What is the CISSP-ISSAP? Information Systems Security Architecture Professional [updated 2021]

Daniel Brecht
July 21, 2021 by
Daniel Brecht

As technology is evolving and organizations face new challenges to secure information from the ever-increasing cyberthreats, certified professionals are trained and specialized in helping achieve all-new security goals. One of the most acclaimed certifications focused on computer system security is the CISSP (Certified Information Systems Security Professional).

A “CISSP who specializes in designing security solutions and providing management with risk-based guidance to meet organizational goals” is an ISSAP (Information Systems Security Architecture Professional). The ISSAP is one of three specialized credentials that build upon the CISSP. It highlights expertise to “facilitate the alignment of security solutions within the organizational context (e.g., vision, mission, strategy, policies, requirements, change and external factors).”

The CISSP-ISSAP is a vendor-independent certification program by the International Information Security Certification Consortium, or ISC2. The certification is for CISSP professionals who want to build on their expertise in information security architecture. First, you will have to gain at least two years of cumulative, paid and full-time work experience in one or more of the six domains of ISC2’s CISSP-ISSAP common body of knowledge (CBK). Only those who meet the prerequisites can sit for the ‘experience-based questions’ exam. 

Earn your CISSP, guaranteed!

Earn your CISSP, guaranteed!

Get live, expert CISSP training from anywhere. Enroll now to claim your Exam Pass Guarantee!

Who should you earn the ISSAP certification?

This credential ideally suits those professionals who are placed in critical roles and generally design, develop and analyze a complete security plan. Typically, ISSAP certification is for CISSP certified experts working for positions such as, but not limited to, the following:

  • Chief information security officer
  • Chief technology officer
  • Business analyst
  • System architect
  • Network designer 

What are the ISSAP domains?

Domain 1. Architect for governance, compliance and risk management: 17%

  • Determine legal, regulatory, organizational and industry requirements
  • Manage risk

Domain 2. Security architecture modeling: 15%

  • Identify security architecture approach
  • Verify and validate design (e.g., functional acceptance testing (FAT), regression)

Domain 3. Infrastructure security architecture: 21%

  • Develop infrastructure security requirements
  • Design defense-in-depth architecture
  • Secure shared services (e.g., wireless, e-mail and voice over internet protocol (VoIP), unified communications (UC) etc.)
  • Domain name system (DNS) and network time protocol (NTP)
  • Integrate technical security controls
  • Design and integrate infrastructure monitoring
  • Design infrastructure cryptographic solutions
  • Design secure network and communication infrastructure (e.g., a virtual private network (VPN), internet protocol security (IPsec), transport layer security (TLS) etc.)
  • Evaluate physical and environmental security requirements

Domain 4. Identity and access management (IAM) architecture: 16%

  • Design identity management and lifecycle
  • Design access control management and lifecycle
  • Design identity and access solutions

Domain 5. Architect for application security: 13%

  • Integrate software development life cycle (SDLC) with application security architecture (e.g., requirements traceability matrix (RTM), security architecture documentation and secure coding)
  • Determine application security capability requirements and strategy (e.g., open-source, cloud service providers (CSP) and software as a service (SaaS)/infrastructure as a service (IaaS)/platform as a service (PaaS) environments)
  • Identify standard proactive controls for applications (e.g., Open Web Application Security Project (OWASP) and more)

Domain 6. Security operations architecture: 18%

  • Gather security operations requirements (e.g., legal, compliance, organizational and business requirements)
  • Design information security monitoring (e.g., security information and event management (SIEM), insider threat, threat intelligence, user behavior analytics and incident response (IR) procedures)
  • Design business continuity (BC) and resiliency solutions
  • Validate business continuity plan (BCP)disaster recovery plan (DRP) architecture
  • Design incident response (IR) management

For more details on the exam domains and subdomain changes, review the CISSP-ISSAP domain refresh guide. A job task analysis instigated a content refresh to reflect the most pertinent cybersecurity architecture issues.

What skills are tested by the ISSAP exam?

