2014 ANNUAL REPORT

INSPIRING A SAFE AND SECURE

CYBER WORLD
(ISC)² ANNUAL REPORT 2014

TABLE OF CONTENTS
Page
Message from the (ISC)² Executive Director......................................... 1
Our History................................................................................ 3
Professionalizing the Workforce....................................................... 6
The Future of Information Security.................................................... 8
Benefits of (ISC)² Membership......................................................... 10
Certification Career Path............................................................... 11
(ISC)² Foundation........................................................................ 12
2014 Highlights.......................................................................... 14
Financials................................................................................. 20
(ISC)² Fact Sheet......................................................................... 39
 MESSAGE FROM THE (ISC)2
EXECUTIVE DIRECTOR

On behalf of the (ISC)² Board of Directors and staff, I present the

2014 Annual Report. This will be my first annual report as the
(ISC)² executive director. I was named to the position by the Board
in December, 2014, and had served as chief operating officer at
(ISC)² for two years previously. As executive director and the public
face of (ISC)², I take my role very seriously. It is for that reason, in
collaboration with the Board of Directors, that we wanted this annual
report to reflect transparency.

For the first time ever, the (ISC)² Annual Report includes audited
financial statements. As a not-for-profit 501(c)(6), (ISC)² is not
required by government standards or mandates to produce an annual
report or publicize financials, but we believe it is important to provide
our members and constituents with a clear, accurate picture of the
organization. Going forward, it will be our regular practice to provide an
annual report on the work we are doing in pursuit of the (ISC)² vision to
inspire a safe and secure cyber world.

This annual report is a testament to the work being done in fulfillment

of our mission, and features salient highlights of 2014. The impressive history of (ISC)² is also prominent
in our annual report, as 2014 was the 25th anniversary of the organization. Achieving a global membership
of 100,000 is another important feat that reflects the significance of the work that we do at (ISC)².

As the recognized global leader in the field of information security education and certification, (ISC)² has
an obligation to its membership and to the industry. With all the changes in technology and the evolving
threat landscape, we will continue to work for our members, government, industry and academia to secure
information and deliver value to society.

I want to express my appreciation for the support we receive from members in performance of our duties.
Your contributions to the success of (ISC)² are truly appreciated.

Best regards,

David P. Shearer, CISSP, PMP

(ISC)² Executive Director

1
 OUR HISTORY

“(ISC)² is the largest not-for-profit membership

body of certified information and software
security professionals worldwide with members
in more than 160 countries.”

The year 2014 marked Exceeding 100,000 members

the 25th anniversary of is a grand landmark, but,
(ISC)², International it does not define the
Information System (ISC)² brand. As a result of
Security Certification deliberated strategy sessions,
Consortium, Inc. In 1989, (ISC)² has evolved from being
“The Consortium” was solely a certifying body to
formed among several an organization dedicated
professional organizations to to education, collaboration,
create a global information and allegiance to our
security certification process membership.
to address the need for
standardized curriculum for Our exams have moved
the burgeoning profession. from multiple choice,
paper-based to computer-
(ISC)² began operations, based-testing (CBT) with
shored up by two for-profit advanced format items
organizations, with only and embedded simulation.
one employee, a group of (ISC)² educational programs professionals throughout
dedicated board members, have evolved to delivery their careers, (ISC)²
and several other important via an online learning certifications are among the
volunteers. Over time, their management system (LMS) first information technology
creation, the CISSP, became with modernized materials. credentials to meet the
the first ANSI accredited Educational materials are stringent requirements of
international IT security also available from Amazon, ISO/IEC Standard 17024,
credential. iTunes, online LMS, and a a global benchmark for
mobile app. assessing and certifying
(ISC)² has expanded from personnel.
a handful of passionate (ISC)² is the largest not-
volunteers and 500 for-profit membership body
applicants for the first of certified information
CISSP® credential, to a and software security
professional staff with more professionals worldwide with
than 100,000 credential members in more than 160
holders worldwide. countries. The global leader
in certifying and educating
information security

3
 History of (ISC)²®

As we celebrate 25 years of
service, we reflect on the
achievements of our founders
“(ISC)² takes great pride in its reputation built on and members and how they’ve
shaped the information security
25 years of trust, integrity, and professionalism.” profession. (ISC)² has expanded
from a handful of passionate
volunteers and 500 applicants
for the first CISSP® credential, to
a professional staff serving over
100,000 members worldwide
from Antigua to Zimbabwe.
1988
“The Consortium” was formed
among several professional
organizations to create a global
information security certification
process for professionals and
address the need for standard
curriculum for the burgeoning
profession. A series of strategy
and planning meetings were held
at Idaho State University and in
Salt Lake City.
Headquartered in the (ISC)² takes great pride in
United States, with offices 1989
its reputation built on 25
• (ISC)² was established as a
in London, Hong Kong, years of trust, integrity, and not-for-profit corporation.
Beijing, and Tokyo, (ISC)² professionalism. In addition, • The first president of the
is recognized for Gold (ISC)²: Consortium was named.
Standard certifications • The first CBK prototype was
• Sets rigorous and completed.
and world class education
mandatory requirements for
programs in the form of 1990
continuing education;
vendor-neutral education • The first CBK working
products and career • Requires credential holders committee was formed.
services. (ISC)² credentials to adhere to and support a 1992
are essential to both Code of Ethics that ensures • The CBK committee finalized
individuals and employers the integrity and reputation creation of the CBK’s general
contents.
for the seamless safety and of the profession; and
protection of information 1994
assets and infrastructures. • Works directly with • The CISSP credential
was established and the first
practicing information
exam was launched.
(ISC)² offers education security leaders and • U.S. Postal Service was the
programs and services based visionaries to continually first organization
on its CBK®, a compendium refine and strengthen to contract with (ISC)² for
of information and software credentialing requirements certification.
security topics. The CBK and exams to meet the ever- 1997
is the Common Body of evolving security needs of • (ISC)² Board of Directors
Knowledge that defines government and industry. began overseeing all
global industry standards, operations.
serving as a framework of
terms and principles.

