CISSP concentrations: How ISSAP, ISSMP & ISSEP have changed
On October 23, 2023, ISC2 issued a major change directly impacting the ISSAP, ISSEP and ISSMP certifications. Previously, they were all CISSP specializations, meaning you had to get your CISSP before taking their respective exams. However, as of October 23, 2023, the ISC2 removed the CISSP as a requirement.
This means each certification is no longer an extension of CISSP. In other words, instead of being called CISSP-ISS(x)P, they are now standalone certs.
How does the change impact certification candidates?
The fact that these are no longer CISSP concentrations means you can earn your ISSAP, ISSEP or ISSMP certifications without getting your CISSP first. For many, this has significant benefits, such as:
- You can get your ISSAP, ISSEP and ISSMP certification faster without passing the CISSP exam first.
- You can earn your ISSAP, ISSEP and ISSMP cert by itself, which enables you to demonstrate skills in a particular discipline, such as security architecture, engineering or management.
In a way, the change also elevates the importance of the ISSAP, ISSEP and ISSMP certifications. Instead of merely being appendages of CISSP, they now stand on their own, shoulder-to-shoulder, so to speak, with their former "parent."
For a candidate, this also means that when you earn your ISSAP, ISSEP or ISSMP certifications, you can make a powerful statement regarding your qualifications. You unequivocally demonstrate your experience as a security architect, engineer or manager. If an organization is searching for someone with one of these niche skills, one of these certs could push your resume to the top of the pile.
Steps to certification
Despite the change to the requirements, the steps to earning your ISSAP, ISSEP or ISSMP are generally the same.
Step 1: Experience
To qualify for the ISSAP, ISSEP or ISSMP certifications, you still need to meet a few basic requirements, specifically when it comes to experience. If you already have your CISSP, you only need two years of cumulative, full-time experience working in one or more domains of your target certification.
If you don't already have your CISSP, you need seven cumulative years working in two or more domains. If you have a degree in computer science, IT or a similar field — or an ISC2-approved credential — that may fulfill one of the required seven years of experience. You also may be able to count part-time work and internships.
Step 2: Register with Pearson VUE and schedule the exam
If you meet the first round of qualifications, you'll next need to take an exam. You'll start by creating an account on Pearson VUE. When you set up an account, you must complete an examination agreement, which means you will adhere to the ISC2 code of ethics. You'll also need to review the candidate's background questions. Finally, you'll pay the fee of $599 (or equivalent in other currency).
Step 3: Prep for, take and pass the exam
In preparation for the exam, you can either develop a study plan or enroll in certification training prep from ISC2 or a licensed training provider. Training providers like Infosec offer live training online, in a classroom or privately on-site for groups.
The exam format for each credential is 3 hours to answer 125 multiple-choice questions. To pass, you'll need to earn 700 points on a 1,000-point scale. A panel of subject matter experts (SMEs) who are ISC2 volunteers establishes the passing score.
Step 4: Endorsement
After passing the exam, you will need to go through the endorsement process. You have nine months from the date of passing your exam to complete your endorsement. The endorsement requires a sign-off by an ISC2-certified professional who is an active member.
After the endorsement approval, you'll pay a single annual maintenance fee (AMF). ISC2 uses these fees to support the costs of maintaining certifications. The cost is $125, and it's due annually. It's one cost, no matter the number of certifications you earn.
Maintaining certification
Along with the yearly AMF, you'll also need to complete 20 CPEs every year for each concentration. Every three years, you'll need to renew your certification.
How do these concentrations differ from CISSP certification?
These certifications differ from the CISSP because they each have a specific focus, namely architecture, engineering or management. They are no longer directly tied to the CISSP, other than that holding the CISSP can reduce the experience requirements.
To truly highlight the differences between CISSP concentrations and the standard CISSP certification, we'll delve into what each of the three concentrations covers.