The ISSAP exam will verify your skills by testing your ability to:

  • Create an information security architecture that meets the requirements of governance, compliance and risk management
  • Evaluate security architecture models and frameworks
  • Develop an infrastructure security program
  • Produce an identity and access management architecture
  • Integrate security principles into applications development
  • Design a security operations architecture

What is involved with the ISSAP exam?

Below are details of the ISSAP exam in brief:

  • Length of exam: three Hours
  • Exam format: multiple-choice questions
  • Number of questions: 125
  • Passing grade: 700 out of 1,000
  • Language: English
  • Test center: Pearson Vue testing center

How do I register for an ISSAP exam?

To register yourself for an ISSAP exam, carry out the following steps:

  1. Create an account with Pearson VUE, the exclusive, global administrator of all ISC2 exams
  2. Select the ISC2 certification exam you are pursuing
  3. Schedule your exam and testing location
  4. Pay for the test online ($599/EUR 555/GBP 479)
  5. Once the application is approved, read the ISC2 examination agreement and fully understand and accept your obligations; in addition, review all ISC2 exam policies and procedures before the test day

Additional fee info:

  • Rescheduling exam: $50/35£/40€
  • Canceling exam: $100/70£/80€

To reschedule or cancel your exam appointment, contact Pearson VUE. “If you do not sit for your exam within 365 days of your initial scheduled exam date, your exam fee will NOT be refunded.”

Members only pay a single annual maintenance fee (AMF) of $125 to support the ongoing development. This is regardless of how many certifications they earn. Recertification is accomplished by earning continuing professional education (CPE) credits, of which 20 CPE credits of the total number of Group A CPEs required in the CISSP three-year cycle must be directly related to your concentration.

What are the best ISSAP study resources?

You can get ready for the CISSP-ISSAP exam by reviewing relevant domains and topics of the ISSAP certification exam outline, which was last updated in October 2020.

Below are other study resources for ISSAP exam preparation:

  • "Official ISC2 Guide to the ISSAP CBK, Second Edition"
  • ISSAP Self-Paced Training Course
  • Official ISSAP Flash Cards
  • ISC2 Certification Prep Kit for the CISSP-ISSAP
  • CISSP-ISSAP Training Course Outline

Study tips for the ISSAP exam

The ISSAP exam, which is part of the CISSP certification family, can best position yourself for success in an IT security career. Here are some helpful study tips that will help you prepare for the exam efficiently and in a short span of time.

  • Make a study schedule. You must prepare for all six domains in-depth; dividing your time into days or weeks for each domain will help you achieve the targets and not fall behind in preparation.
  • Prepare a summary. Note down all important points and make summary notes for yourself for later reference and to keep things fresh in mind.
  • Practice exam questions will help you develop an understanding of how an actual exam is. The more you practice, the more confident you will be while attempting the timed exam and learn to divide your time evenly for all questions.

Earn your CISSP, guaranteed!

Earn your CISSP, guaranteed!

Get live, expert CISSP training from anywhere. Enroll now to claim your Exam Pass Guarantee!

Earning the ISSAP certification 

The ISSAP certification, part of the CISSP suite, adds an extra badge of knowledge and experience for those working in information security architecture (and those planning on information security architecture as a career). Certified ISSAPs are highly in demand, for they play a lead role in IT security departments as systems and solution architects. They usually have leadership responsibilities and jobs that range from non-management to the upper managerial tier of the organization. 

There are only 2,147 CISSP-ISSAP certified individuals worldwide, with 1,311 based in the United States (as of Jan. 1, 2021). Will you be added to the list? Look at the average ISSAP salary in 2021 to see how this credential can benefit your career and earning potential.



Daniel Brecht
Daniel Brecht

Daniel Brecht has been writing for the Web since 2007. His interests include computers, mobile devices and cyber security standards. He has enjoyed writing on a variety of topics ranging from cloud computing to application development, web development and e-commerce. Brecht has several years of experience as an Information Technician in the military and as an education counselor. He holds a graduate Certificate in Information Assurance and a Master of Science in Information Technology.