A Brilliant Example of “Cert Error Damage Control”

In her most recent (12/2/2010) blog posting at GoCertify.com entitled “CISSP Exam Scoring Error Revealed,” Anne Martinez describes the right — indeed, some might argue the only — way to handle a scoring error on that important and much-coveted information security certification.

First, the facts of the matter: owing to some scoring errors on CISSP exams handled in the period from October 15-21, 2010, some CISSP candidates who failed the exam received notices that they’d passed (bad enough) while others who’s actually passed the exam got notices that they’d failed (worse still). According to Executive Director Hord Tipton’s 11/18/2010 blog on this subject, this error occured during the period when (ISC)² “…implemented a new scoring interface as part of our transition to a new exam delivery and scoring provider.”

If you ask me, the way (ISC)² handled this situation provides a textbook example of how to handle any serious breach of performance in a certification operation (and indeed, for any kind of public organization that must rely on trust and confidence to maintain its reputation). First, they acknowledged their error and explained how it happened. Second, they apologized for the mistake and explained how they were able to verify that they had checked for and identified every instance where the error had an impact on exam candidates. Third, they explained what steps they took to prevent such an occurrence from repeating.

What they did fourth, however, shows the kind of good faith in dealing with the public that I wish every business would demonstrate. For those candidates who received erroneous pass notifications, (ISC)² is offering a refund of their exam fee, the opportunity to retake the exam at no charge, and a free online CISSP CBK seminar (CBK stands for “Common Body of Knowledge,” the 10 information domains that constitute the topics and concepts about which candidates are tested). Those candidates who passed but received erroneous failure notices will be exempted from paying annual maintenance fees for their cert for the next year (through the end of 2011, that is), and may request (ISC)² to expedite processing of endorsements and experience verifications so that they will earn their CISSP credentials as quickly as the (ISC)² can manage to grant them.

Here’s Hord Tipton’s apology for the situation, which also shows appropriate humility and understanding for the situation of affected exam candidates:

Before I provide the details on how this happened and what we are doing to rectify the situation, I wish to publicly offer our heartfelt apologies to the candidates who received the incorrect exam results.  We understand the high-level of difficulty the CISSP exam presents to professionals and how hard candidates work to obtain their certifications to reap its many benefits, including better job opportunities and salaries.  During this tough economic climate, we realize that the certification has become even more desired by information security professionals and critical to obtain.  As a credential-holder myself, I know how heart-wrenching the exam process can be. We deeply regret any personal distress that may have been caused by these erroneous notifications.  I speak not just for myself, but for all (ISC)² employees and board members.

Heads up, cert program operators! If you want to take a lesson on how to handle a screw-up, you could do a lot worse than to construct a playbook around the way that the (ISC)² handled this situation. Too bad it happened in the first place, but you can hardly fault them for their subsequent follow-up. Bravo!