4
2000 Global Information • (ISC)² launched its • (ISC)² Global Academic
• Hired the first managing Security Workforce professional networking site - Program created to
director and a Study. InterSeC. focus on education, research
professional management • (ISC)²’s membership consists and outreach.
2005
team. of over 60,000 members • Inaugural (ISC)² Security
• CAP® credential was
in more than 130 countries. Congress EMEA.
2001 launched.
• 100,000 (ISC)² members.
• Opened EMEA office in • Declared 2005 the “Year 2010
London. of the Information Security • CSSLP exam became
• Harold F. (Hal) Tipton Award Professional.” computer-based exam.
was established. • Established the Affiliated Local • CISSP won SC Magazine
THE CONSORTIUM
• Launched the SSCP® Interest Group (ALIG) program Award for “Best Professional
credential. • Published the Career Guide Training Program.”  
The initial groups that joined
to the Information Security • The Application Security
2002 together to form (ISC)² included:
Profession. Advisory Board was formed.
• Opened Asia-Pacific office in
• The Government Advisory
Hong Kong. 2011 Canadian Information
Board was started.
• (ISC)² Institute was • (ISC)² Education wins SC Processing Society
established. 2006 Magazine Award for “Best
• Featured on the cover of CIO • SSCP received ANSI Professional Training Computer Security Institute
Magazine. Accreditation for Program.” 
• Recognized its 10,000th ISO/IEC 17024. • Inaugural (ISC)² Security Data Processing Management
member. • Launched “Safe and Secure Congress in Orlando, Florida Association
• Expanded information security Online” program with Childnet • (ISC)² Foundation was
education to Europe and Asia. in the United Kingdom. established with 220 Safe Idaho State University
• Received inaugural SC and Secure Online
2003
Magazine Award for “Best Volunteers. Information Systems Security
• Recognized as one of the
Professional Training • (ISC)² Chapter Program was Association
industry’s top IT certifications
Program.” launched.
in Certification Magazine.
• Initiated the America’s International Federal for
• Launched the Associate 2007
Information Security Information Processing
of (ISC)² and CISSP • Launched (ISC)² e-Symposium
Leadership Awards (AM-ISLA®).
concentrations. Webcast.
• The Latin America Advisory
• Formed the first Advisory • Won SC Magazine Award
Board was formed.
Board. for “Best Professional Training (ISC)² FOUNDERS
• Initiated the Government Program” for second 2012
Information Security consecutive year. • All (ISC)² examinations move Sandra M. Lambert, CISSP-ISSMP
Leadership Awards (GISLA®). • Initiated the Asia-Pacific to CBT (computer-based- Dr. Philip Fites
• Established the Information Information Security testing).
Security Scholarship. Leadership Achievements Sally Meglathery, CISSP
2013
(AP-ISLATM). Harold “Hal” F. Tipton,
2004 • CCFP® credential was launched.
• Opened Japan office in Tokyo. 2008 • HCISPPTM credential was CISSP-ISSAP, ISSMP
• Released inaugural publication • Launched the InfoSecurity launched. Martin Kratz
of Information Systems. Professional magazine to • The CSSLP became qualified
Security, The (ISC)² Journal. members. for use under the Michael J. Corby, CISSP
• Asia-Pacific Advisory Board • Published the Hiring Guide U.S. Department of Defense Professor Corey Schou, Ph.D.,
created. to the Information Security (DoD) 8570.1 mandate. Fellow of (ISC)²
• North American Advisory Profession. • (ISC)² reached 100th chapter
Board created. • CSSLP® credential was milestone. J.D. Fluckiger, CISSP
• CISSP earns ANSI launched. • Headquarters office moved to Richard “Rick” C. Koenig, CISSP
accreditation for ISO/ • Won inaugural SC Magazine Clearwater, Florida.
IEC Standard 17024. Award for “Best Professional James H. Finch
2014
• Developed the Security Events Certification Program.” Carolyn V. Deverin
• 25th Anniversary
Conference Series. • Launched the (ISC)² Security
• For the fourth time, (ISC)² Gilbert Hedger
• (ISC)² corporate headquarters blog.
CISSP credential recognized
moved to Palm Harbor,
2009 as the “Best Professional
Florida.
• The (ISC)² Online Resource Certification Program” for the
• Launched first (ISC)² Resource
Guide was launched to the 2014 SC Magazine Awards.
Guide for Today’s Information
public.
Security Professional.
• Started the (ISC)² ThinkTank
• Released inaugural
Roundtable. 5

 PROFESSIONALIZING
THE WORKFORCE

“(ISC)² works to ensure that information

security professionals are equipped to act
against emerging security threats.”

There is also an increase possess broad knowledge

in threats driven by the of their fields along with
rapid introduction of new sound professional judgment.
technologies that don’t (ISC)² credential holders
have security “baked in” are part of an elite group –
the product development professionals who are sought
process. The numbers after because they are the
of organized attacks are highest quality employees in
increasing and changing the industry. 
from individuals flexing their
own skills to interconnected In order to maintain security
groups of criminals who within your organization,
share information and you have to encompass
conduct coordinated attacks. people and processes, not
just technology. Information
(ISC)² works to ensure security professionals must
that information security be highly adaptable in
professionals are equipped learning and applying new
There has been an to act against emerging skills, technologies, and
unprecedented amount security threats.  With procedures. Building a strong
of data breaches that are over 90% of cybersecurity defense means building a
game-changing in their problems caused by people, workforce that has the skills
size and scope. Breaches (ISC)² believes in focusing to handle the vast majority
have caused disquiet in the beyond hardware and of threats to data. What is the
minds of consumers and software as sole solutions. best line of defense? Well-
cost companies millions We rely on another trained and certified people
of dollars’ worth of bad approach: professionalizing who are capable of recognizing
publicity, damage to brands, the information security and mitigating threats.
and cost of mitigation workforce.
and restoration. As long as
there is valuable personal (ISC)² is dedicated to
information, security will be professionalizing the security
at risk. workforce by providing
companies and organizations
with the assurance that their
staff has been tested on
industry best practices and

6
 THE FUTURE OF
INFORMATION SECURITY

“In the future, security will be seen as a

fundamental building block of IT-driven
programs, and security risks will be factored
into the business equation as business
imperatives.”

In information security, we Technology has lost many

have always recognized battles for defenders, but the
the need to be ahead of the losses teach us a valuable
game by anticipating the next lesson:
threat, the next way of doing
business, and the next big The capabilities of
technology. technology are extremely
limited unless they are
In the future, security will supported by security
be seen as a fundamental professionals who are strong
building block of IT-driven in numbers and honed in
programs, and security their skills. Armed with
risks will be factored into this lesson, we believe that
the business equation as the tide for information
business imperatives. Driven security will turn – and
by awareness at the topmost the defenders with the
levels of the executive strongest skills will have the
suite, IT managers will also advantage, even in the face
rely more heavily on their of challenges.
security teams, integrating
security into business-critical
initiatives such as mobility,
application development,
and business intelligence.
And, there will be a stronger
understanding of the value
of security to the business,
making security a more
important part of tomorrow’s
plans and budgets.

8
 Benefits of (ISC)² Membership

“As an (ISC)² member, you’re part of a

globally recognized network of information
security professionals.”

As an (ISC)² member, you’re Chapter Membership

part of a globally recognized Opportunities:
network of information • Engage in leadership roles.  
security professionals. You
have access to a full spectrum • Participate in co-sponsored
of global resources, educational events with other industry
tools, and peer networking associations.
opportunities, as well as • Assist (ISC)² initiatives
industry event discounts and by speaking at industry
much more. events or writing articles
for publications.
Anyone involved in the
information security • Participate in local
profession will attest that community outreach
peer networking is an projects or public service
invaluable resource.  (ISC)² to educate people about
chapters provide members information security.
with the opportunity to build • Receive special discounts
(ISC)² is the voice of the a local network of peers to on (ISC)² programs and
profession. Through our share knowledge, exchange affiliated events.
global team of staff and resources, and collaborate on
volunteers, (ISC)² is poised projects.
to represent the industry and
to be the advocate for the Being a member of an (ISC)²
profession. (ISC)² certification chapter has its benefits. Not
gives you the backing, the only will you gain a sense of
education, the colleagues, fellowship with colleagues
and the networking system in your profession, you will
to face risks and threats also be able to network and
head-on. exchange ideas with fellow
(ISC)² credential holders and
other information security
professionals in your local
area. 

10
 CERTIFICATION CAREER PATH

What do
Architecture Engineering Management
information security
professionals need
to succeed?

While there is no
magic silver bullet,
having the right mix Advanced Technical Information Security Knowledge
of education and
Specialized Security Knowledge
training is the key
to success.

Cyber Forensics

Software Security

Healthcare

System Authorization

Foundational Technical Information Security Knowledge

Associate of (ISC)2

College

High School

Grade School
ula
Co

pu
ric
m

ter u r
S ciences C
 (ISC)² FOUNDATION

“Through the (ISC)² Foundation, the 100,000

highly skilled members of (ISC)² are devoted to
empowering students, teachers, and the general public to
secure their online lives with cybersecurity education and
awareness programs in their communities.”

