- The GICSP exam contains 82-115 questions, including hands-on CyberLive items, with a 3-hour time limit.
- You must score at least 71% to pass on any attempt activated on or after November 19, 2018.
- The exam is open-book but allows printed materials only - no electronic devices, no internet.
- The $999 exam fee includes a 120-day activation window; retakes cost approximately $899.
What the GICSP Actually Tests
The Global Industrial Cyber Security Professional (GICSP) certification is governed by GIAC - the Global Information Assurance Certification - and developed through collaboration with a global industry consortium of organizations that design, deploy, operate, and maintain industrial automation and control system (ICS/SCADA) infrastructure. That origin matters enormously for candidates: this is not a generic cybersecurity credential repurposed for industrial settings. It was built from the ground up to reflect the real-world demands of securing operational technology (OT) environments.
What separates the GICSP from most IT security certifications is its explicit bridge between three professional worlds: information technology, engineering, and cybersecurity. A qualified candidate is expected to understand how a Modbus packet works at the protocol level, why the Purdue Reference Model shapes network segmentation decisions, and how to apply a defensible security architecture inside a facility that cannot afford downtime. That combination - technical depth across IT and OT simultaneously - is what makes the credential both difficult and genuinely valuable.
The certification is ANAB ISO/IEC 17024 accredited, meaning it meets an internationally recognized standard for personnel certification. For candidates in regulated industries like energy, water, or manufacturing, that accreditation can be a formal requirement rather than just a resume differentiator.
Exam Format: Questions, Time, and Delivery
Question Count and Type
The GICSP exam presents between 82 and 115 questions. This variable range is intentional - GIAC uses a scaled format that can shift slightly based on psychometric calibration of that specific exam version. All questions are multiple-choice in their base format, but the exam also includes CyberLive items: hands-on, practical tasks delivered inside a live virtual environment. CyberLive questions require candidates to actually perform actions - such as analyzing a packet capture, reviewing a network diagram, or identifying a configuration vulnerability - rather than simply selecting a memorized answer.
The presence of CyberLive items is a critical distinction. Candidates who prepare exclusively through flashcard-style memorization often find these questions unexpectedly difficult. Practical preparation - working through real ICS scenarios, reading actual protocol documentation, and using GICSP practice tests that include scenario-based questions - is not optional if you want to perform confidently on exam day.
Time Limit
You have exactly 3 hours to complete the exam. With up to 115 questions in 180 minutes, that averages to roughly 94 seconds per question. CyberLive items typically require more time than standard multiple-choice questions, so effective time management means moving quickly on knowledge-recall items to preserve time for hands-on tasks.
Delivery Options
The exam is available through two channels: ProctorU remote proctoring, which allows you to test from a controlled home or office environment, or Pearson VUE onsite testing at a physical test center. Both options enforce strict security protocols. For remote proctoring, your environment must be cleared of prohibited materials before the session begins - a particular consideration given the open-book rules discussed below.
| Delivery Method | Location | Open-Book Materials | Scheduling Flexibility |
|---|---|---|---|
| ProctorU (Remote) | Home or office | Printed notes allowed; room must be verified | High - schedule online anytime |
| Pearson VUE (Onsite) | Physical test center | Printed notes brought to center | Dependent on center availability |
The Seven Exam Domains Explained
GIAC does not publish exact percentage weightings for the GICSP domains, but the structure of the exam clearly reflects the full ICS security lifecycle - from understanding what you are protecting, to detecting and responding when something goes wrong. Candidates must demonstrate competency across all seven domains.
Domain 1: ICS Components, Architecture, and Protocols
The foundational layer. Candidates must understand PLCs, RTUs, HMIs, DCS systems, engineering workstations, and the communication protocols that connect them.
- Modbus, DNP3, EtherNet/IP, Profibus, and OPC protocol mechanics
- Purdue Reference Model and ICS network zone segmentation
- Physical topology vs. logical architecture distinctions
Domain 2: ICS Security Governance and Risk Management
This domain addresses frameworks, standards, and the organizational structures that govern ICS cybersecurity decisions.
