Frequently Asked Questions
The certified security awareness and culture professional is an educator and communicator who applies human-centric methods to create communication, processes, practices, and strategies that improve the security knowledge, beliefs, and behaviors of the audience. This leader advocates for best practices, monitors compliance with mandated awareness training objectives, and reports program effectiveness to stakeholders. The professional communicates ongoing program efficacy to stakeholders by defining a content and testing strategy and a communications plan, and by collecting and monitoring relevant metrics. The security awareness and culture professional supports the mission and goals of the organization, keeping it secure and reducing risk by building and sustaining a high-functioning security culture.
The SACP Certification Council recommends that candidates interested in taking the SACP certification examination have the following experiences in security awareness and culture:
- establishing or administering security awareness or education programs;
- possessing an understanding of how to define program success criteria to organizational management;
- identifying and administering metrics and providing narrative evidence to report the outcomes; and
- understanding how success criteria map to the overall corporate risk management goals and outcomes.
Candidates may have backgrounds in cybersecurity, behavioral science, marketing, communications, general IT, legal, HR, or training and organizational development. Candidates with experience in security awareness should map their experiences to the examination blueprint to determine the areas in which they need to prepare.
The SACP Certification Council recommends that candidates establish and/or administer a security awareness and culture program for a minimum of one (1) year prior to applying for the SACP certification examination. The candidate's experience should encompass facilitating aspects of security awareness and education; communicating with persons within the organization to create a culture of awareness; and evaluating and validating whether the security awareness program aligns with the organization's culture and risk tolerances.
Please review the Code of Professional Responsibility for earning the SACP certification.
Disclaimer: Certification organizations may make recommendations about acceptable qualifications without requiring applicants to document their experiences in a formal application. This is offered as guidance only; the exam itself will test candidates. It is important to be clear to candidates about which experiences lead to success and which do not. The certification organization may not make inferences about a candidate's success or likelihood of success based on the information it provides.
At one of 5,700 Pearson VUE testing centers across 190 countries.
Candidates must pass the SACP exam and agree to the SACP Professional Responsibilities agreement.
Candidates have 180 days from their application date to complete the SACP Exam.
There are 7 sections on the SACP exam, which can be viewed on the Exam Information page.
During the initial 2021 administrations, it is necessary to collect sufficient statistical data about exam and item performance (to establish exam validity). As a result, during this early exam period candidates will receive scores in approximately 4-6 weeks. Eventually, candidates will receive results immediately after finishing the exam.
As a certifying body and a vendor-neutral provider, H Layer Credentialing does not provide education or training. It is anticipated that training and education will be provided by an increasing number of organizations over time.
It is suggested that candidates review the exam blueprint to see which topics are covered on the exam, then use it as a basis for identifying areas to study. It is also recommended that you review the answer to "What are the requirements for earning the SACP certification?" to make sure you have practical experience across the blueprint.
Below is a list of references used to assist with question development. H Layer Credentialing does not endorse any specific books or references.
- Carpenter, Perry (2020). Transformational Security Awareness. Indianapolis, IN: John Wiley and Sons
- Ciampa, Mark (2016). Security Awareness: Applying Practical Security in Your World. Boston, MA: Cengage Learning
- Dimov, Daniel (2015, December 10). Budgeting for Security Awareness: Who – What – When – Where – Why – How much. https://resources.infosecinstitute.com/topic/budgeting-for-security-awareness-who-what-when-where-why-how-much/
- Gardner, B. & Thomas, V. (2014). Building an Information Security Awareness Program. Waltham, MA: Syngress
- Grimes, Roger (2019). A Data-Driven Computer Defense: A way to improve any computer defense. Independently published
- Hadnagy, C. & Schulman, S. (2021). Human Hacking: Win Friends, Influence People, and Leave Them Better Off for Having Met You. New York, NY: Harper
- Hayden, Lance (2016). People-Centric Security: Transforming Your Enterprise Security Culture. New York, NY: McGraw Hill
- Herold, Rebecca (2011). Managing an Information Security and Privacy Awareness and Training Program. Boca Raton, FL: Taylor and Francis
- KnowBe4 (2021, February 12). Comprehensive Anti-Phishing Guide (e-book). https://info.knowbe4.com/comprehensive-anti-phishing-guide
- Roer, Kia (2015). Build a Security Culture. Cambridge, UK: IT Governance Publishing
- Schober, S. & Schober, C. (2019). Cybersecurity Is Everybody's Business: Solve the Security Puzzle for Your Small Business and Home. Metuchen: Scottschober.com Publishing
- Schroeder, Jordan (2017). Advanced Persistent Training: Take your security awareness program to the next level. Apress
SACP certification is awarded for a period of three (3) years. Certified individuals must recertify by earning Continuing Professional Education (CPE) (Option 1), or by taking and passing the certification examination within the last year of the certification cycle (Option 2).
Recertification is based on the concept of maintaining competence in the field of security awareness, so CPE earned must relate to the domains (competency requirements) of the SACP certification examination. Certified individuals are encouraged to review the domains of the examination to make sure the CPE activities they select relate to those domains. It is therefore incumbent upon the certified individual to demonstrate that the CPE activities relate to maintaining competence as a SACP.
Certified individuals must submit a $65 Annual Maintenance Fee (AMF) and agree to uphold and abide by the Code of Professional Responsibility.
A minimum of thirty (30) CPEs must be earned within the three (3) year certification cycle, in accordance with the following parameters.
1 CPE = 50 minutes of participation in a learning event. CPE must be reported in 50-minute increments.
Under Option 1, CPEs must be earned in the following categories:
- 10 CPEs in cybersecurity
- 20 CPEs in multi-disciplinary domains, e.g., behavioral science, communications, general IT, HR, legal, marketing, training and organizational development, and participation as a subject-matter expert in examination development and maintenance activities.
Under Option 2, pay for, take, and pass the SACP certification examination.