Safe and Secure Online The Foundation has also

The Safe and Secure awarded over US$400,000
Online® program educates in scholarships to students
vulnerable publics about pursuing a degree in
cybersecurity safety. (ISC)² cybersecurity.
experts have developed
programs designed for (ISC)² Foundation
age groups between 7-10 Scholarships
and 11-14 that empower The Foundation is
them and their parents committed to encouraging
with the knowledge and high school students and
skills they need to protect undergraduates to enter
themselves online. Thanks the field of information
to the dedication of our security. The Foundation
uniquely skilled and also supports post-graduate
qualified members who students who are conducting
have volunteered their time, game-changing research, and
hundreds of thousands of provides vouchers for (ISC)²
(ISC)² strives to reach children have learned how certification exams to ensure
students from grade school to protect themselves from that qualified faculty are
through college to foster cyberbullying, malware, available to prepare students
the next generation of spam, and phishing. to enter the workforce.
professionals with Operating in the U.S.A.,
mentoring, networking and Canada, the U.K., Hong Scholarships:
education programs. Kong, Switzerland, Ireland,
Through the (ISC)² • Women’s Scholarship 
and India, Safe and Secure
Foundation, the 100,000 • Undergraduate Scholarship  
Online is rapidly growing in
highly skilled members • Graduate Scholarship 
size, scope, and geography.
of (ISC)² are devoted • Harold F. Tipton
to empowering students, Memorial Scholarship
Since the Safe and Secure
teachers, and the general • U.S.A. Cyber Warrior
Online program began in
public to secure their online Scholarship  
2006, more than 1,200 (ISC)²
lives with education • University of Phoenix
member volunteers have
and awareness programs (ISC)² Scholarship  
helped close to 150,000
in their communities. • Faculty Vouchers  
children learn how to protect
• MITRE STEM CTF:
themselves and become
Cyber Challenge
responsible digital citizens.
12
Through innovative thought As a result of the
leadership and research constantly changing
initiatives, (ISC)² stays at regulatory environment and
the forefront in validating increasingly sophisticated
the impact of professional threats, (ISC)² monitors
certification on business and the threat horizon on
government. Committed to behalf of the dynamic
maintaining its leadership information security
role as the trusted advisor workforce that’s faced
to the information security with dramatic shifts.
workforce, through the
Foundation, (ISC)² provides
the industry with timely,
actionable intelligence.

In the “2013 Global

Information Security
Workforce Study,” (ISC)²
revealed that even in the best
of times, most enterprises
are severely short-staffed –
there simply aren’t enough
well-qualified security
professionals in the industry.

In addition, most
organizations are finding
a severe shortage of the
specialized skills they need
to maintain their defenses;
for example, application
security, forensics, and industry-
specific skills such as HIPAA
in the healthcare industry and
PCI in the retail space.
 2014 HIGHLIGHTS

“The goal of GAP is to develop and nurture

academic relationships and partnerships that
establish a position on the future of IT education
and certification while influencing the preparedness
of future IT/cybersecurity professionals.”

professionals through our structure. The Personnel

credentials. At the 2014 RSA Certification Accreditation
Conference in San Francisco, Committee (PCAC) finalized
the CISSP was recognized the accreditation of our
as the “Best Professional credentials for the next five
Certification Program.” This years.
was the fourth SC Magazine
Award recognizing the (ISC)² was one of the first
CISSP for best professional organizations to receive ANSI
certification. accreditation under ISO/
IEC Standard 17024. As
The launch of our new the framework by which
e-Symposium platform certification agencies
was another notable measure themselves, it
achievement. Through outlines a process for
this platform, the member improvement so that
experience is enhanced certification bodies may
because it offers easier continue to improve and
The first quarter of 2014 accessibility with more enhance the quality of their
marked the beginning of functionality, while providing services.
a new year with renewed CPE credits. All assessments
efforts to secure (ISC)² as and certificates will be kept We added a new quality service
the leader in educating and within member profiles. In for members in August. The
certifying information security the event of a CPE audit, the Hybrid Learning Solution is
professionals. member will have easy access the first of its kind to offer two
to this information. modes of training for the price
(ISC)² was honored to of one and includes official
again be recognized by SC In July, assessors were study guides and an exam
Magazine for our efforts assigned to (ISC)² to audit voucher, at no additional cost.
to build a stronger security our ANSI accreditation
workforce and to strengthen status. The on-site audit is At (ISC)², we know that a
the core knowledge of conducted by ANSI only successful career path starts with
information security once in five years. The education. Through the Global
assessors reviewed all of our Academic Program (GAP), (ISC)²
psychometric reports, policies collaborates with an ever-expanding
and procedures as well as our network of academic partners
management and financial

14
to establish a joint framework
for delivering essential skills
to support the growth of a
qualified information security
workforce.  The goal of GAP
is to develop and nurture
academic relationships and
partnerships that establish a
position on the future of IT
education and certification
while influencing the
preparedness of future IT/
cybersecurity professionals.
Industry-academic cooperation
can bridge the workforce gap
between the large demand
for qualified cybersecurity
professionals and the amount
of skilled professionals who
are prepared for the market.

During 2014, (ISC)² offered

a series of events on
emerging issues, trends, and
hot button topics, featuring
expert speakers and unique
networking opportunities. 
 “You are a member of the largest, greatest, and
most respected IT security organization in the
world. Looking forward, I encourage you to
remain committed to advancing the industry
and the work of (ISC)².”
– Hord Tipton, CISSP

SecurePortland and 5 CFR 410.404, per the

SecureRotterdam U.S. Office of Personnel
SecureSanAntonio Management (OPM).
SecureSanDiego OPM’s approval serves as
SecureSDLC – Austin affirmation of (ISC)²’s role
SecureSingapore and contributions toward
SecureSweden professionalizing the industry.
SecureTampa
In December, (ISC)² held
The (ISC)² Security Congress the inaugural Security
and the ASIS International Congress EMEA in London.
Annual Seminar and Exhibits The latest development
were held September 29- in (ISC)²’s successful
October 2 at the Georgia and growing program of
World Congress Center in conferences and events
Atlanta. Through this event, around the world, (ISC)²
ASIS and (ISC)² leveraged Security Congress EMEA
joint expertise and resources is the second major
(ISC)2 SecureEvents were to present two events in international event developed
held around the globe: the same location with an by (ISC)² to showcase
overarching goal: to provide current thinking on trends
CyberSecure Pakistan security professionals with and emerging issues from
CyberSecureGov the knowledge, technology, the information security and
SecureAsia@Beijing and networking opportunities cyber risk professions.
SecureBrasil they need to excel in their
SecureCharlotte careers and secure their (ISC)² forged collaborative
SecureCleveland organizations’ people, relationships worldwide
SecureDallas property, and data.
SecureDusseldorf with academic institutions,
SecureFribourg government agencies,
At this year’s Security
SecureHongKong corporate philanthropies, and
Congress, 80 sessions
SecureIberia other associations to further
were presented under nine
SecureJohannesburg education tracks. (ISC)² the cause for certification,
SecureMiami Security Congress was education, and to inspire a
SecureMiddleEast officially identified as a safe and secure cyber world.
SecurePhiladelphia qualified U.S. government
SecurePoland training activity in accordance
with 5 U.S.C., chapter 41
16
(ISC)² Executive Director
Retires