- IEC 62443, NERC CIP, and NIST SP 800-82 standards
- Risk assessment methodologies applied to OT environments
- Security policies, asset inventory, and lifecycle management
Domain 3: ICS Network Security Monitoring and Incident Response
Candidates must understand how to detect anomalies in ICS traffic and respond to incidents without disrupting physical processes.
- Passive network monitoring tools and ICS-aware SIEM platforms
- Incident response planning specific to OT environments
- Forensic considerations unique to industrial control systems
Domain 4: IT/OT Convergence and Security
The intersection of enterprise IT and operational technology - where most modern ICS vulnerabilities originate.
- Challenges of applying IT security controls to OT systems
- Secure remote access architectures for ICS environments
- Patch management constraints in availability-critical systems
Domain 5: ICS Attack Surfaces and Methods
Understanding how adversaries target industrial systems - from initial access through to process manipulation.
- Common attack vectors: spear phishing, supply chain, removable media
- Malware targeting ICS: Stuxnet, CRASHOVERRIDE, TRITON/TRISIS
- Living-off-the-land techniques in OT environments
Domain 6: ICS Security Controls and Countermeasures
The practical implementation of defensive measures within the constraints of industrial operations.
- Network segmentation, DMZ design, and data diodes
- Application whitelisting and endpoint hardening for ICS hosts
- Backup, recovery, and resilience planning for OT systems
Domain 7: Physical Security for ICS Environments
Unlike most IT certifications, the GICSP explicitly tests physical security - because in ICS environments, physical access is often the most consequential attack vector.
- Physical access controls for substations, control rooms, and field devices
- Tamper detection and environmental monitoring
- Integration of physical and cyber security programs
Open-Book Rules and What They Really Mean
The GICSP is an open-book exam - but this fact misleads more candidates than it helps. The allowed materials are printed documents only. No laptops, no tablets, no smartphones, and no internet access are permitted under any circumstances during the exam.
More importantly, the exam is not designed to reward people who brought the right printout. The CyberLive items and the scenario-based multiple-choice questions test applied judgment and hands-on skill. You cannot look up the correct answer to a question asking you to identify a malicious Modbus command in a live packet capture - you need to actually understand what you are looking at.
Registration, Fees, and the Activation Window
The standalone GICSP exam attempt costs $999 USD. If you do not pass and need to retake, the retake fee is approximately $899. A standalone practice test - separate from the two practice exams bundled with the SANS ICS410 course - is available for $399.
Once you purchase the exam attempt, you have a 120-day activation window in which to schedule and sit the exam. This window begins from the date of purchase, not the date you schedule your appointment. Candidates who underestimate preparation time and let this window expire must repurchase at full price.
If you are pursuing the recommended training path, the SANS ICS410: ICS/SCADA Security Essentials course typically costs around $8,780 and includes two GIAC practice tests when bundled with an exam attempt. That bundle represents the most structured path to the exam, though it is not a formal prerequisite. GIAC recommends ICS410 training alongside one to five years of IT or OT experience with familiarity in industrial control systems. For a detailed comparison of training paths, see our guide to GICSP Training Options 2026: Courses and Self-Study Paths.
Passing Score and Scoring Mechanics
The minimum passing score is 71% for all exam attempts activated on or after November 19, 2018. GIAC does not publicly disclose overall pass rates for the GICSP, so candidates should not rely on assumptions about difficulty based on unofficial forums. Plan to exceed the threshold rather than aim for it.
At 115 questions and a 71% threshold, that means a candidate must answer approximately 82 questions correctly to pass the highest-question-count version of the exam. At 82 questions, approximately 59 correct answers are required. The variable question count means you cannot know exactly how many correct answers you need until after the exam - reinforcing the value of genuine domain mastery over score calculation strategies.
Key Takeaway
A 71% passing threshold may sound achievable, but the combination of CyberLive hands-on items, scenario-based questions across seven ICS-specific domains, and a 3-hour time constraint makes genuine preparation non-negotiable. Review the full GICSP Exam Format 2026 details to plan your time allocation on exam day.