ISSAP
The ISSAP certification deals specifically with information security architecture, which is a key differentiating factor if you're considering ISSEP vs. ISSAP. Earning this certification demonstrates your knowledge of developing, designing, and analyzing security solutions. Further, it proves you are proficient in providing risk-based guidance to key decision-makers to enable organizational goals.
ISSAP domains and weighting
- Domain 1. Architect for governance, compliance, and risk management (17%)
- Domain 2. Security architecture modeling (15%)
- Domain 3. Infrastructure security architecture (21%)
- Domain 4. Identity and access management (IAM) architecture (16%)
- Domain 5. Architect for application security (13%)
- Domain 6. Security operations architecture (18%)
Are you a good fit for ISSAP?
ISC2 notes that ISSAP is an appropriate credential for chief security architects or analysts. It fits best with roles that take a consultative or analytical approach to information security.
Ideally, you should pursue ISSAP if you want to be an SME in your field and are plotting a path for your career that includes incremental growth in responsibility and salary. (Get your free Cybersecurity salary guide for more salary data.)
What are the learning objectives for ISSAP?
ISC2 lists the following ISSAP exam outline for each domain:
Domain 1
- Determine legal, regulatory, organizational and industry requirements
- Manage risk
Domain 2
- Identify security architecture approach
- Verify and validate design (e.g., Functional Acceptance Testing (FAT), regression)
Domain 3
- Develop infrastructure security requirements
- Design defense-in-depth architecture
- Secure shared services (e.g., wireless, email, voice over internet protocol (VoIP), unified communications (UC), Domain Name System (DNS), network time protocol (NTP))
- Integrate technical security controls
- Design and integrate infrastructure monitoring
- Design infrastructure cryptographic solutions
- Design secure network and communication infrastructure (e.g., virtual private network (VPN), internet protocol security (IPsec), transport layer security (TLS))
- Evaluate physical and environmental security requirements
Domain 4
- Design identity management and lifecycle
- Design access control management and lifecycle
- Design identity and access solutions
Domain 5
- Integrate software development life cycle (SDLC) with application security architecture (e.g., requirements traceability matrix (RTM), security architecture documentation, secure coding)
- Determine application security capability requirements and strategy (e.g., open source, cloud service providers (CSP), software as a service (SaaS)/infrastructure as a service (IaaS)/platform as a service (PaaS) environments)
- Identify common proactive controls for applications (e.g., Open Web Application Security Project (OWASP))
Domain 6
- Gather security operations requirements (e.g., legal, compliance, organizational and business requirements)
- Design information security monitoring (e.g., security information and event management (SIEM), insider threat, threat intelligence, user behavior analytics, incident response (IR) procedures)
- Design business continuity (BC) and resiliency solutions
- Validate business continuity plan (BCP)/disaster recovery plan (DRP) architecture
- Design incident response (IR) management
ISSEP
The ISSEP focuses on information systems security engineering. Earning the certification demonstrates you know how to apply systems engineering principles and processes practically. It also represents your ability to integrate security across the infrastructure. ISC2 developed the concentration in partnership with the U.S. National Security Agency (NSA).
ISSEP domains and weighting
- Domain 1. Systems security engineering foundations (25%)
- Domain 2. Risk management (14%)
- Domain 3. Security planning and design (30%)
- Domain 4. Systems implementation, verification, and validation (14%)
- Domain 5. Secure operations, change management and disposal (17%)
Are you a good fit for ISSEP?
Most pursuers of ISSEP certification are senior systems engineers, information assurance systems engineers, information assurance officers, information assurance analysts and senior security analysts. If those are your areas of specialty and interest, you can move ahead in your career and increase your salary by earning ISSEP.
What are the learning objectives for ISSEP?