Executive Director Hord Tipton

announced his retirement,
effective December 31, 2014,
after serving at (ISC)² for 6 ½
years.  During Hord’s tenure,
the organization had grown to
more than 100,000 members
worldwide; introduced
three new certifications
and subsequent education
programs; established a
non-profit Foundation; moved
from paper-based testing to
computer-based testing; and
developed new programs such
as the Chapter Program and
the Global Academic Program. 
(ISC)² Chief Operating Officer
David Shearer was named
to take over the executive
director role beginning
January 1, 2015.
 “The U.S. Department of Defense
recognized the critical need for highly-qualified,
experienced information security personnel
and approved (ISC)² credentials based on the
requirements of DoD 8570.01.”

portal. The NICCS Portal expands the 8570 concept

provides those entering from information assurance
the field or those seeking personnel only to the entire
continuing education a cyberspace workforce. The
trusted resource, knowing draft of 8140 is currently
that all training courses in process, slated for final
listed on the site map to approval and release in
the National Initiative for early 2016. 
Cybersecurity Education
(NICE) Framework and In response to growing
therefore align with global demand, the (ISC)²
national standards. Under Official Training Providers
this initiative, NICE’s (OTP) program was revamped
ultimate goal is to increase to provide better resources
the number of individuals to (ISC)² channels. As the
who complete high-quality program has matured since
security training and it was first introduced, there
In October, (ISC)² announced education programs to attain are more and more training
training for its CISSP®, skills that are in high demand providers requesting to
CISSP-ISSEP®, CISSP- in the national workforce. participate in the program.
ISSAP®, CSSLP®, and (ISC)² also established new
SSCP® certifications on the The U.S. Department of OTP relationships in key
Department of Homeland Defense also recognized strategic markets, including
Security’s National Initiative the critical need for highly- Argentina, China, Uruguay,
for Cybersecurity Careers qualified, experienced Paraguay, Turkey, Australia,
and Studies (NICCS) information security Egypt, and Tunisia.
Portal, a comprehensive personnel, based on
online resource for cyber the requirements of
education and training. DoD 8570.01. (ISC)²
(ISC)² is the first professional certifications are the most
organization to have its broadly based of the
training course information certifications currently
accessible from the DHS approved for use within the
Department of Defense.
DoD Directive 8140
18
Child prodigy, 8-year-old
Reuben Paul, who is also
the founder and CEO of
Prudent Games, spoke at
the (ISC)² Security Congress
(Atlanta).  Reuben gave an
insightful and educational
talk about creating a safe
and secure cyber world for
kids, by kids, and about the
importance of teaching online
security.  He also thanked the
(ISC)² Safe and Secure Online
program for making
a difference.
FINANCIALS

TABLE OF CONTENTS
Page
Independent Auditor’s Report.......................................................... 21
Consolidated Statements of Financial Position..................................... 22
Consolidated Statements of Activities................................................ 23
Consolidated Statements of Functional Expenses.................................. 24
Consolidated Statements of Cash Flows............................................. 26
Notes to Consolidated Financial Statements........................................ 27

(ISC)² Fact Sheet......................................................................... 39

 INDEPENDENT AUDITOR’S REPORT
Mayer Hoffman McCann P.C.
An Independent CPA Firm

The Board of Directors

International Information System Security Certification Consortium, Inc.

We have audited the accompanying consolidated financial statements of International Information System Security
Certification Consortium, Inc. (the “Organization”), which comprise the consolidated statements of financial position as
of December 31, 2014 and 2013, and the related consolidated statements of activities, functional expenses and cash flows
for the years then ended, and the related notes to the consolidated financial statements.
Management’s Responsibility for the Financial Statements
Management is responsible for the preparation and fair presentation of these consolidated financial statements in
accordance with accounting principles generally accepted in the United States of America; this includes the design,
implementation, and maintenance of internal control relevant to the preparation and fair presentation of consolidated
financial statements that are free from material misstatement, whether due to fraud or error.
Auditor’s Responsibility
Our responsibility is to express an opinion on these consolidated financial statements based on our audits. We conducted
our audits in accordance with auditing standards generally accepted in the United States of America. Those standards
require that we plan and perform the audit to obtain reasonable assurance about whether the consolidated financial
statements are free from material misstatement.
An audit involves performing procedures to obtain audit evidence about the amounts and disclosures in the consolidated
financial statements. The procedures selected depend on the auditors’ judgment, including the assessment of the risks
of material misstatement of the consolidated financial statements, whether due to fraud or error. In making those risk
assessments, the auditor considers internal control relevant to the entity’s preparation and fair presentation of the
consolidated financial statements in order to design audit procedures that are appropriate in the circumstances, but not
for the purpose of expressing an opinion on the effectiveness of the entity’s internal control. Accordingly, we express no
such opinion. An audit also includes evaluating the appropriateness of accounting policies used and the reasonableness of
significant accounting estimates made by management, as well as evaluating the overall presentation of the consolidated
financial statements.
We believe that the audit evidence we have obtained is sufficient and appropriate to provide a basis for our audit opinion.
Opinion
ln our opinion, the consolidated financial statements referred to above present fairly, in all material respects, the
consolidated financial position of International Information System Security Certification Consortium, Inc. as of
December 31, 2014 and 2013, and the changes in its net assets and its cash flows for the years then ended in accordance
with accounting principles generally accepted in the United States of America.

March 16, 2015

Clearwater, Florida

21
 INTERNATIONAL INFORMATION SYSTEM
SECURITY CERTIFICATION CONSORTIUM, INC. AND SUBSIDIARIES
Consolidated Statements of Financial Position
December 31, 2014 and 2013

Assets 2014 2013

Current assets:
Cash and cash equivalents $ 9,216,809 6,979,799
Event receivables, less allowance for doubtful accounts
of $138,000 and $541,500 in 2014 and 2013, respectively 1,356,138 1,401,583
Certification receivables, less allowance for doubtful accounts
of $690,000 and $700,000 in 2014 and 2013, respectively 3,795,636 3,533,168
Other accounts receivable 474,323 980,216
Prepaid expenses 472,558 369,610

Total current assets 15,315,464 13,264,376

Property and equipment, net 1,510,081 1,633,041

Other assets:
Certificates of deposit - 3,554,818
Investments 17,914,035 12,583,511
Examination question pool, net of amortization
of $3,438,788 and $2,657,805 in 2014 and 2013, respectively 2,054,198 1,802,849
Other 589,419 486,555

Total assets $ 37,383,197 33,325,150

Liabilities and Net Assets

Current liabilities:
Accounts payable and accrued liabilities $ 3,345,802 2,590,447
Deferred revenue 4,895,157 4,286,753
Foreign tax accrual 253,550 253,434

Total current liabilities 8,494,509 7,130,634

Unrestricted net assets:

Undesignated 11,850,770 9,186,465
Board designated:
Capital investments 5,000,000 5,000,000
Long-term investments 12,000,000 12,000,000

Total unrestricted net assets 28,850,770 26,186,465

Temporarily restricted net assets 37,918 8,051

Total net assets 28,888,688 26,194,516

Total liabilities and net assets $ 37,383,197 33,325,150

See accompanying independent auditor’s report and notes to consolidated financial statements.
22
 INTERNATIONAL INFORMATION SYSTEM
SECURITY CERTIFICATION CONSORTIUM, INC. AND SUBSIDIARIES
Consolidated Statements of Activities
For the Years Ended December 31, 2014 and 2013

