Security Awareness and Culture Professional Certification Exam

About the Exam

About the Exam

This vendor-neutral certification recognizes professionals who work and exhibit competency in the development, assessment, management and maintenance of Security Awareness Programs.

Cost & Timeline

Anyone that registers to take the SACP™ Exam will have 180 days from date of approval to pass the exam with a final scaled score of 300 or higher. The fee for applying for the SACP Certification Exam is $369.

Individuals that do not pass the exam on the first attempt will have to wait 30 days and pay a retest fee of $269 for all subsequent exam attempts.

Any individual that exceeds the 180-day exam timeline will have to re-apply for the exam and pay all applicable fees.

Candidates who fail the examination may retest again after a 30-day waiting period (from the last examination attempt). Candidates shall pay all applicable fees and continue to meet the eligibility requirements in effect at the time of the re-test following the waiting period.

Score Results

At completion of the exam candidates will receive scores.

Become a recognized leader in the security awareness and culture profession.

Earn the Security Awareness and Culture Professional (SACP)™ credential and demonstrate your competency to design and lead security awareness programs that build a sustained security-awareness culture.

Exam Sections

The SACP Exam consists of 7 Sections and 120 questions relating to the development, implementation, and monitoring of a security awareness program. Ten questions are experimental and 110 will be scored to evaluate candidate competency. Individuals who do not pass the exam will receive a score breakdown, similar information to the table below, with the candidate's performance in percentages for each section to help focus areas of study. No graded exam or exam answers will be given out under any circumstance. The purpose of the exam is to determine proficiency in areas of security awareness and is not intended to provide diagnostic feedback.

Exam Domain Weights

2021 SACP Examination Blueprint©

Examination Blueprint Effective 2/15/2021.

Define Organization's Security Awareness Strategy


  1. Review Organization's Mission and Goals
  2. Review Risk Assessment Reports
  3. Review Risk Management Reports
  4. Document and Validate Compliance Objectives
  5. Review Previous Threats and Incidents
  6. Identify and Communicate with Stakeholders
  7. Assess Threat Landscape
  8. Establish Business Needs and Benefits
  9. Build Business Case for Security Awareness Strategy
  10. Obtain Authorizations for Program (e.g., Legal, HR, Executives)
  11. Establish the Security Awareness Program Charter
  12. Evaluate Organizational Security Culture to Identify Areas of Alignment or Possible Disconnect
  13. Participate in Developing Policies Pertaining to Non-compliance

Provide Security Awareness Training and Education to End Users


  1. Establish Target Audience
  2. Determine Key Learning Objectives
  3. Determine the Delivery Method
  4. Define Content Based on Audience (e.g., Social, Environmental, Regional)
  5. Determine Schedule and Cadence for Training
  6. Create and Curate Content
  7. Conduct Training
  8. Track Training Compliance Against Target(s)
  9. Measure Learning Outcomes
  10. Implement Improvements Based on Feedback and Previous Run Cycles

Reinforce Security Awareness with Communications


  1. Identify Key Content/Messaging
  2. Adapt Communication to Target Audience
  3. Align Communication with Brand/Company Culture
  4. Determine Modality and Channel of Communication
  5. Coordinate Scheduling of Communications with Stakeholders
  6. Research and Deliver Applicable Security Awareness Subject Matter (e.g., incidents, solutions, preventions, statistics, reinforcement)
  7. Identify Potential Cultural/Organizational Misalignment
  8. Draft Communications for Stakeholder Review and Approval
  9. Finalize Communications
  10. Distribute Communications
  11. Validate and Report Efficacy (e.g., Reach, Engagement, Behavior Change, Culture)

Assess User Behavior


  1. Define Learning Objectives
  2. Determine and Validate Baseline Level of Awareness
  3. Select Appropriate Behavioral Interventions Based on Contextualized Factors (e.g., Environmental, Social Factors)
  4. Select and Implement the Most Effective Testing Tool(s) for the Environment
  5. Determine Schedule and Cadence for Testing
  6. Design an Assessment to Measure User Behavior
  7. Run the Assessment(s)
  8. Provide Feedback to Users
  9. Report Results to Stakeholders (e.g., track, disclose)
  10. Monitor Behavioral Risks (e.g., secure shredding, password practices, badging, reporting)

Define and Validate Awareness Metrics


  1. Define Participation Metrics
  2. Compare Pre and Post Behaviors
  3. Align Awareness Methods with Risks
  4. Define Compliance Metrics (e.g., policies, procedures, laws/regulations, contractual)
  5. Manage Program Budget (e.g., budgeting, program, administration)

Monitor Effectiveness of Security Awareness Program


  1. Collect Results of Awareness Initiatives (e.g., training completion, simulation results)
  2. Compare Awareness Initiative Results with Goals
  3. Identify Gaps Between Results and Program Goals
  4. Identify and Implement Activities for Continuous Improvement to Close Gaps
  5. Evaluate Returns on Investment (e.g., Financial, Behavioral, Time, Level of Effort, Risk Reduction)

Report Status of Compliance and Outcomes


  1. Identify Impact of and Remediation for Non-compliance
  2. Identify Categories of Reporting (e.g., individual, department, entity)
  3. Identify and Report Data Needs by Stakeholder (e.g., customization of reports, formatting)
  4. Report User Activity to Stakeholders (e.g., upper management, auditors)
  5. Provide Evidence to Support Compliance Metrics (e.g., policies, procedures, laws/regulations, contractual)

Information about Scores, Scaling and Equating

SACP uses a scaled score to report scores on the Security Awareness and Culture Professional exam. Scaled scores are conversions of scores from one scale to another. Certification Bodies frequently use scaled scores to report candidate scores because the actual passing percentage or the number of test questions that a candidate must answer correctly to pass may change based upon the difficulty of the examination. It would not be fair to candidates if some candidates had to obtain a 70% to pass on a very easy test while others had to obtain a 70% to pass on a very hard test. Thus, the passing percentage is adjusted to account for the minor differences in test form difficulty.

To illustrate, let’s say a candidate must answer 71.5 or 72 of 110 scored test items correctly to pass the exam. This converts to a percentage score of 65%. SACP would scale that number to a 300 and scaled score 300 and higher would pass the examination.

To pass the SACP examination, the candidate must obtain a scaled score of 300. The actual passing score (raw score and percent score) was determined using a passing score study on a single form of the examination or statistical equating. The passing score study considered the characteristics of the examination (such as the difficulty of the test items) and used modified Angoff and Hofstee methodologies in a facilitated SME group meeting, to establish at what point (passing-score or cut-score) at which the group of experts deemed a score higher would represent knowledge to be competent and a score lower would represent a lack of knowledge to be competent. Subsequent forms of the examination are statistically equated to a previous form to assure a fair passing score regardless of exam form difficulty.

Diagnostic Score Reports

SACP provides diagnostic score reports to non-passing candidates. The diagnostic score reports provide data regarding the percentage of items correct in each of the domains. Candidates are cautioned about making inferences based on the diagnostic scores since there may not be sufficient items in each of the domains for accurate inferences.