Introduction to the Certified Secure Software Lifecycle Professional (CSSLP)

This course provides an introduction to the CSSLP certification, allowing you to gain a clear understanding of what the certification covers, how to prepare, and some tips for the exam day itself.

Learning Objectives

The objectives of this course are to provide you with an understanding of:

  • The prerequisites required for obtaining the CSSLP certification
  • The 8 different domains which make up the certification and their exam weighting
  • The exam format
  • How to prepare for the exam
  • How to become involved within the community once you have obtained your CSSLP certification
  • How to gain CPE credits

Intended Audience

This course is designed for those looking to take the Certified Secure Software Lifecycle Professional (CSSLP) certification.


Any experience relating to information security would be advantageous, but is not essential. All topics discussed are thoroughly explained and presented in a way that allows the information to be absorbed by everyone, regardless of experience within the security field.


If you have thoughts or suggestions for this course, please contact Cloud Academy at


Welcome to Cloud Academy's presentation of the Certified Secure Software Lifecycle Professional, or CSSLP, course.

The CSSLP is a certification created and conferred by the International Information Systems Security Certification Consortium, known as ISC2 for short. This is a unique certification intended for those involved in the software development process who need to understand how to bring security into the picture, an interesting and important aspect of systems development and operation. This course presents the common body of knowledge (CBK) upon which the CSSLP is based. Using only the most current sources and information, it will bring insights and knowledge to add to your experience and thus prepare you to successfully take and pass the certification examination.

Like all high-quality training, this course was developed with a very clear idea of which roles would either require or benefit from the concepts and knowledge that would be covered in it. These roles are the ones found in many public and private organizations that will encounter the security issues and challenges found in systems and software development, whether in a project setting or in an operational one. The CSSLP CBK contains the theory and practical basis for the professionals in such roles to effectively analyze the issues of integration of security into the development life cycle. Having this ability will lead them to develop effective strategies that help achieve project and operational objectives while enabling the balancing of the competing priorities of functionality and security. 

Holding the CSSLP credential signifies that its owner is both skilled and experienced in addressing these complex situations effectively, enabling them to provide much-needed support to their team's efforts. As with all professional certifications, the CSSLP has prerequisites that must be met by candidates before they can begin the process of attaining it. Once these are confirmed as met, the candidate can then take the exam. Successful passage is followed by an endorsement process that validates the experience claimed and allows the candidate to become a CSSLP. If the required amount of experience has not yet been reached, the candidate automatically becomes an Associate of ISC2 and is given a five-year period to gain the remaining experience needed for full qualification and conferral of the certification.

Now, this slide shows the domains of the CSSLP, and this list is current as of September 2020. The current structure is layered from basic to advanced, each domain building upon and integrating with the previous ones. This approach is intentional, to ensure that the candidate can move through the course and readily grasp the relationship of each unit to the others while more advanced ideas and knowledge are introduced with each successive domain. The result is a well-integrated and cohesive training program that communicates the information contained in the CBK to meet the twin objectives of preparing for the examination and becoming more expert in the process of secure software design and development.

Now here we have the current breakdown of the domains and their prevalence on the exam itself. Referring back to the previous slide and the domain structure presented there for just a moment: the order shown is the order in which ISC2 currently lists the domains. This order does not represent a priority of subject area, which is to say that domain one is not in fact more important than domain two simply because it comes before it. The order appears to be arranged to provide the optimal learning experience for attendees, with each succeeding module building on the preceding ones. As this wheel indicates, the domains are presented in roughly equal proportion on the exam. And since each exam is generated uniquely for each person taking it, these percentages may vary in their exact amounts, but they will not differ greatly from those shown here. To explain, the wheel shows the breakdown of time spent in each domain, as indicated by the job task analysis survey done each year by ISC2. The certification holders themselves tell ISC2 how and where they spend their time across the domain areas, and these results are then used to configure the test generation engine that produces all the exams given. In this way, the exam reflects what practitioners are actually doing, and this alignment ensures accurate representation and correspondence.

Now, this slide shows the sources used to prepare this course material. Between these two volumes, attendees will receive the best foundational launch and the most up-to-date changes available. Each contains practice questions, case studies, and hands-on labs, which provide readers with all the self-test aids needed to facilitate learning and confirm absorption of each topic. Similarly, they will also reveal areas requiring additional work and study, an equally important thing to ensure the most productive and successful learning experience possible. As is the case with all of the ISC2 examinations, the question formats presented will vary from the traditional four-option multiple choice to more advanced types. And like all the other exams, the CSSLP is scored by counting only correct answers. This is because a correct answer indicates proof of knowledge or, in rare cases, a lucky guess, whereas an incorrect answer can result from many things, not just a lack of knowledge. So counting only correct answers is a more trustworthy measure of what the candidate actually knows and should be credited with. There are also unscored items: questions in their final vetting phase before their inclusion as counted questions, or questions used specifically to validate each exam's construction and integrity. This situation also brings out another equally important point: answer all of the questions.

So let's talk about how best to prepare. Since you are already here, you must already know that following this course is one of the best steps to take. But there is much more you can and should do to further improve your chances of success. Unfortunately, there is no practice-questions companion volume for the CSSLP like there is for some of the other ISC2 certification courses. However, the questions you will find in the volumes used to create this course will be excellent compensation. Likewise are those found in the CSSLP Ultimate Guide, which you should be sure to download and read. Also, there are flashcards available online from the ISC2 website at the address shown. You should use all of these resources in your preparations.

Now, once you've attained it, there will be the matter of maintaining it. ISC2 currently requires 90 continuing professional education (CPE) hours to be acquired over the three-year certification period, ideally at the rate of 30 credits per year. ISC2 now requires a single annual fee of $125 USD per year, which covers all ISC2 certifications held. Upholding the code of ethics is every bit as important as these other items; ISC2 takes this very seriously, as should we all. So the question arises: how do I get CPEs to maintain my certification? Well, like many active security professionals, you no doubt have trouble finding time to keep up with your certification training requirements. Still, we all have the responsibility to keep up our credentials. ISC2 is aware that this can be challenging, and so it recognizes many options through which to obtain them. The list shown on this slide presents many of the most popular ways. These include the very popular webinars ISC2 itself offers, as well as those from other sources like BitSight and Bitglass. Many of these are offered as a single-hour live presentation that is also recorded for later listening. Many are free, and they are of a length convenient to listen to over a lunch hour, during a commute, after hours, or while on a flight through the plane's wifi (be sure to wear a headset for that). These sessions present moderated discussions on topics of both interest and concern, such as cryptocurrency, ransomware, phishing, and other timely subjects. The quality of these programs is typically quite high and the exchanges can be very lively. Oh, did I mention that many are free?

So in closing out this introduction to the CSSLP, we've covered nearly all of the aspects of the course that a candidate needs to know starting out. Any time you have questions, be sure to write them down when they occur so that you don't forget them. That way, you can go back and refer to the authoritative sources used for this course and find the answer that you need.

About the Author

Mr. Leo has been in Information Systems for 38 years, and an Information Security professional for over 36 years. He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant. His past employers include IBM, St. Luke's Episcopal Hospital, Computer Sciences Corporation, and Rockwell International. A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center. From 2002 to 2006 Mr. Leo was the Director of Information Systems and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.


Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (in a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004. During this time, he formulated and directed the effort that produced what became, and remains, the standard curriculum used to train CISSP candidates worldwide. He has maintained his professional standards as a professional educator, and has trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004. Mr. Leo is an ISC2 Certified Instructor.