2014 2013
Unrestricted revenue:
Educational services $ 12,152,600 9,295,875
Professional examinations 11,822,437 10,290,252
Certification renewal fees 8,527,893 8,026,490
In-kind contributions 341,700 338,100
Contributions 119,740 196,185
Investment earnings 449,787 983,900
Other revenue 1,284,956 1,269,413
Foreign currency exchange (142,029) (44,577)

Total unrestricted revenue 34,557,084 30,355,638

Operating expenses:
Educational services 6,573,320 5,484,448
Professional examinations 4,043,890 3,519,278
Marketing and communications 2,469,851 2,160,381
General and administrative 18,838,735 18,355,978
Value added taxes (30,378) (243,346)
Recovery of foreign income tax - (11,626)

Total expenses 31,895,418 29,265,113

Release of temporarily restricted funds 2,639 -

Change in unrestricted net assets 2,664,305 1,090,525

Temporarily restricted revenue:

Contributions 32,506 8,051

Total temporarily restricted revenue 32,506 8,051

Release of restrictions (2,639) -

Change in temporarily restricted net assets 29,867 8,051

Change in net assets 2,694,172 1,098,576

Net assets at beginning of year 26,194,516 25,095,940

Net assets at end of year $ 28,888,688 26,194,516

See accompanying independent auditor’s report and notes to consolidated financial statements.
23
 INTERNATIONAL INFORMATION SYSTEM
SECURITY CERTIFICATION CONSORTIUM, INC. AND SUBSIDIARIES
Consolidated Statements of Functional Expenses
For the Years Ended December 31, 2014 and 2013

Supporting Services
Program Services Fundraising Administrative Total

Educational services $ 6,573,320 - - 6,573,320

Professional examinations 4,043,890 - - 4,043,890
Marketing and communications:
Advertising and marketing 1,699,412 1,423 25,853 1,726,688
Advisory boards 65,367 - - 65,367
Public relations/outreach 649,540 50 28,206 677,796

2,414,319 1,473 54,059 2,469,851

General and administrative:

Amortization 991,246 - - 991,246
Bad debts 109,794 - - 109,794
Bank fees 689,562 - 37,501 727,063
Contract labor 1,138,277 - 10,160 1,148,437
Depreciation 80,318 - 598,483 678,801
Employee benefits and taxes 779,263 1,350 474,114 1,254,727
Employee salaries and wages 4,559,443 14,687 2,829,699 7,403,829
Facility rental and catering 12,761 - 8,771 21,532
Impairment of intangibles 233,165 - - 233,165
International maintenance 180,247 - 54,661 234,908
Membership development 608,648 - - 608,648
Other 102,888 - 187,394 290,282
Professional fees 887,001 8,498 486,363 1,381,862
Rent 40,713 - 807,864 848,577
Scholarships 146,968 - - 146,968
Supplies 219,559 - 619,132 838,691
Telephone and internet 40,028 - 86,451 126,479
Training 53,166 - 47,276 100,442
Travel 736,531 45 627,762 1,364,338
Website/server maintenance 55,726 - 273,220 328,946

11,665,304 24,580 7,148,851 18,838,735

Value added taxes - - (30,378) (30,378)

$ 24,696,833 26,053 7,172,532 31,895,418

See accompanying independent auditor’s report and notes to consolidated financial statements.
24
 INTERNATIONAL INFORMATION SYSTEM
SECURITY CERTIFICATION CONSORTIUM, INC. AND SUBSIDIARIES
Consolidated Statements of Functional Expenses
For the Years Ended December 31, 2014 and 2013

Supporting Services
Program Services Fundraising Administrative Total

Educational services $ 5,484,448 - - 5,484,448

Professional examinations 3,519,278 - - 3,519,278
Marketing and communications:
Advertising and marketing 1,412,501 - - 1,412,501
Advisory boards 85,679 - - 85,679
Public relations/outreach 662,201 - - 662,201

2,160,381 - - 2,160,381

General and administrative:

Amortization 1,444,925 - - 1,444,925
Bad debts 666,081 - - 666,081
Bank fees 582,746 - 35,434 618,180
Contract labor 1,908,537 - 3,577 1,912,114
Depreciation - - 726,436 726,436
Employee benefits and taxes 566,284 909 471,377 1,038,570
Employee salaries and wages 3,146,494 11,145 2,769,353 5,926,992
Facility rental and catering - - 42,340 42,340
Impairment of intangibles 60,055 - - 60,055
International maintenance - - 141,758 141,758
Membership development 567,135 - - 567,135
Other 1,356 19 269,685 271,060
Professional fees 622,099 8,397 631,656 1,262,152
Rent - - 786,359 786,359
Scholarships 113,074 - - 113,074
Supplies 273,893 - 554,806 828,699
Telephone and internet - - 149,021 149,021
Training - - 142,855 142,855
Travel 851,965 4 622,808 1,474,777
Website/server maintenance - - 183,395 183,395

10,804,644 20,474 7,530,860 18,355,978

Value added taxes - - (243,346) (243,346)

Recovery of foreign income tax - - (11,626) (11,626)

$ 21,968,751 20,474 7,275,888 29,265,113

See accompanying independent auditor’s report and notes to consolidated financial statements.
25
 INTERNATIONAL INFORMATION SYSTEM
SECURITY CERTIFICATION CONSORTIUM, INC. AND SUBSIDIARIES
Consolidated Statements of Cash Flows
For the Years Ended December 31, 2014 and 2013

2014 2013

Cash flows from operating activities:

Change in net assets $ 2,694,172 1,098,576
Adjustments to reconcile change in net assets
to net cash provided by operating activities:
Depreciation and amortization 1,670,047 2,171,361
Impairment of intangibles 233,165 60,055
Provision for bad debts 109,794 666,081
Loss on disposal of assets 21,910 3,249
Realized and unrealized gain on investments (6,337) (652,616)
In-kind contributions capitalized as question pool
development intangible (203,250) (211,450)
(Increase) decrease in operating assets:
Events, certifications, and other accounts receivable 179,076 (1,451,311)
Prepaid expenses (102,948) 97,358
Other assets (102,864) 23,341
(Decrease) increase in operating liabilities:
Accounts payable and accrued liabilities 755,355 296,086
Deferred revenue 608,404 382,915
Foreign tax accrual 116 (223,144)

Net cash provided by operating activities 5,856,640 2,260,501

Cash flows from investing activities:

Purchases of property and equipment (616,328) (1,027,248)
Proceeds from sale of property and equipment 38,577 8,000
Question pool development costs (1,272,510) (1,111,963)
Purchase of investments (11,474,469) (14,701,211)
Proceeds from sale of investments 6,150,282 8,430,681
Proceeds from maturities of certificates of deposit, net 3,554,818 4,067,481

Net cash used in investing activities (3,619,630) (4,334,260)

Net change in cash and cash equivalents 2,237,010 (2,073,759)

Cash and cash equivalents at beginning of year 6,979,799 9,053,558

Cash and cash equivalents at end of the year $ 9,216,809 6,979,799

Supplemental disclosures:
Recovery of foreign income tax $ - (11,626)

See accompanying independent auditor’s report and notes to consolidated financial statements.
26
 INTERNATIONAL INFORMATION SYSTEM
SECURITY CERTIFICATION CONSORTIUM, INC. AND SUBSIDIARIES
Notes to Consolidated Financial Statements
December 31, 2014 and 2013

(1) Organization

International Information System Security Certification Consortium, Inc. and Subsidiaries (the
Consortium) is a nonprofit organization organized in the state of Massachusetts. The Consortium
establishes international standards of excellence within the field of information systems security
and provides certification to individuals in the profession. It also provides educational services to
various entities and its certification holders around the world. Its corporate headquarters are located
in Clearwater, Florida.

