CPP Exam Facts & Format
Key Takeaways
- The CPP exam contains 225 total items: 200 scored questions plus 25 unscored pretest questions randomly distributed throughout, per the ASIS Certification Handbook.
- Candidates have four hours to complete the CPP exam, delivered by Prometric at a test center or through the remote-proctored ProProctor platform.
- A scaled score of at least 650 (on a 200-800 scale) is required to pass the CPP exam.
- CPP eligibility requires at least three years in responsible charge, plus seven years of security experience (six with a bachelor's degree, five with a master's).
- CPP certificants must recertify every three years by earning 60 Continuing Professional Education (CPE) credits tied to the certification's domains.
What Is the CPP?
The Certified Protection Professional (CPP®) is ASIS International's board certification in security management, widely regarded as the "gold standard" for senior security leaders. ASIS International -- the world's largest membership association for security management professionals -- has offered the CPP for more than 40 years. Earning a CPP demonstrates broad, senior-level competence across the entire security function: program leadership, business operations, investigations, personnel protection, physical security, information security, and crisis management. It is not a specialist credential in any one of those areas; it certifies the ability to lead across all seven.
Because CPP is a board certification rather than a course-completion certificate, it is earned solely by meeting strict, experience-based eligibility requirements and then passing a single proctored exam -- there is no mandatory training component. ASIS does publish a recommended reference set (the Protection of Assets manual plus seven ASIS Standards and Guidelines, including the Security and Resilience in Organizations standard and the Workplace Violence Prevention and Intervention standard) that its own item writers use to source correct answers, but studying those materials is optional, not required for eligibility.
Exam Format at a Glance
The CPP exam is a single computer-based, multiple-choice exam -- everything is tested in one sitting rather than split across separate exam parts:
- 225 total items: 200 "live" (scored) questions plus 25 unscored pretest questions distributed randomly throughout the exam
- Four-hour time limit, which accounts for time spent on the unscored pretest items
- Four answer choices per question, exactly one correct
- Delivered through Prometric, either at a physical test center or through Prometric's remote-proctored ProProctor platform on a candidate's own computer
- Offered in English or Spanish (Spanish-language exams include an English translation and a Spanish-speaking proctor)
- No scheduled breaks -- the exam clock continues running if a candidate steps away
Because the 25 pretest items are indistinguishable from live items, every question should be treated as if it counts toward the score.
The Seven Domains and Their Weights
The CPP Body of Knowledge (BoK) organizes the exam into seven domains. Each domain's weight approximates the share of the 200 scored questions it contributes -- and should approximate the share of a candidate's study time (more on this in Section 0.2).
| # | Domain | Weight |
|---|---|---|
| 1 | Security Principles and Practices | 22% |
| 2 | Business Principles and Practices | 15% |
| 3 | Investigations | 9% |
| 4 | Personnel Security | 11% |
| 5 | Physical Security | 16% |
| 6 | Information Security | 14% |
| 7 | Crisis Management | 13% |
| -- | Total | 100% |
Security Principles and Practices is the largest single domain, reflecting the CPP's emphasis on program leadership, risk assessment, and Enterprise Security Risk Management. Investigations, at 9%, is the smallest weighted domain -- but still represents roughly 18 scored questions on a typical form.
Eligibility Requirements
CPP eligibility is experience-based rather than education-based, though holding a degree reduces the required years of security experience. All three paths require at least three years in responsible charge of a security function -- meaning the applicant had authority to make independent decisions and take independent action on a security-related project or process, without necessarily supervising others.
| Education | Security experience required | Responsible charge |
|---|---|---|
| No degree | 7 years (6 years if you already hold the APP) | 3 years |
| Bachelor's degree or equivalent | 6 years (5 years if you already hold the APP) | 3 years |
| Master's degree or equivalent | 5 years (4 years if you already hold the APP) | 3 years |
Additional requirements include full-time employment in a security-related role, no criminal conviction that would reflect negatively on the security profession, and agreement to abide by the ASIS Certification Code of Professional Responsibility.
Scoring and Passing
CPP results are reported as a scaled score, not a raw percentage or raw point total. Scaled scoring converts the number of correctly answered questions into a standardized scale -- commonly cited as 200 to 800 -- that accounts for item difficulty, so performance is comparable across different exam forms. A scaled score of at least 650 is required to pass. Unanswered items are scored identically to wrong answers, so candidates should answer every question; there is no penalty for an informed guess.
Fees, Retesting, and Recertification
As of 2026, the CPP application fee is $580 for ASIS members and $910 for nonmembers; both figures include a nonrefundable $160 processing fee, and reduced Emerging Market rates apply in qualifying countries. Approved candidates get up to three attempts within a one-year eligibility window, with at least 60 days required between attempts; each retest costs $480. Candidates who fail three times, or whose one-year eligibility window lapses, must submit a new application.
Once earned, the CPP designation does not expire automatically, but it must be recertified every three years by completing 60 Continuing Professional Education (CPE) credits tied to the certification's domains -- earned through ASIS conferences, instruction, authorship, volunteer service, membership, or other approved categories.
How many total items appear on the CPP exam, and how many of those are scored?
A candidate holds a bachelor's degree and has never held the APP certification. Under CPP eligibility rules, how much security experience -- including responsible charge -- is required?