ISC2 lists the following ISSEP exam outline for each domain:
Domain 1
- Apply systems security engineering fundamentals
- Execute systems security engineering processes
- Integrate with applicable system development methodology
- Perform technical management
- Participate in the acquisition process
- Design trusted systems and networks (TSN)
Domain 2
- Apply security risk management principles
- Address risk to the system
- Manage risk to operations
Domain 3
- Analyze the organizational and operational environment
- Apply system security principles
- Develop system requirements
- Create system security architecture and design
Domain 4
- Implement, integrate and deploy security solutions
- Verify and validate security solutions
Domain 5
- Develop a secure operations strategy
- Participate in secure operations
- Participate in change management
- Participate in the disposal process
ISSMP
The ISSMP centers around security management. Holding this certification represents that you can establish, present and govern information security programs. It also shows your management and leadership skills.
ISSMP domains and weighting
- Domain 1. Leadership and business management (20%)
- Domain 2. Systems lifecycle management (18%)
- Domain 3. Risk management (19%)
- Domain 4. Threat intelligence and incident management (17%)
- Domain 5. Contingency management (15%)
- Domain 6. Law, ethics and security compliance management (11%)
Are you a good fit for ISSMP?
Those pursuing ISSMP fall into leadership roles, including chief information officers, chief information security officers, chief technology officers or senior security executives. If you hold one of these titles, or one of them is the goal for your career, then ISSMP is an excellent certification that can also boost your salary. To take on a leadership role, you need more than technical skills. You also need to manage things like budget, training and metrics.
What are the learning objectives for ISSMP?
ISC2 lists the following ISSMP exam outline for each domain:
Domain 1
- Establish security's role in organizational culture, vision and mission
- Align security program with organizational governance
- Define and implement information security strategies
- Define and maintain security policy frameworks
- Manage security requirements in contracts and agreements
- Oversee security awareness and training programs
- Define, measure and report security metrics
- Prepare, obtain and administer security budgets
- Manage security programs
- Apply product development and project management principles
Domain 2
- Manage integration of security into system development lifecycle (SDLC)
- Integrate new business initiatives and emerging technologies into the security architecture
- Define and oversee comprehensive vulnerability management programs (e.g., vulnerability scanning, penetration testing, threat analysis)
- Manage security aspects of change control
Domain 3
- Develop and manage a risk management program
- Conduct risk assessments
Domain 4
- Establish and maintain a threat intelligence program
- Establish and maintain incident handling and investigation programs
Domain 5
- Oversee development of contingency plans
- Guide development of recovery strategies
- Maintain business continuity plan (BCP), continuity of operations plan (COOP) and disaster recovery plan (DRP)
- Manage recovery process
Domain 6
- Understand the impact of laws that relate to information security
- Understand management issues as related to the ISC2 Code of Ethics
- Validate compliance with applicable laws, regulations and industry best practices
- Coordinate with auditors and assist with the internal and external audit process
- Document and manage compliance exceptions
Why earn your ISSAP, ISSEP or ISSMP?
There are several benefits to earning a certification. According to the ISC2, passing an examination "demonstrates proven capabilities and subject-matter expertise beyond that required for" other certifications, such as the CISSP.
This puts you in a prime position for higher-paying positions with more responsibilities and challenges, allowing you to enjoy an even more rewarding career.
Another reason to earn your credentials is to set yourself apart from others. ISC2 certifications are highly respected in the cybersecurity industry, so earning one of these credentials will give you an advantage in a competitive, growing field. Completing these certifications is not necessary for everyone. Balance your career goals against the domains for each concentration to determine if they will fit your needs.
Which certification is right for you?
Choosing which field to specialize in involves a variety of factors. Each concentration is specific to certain roles and career paths. The decision for you may include considering:
- Your strengths and required experience
- Career goals
- Opportunities within your current organization and the job market
- What you're passionate about
- Your interest in leadership positions
By defining your goals, strengths and opportunities, you can determine which certification will deliver the most value.
To prepare to pass your test, you have some resources available from Infosec, including the following boot camps:
You can also use Infosec's ebooks to help level up your career. Check out our Cybersecurity Salary Guide and Cybersecurity certifications and skills: A roadmap for mid-career professionals today to start your journey towards a career-boosting certification.