The accompanying consolidated financial statements include the accounts of International

Information System Security Certification Consortium, Inc. (ISC)² and its wholly-owned
subsidiaries: International Information Systems Security Certification Consortium Limited, Hong
Kong (Hong Kong Company) and International Information Systems Security Certification
Consortium Limited, United Kingdom (UK Company), as well as the (ISC)² Charitable and
Educational Foundation, Inc. (Foundation) which is a segregated fund within the Consortium. All
intercompany transactions have been eliminated. The Hong Kong Company and the UK Company
were organized to enable business transactions in Hong Kong and the United Kingdom,
respectively. The Foundation was established as a segregated fund within the Consortium for
exclusively charitable purposes.

(2) Summary of Significant Accounting Policies

(a) Cash and Cash Equivalents

The Company considers all short-term investments with original maturities of three months
or less to be cash equivalents.

(b) Event and Certification Receivables

Event and certification receivables are recorded at realizable value net of an allowance for
doubtful accounts. The allowance is estimated from historical performance and projection of
trends. Accounts that are more than 120 days past due are put on credit hold. Event and
certification receivables are written off when deemed uncollectible. Event and certification
receivables may be charged a fee for interest if the account remains in a delinquent status.
Interest income is recorded upon billing.

(c) Prepaid Expenses

Prepaid expenses consist primarily of insurance premiums and software maintenance. These
items are expensed pro rata over the contract period in which the Consortium receives the
benefits.

27
 INTERNATIONAL INFORMATION SYSTEM
SECURITY CERTIFICATION CONSORTIUM, INC. AND SUBSIDIARIES
Notes to Consolidated Financial Statements
December 31, 2014 and 2013

(2) Summary of Significant Accounting Policies - Continued

(d) Property and Equipment

Property and equipment with an estimated life greater than one year are recorded at cost and
depreciated using the straight-line method of depreciation over the estimated useful lives of
the underlying assets.

(e) Certificates of Deposit

The Consortium invests funds in excess of immediate operating needs in certificates of

deposit. The certificates of deposit have maturity dates that range from 18 to 22 months, with
interest rates that range from 0.10% to 0.40%. Certificates of deposit are recorded at cost
which approximates fair value. All income from certificates of deposit is recorded as
investment earnings. Prior to maturity, all certificates of deposit were held by one banking
institution.

(f) Investments

Investments consisting primarily of mutual funds and money funds are measured at fair value
based on quoted market prices. Gains and losses on fair value adjustments are recognized on
the specific identification basis, net of investment expenses. Investments are held at one
financial institution.

(g) Examination Question Pool

The examination question pool consists of costs for developing exam questions that are the
basis for certifications exams. Questions are used on a statistically determined rotating basis
and are updated periodically to provide tests that are statistically unique.

The question pool is being amortized on a straight-line basis over estimated lives of three to
four years.

(h) Impairment or Disposal of Long - Lived Assets

The Consortium reviews long-lived assets for impairment whenever events or changes in
circumstances indicate that the carrying about of an asset may not be recoverable. The
Consortium assesses the recoverability of the cost of the asset based on a review of projected
undiscounted cash flows. In the event an impairment loss is identified, it is recognized based
on the amount by which the carrying value exceeds the estimated fair value of the long-lived
asset. The Consortium recorded a loss from impairment of intangibles of $233,165 and
$60,055 during the years ended December 31, 2014 and 2013, respectively.

28
 INTERNATIONAL INFORMATION SYSTEM
SECURITY CERTIFICATION CONSORTIUM, INC. AND SUBSIDIARIES
Notes to Consolidated Financial Statements
December 31, 2014 and 2013

(2) Summary of Significant Accounting Policies - Continued

(i) Classification of Net Assets

All net assets, revenues, expenses, gains and losses of the Consortium, including the
Foundation are classified as unrestricted if donor-imposed restrictions have been met during
the same year. Net assets and revenues which are temporarily restricted by the donor for
which the restriction has not been met in the same year are classified as temporarily
restricted. The Consortium had temporarily restricted net assets of $37,918 at December 31,
2014 and $8,051 at December 31, 2013 that were donor-restricted for specific programs of
the Foundation. Board designated amounts represent amounts set aside by the board for
future capital investments and long-term investments.

(j) Revenue Recognition

The Consortium utilizes the accrual basis of accounting. Accordingly, educational services
and professional exams revenue is recognized when services are performed, while
certification revenue is recognized over the life of the certification.

(k) Deferred Revenue

Education service fees received in advance are deferred and recognized over the course of the
training program. Professional examination fees received from certification applicants are
deferred for revenue recognition purposes until the examination has been completed by the
applicants. Certification renewal fees covering future periods, for which payment has been
received, are deferred and recognized as revenue over the period of certification.

(l) Contributions

All contributions are considered to be available for unrestricted use unless specifically
restricted by the donor. Contributions that are restricted by the donor are reported as increases
in unrestricted net assets if the restrictions expire or are otherwise satisfied in the fiscal year
in which the contributions are recognized.

(m) In-Kind Contributions: Donated Services

Contributions of services are recognized if the services received (a) create or enhance an asset
or (b) require specialized skills, are provided by individuals possessing those skills, and
typically need to be purchased if not provided by donation. The value of services is based on
estimated fair value.

29
 INTERNATIONAL INFORMATION SYSTEM
SECURITY CERTIFICATION CONSORTIUM, INC. AND SUBSIDIARIES
Notes to Consolidated Financial Statements
December 31, 2014 and 2013

(2) Summary of Significant Accounting Policies - Continued

(n) Advertising

The Consortium uses external advertising resources. External advertising consists of

promotions, publications, and internet advertising. The Consortium expenses advertising
costs when incurred. Advertising costs incurred during 2014 and 2013 were $752,461 and
$567,272, respectively, and are included in marketing and communication expense.

(o) Income Taxes

The Consortium, excluding the Foundation, is generally exempt from U.S. income taxes
under Section 501(c)(6) of the Internal Revenue Code. The Foundation is generally exempt
from U.S. income taxes under Section 501(c)(3) of the Internal Revenue Code. Information
returns (Forms 990) are filed with the Internal Revenue Service (IRS). The Consortium has
evaluated its tax positions taken for all open tax years and does not believe it has any
uncertain income tax positions as defined by accounting principles generally accepted in the
United States of America for income taxes. The 2011, 2012, and 2013 tax years are open and
subject to examination by the IRS. The Consortium is not currently under audit nor has the
Consortium been contacted by the IRS.

Some foreign operations of the Consortium are subject to foreign income taxes. Foreign taxes
are expensed when incurred. There was no income tax expense related to foreign operations
for the year ended December 31, 2014 as the Consortium has operating losses in foreign
taxing jurisdictions and net operating loss carryforwards of approximately $650,000.
Recovery of foreign income tax related to foreign operations was ($11,626) for the year
ended December 31, 2013 and has been included in recovery of foreign income tax on the
accompanying statements of activities. The Consortium operates in countries where foreign
taxes are not paid, so there may be additional foreign tax jurisdictions that may assess income
taxes to the Consortium.

(p) Use of Estimates

The preparation of financial statements in conformity with accounting principles generally

accepted in the United States of America requires management to make estimates and
assumptions that affect the reported amounts of assets and liabilities and disclosure of
contingent assets and liabilities at the date of the financial statements, and the reported
amounts of revenues and expenses during the reporting period. Actual results could differ
from those estimates.

