GUIDELINES FOR SUBMITTING CONTINUING PROFESSIONAL EDUCATION (CPE) CREDITS

Transcription

1 GUIDELINES FOR SUBMITTING CONTINUING PROFESSIONAL EDUCATION (CPE) CREDITS (ISC) 2 CISSP Recertification Guidelines (rev. 8-06) Page 1 of 16

2 CONTENTS Introduction... 3 CPE Record Keeping... 4 CPE Credit Requirements... 5 Direct Information Systems Security Activities [Group A Credits]... 5 Professional Skills Activities [Group B Credits]... 5 Professional Development... 5 Qualifying Activities... 6 How CPE Credits are Calculated... 8 Educational Courses and Seminars... 8 Conferences... 8 Professional Association Chapter Meetings... 8 Vendor Presentations... 8 Completing a Higher Academic Course... 8 Providing Security Training... 8 Publication of A Security Article or Book... 9 Board Service for a Professional Security Organization... 9 Self-Study, Computer-Based Training [CBT], Web Casts... 9 Read Information Security Book / Subscribe to Information Security Magazine... 9 Submission/Publication of Information Security Book Review Government/Public Sector Volunteer Work Submission of CPE Credits CPE Record-Keeping and Audits Reporting CPE Activity Additional Information (ISC) 2 CISSP Recertification Guidelines (rev. 8-06) Page 2 of 16

3 INTRODUCTION CISSPs are required to earn and submit a minimum of 120 CPE credits during each 3- year certification cycle. Excess CPEs earned during the final six months of your cycle can be carried over to your next certification period. CPEs earned through a Trusted CPE Provider will be automatically submitted on your behalf, if you provided your Member ID # during registration. (Trusted CPE Providers normally publicize their status in promotional materials.) CPE s earned from a Trusted CPE Provider are typically exempt from audit. However, in keeping with good security practice, you are encouraged to maintain an audit trail of your earned CPEs for your personal records. Use the following online form to submit CPE credits for your (ISC)² credential. Please submit one activity at a time. Combining multiple activities in a submission may result in errors in submission. CPE Submission Form (ISC) 2 CISSP Recertification Guidelines (rev. 8-06) Page 3 of 16

4 CPE RECORD KEEPING Do not send (ISC)² verification of your earned CPEs. However, you should retain verification of CPEs for at least 12 months after your previous certification cycle expires in the event of an audit. (ISC)² performs audits as required to verify the authenticity of claimed CPE credits. (ISC)² may ask for sufficient evidence of your CPE credits at any time. (ISC) 2 CISSP Recertification Guidelines (rev. 8-06) Page 4 of 16

5 CPE CREDIT REQUIREMENTS The CPE requirements are intended to help ensure that CISSPs continue to maintain their competencies following initial certification. To maintain CISSP certification, a total of 120 CPEs are required every three years. Of these 120 CPEs, at least 80 must be directly related to the information systems security profession (Group A) and be within the 10 domains of information security. The remaining 40 credits may be drawn from other forms of professional skills development (Group B) or general education. CPE Requirements for Concentrations As part of the 120 CPEs required for CISSPs, those who hold one or more concentration certifications (i.e., ISSEP, ISSMP, ISSAP ) must earn 20 CPEs directly relating to each concentration area. That is, the 20 CPEs for each concentration are a component of the total 120 CPE credits required for CISSP certification and are not additional CPE requirements. EXAMPLE: If a CISSP has two concentration certifications, such as an ISSAP and an ISSEP, he or she must submit 20 CPEs relating to the domains of the Architecture Concentration, as well as 20 CPEs relating to the domains of the Engineering Concentration, as part of his or her 120 CPE total. Please note: Concentrations run concurrently with the underlying CISSP certification expiration date. However, a concentration holder is not required to start earning CPEs toward his or her concentration area(s) until the start of the 3-year certification cycle beginning after receipt of the concentration. The two groups of CPE credits are described in more detail below: Direct Information Systems Security Activities [Group A Credits] Group A credits are given for completion of activities which relate directly to the information systems security profession. Generally, this consists of work or activities in the areas covered by the 10 domains of the CISSP CBK. Professional Skills Activities [Group B Credits] Group B credits are given for completion of activities which enhance a CISSP s overall professional skills, education, knowledge or competency. These include professional development programs, such as professional speaking or management courses. While these activities do not apply directly to the field of information security, these skills are vital in the growth of all professionals and (ISC)² recognizes their value to the CISSP. (ISC) 2 CISSP Recertification Guidelines (rev. 8-06) Page 5 of 16

6 Professional Development While not a requirement, it is recommended that a CISSP gain CPEs for recertification in at least six of the 10 domains. Adhering to this recommendation will help ensure that the CISSP's management capabilities grow and mature over time, in part through exposure to a broader range of topics. Please click on any of the following subjects to find out more about CPE credit requirements: Qualifying Activities How CPE Credits are Calculated Submission of CPE Credits CPE Record-Keeping and Audits Reporting of CPE Activity (ISC) 2 CISSP Recertification Guidelines (rev. 8-06) Page 6 of 16