Who Hires GICSP Holders and Why It Matters
The GICSP is recognized across sectors where industrial control systems underpin critical operations: energy and utilities, oil and gas, water and wastewater treatment, manufacturing, transportation infrastructure, and building automation. Federal agencies and defense contractors in the United States frequently list it as a preferred or required credential for ICS-focused cybersecurity roles.
Average annual compensation for GICSP holders is approximately $104,852 USD, reflecting the specialized skill set the certification validates. The roles associated with this credential are not entry-level IT security positions. They include ICS security analyst, OT security engineer, industrial cybersecurity consultant, and critical infrastructure protection specialist.
Employers value the GICSP specifically because it signals that a candidate understands both sides of the IT/OT boundary - which is where most serious ICS incidents originate. A candidate who only holds a general IT security certification may lack the operational context to work safely in an industrial environment. The GICSP's explicit coverage of Domain 7 (Physical Security for ICS Environments) and Domain 4 (IT/OT Convergence) addresses competencies that IT-only credentials simply do not test.
Structuring Your Preparation Around the Domains
Generic study methodology has limited value for the GICSP without domain-specific context. The following timeline applies spaced repetition and active recall techniques to the actual GICSP domain structure for a candidate with moderate ICS background and 8-10 study hours per week.
Domains 1 and 4: Architecture and IT/OT Convergence
- Study ICS protocol mechanics (Modbus, DNP3, EtherNet/IP) and build your reference tables
- Map the Purdue Reference Model zones and their security implications
- Review secure remote access architectures and patch management constraints in OT
Domains 2 and 7: Governance, Risk, and Physical Security
- Work through IEC 62443, NERC CIP standards, and NIST SP 800-82 summaries
- Study physical access control models for ICS environments
- Build your printed reference index for governance frameworks
Domains 5 and 6: Attack Surfaces and Defensive Controls
- Review major ICS malware case studies: Stuxnet, CRASHOVERRIDE, TRITON
- Study data diode design, DMZ architecture, and application whitelisting in OT
- Practice scenario-based questions on attack identification and mitigation
Domain 3 and Full Practice Tests
- Focus on network monitoring tools and ICS incident response procedures
- Complete at least two timed, full-length GICSP practice exams under exam conditions
- Review all incorrect answers by domain to identify remaining gaps
Certification Validity and Renewal
The GICSP certification remains valid for 4 years from the date of passing. Renewal requires either earning 36 continuing professional education (CPE) credits during that period and paying a $499 renewal fee, or retaking the current version of the GICSP exam.
CPE credits can be earned through a wide range of qualifying activities including attending ICS security conferences (S4, ICS-CERT workshops, SANS ICS Summit), publishing technical content, completing additional training, and participating in security research. Given that the ICS threat landscape evolves rapidly - new vulnerabilities, updated standards, emerging attack techniques - the 4-year validity and CPE requirement serve a genuine purpose rather than being a purely commercial renewal mechanism.
Frequently Asked Questions
The GICSP exam contains between 82 and 115 questions. The variable count reflects GIAC's psychometric scaling across exam versions. All items are multiple-choice in format, and the exam includes CyberLive hands-on practical items embedded within that count.
The minimum passing score is 71% for all exam attempts activated on or after November 19, 2018. GIAC does not publicly disclose how individual questions are weighted, so candidates should aim to demonstrate strong competency across all seven domains rather than targeting the minimum threshold.
Yes, but only printed materials are permitted. No electronic devices, smartphones, tablets, or internet access are allowed under any circumstances. The exam's CyberLive and scenario-based questions test applied skills that cannot be answered by looking something up - genuine preparation is essential regardless of what notes you bring.
There are no formal prerequisites for the GICSP exam. GIAC recommends SANS ICS410 training alongside one to five years of IT or OT experience with ICS familiarity. The ICS410 course bundle includes two GIAC practice tests and costs approximately $8,780. Candidates with strong existing ICS backgrounds sometimes pursue self-study paths instead - see our article on GICSP Training Options 2026: Courses and Self-Study Paths for a full comparison.
The 120-day activation window begins on the date of purchase. If you do not schedule and sit the exam within that window, the attempt expires. You would need to repurchase an exam attempt at the full $999 fee. Scheduling your exam date early in the window - even if you plan to study up to it - prevents accidental expiration.