The most significant estimates include those used in determining the carrying value of the
allowance for doubtful accounts, amortization life of examination question pool assets, in-
kind revenues, and the foreign tax accrual. Although some variability is inherent in these
estimates, management believes that the amounts presented are adequate.

30
 INTERNATIONAL INFORMATION SYSTEM
SECURITY CERTIFICATION CONSORTIUM, INC. AND SUBSIDIARIES
Notes to Consolidated Financial Statements
December 31, 2014 and 2013

(2) Summary of Significant Accounting Policies - Continued

(q) Reclassifications

Certain reclassifications have been made to the 2013 financial statement presentation to
conform to the 2014 presentation. These reclassifications had no effect on net assets or
changes in net assets.

(r) Subsequent Events

The Consortium has evaluated subsequent events through March 16, 2015, which is the date
the consolidated financial statements were available to be issued.

(3) Foundation Activity

The Foundation was established as a separate fund within the Consortium during 2011. In 2014 and
2013, the Foundation recorded contributions of $320,000 and $250,000, respectively, from (ISC)²
which were eliminated upon consolidation. The Foundation also recorded $152,246 and $204,236
of contributions from outside sources in 2014 and 2013, respectively. In addition, the Foundation
recorded expenses as follows for the years ended December 31:

2014 2013

Program services:
Scholarship programs $ 202,909 148,028
Safe and secure program 108,929 103,564
Research programs 154,227 99,222
Fundraising expenses 26,053 20,474
Administrative expenses 87,540 93,252

$ 579,658 464,540

31
 INTERNATIONAL INFORMATION SYSTEM
SECURITY CERTIFICATION CONSORTIUM, INC. AND SUBSIDIARIES
Notes to Consolidated Financial Statements - Continued

(4) Property and Equipment

Property and equipment and estimated useful lives consist of the following at December 31:

Estimated
2014 2013 Useful Lives

Computer equipment and software $ 2,187,670 4,704,460 3-5 years

Office equipment 29,462 29,462 3 years
Website 93,656 93,656 3 years
Furniture and fixtures 392,692 392,692 7-10 years
Vehicles 46,100 44,207 5 years
Leasehold improvements 232,561 153,124 7 years

2,982,141 5,417,601

Less accumulated depreciation (1,472,060) (3,784,560)

$ 1,510,081 1,633,041

Depreciation expense for the years ended December 31, 2014 and 2013 was $678,801 and
$726,436, respectively.

(5) Investment Earnings

Investment earnings consist of the following for the year ended December 31:

2014 2013

Interest and dividends $ 510,063 383,955

Realized gains 173,625 115,810
Unrealized (losses) gains (167,288) 536,806
Investment fees (66,613) (52,671)

Total $ 449,787 983,900

(6) Fair Value Measurements

The Consortium records fair value measurements according to accounting principles generally
accepted in the United States of America, which define fair value and specify a hierarchy of
valuation techniques. The disclosure of fair value estimates in the hierarchy is based on whether the
significant inputs into the valuation are observable. In determining the level of hierarchy in which
the estimate is disclosed, the highest priority is given to unadjusted quoted prices in active markets
and the lowest priority to unobservable inputs that reflect the Consortium’s significant market
assumptions. The Consortium measures investments at fair value on a recurring basis.

32
 INTERNATIONAL INFORMATION SYSTEM
SECURITY CERTIFICATION CONSORTIUM, INC. AND SUBSIDIARIES
Notes to Consolidated Financial Statements - Continued

(6) Fair Value Measurements - Continued

The following is a brief description of the types of valuation information (inputs) that qualify a
financial asset for each level:

Level 1: Unadjusted quoted market prices for identical assets or liabilities in active markets
which are accessible by the Consortium;

Level 2: Observable prices in active markets for similar assets or liabilities, prices for identical or
similar assets or liabilities in markets that are not active, market inputs that are not
directly observable but are derived from or corroborated by observable market data;

Level 3: Unobservable inputs based on the Consortium’s own judgment as to assumptions a

market participant would use, including inputs derived from extrapolation and
interpolation that are not corroborated by observable market data.

Financial assets classified as Level 1 in the fair value hierarchy include mutual funds and money
funds in 2014 and 2013. These investments are traded on a daily basis in active markets and the
Consortium estimates the fair value of these securities using unadjusted quoted market prices.

A review of fair value hierarchy classification is conducted on an annual basis. Changes in the
observability of valuation inputs may result in a reclassification of levels for certain securities
within the fair value hierarchy.

The Consortium evaluates the various types of financial assets to determine the appropriate fair
value hierarchy based upon trading activity and the observability of market inputs. The Consortium
employs control processes to validate the reasonableness of the fair value estimates of its assets and
liabilities, including those estimates based on prices and quotes obtained from independent third
party sources.

33
 INTERNATIONAL INFORMATION SYSTEM
SECURITY CERTIFICATION CONSORTIUM, INC. AND SUBSIDIARIES
Notes to Consolidated Financial Statements - Continued

(6) Fair Value Measurements - Continued

The following table sets forth by level, within the fair value hierarchy, the Consortium’s assets at
fair value as of December 31, 2014:
Fair Value Measurements at December 31, 2014 Using

Significant
Assets Other
Measured at Observable Observable Significant
Fair Value at Inputs Inputs Inputs
Description 12/31/2014 (Level 1) (Level 2) (Level 3)

Mutual funds:
Mid Cap $ 269,238 269,238 - -
Small Cap 540,502 540,502 - -
Stock Index 2,608,467 2,608,467 - -
Global Listed Infrastructure 505,615 505,615 - -
Value 730,004 730,004 - -
Cap Appreciation 724,434 724,434 - -
Emerging Markets 736,735 736,735 - -
International 1,480,652 1,480,652 - -
Large Cap 487,887 487,887 - -
Fixed-income 5,577,443 5,577,443 - -
Real estate 260,547 260,547 - -
Money funds 3,992,511 3,992,511 - -

$ 17,914,035 17,914,035 - -

The following table sets forth by level, within the fair value hierarchy, the Consortium’s assets at
fair value as of December 31, 2013:
Fair Value Measurements at December 31, 2013 Using

Significant
Assets Other
Measured at Observable Observable Significant
Fair Value at Inputs Inputs Inputs
Description 12/31/2013 (Level 1) (Level 2) (Level 3)

Mutual funds:
Mid Cap $ 252,641 252,641 - -
Small Cap 510,794 510,794 - -
Stock Index 1,520,668 1,520,668 - -
Global Listed Infrastructure 254,988 254,988 - -
Value 633,175 633,175 - -
Cap Appreciation 637,644 637,644 - -
Emerging Markets 864,978 864,978 - -
International 2,528,762 2,528,762 - -
Large Cap 343,051 343,051 - -
Fixed-income 4,273,808 4,273,808 - -
Real estate 248,310 248,310 - -
Commodity linked 315,480 315,480 - -
Money funds 199,212 199,212 - -

$ 12,583,511 12,583,511 - -

34
 INTERNATIONAL INFORMATION SYSTEM
SECURITY CERTIFICATION CONSORTIUM, INC. AND SUBSIDIARIES
Notes to Consolidated Financial Statements - Continued

(7) Concentrations

(a) Credit Risk

The Consortium maintains cash balances at various banking institutions. The accounts are
insured by the Federal Deposit Insurance Corporation (FDIC) up to $250,000. Cash balances
in banks in excess of FDIC insured limits was approximately $8.9 million at December 31,
2014 and $6.7 million at December 31, 2013. These funds could be subject to loss if the
financial institutions were to fail. Management believes the financial institutions are
financially stable and that the funds are secure.