7 Qualifying Activities Continuing Professional Education credits are given for experience exceeding that of normal on-the-job training or experience. For instance, while time spent independently preparing an information security presentation for a community organization would qualify for Group A CPE credits, an equivalent amount of time spent on the job preparing a client presentation would NOT qualify. Typically, education qualifying for CPE credits will be gained outside the workplace. The following are some of the types of activities that qualify for continuing education in the two categories. These activities are not intended to be a complete listing, as many other events, such as graduate work in an appropriate academic field, may also qualify. Each activity not previously awarded CPE credits will be reviewed by (ISC)² to determine if it should qualify. Direct IS Security Activities [Group A Credits] Professional Skills Activities [Group B Credits] Access Control Application Security Business Continuity and Disaster Recovery Planning Cryptography Information Security and Risk Management Legal, Regulations, Compliance and Investigations Operations Security Organizational behavior Strategic planning Programming languages & techniques Tools and techniques Interpersonal communications skills Interviewing techniques Team development skills Physical (Environmental) Security Security Architecture and Design Telecommunications and Network Security (ISC) 2 CISSP Recertification Guidelines (rev. 8-06) Page 7 of 16

8 Examples of work-related activities that do not qualify for CPEs include: preparing presentations for internal employees; writing for internal publications; providing internal consulting; work completed by consultants for clients; etc. When you submit credits online, the domain field you select will be used to determine Group A vs. Group B credits. Activity falling under one of the domains of the CBK will qualify as Group A credits. Activities that do not fall under one of the domains of the CBK qualify as Group B credits, without explicit authorization through (ISC)². (ISC) 2 CISSP Recertification Guidelines (rev. 8-06) Page 8 of 16

9 How CPE Credits are Calculated CPE credits are weighted by activity. Below are common categories of activities and the amount of credits CISSPs can earn for each. Activities not shown may still be submitted for CPE credit, but will be reviewed by the Recertification Committee for consideration and approval. Typically, the CISSP will earn 1 CPE credit for each hour spent engaged in an educational activity. However, some activities are worth more CPEs, due to the depth of study or ongoing commitment involved. Educational Courses and Seminars CISSPs earn 1 CPE credit for each hour of attendance at a training course or educational seminar. Conferences CISSPs earn 1 CPE credit for each hour of attendance at a conference. Security conferences qualify as Group A CPEs. Other educational conferences qualify as Group B CPEs. Professional Association Chapter Meetings CISSPs earn 1 CPE credit for each hour of attendance at a professional association chapter meeting. Vendor Presentations CISSPs earn 1 CPE credit for each hour of attendance at a vendor meeting or presentation. The presentation must have an educational aspect with regard to security methodology, technology or practice. Pure sales presentations are not considered CPE activities. Completing a Higher Academic Course CISSPs earn 1 CPE credit per hour spent in class. Credit will only be given on passing the course successfully. Providing Security Training CISSPs earn CPE credits for the initial preparation of courseware, lectures, or training material. The time spent preparing materials for each hour of presentation is valued at 4 CPE credits (e.g., a one hour presentation = 4 CPE s, a two hour presentation = 8 CPE s). CISSPs are not granted CPEs for time spent presenting the course, lecture or training. (ISC) 2 CISSP Recertification Guidelines (rev. 8-06) Page 9 of 16

10 Publication of A Security Article or Book CISSPs earn CPE credits for contributing original work to the professional corpus. First publication of a security-related article will earn the author(s) 10 CPE credits. Publication of a security-related book will earn 40 CPE credits. Board Service for a Professional Security Organization CISSPs can earn up to 40 CPE credits per year of service on the boards of professional security organizations. Credits will be granted based on the CISSPs level of contribution, as determined by the board of the relevant organization. CPE credits will be given for those performing volunteer work on behalf of (ISC)², either serving as a board member, committee member, item writing contributor, or other type of approved volunteer activity. The (ISC)² board of directors will determine the amount of CPE credits earned for such activity and will submit credits on behalf of the CISSP. Self-Study, Computer-Based Training [CBT], Web Casts Self-Study, Computer-Based Training [CBT] and/or Web Casts credits can be earned by completing a self-study program, computer-based training, or viewing a Web Cast. Study material and validated documentation of completion, such as a certificate or diploma, must be retained for auditing purposes. For Web Casts, you will want to retain a screen shot with the Web Cast information or any from the Web Cast provider. The Web Cast provider or course developer will sometimes supply the stated time required to complete a course. If not, use your best judgment to determine the appropriate number of hours/cpes for these activities, where one hour = one CPE. Read Information Security Book / Subscribe to an Information Security Magazine Reading an information security book or subscribing to an information security magazine will be worth 5 CPE credits. Credit in this category will be limited to one book per year and one magazine subscription per year for a total of 10 CPEs per year. Members should provide and retain "proof-of-possession" of the book and/or magazine by submitting the appropriate information in electronic form when completing the CPE submission form. This proof should include Title, Author (book) / Publisher (magazine), and ISBN number (book only) at a minimum. If audited, CISSP should provide proof of (ISC) 2 CISSP Recertification Guidelines (rev. 8-06) Page 10 of 16

