Cheat sheet

ASIS CPP Cheat Sheet

Quick Facts

Exam
ASIS CPP
Credential
Certified Protection Professional
Items
225 (200 scored + 25 pretest)
Time
4 hours
Pass
650 scaled score
Domains
7 weighted domains
Fee
$580 member / $910 nonmember
Provider
Prometric (CBT or remote)
Validity
3 years, 60 CPE credits
Retake
60-day wait, 3 max

ALE Formula

Annualized Loss Expectancy equals SLE times ARO

SLE: cost of one eventARO: events expected per yearALE: yearly loss expectancy totalCompare ALE against control cost

Quantitative vs Qualitative Risk

Quantitative

  • Uses dollar-based loss figures
  • Needs reliable historical loss data
  • Produces ALE, SLE, ARO numbers
  • Best for budget comparison

Qualitative

  • Uses severity and likelihood ratings
  • Works with limited available data
  • Faster risk prioritization tool
  • Less precise for budgeting

Numeric precision versus rapid ranking

Risk Treatment Selection

  1. Reliable loss data availableRun quantitative analysis(ALE equals SLE times ARO)
  2. Data limited or urgentRun qualitative analysis(Severity and likelihood ratings)
  3. Risk is avoidable entirelyChoose risk avoidance(Stop the risky activity)
  4. Risk low, cost highChoose risk acceptance(Owner formally retains risk)
  5. Financial exposure is primaryChoose risk transfer(Insurance or contractual indemnification)
  6. Need to reduce impactChoose risk mitigation(Technology, personnel, process, design)

Risk Formulas

ALE formula
SLE multiplied by ARO
SLE
Dollar loss per single event
ARO
Expected event occurrences per year
Quantitative risk assessment
Uses dollar-based loss figures
Qualitative risk assessment
Uses severity and likelihood ratings

Risk Treatment Options

Avoid, accept, transfer, or mitigate the risk

Avoid: stop the activityAccept: owner retains riskTransfer: shift to third partyMitigate: reduce likelihood or impact

ASIS and ISO Standards

ANSI/ASIS RA.1-2015
Risk assessment PDCA-based model
ANSI/ASIS PSC.1
Private security company operations standard
ANSI/ASIS SPC.1-2009
Organizational resilience management standard
ISO 31000
International risk management guidelines
PDCA cycle
Plan Do Check Act

Finance and ROI

ROI formula
Net gain divided by cost
Payback period
Time to recoup investment cost
CapEx
Multi-year capital asset spending
OpEx
Recurring day-to-day operating expense
Management accounting
Internal decisions, not external reporting

Staffing and Vendors

360-degree feedback
Supervisor, peer, and self input
Coaching
Day-to-day current performance focus
Mentoring
Long-term career development relationship
SLA
Vendor performance terms and metrics
RFP
Formal request for vendor bids

PEACE Interview Model

Planning, Engage, Account, Closure, Evaluation

P: plan interview objectivesE: engage, explain purposeA: get their accountC: close the interviewE: evaluate information gathered

Interview vs Interrogation

Interview

  • Non-accusatory, fact-gathering conversation
  • Used before guilt is known
  • Follows the PEACE model
  • Produces more legally durable information

Interrogation

  • Accusatory, seeks admission or confession
  • Used once evidence points clearly
  • Requires Miranda if custodial
  • Higher false-confession risk overall

Fact-finding versus confession-seeking approach

Interview Path Decision

  1. Subject's role still unclearConduct investigative interview(Non-accusatory, follows PEACE model)
  2. Evidence points to subjectConduct interrogation instead(Accusatory, seeks admission or confession)
  3. Subject is in custodyGive Miranda warning first(Government custodial interrogation only)
  4. Unionized private-sector employeeHonor Weingarten rights request(Union representative may attend)

Investigation Process

Investigative interview
Non-accusatory, fact-gathering conversation
Interrogation
Accusatory process seeking an admission
PEACE model
Non-coercive, five-stage interview framework
Miranda rights
Custodial government interrogation only
Weingarten rights
Union representation request right

Evidence and Surveillance

Chain of custody
Unbroken documented evidence transfer record
Spoliation
Destroying evidence after litigation hold
FAA Part 107
Governs commercial drone surveillance use
Crime scene protection
Secure before documenting or collecting

Proprietary vs Contract EP Teams

Proprietary

  • In-house, institutional knowledge retained
  • Direct control over training
  • Higher loyalty, higher fixed cost
  • Slower to scale up

Contract

  • Outsourced, flexible surge capacity
  • Lower fixed staffing cost
  • Less institutional knowledge retained
  • Quality depends on vendor

In-house control versus outsourced flexibility

Background Screening

FCRA
Governs third-party background check reports
Pre-adverse-action notice
Report copy plus rights summary
Ban-the-box laws
Restrict when criminal history asked
Screening sources
Open source, databases, credit reports

Personnel Protection

Threat assessment
Evaluates workplace violence risk level
Advance work
Survey venue and route first
EP threat analysis
Protectee-specific, continuously updated assessment
Proprietary EP team
In-house, institutional knowledge retained
Contract EP team
Outsourced, flexible surge capacity

CPTED Four Principles

Surveillance, Access control, Territorial reinforcement, Maintenance

S: eyes on spaceA: guides legitimate entryT: signals site ownershipM: broken-windows deterrence effect

Fail-Safe vs Fail-Secure Locks

Fail-Safe

  • Unlocks automatically on power loss
  • Required on most egress doors
  • Prioritizes life safety first
  • Lower physical security posture

