What is the ISC2 ISSAP (Information Systems Security Architecture Professional) certification?
As technology evolves and organizations face an ever-growing range of cyber threats, certified professionals who specialize in security architecture help those organizations meet their security goals. The Information Systems Security Architecture Professional, or ISSAP certification, validates expertise in designing security solutions and in giving management risk-based guidance that supports organizational goals.
The ISSAP is a vendor-neutral certification managed by the International Information System Security Certification Consortium (ISC2), and it highlights expertise to "facilitate the alignment of security solutions within the organizational context (e.g., vision, mission, strategy, policies, requirements, change and external factors)."
As of October 2023, the prerequisites have changed. Professionals can pursue this certification through two paths: one for CISSP certification holders and another for experienced security professionals without the CISSP. CISSP holders need two years of cumulative, paid work experience in two or more ISSAP domains, while non-CISSP professionals must have seven years of experience in those domains. Both paths require passing the ISSAP examination.
For a comprehensive overview of certification pathways in cybersecurity, download our free Cybersecurity certifications and skills roadmap.
Earn your CISSP, guaranteed!
Who should earn the ISSAP certification?
This credential ideally suits professionals who design, develop and analyze complete security plans. The ISSAP certification is valuable for security professionals in positions such as:
- Systems or network architect
- System and network designer
- Business analyst
- Chief information security officer
- Chief technology officer
What are the ISSAP domains?
The ISSAP exam covers six domains with the following focus areas and weights.
Domain 1: Architect for governance, compliance and risk management - 17%
- Determine legal, regulatory, organizational and industry requirements
- Manage risk
Domain 2: Security architecture modeling - 15%
- Identify security architecture approach
- Verify and validate design (e.g., functional acceptance testing (FAT), regression)
Domain 3: Infrastructure security architecture - 21%
- Develop infrastructure security requirements
- Design defense-in-depth architecture
- Secure shared services (e.g., wireless, e-mail, voice over internet protocol (VoIP), unified communications (UC), domain name system (DNS) and network time protocol (NTP))
- Integrate technical security controls
- Design and integrate infrastructure monitoring
- Design infrastructure cryptographic solutions
- Design secure network and communication infrastructure (e.g., a virtual private network (VPN), internet protocol security (IPsec), transport layer security (TLS), etc.)
- Evaluate physical and environmental security requirements
Domain 4: Identity and access management (IAM) architecture - 16%
- Design identity management and lifecycle
- Design access control management and lifecycle
- Design identity and access solutions
Domain 5: Architect for application security - 13%
- Integrate software development life cycle (SDLC) with application security architecture (e.g., requirements traceability matrix (RTM), security architecture documentation and secure coding)
- Determine application security capability requirements and strategy (e.g., open-source, cloud service providers (CSP) and software as a service (SaaS)/infrastructure as a service (IaaS)/platform as a service (PaaS) environments)
- Identify standard proactive controls for applications (e.g., Open Web Application Security Project (OWASP) and more)
Domain 6: Security operations architecture - 18%
- Gather security operations requirements (e.g., legal, compliance, organizational and business requirements)
- Design information security monitoring (e.g., security information and event management (SIEM), insider threat, threat intelligence, user behavior analytics and incident response (IR) procedures)
- Design business continuity (BC) and resiliency solutions
- Validate business continuity plan (BCP)/disaster recovery plan (DRP) architecture
- Design incident response (IR) management
For more details on the exam domains and subdomains, review the full ISSAP exam outline.
What skills are tested by the ISSAP exam?
The ISSAP exam will verify your skills by testing your ability to:
- Create an information security architecture that meets the requirements of governance, compliance and risk management
- Evaluate security architecture models and frameworks
- Develop an infrastructure security program
- Produce an identity and access management architecture
- Integrate security principles into application development
- Design a security operations architecture
What is involved with the ISSAP exam?
Below are details of the ISSAP exam in brief:
- Length of exam: Three hours
- Exam format: Multiple-choice questions
- Number of questions: 125
- Passing grade: 700 out of 1,000
- Language: English
- Test center: Pearson VUE testing center
How do I register for an ISSAP exam?
To register for an ISSAP exam, carry out the following steps:
- Create an account with Pearson VUE, the exclusive global administrator of all ISC2 exams
- Select the ISC2 certification exam you are pursuing
- Schedule your exam and testing location
- Pay for the test online
- Once your registration is confirmed, read the ISC2 examination agreement and make sure you understand and accept your obligations; also review all ISC2 exam policies and procedures before test day
Additional fee info:
- Rescheduling exam: $50 in the U.S.
- Canceling exam: $100 in the U.S.
Annual Maintenance Fee (AMF) and CPE requirements:
- CISSP holders:
  - No additional AMF
  - 60 CPE credits every three years
- Non-CISSP professionals:
  - First ISC2 certification: $125 AMF
  - Current CC holders: Additional $75 AMF
  - 140 CPE credits every three years
See up-to-date exam pricing and fees on the ISC2 website.
What are the best ISSAP study resources?
You can prepare for the CISSP-ISSAP exam by reviewing relevant domains and topics of the ISSAP certification exam outline, which was last updated in October 2020.
Below are other study resources for ISSAP exam preparation:
- Infosec ISSAP Boot Camp: This four-day boot camp includes live in-person or online instruction that prepares you to pass the exam — and includes an Exam Pass Guarantee.
- Official ISC2 Guide to the ISSAP CBK, Second Edition: This is a comprehensive guide covering all the domains of the ISSAP exam.
- ISC2 materials: The ISC2 website includes flash cards and a practice quiz.
Study tips for the ISSAP exam
The ISSAP, one of the CISSP concentrations, can position you for success in an IT security architecture career. Passing the exam demands thorough preparation across all six domains. These tips will help you create an effective study strategy:
- Make a study schedule: You must prepare in-depth for all six domains. Dividing your time into days or weeks for each domain will help you achieve the targets and not fall behind in preparation. Consider allocating extra time to domains with higher exam weights or areas where you need more practice.
- Prepare a summary: Note all important points and make summary notes for yourself for later reference and keep things fresh in mind. Focus on key concepts, frameworks and technical details from each domain. Review these notes regularly to reinforce your understanding.
- Practice exam questions extensively: The more you practice, the more confident you will be during the timed exam, and you will learn to pace yourself across all questions. Focus on understanding why answers are correct or incorrect rather than memorizing solutions. Time yourself during practice to build comfort with the three-hour exam duration.
- Join study groups in the ISC2 Community: Connect with other security architects preparing for the exam to share insights, discuss complex topics and learn from shared experiences. Start with Infosec's TechExams ISC2 community.
Earning the ISSAP certification
The ISSAP certification demonstrates advanced knowledge and experience in information security architecture, opening doors both for current architects and for those planning a career in security architecture. ISSAP holders play crucial roles in IT security departments, leading the design and implementation of security solutions, and their responsibilities span technical architecture through executive leadership positions.
As a specialized security architecture credential, ISSAP certification remains an elite qualification in the cybersecurity field. ISSAP holders guide critical security decisions, shape organizational security strategy, and help build resilient security architectures that protect against evolving threats.
Download our cybersecurity salary guide to find out what you could make as an ISSAP professional. Or if you're ready to start your ISSAP journey, our ISSAP Boot Camp gives you instructor-led training and an Exam Pass Guarantee.