11 possession, such as the actual book, a sales receipt, invoice, library record, copy of magazine subscription form/payment, etc. If you subscribe to one of the following magazines, the magazine, as a Trusted CPE Provider, will automatically submit the five CPEs to (ISC) 2 on your behalf: The (ISC) 2 Journal (qualifies as a magazine subscription) Information Security Magazine InfoSecurityToday Magazine CPEs for the above magazine subscriptions will be posted for new subscriptions or renewals. These CPEs will be submitted by the magazine publisher and may not be added by the member. If you subscribe to other information security magazines, you must submit your CPEs through the (ISC) 2 Website. Completion of and submission of an original book review (see below) to (ISC) 2 will be worth an additional 5 CPE credits, and will constitute sufficient proof, even in the absence of other proof. (ISC) 2 CISSP Recertification Guidelines (rev. 8-06) Page 11 of 16

12 Submission/Publication of Information Security Book Review CISSPs will be awarded a maximum of 5 points per year (one book) for book review accepted and published on the (ISC)² Website. (ISC)² will determine award of points and appropriateness of book reviews for publishing and notify you of same by . By submitting a book review, you grant (ISC)² permission and license to post your review on their Website and use it in any way they deem appropriate for distribution with proper attribution to you. (ISC)² reserves the right to amend any text it deems questionable, inflammatory, or libelous. Acceptable Books Books suitable for book reviews must be on information security topics. Book Review Content The review must be 500 words or more in length and should include a brief description of the book s contents and an overall evaluation of the entire book. Please keep in mind that other members will be reading your book review. They may use your book review to determine whether a book is worth purchasing or reading. Members should provide and retain proof-of-possession of the book by submitting the appropriate information in electronic form when completing the CPE submission form. This proof should include the book s title, author and ISBN number. If audited, you should provide proof of possession, such as the actual book, a sales receipt, invoice, library record, etc. Completion of and submission of an original book review to (ISC)² will be worth an additional 5 CPE credits, if accepted by (ISC)², and will constitute sufficient proof, even in the absence of other proof. To submit a book review, complete the Information Security Book Review form. You will be redirected to the book review form when you submit this CPE. Government, Public Sector, and other Charitable Organizations Volunteering CPE credits will be given to those performing information security volunteer work for government, public sector, and other charitable organizations. CISSPs earn 1 CPE credit for each hour of volunteer work. You must obtain and retain signed confirmation of the number of hours of volunteer work on the organization s letterhead. (ISC) 2 CISSP Recertification Guidelines (rev. 8-06) Page 12 of 16

13 Submission of CPE Credits There are two ways to submit CPE credits: Complete the Online Form CISSPs are required to have an active address and establish an online CISSP account to submit CPE credits in this manner. Paper submissions are no longer accepted. CPE credits must be submitted using the online form, found on the (ISC)² Website ( In most instances, CPE credits will be processed within a few business days after receipt. CPEs for book reviews that have been approved for publication on the Website may take a week to process. Have a Qualifying Organization (Trusted CPE Provider) Submit Credits on Your Behalf If you provide your Member ID # upon registration with a Trusted CPE Provider, they will submit CPE credits to (ISC)² on your behalf. Please do not resubmit CPE credits for such activities. However, it is your responsibility to confirm submission on a timely basis. It is not necessary to submit more than 120 CPE credits in any three year period. However, excess CPE credits earned in the last six months of your certification cycle will be credited to your next three year cycle. (ISC) 2 CISSP Recertification Guidelines (rev. 8-06) Page 13 of 16

14 CPE Record-Keeping and Audits CISSPs are not required to provide proof of CPE credits on submission. However, they should retain proof of CPE credits earned until 12 months after the cycle in which they were earned. The Recertification Committee can and does perform routine audits on a randomly selected basis to verify CPE credits earned. Proof of your CISSP CPE credits may be asked for at any time by (ISC)². Evidence of CPE credits earned may be in the form of course transcripts, awarded diplomas, certificates or receipts of attendance, copies of official meeting minutes or rosters [that include attendees names], or documentation of registration materials. (ISC) 2 CISSP Recertification Guidelines (rev. 8-06) Page 14 of 16

15 Reporting of CPE Activity Daily Updates For the status of your CPE records and any updates made on a daily basis to your records, please login to the CISSP Services page of the (ISC) 2 Website using your Member ID and password. Annual Transcripts (ISC)² mails transcripts to CISSPs annually on the anniversary of their certification. These transcripts provide a summary of CPE activity for the current certification cycle. (ISC) 2 CISSP Recertification Guidelines (rev. 8-06) Page 15 of 16

16 Additional Information For additional information regarding Continuing Professional Education requirements or credits, please contact CISSP Administration. (ISC) 2 CISSP Recertification Guidelines (rev. 8-06) Page 16 of 16