CISSP-ISSAP Introduction, Overview, & CISSP Recap Materials


The Certified Information Systems Security Professional-Information Systems Security Architecture Professional(CISSP-ISSAP) is more than the longest name for a certification known to man. Henceforth the CISSP-ISSAP will be referred to as ISSAP. ISSAP is one of three concentrations of the CISSP available to CISSP holders to further themselves above the CISSP. The most recent (ISC)2 member count said there are 1959 ISSAP holders out there (Source). Additionally, on average ISSAP holders net a 10% higher salary then just CISSP holders, with $144,070 to $131,030 in the US (Source).

There’s a huge gap of training material out there for the ISSAP, which is a part of what makes it so challenging. Unlike the CISSP with a myriad of practice tests, books, and vendors there’s a few forum posts and a book from 2013 by (ISC)2. Since 2013, the domains and content of the test have changed. So we’re going to rectify the gap by going over each domain individually while aligning it to already available training material. We’ll be writing recaps and highlighting what someone might want to expect on the test.

(ISC)2 has it’s speal here on why to take the test.

Disclaimer: I do not have an ISSAP, and this exercise is to help me prepare for it as much as it is to help anyone else.

Becoming an ISSAP

  • Be a CISSP in good standing
  • Have two years relevant fulltime paid work experience
  • Pass the Exam
  • Get Endorsed

» CISSP in Good Standing

Be up to date on annual maintenance fees, continuing professional education requirements, and don’t piss off (ISC)2. If you’re unsure you can check here with the last name and (ISC)2 number. If you’re still nervous just email (ISC)2 at to get an answer from the horse’s mouth.

» 2 Years Work Experience

(ISC)2 defines 2 years of work experience as a total of 24 months. To get credit for a month you have to work a minimum of 35 hours a week for four weeks. They also have an option for how to calculate part-time work here.

The work experience has to be mappable to at least one of the ISSAP domains below. If you get audited, (ISC)2 will want to talk to your supervisor, so don’t stretch the truth and make sure if you do get audited your supervisor is ready for the call.

  • Domain 1. Identity and Access Management Architecture
  • Domain 2. Security Operations Architecture
  • Domain 3. Infrastructure Security
  • Domain 4. Architect for Governance, Compliance, and Risk Management
  • Domain 5. Security Architecture Modeling
  • Domain 6. Architect for Application Security

» Pass the Exam

The ISSAP exam is 125 multiple choice questions over 3 hours taken at a Pearson VUE testing center. A passing score is 700 out of 1000 points. Questions, in traditional (ISC)2 fashion have hidden weights and point values but the domain weights are below. The next 6 blog posts on Baldr will be dissecting each domain, and aligning them to reputable training resources and highlighting important information. (ISC)2 has it’s exam outline here.

  1. Identity and Access Management Architecture 19%
  2. Security Operations Architecture 17%
  3. Infrastructure Security 19%
  4. Architect for Governance, Compliance, and Risk Management 16%
  5. Security Architecture Modeling 14%
  6. Architect for Application Security 15%

» Get Endorsed

Thankfuly you don’t need to know an ISSAP to get endorsed. Any (ISC)2 member in good standing who is able to attest to your experience can endorse you. It’s the exact same process as the CISSP, more information here.

Getting Ready for the Test Outline

Over the next 8 posts we’ll be preparing to take the ISSAP together. An outline of whats to come below. I hope you’re looking forward to it.

  • Week 1: Introduction, Overview, & CISSP Recap Materials
  • Week 2: Domain 1 Identity and Access Management Architecture
  • Week 3: Domain 2 Security Operations Architecture
  • Week 4: Domain 3 Infrastructure Architecture
  • Week 5: Domain 4 Architect for Governance, Compliance, and Risk Management
  • Week 6: Domain 5 Security Architecture Modeling
  • Week 7: Domain 6
    Architect for Application Security
  • Week 8: Recap, Outro, and Last Words of Encouragement

CISSP Recap Materials

The CISSP is a mile wide and an inch deep, and the ISSAP is meant to hone in on the architectural side of security. That being said, before we start worrying about the ISSAP it’s best to re-establish our baseline of terminology, processes, and standards. Please take this week to go through Cybrary’s wonderful 12 Hour CISSP boot camp by Kelly Handerhan, and if you have time flip through Eric Conrad’s 11th Hour CISSP Study Guide. In addition, below is a map of ISSAP to CISSP Domains to kepe in mind while studying.

See you next week.

Leave a Reply

Your email address will not be published. Required fields are marked *