours a week.

 

1040 hours of part-time = 6 months of full time experience
2080 hours of part-time = 12 months of full time experience

 

Or another option would be if you have a suitable bachelor's degree (or whatever your regional equivalent is):

 

Candidates may satisfy the one year work experience requirement if they earn a degree from an accredited college or university or regionally equivalent education program. For purposes of certification, (ISC)² looks for the following characteristics of an approved cybersecurity degree:

 

1) The degree originates from a cybersecurity program which addresses cyber, information, software and infrastructure security topics within its requirements;

 

OR

 

2) Is one of the following preapproved degree programs:

 

Computer Science
Computer Engineering
Computer Systems Engineering
Management Information Systems (MIS)
Information Technology [IT]

 

The list of preapproved degree programs will be updated periodically.

 

Althaeis
Newcomer I

I currently have Associate of (ISC)² Toward SSCP, but I just finished all the cpe requirements across the 3 year cycle, what do I need to do to get it changed to the Certification? or will it happen when I hit the date I originally took the exam?

AlecTrevelyan
Community Champion

Some points you should note:

 

  1. The Associate for SSCP only last for a maximum of 2 years and that's a fixed term as opposed to a revolving cycle - the term "3-year cycle" only applies to the full certification
  2. Associates have a "suggested" annual requirement of 15 CPEs so if you are still an Associate in the second year supposedly you'd still need to submit 15 CPEs even if you'd submitted 30+ in the first year
  3. The purpose of the Associate programme is to allow you to gain the required work experience to qualify for the full certification which for SSCP is 1 year - work experience is gained through employment not through earning CPEs
  4. The point of earning the CPEs is to allow you to keep the Associate status so that you can have time to gain the work experience
  5. Once you have gained the required work experience you need to submit an endorsement application through the member portal and have that application approved to be granted the full certification

 

amandavanceISC2
Moderator

@Althaeis Thank you for your inquiry. I am happy to look into your profile and provide more information on how to request full certification. Please email me directly from your primary email address on file and include your (ISC)² ID number.

 

I look forward to hearing from you.

 

Best Regards,

Amanda Vance

avance@isc2.org

Askiff
Viewer II

So I recently passed the exam in November and there is no information on the next steps or the process. I have co-workers who have passed and said they received a packet and are required to submit their resume and get an endorsement. For an associate member there is no information on anything of the sort. I already have 2 years of experience and a degree but there is no information on if I am supposed to submit that information or anything. Will I receive a packet and require an endorsement and am I just supposed to resubmit for full certificate and keep track of my experience? I do think there should be more information out there on the process once you become an associate other then my required CPEs which is the only information I have.  

Thank you,

Alaura

Kaity
Community Manager

Hello @Askiff - I'm sending you a private message! The associate program can be a bit confusing, but basically, you will have a window of time to earn the necessary experience to submit to the endorsement process to become a full member. More information is available here in the meantime - https://www.isc2.org/Certifications/Associate

Melleive
Newcomer I

How do I get the Associate badge for my CISSP? It said it would appear when my first certification period opened but it’s still not loaded in Acclaim. Also, I still haven’t received any sort of certificate stating I am associate CISSP. I need that for my employer as proof status.  

FHaskell
Viewer II

I passed the CISSP exam but don't have the requisite experience to claim the certificate, putting me in the associate territory. I work for a defense contractor and all our job posts run off of the DoD 8570. This specifically calls for "CISSP (or associate)" in several of their requirements. According to ISC2, this doesn't exist and if I use it I'll get banned. How can I apply to a DoD job with the credentials I have earned, without getting hit for implying I have a certificate that I do not?

CraginS
Defender I


@FHaskell wrote:

I passed the CISSP exam but don't have the requisite experience to claim the certificate, putting me in the associate territory. I work for a defense contractor and all our job posts run off of the DoD 8570. This specifically calls for "CISSP (or associate)" in several of their requirements. According to ISC2, this doesn't exist and if I use it I'll get banned. How can I apply to a DoD job with the credentials I have earned, without getting hit for implying I have a certificate that I do not?


Just apply for the job and, once you are officially designated by (ISC)2 as such, state your status as "Associate of (ISC)2."

The original Associate was only applicable to CISSP, and not to the only other cert  back then, the SSCP. And the original DoD requirement was for CISSP. DoD added the "or Associate" language when they realized they were putting middle managers into positions that needed the cert, were able to pass the exam, but did not have 5/4 years of experience. 

  Since then (ISC)2 has added many more certs, and made the general Associate of (ISC)2 status valid for passing any of the exams, but lacking the experience years. And DoD has failed to update the language in their tables to account for that change.

  SO, as the HQ said, do not use the phrase "Associate CISSP" or anything similar; in fact, fo not use CISSP at all. Claim the properly earned Associate of (ISC)2 and you will be fine. Also, do not put in writing, either in yoru resume or cover letter, which exam you passed ot get Associate status. However, if you have an interview, you can tell them then which certification you are pursuing as an Associate. You can also stay in you resume that you are working toward "professional certification in information assurance," a careful wording that avoids using CISSP.

 

 

Good luck!

 

Craig

 

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkeDin Profile
My Community Posts
berninator
Viewer II

There are two things you can do here:

 

1. List what DoD 8570 levels you qualify for on your resume. Such as, "qualified to serve in roles up to IAT Level III, IAM Level III, and IASAE Level II." DISA's guidance is clear - passing the exam is what qualifies you under 8570, not necessarily the actual certification. 

 

2. When you get your Credly badge, put a link to your badge on the resume. The reason why is that your Associate of (ISC)² badge actually lists what exam you passed. In fact, there are seven different Associate of (ISC)² badges on Credly, one for each possible exam. (ISC)² has made it very clear that you are not allowed to use word CISSP anywhere on your resume until you have the actual CISSP cert. However, (ISC)² is also the one who issued you that badge and has stated that you are allowed to include that badge on your LinkedIn and resume. 

 

Are these as good as being able to just outright say "I passed the CISSP exam"? No, definitely not. And you're putting a lot of hope into someone being able to "pick up what you're putting down". But it's pretty much the most you're able to do, so you might as well try.