ISC2 CSSLP exam details and process

Dan Virgillito
September 8, 2021 by
Dan Virgillito

CSSLP (Certified Secure Software Lifecycle Professionals) is one of the most popular application-security-related certifications available. It shows organizations you have the advanced technical knowledge and skills necessary to authorize, authenticate and audit throughout the SDLC (Software Development Lifecycle) by leveraging policies, procedures and best practices established by ICS2 and cybersecurity industry experts.

To validate your knowledge of secure coding and application access control best practices, you need to pass the CSSLP exam. Below is an overview of how the CSSLP exam works, how to register for it, and the steps to become CSSLP certified.


What Is the CSSLP exam?


The CSSLP exam is a rigorous test geared towards professionals who’ll have a role in creating software using secure programming practices. It’s also a pathway to skill validation for those asked to secure an organization’s software from security threats like cross-site scripting or code injections. The CSSLP exam evaluates candidates across eight domains they need to master based on their professional education and experience.


What are the CSSLP exam topics?


The CSSLP exam questions cover the eight topics/domains present in the CSSLP CBK. Here’s a list with appropriate exam weight:

  1. Secure software concepts: 10 percent

Example areas: Core concepts, security design principles



  • Secure software requirements: 14 percent

Example areas: Detect and analyze privacy requirements, create abuse and misuse cases 



  • Secure software architecture and design: 14 percent

Example areas: Conduct threat modeling, perform security design and architecture review



  • secure software implementation: 14 percent

Example areas: Evaluate code for security risks, securely integrate components



  • Secure software testing: 14 percent

Example areas: Track and classify security errors, perform validation testing



  • Secure software lifecycle management: 11 percent

Example areas: Create security metrics, implement continuous improvement



  • Secure software deployment, operations, maintenance: 12 percent 

Example areas: Support incident response, perform vulnerability management



  • Secure software supply chain: 11 percent

Example areas: Analyze security of third-party software, verify provenance and pedigree


What is the CSSLP exam format?


 The CSSLP exam features 125 questions in multiple-choice question format. Candidates have three hours to complete it, with 700 out of 1000 points required to pass the exam. (ISC)² requires candidates to complete the CSSLP exam in a Pearson VUE testing center. (ISC)² doesn’t provide the scores for candidates who pass the exam. However, it shares a breakdown of domains in proficiency levels with those who fail. 

 Plenty of CSSLP exam questions test candidates’ knowledge of terms and concepts, so make sure to focus on the theoretical part in your exam preparation. 


How much does the CSSLP exam cost?


The CSSLP exam costs U.S. $599 in most countries, though currencies vary in some locations. For instance, standard registration in the UK is GBP 479, while candidates from Europe need to pay EUR 555 to undertake the exam.

The fee to reschedule the exam is U.S. $50/EUR 40/GBP 35. For canceling it, you’ll need to pay U.S. $100/EUR 80/GBP 70.


How to pass the CSSLP exam


The best way to pass the CSSLP exam is to prepare for it adequately. Some valuable resources to help candidates study and prepare for the exam include the Official (ISC)² Guide to the CSSLP, 2nd edition, and the (ISC)² Flashcards, which cover the knowledge required for the eight domains.

You’ll also find practice questions, in-depth explanations, and valuable tips in the “CSSLP All-in-One Exam Guide.” Additionally, the “Essential CSSLP Exam Guide'' audiobook can be a great help for your preparation. It breaks down the essential information by functional roles in an organization, not by the eight domains. It’s different and handy for CSSLP learning.

Further, training providers like Infosec can provide you with the most up-to-date course content through either live boot camps or on-demand training. This option is ideal for preparing candidates for the CSSLP exam via extensive labs and hands-on courses.

After taking the exam, you’ll get your unofficial exam results before leaving the Pearson test center. If you pass, you’ll get an email with your official scores and start the endorsement process to validate that you have the relevant work experience to get the CSSLP certification. Applications must be digitally signed and endorsed by an (ISC)²-certified professional. For those who don’t know an (ISC)² professional, the (ISC)² can act as an endorser in good standing.

Once the endorsement application is approved, you’ll receive an email asking you to pay your AMF (Annual Maintenance Fee). Once that’s done, you’ll officially start your membership cycle.


What happens if I fail my CSSLP exam?


If you don’t pass the exam on the first attempt, you may retake it after 30 test-free days. If you don’t clear the exam on your second attempt, you can retest after 60- test-free days from your most recent attempt. For a third failed attempt and all subsequent retakes, candidates may retest after 90 test-free days from their most recent exam attempt.

According to the (ISC)² exam retake policy, you can attempt the CSSLP exam a maximum of four times in 12 months. Candidates can pursue CSSLP along with other (ISC)² certifications.


How to register for the CSSLP exam


Registering for the CSSLP exam is straightforward: 

  • Make an account with Pearson VUE, the global administrator of (ISC)² exams.
  • Choose the CSSLP certification.
  • Schedule your exam and testing center with Pearson VUE.

(ISC)² also recommends candidates carefully review all exam procedures and policies to avoid any last-minute surprises and get familiar with the whole exam process. 


How do I become CSSLP certified?


To attain the CSSLP certification, you must have a minimum of four years of professional experience as a “software development lifecycle professional” in one or more domains of the CSSLP Common Body of Knowledge. Those with three years of SDLC professional work experience in one of the domains with a degree resulting in a Baccalaureate (or regional equivalent) in IT, Computer Science or related fields can also undertake the CSSLP exam. Candidates must score 700 out of 1000 points on the exam to receive the CSSLP certification from (ISC)².

If you don’t have enough experience to become CSSLP certified, you can still undertake the exam. Passing it would make you an associate of (ISC)². You’ll then have a five-year window to get the required four-year experience. You can learn more about how to account for internships and part-time work here.


Benefits of a CSSLP certification


You’ve now learned everything there is to know about the CSSLP exam. Taking and clearing it is the first step towards earning a CSSL certification.

As a certified CSSLP, you can expect to earn a good salary and find opportunities to progress in your career. Salaries, however, may vary depending on your experience, location and job title.





Dan Virgillito
Dan Virgillito

Dan Virgillito is a blogger and content strategist with experience in cyber security, social media and tech news.