Fail-Secure

  • Stays locked during power loss
  • Prioritizes asset protection first
  • Needs a separate egress plan
  • Higher physical security posture

Life safety versus asset protection

Physical Control Selection

  1. Need visual incident verificationDeploy CCTV surveillance(Detects; does not delay)
  2. Vehicle-borne threat expectedInstall crash-rated bollards(Match K/M rating to speed)
  3. Door is a life-safety egressSpecify a fail-safe lock(Unlocks automatically on power loss)
  4. Entry needs anti-tailgating controlInstall mantrap with credential(Admits one verified person)

CPTED and Perimeter

CPTED
Four environmental design deterrence principles
Natural surveillance
Visibility discourages hidden criminal activity
Natural access control
Design guides legitimate entry points
Territorial reinforcement
Signals ownership and site boundaries
Maintenance principle
Broken-windows theory deters further disorder
K12/M50 rating
Stops 15,000-lb truck at 50mph

Access Control Metrics

FAR
Wrongly accepts unauthorized person's credential
FRR
Wrongly rejects an authorized person
CER
Point where FAR equals FRR
Fail-safe lock
Unlocks on power loss
Fail-secure lock
Stays locked during power loss
Mantrap
Admits one verified person only

ISO 27001 vs PCI DSS

ISO 27001

  • Covers all organizational information assets
  • Applies to any organization type
  • Certified through independent audit
  • Broad information security management scope

PCI DSS

  • Covers cardholder data environment only
  • Mandatory for card processors
  • Requires MFA on CDE access
  • Narrow, payment-specific compliance scope

General ISMS versus payment-card mandate

InfoSec Standards

ISO/IEC 27001:2022
Information security management system standard
PCI DSS v4.0.1
Cardholder data environment security standard
PII protection principles
Minimization, purpose limit, access, encryption
GDPR breach notice
72 hours to notify authority
GDPR max fine
20 million euros or 4%

InfoSec Controls

CIA triad
Confidentiality, integrity, and availability
MFA
Requires multiple authentication factor types
Encryption
Protects data at rest, transit
Least privilege
Minimum access necessary for role
Penetration testing
Simulated attack finds security gaps

ICS Command Staff

PIO, Safety, and Liaison Officers report to IC

PIO: media and publicSafety: halts unsafe operationsLiaison: agency point of contactAll three report to IC

RTO vs RPO

RTO

  • Maximum acceptable downtime duration
  • Measured as time to restore
  • Drives recovery team staffing
  • Compared directly against MTD/MAO

RPO

  • Maximum acceptable data loss
  • Measured as time since backup
  • Drives backup frequency decisions
  • Independent of restore time

Downtime tolerance versus data-loss tolerance

BCP Recovery Feasibility Check

  1. BIA not yet doneRun Business Impact Analysis(Sets RTO, RPO, MTD targets)
  2. RTO at or below MTDRecovery plan is viable(Meets outer harm limit)
  3. RTO exceeds the MTDRedesign the recovery plan(Risk of irreversible harm)
  4. Backup frequency still undefinedSet the RPO target(Drives backup interval decisions)

BCP and DR Metrics

RTO
Maximum acceptable downtime for process
RPO
Maximum acceptable data loss window
MTD/MAO
Absolute outer limit before harm
Business Impact Analysis
Sets RTO, RPO, MTD targets
ASIS ORM.1 (2017)
Organizational resilience and continuity standard
ISO 22301:2019
Business continuity management systems standard
NFPA 1600 (2019)
Emergency management and continuity standard

ICS Roles and Phases

Incident Commander
Overall authority over incident objectives
Public Information Officer
Releases information to media, public
Safety Officer
Can halt unsafe field operations
Liaison Officer
Point of contact for agencies
ICS span of control
Ratio 1-to-3 to 1-to-7
Mitigation phase
Reduces long-term risk before events
Recovery phase
Restores normal operations after incident

Common Traps

FAR vs FRR

FAR wrongly accepts intruder FRR wrongly rejects authorized user

Interview vs Interrogation

Interview gathers facts, non-accusatory Interrogation seeks admission, accusatory

RTO vs RPO

RTO limits downtime duration RPO limits data-loss window

Fail-Safe vs Fail-Secure

Fail-safe unlocks, protects life Fail-secure locks, protects assets

ALE vs SLE

SLE is one-event dollar loss ALE is SLE times ARO

ISO 27001 vs PCI DSS

27001 covers all info assets PCI DSS covers cardholder data only

Proprietary vs Contract Staffing

Proprietary keeps institutional knowledge in-house Contract offers staffing surge flexibility

Last Minute

  1. 1.225 items: 200 scored, 25 pretest
  2. 2.4-hour exam via Prometric CBT
  3. 3.Passing score is 650 scaled
  4. 4.Weights: 22-15-9-11-16-14-13 percent
  5. 5.Eligibility: 7-6-5 years by degree
  6. 6.APP credential cuts experience one year
  7. 7.Retake: 60-day wait, 3 max
  8. 8.Certification lasts 3 years, 60 CPE
  9. 9.Fee: $580 members, $910 nonmembers
  10. 10.ALE equals SLE times ARO
  11. 11.RTO must not exceed MTD
  12. 12.CPTED has four design principles
  13. 13.FAR and FRR cross at CER
  14. 14.PEACE model replaces confrontational interrogation
  15. 15.GDPR breach notice: 72 hours
  16. 16.PCI DSS v4.0.1 fully mandatory now
Same family resources

Explore More ASIS International Certifications

Continue into nearby exams from the same family. Each card keeps practice questions, study guides, flashcards, videos, and articles in one place.