The functional currency of the majority of the Consortium’s operations is the U.S. dollar;
however, there are a number of transactions for which the Consortium is paid in foreign
currency (British pounds or Euro).

The Consortium has included the following in cash and event receivables at December 31:

2014

Foreign Exchange
Currency Rate U.S. Dollars

Cash:
Funds in British pounds £ 308,243 1.5575 $ 480,088
Funds in Euro € 161,944 1.2143 196,649

Event receivables:
Funds in British pounds £ 143,979 1.5575 224,247
Funds in Euro € 112,611 1.2143 136,744

$ 1,037,728

2013

Foreign Exchange
Currency Rate U.S. Dollars

Cash:
Funds in British pounds £ 156,597 1.6488 $ 258,197
Funds in Euro € 292,295 1.3766 402,373

Event receivables:
Funds in British pounds £ 224,718 1.6488 370,515
Funds in Euro € 112,473 1.3766 154,830

$ 1,185,915

35
 INTERNATIONAL INFORMATION SYSTEM
SECURITY CERTIFICATION CONSORTIUM, INC. AND SUBSIDIARIES
Notes to Consolidated Financial Statements - Continued

(7) Concentrations - Continued

(a) Credit Risk - Continued

Cash and receivables have been adjusted to reflect the current exchange rate of the U.S. dollar
at December 31, 2014 and 2013. A risk of change in foreign currency rates will remain until
the cash is converted to U.S. dollars or receivables are settled. This risk is not considered
material to the Consortium’s overall consolidated financial statements. Gains and losses that
result from remeasurement are included in income. The effects from foreign currency
translation were gains of $142,029 and $44,577 during 2014 and 2013, respectively.

Event receivables at December 31, 2014 and 2013 include approximately $457,000 and
$909,000, respectively, of receivables due from one significant customer.

(b) Vendors

During 2014 and 2013, the Consortium utilized one vendor for a significant portion of
operations related to sales, marketing services and providing education services. During the
years ended December 31, 2014 and 2013, the Consortium paid this vendor approximately
$6.0 million and 7.2 million, respectively, related to operating services. Approximately
$295,000 and $529,000 were payable to this vendor as of December 31, 2014 and 2013,
respectively.

During 2014 and 2013, the Consortium utilized one vendor for a significant portion of
operations related to test delivery. During the years ended December 31, 2014 and 2013, the
consortium paid this vendor approximately $2.8 million and $2.4 million, respectively.
Approximately $359,000 and $233,000 were payable to this vendor as of December 31, 2014
and 2013, respectively.

(8) Valued-Added Taxes

The Consortium has recorded a liability for value-added tax for services sold in foreign countries.
The bulk of services are sold through independent training partners, which insulate the Consortium
from value-added tax exposure. However, there is a portion of services provided that are not
provided through independent training partners and an accrual has been recorded as an estimate of
tax exposure in these foreign countries. There may be additional foreign tax jurisdictions that may
assess taxes to the Consortium.

In areas where the Consortium collects and remits tax, revenues are recorded net of tax.

36
 INTERNATIONAL INFORMATION SYSTEM
SECURITY CERTIFICATION CONSORTIUM, INC. AND SUBSIDIARIES
Notes to Consolidated Financial Statements - Continued

(8) Valued-Added Taxes - Continued

Value-added taxes for the years ended December 31, 2014 and 2013 consist of the following:

2014 2013

United Kingdom value-added tax $ 10,526 (273)

Japan value-added tax (904) (28,073)
Reduction in general value-added tax reserve (40,000) (215,000)

$ (30,378) (243,346)

The tax accrual for value added taxes at December 31 is as follows:

2014 2013

United Kingdom value-added tax $ 93,550 49,875

Japan value-added tax - 3,559
Other unidentified foreign taxes 160,000 200,000

$ 253,550 253,434

As the Consortium continues to expand and to administer examinations and provide training in
foreign countries, there will be tax exposure to the Consortium. Management is in a continual
process of evaluating that exposure and has set aside a reserve of $160,000 for unidentified tax
liability at December 31, 2014. While the Consortium believes that this reserve is sufficient to
cover unidentified tax liabilities as of December 31, 2014, there is the potential for additional
unrecognized tax consequences.

(9) 401(k) Retirement Plan

The Consortium sponsors a 401(k) retirement plan covering substantially all employees meeting
certain service requirements. The Consortium makes discretionary safe harbor contributions which
vest immediately. Contributions to the plan were $188,964 and $146,234 for the years ended
December 31, 2014 and 2013, respectively.

37
 INTERNATIONAL INFORMATION SYSTEM
SECURITY CERTIFICATION CONSORTIUM, INC. AND SUBSIDIARIES
Notes to Consolidated Financial Statements - Continued

(10) Operating Leases

The Consortium has several leases for office space with expiration dates ranging from July 2017 to
September 2020. Rent expense for these leases totaled $826,332 and $768,836 in 2014 and 2013,
respectively.

Future minimum lease obligations are as follows:

Year Ending December 31:

2015 $ 868,400
2016 931,812
2017 890,891
2018 535,786
2019 551,859
Thereafter 378,482

$ 4,157,230

The Consortium also has lease agreements for various office equipment and office space that are on
month-to-month terms.

Total operating lease expense for the years ended December 31, 2014 and 2013, excluding amounts
for office space, totaled $22,245 and $17,523, respectively.

(11) Future Amortization of Intangible Assets

Intangible assets at December 31, 2014 consist of examination question pool costs. The estimated
future amortization expense for these intangible assets is as follows:

Year Ending December 31:

2015 $ 905,937
2016 721,016
2017 387,147
2018 40,098

$ 2,054,198

38
 (ISC)² FACT SHEET

Our Vision Governance

Inspire a safe and secure The (ISC)² Board of Directors is comprised of information security
cyber world. professionals from around the world representing academia,
private organizations and government agencies. All volunteers and
Our Mission (ISC)²-certified, the Board provides governance and oversight for the
Support and provide organization, grants certifications to qualifying candidates and
members and constituents enforces adherence to the (ISC)² Code of Ethics.
with credentials, resources,
and leadership to secure 2014 (ISC)² Board of Directors
information and deliver Wim Remes, CISSP (Belgium) – Chair
value to society. Corey Schou, Ph.D., CSSLP, Fellow of (ISC)² (USA) – Vice Chair
Greg Thompson, CISSP (Canada) – Treasurer
As of December 1, 2014, Dave Lewis, CISSP (Canada) – Secretary
(ISC)² had the following Diana Lynn-Contesti, CISSP-ISSAP, ISSMP, CSSLP, SSCP (Canada)
member counts: Dan Houser, CISSP-ISSAP, ISSMP, CSSLP, SSCP (USA)
Total Members and Greg Mazzone, CISSP (Australia)
Associates = 101,866 Jennifer Minella, CISSP (USA)
Richard Nealon, CISSP-ISSMP, SSCP (Ireland)
By Region: Professor Howard Schmidt, CISSP, CSSLP (USA)
Jill Slay, Ph.D, CISSP (Australia)
• North America = 70,506 Freddy Tan, CISSP (Singapore)
• APAC = 13,419 Professor Hiroshi Yasuda, CISSP (Japan)
• EMEA = 16,687
• Latin America = 1,254 Connect with (ISC)²
Website: www.isc2.org
Facebook: https://www.facebook.com/isc2fb
Twitter: @ISC2
LinkedIn: www.linkedin.com/company/isc2
INSPIRING A SAFE AND SECURE CYBER WORLD