ISSMP Certification Exam Outline Summary

About ISSMP

The Information Systems Security Management Professional (ISSMP) is a security leader who specializes in establishing, presenting and governing information security programs and demonstrates management and leadership skills. ISSMPs direct the alignment of security programs with the organization’s mission, goals and strategies in order to meet enterprise financial and operational requirements in support of its desired risk position.

The broad spectrum of topics included in the ISSMP Exam Outline ensures its relevancy across all disciplines in the field of information security management. Successful candidates are competent in the following six domains:

  • Leadership and Organizational Management
  • Systems Lifecycle Management
  • Risk Management
  • Security Operations
  • Contingency Management
  • Law, Ethics and Security Compliance Management

Experience Requirements

Candidates must be a CISSP in good standing and have two years of cumulative, full-time experience in one or more of the six domains of the current ISSMP outline.

Or

Candidates must have a minimum of seven years of cumulative, full-time experience in two or more of the domains of the current ISSMP outline. Earning a post-secondary degree (bachelor's or master's) in computer science, information technology (IT) or related fields, or an additional credential from the ISC2 approved list, may satisfy one year of the required experience. Only one year of experience can be waived. Part-time work and internships may also count towards the experience requirement.

Accreditation

The ISSMP is in compliance with the stringent requirements of the ANSI National Accreditation Board (ANAB) ISO/IEC Standard 17024.

Job Task Analysis (JTA)

ISC2 has an obligation to its membership to maintain the relevancy of the ISSMP. Conducted at regular intervals, the Job Task Analysis (JTA) is a methodical and critical process of determining the tasks that are performed by ISSMP credential holders. The results of the JTA are used to update the examination. This process ensures that candidates are tested on the topic areas relevant to the roles and responsibilities of today’s practicing information security professionals.

ISSMP Examination Information

Length of exam: 3 hours
Number of items: 125
Item format: Multiple choice and advanced item types
Passing grade: 700 out of 1,000 points
Exam language availability: English
Testing center: Pearson VUE Testing Center

ISSMP Examination Weights

Domain                                              Average Weight
1. Leadership and Organizational Management         21%
2. Systems Lifecycle Management                     15%
3. Risk Management                                  20%
4. Security Operations                              18%
5. Contingency Management                           12%
6. Law, Ethics, and Security Compliance Management  14%
Total                                               100%

Domains

Domain 1: Leadership and Organizational Management

1.1 Establish security’s role in organizational culture, vision, and mission

  • Defining information security program vision and mission
  • Aligning security with organizational goals, objectives, and values
  • Defining security’s relationship with the overall organization processes
  • Defining the relationship between organizational culture and security

1.2 Align security program with organizational governance

  • Identifying and navigating organizational governance structure
  • Verifying and validating roles of key stakeholders
  • Validating sources and boundaries of authorization
  • Advocating and obtaining organizational support for security initiatives

1.3 Define and implement information security strategies

  • Identifying security requirements from organizational initiatives
  • Evaluating capacity and capability to implement security strategies
  • Prescribing security architecture design
  • Managing implementation of security strategies
  • Reviewing and maintaining security strategies

1.4 Define and maintain security policy framework 

  • Determining applicable external standards, laws, and regulations 
  • Determining data classification and protection requirements 
  • Establishing internal policies 
  • Advocating and obtaining organizational support for policies 
  • Developing procedures, standards, guidelines, and baselines 
  • Ensuring periodic review of security policy framework

1.5 Manage security requirements in contracts and agreements

  • Evaluating service management agreements (e.g., risk, financial)
  • Governing managed services (e.g., infrastructure, cloud services)
  • Managing security impact of organizational change (e.g., mergers and acquisitions, outsourcing, capability development)
  • Ensuring that applicable regulatory compliance statements and requirements are included in contractual and service management agreements
  • Monitoring and enforcing compliance with contractual and service management agreements

1.6 Manage security awareness and training programs

  • Promoting security programs to key stakeholders
  • Identifying needs and implementing training programs by target segment
  • Monitoring, evaluating, and reporting on effectiveness of security awareness and training programs

1.7 Define, measure, and report security metrics

  • Identifying Key Performance Indicators (KPI) and Key Risk Indicators (KRI)
  • Associating metrics to the risk posture of the organization
  • Using metrics to drive improvements to the security program and operations

1.8 Prepare, obtain, and manage security budget

  • Preparing and securing annual budget
  • Adjusting or requesting budget based on evolving risks and threat landscape
  • Managing and reporting financial responsibilities

1.9 Manage security programs

  • Defining roles and responsibilities
  • Determining and managing team accountability
  • Building cross-functional relationships
  • Resolving conflicts between security and other stakeholders
  • Identifying communication bottlenecks and barriers
  • Integrating security controls into organization processes

1.10 Apply product development and project management principles

  • Incorporating security throughout the lifecycle
  • Identifying and applying applicable methodology (e.g., agile, waterfall, lean, rapid application development)
  • Analyzing project scope, timelines, quality, and budget

Domain 2: Systems Lifecycle Management

2.1 Manage integration of security throughout system life cycle

  • Integration of information security decision points and requirements throughout the system life cycle
  • Implementation of security controls throughout the system life cycle
  • Overseeing security configuration management (CM) processes

2.2 Integrate organization initiatives and emerging technologies throughout the security architecture 

  • Implementing security principles 
  • Addressing impact of organization initiatives on security posture 

2.3 Define and manage comprehensive vulnerability management programs (e.g., vulnerabilities, scanning, penetration testing, threat analysis)

  • Identification, classification, and prioritization of assets, systems, and services based on criticality and impact to the organization 
  • Prioritization of threats and vulnerabilities based on risk 
  • Management of security testing 
  • Management of mitigation and/or remediation of vulnerabilities 
  • Monitoring and reporting of vulnerabilities

2.4 Manage security aspects of change control

  • Integration of security requirements with change control process 
  • Conducting a security impact analysis 
  • Identification and coordination with the stakeholders 
  • Management of documentation and tracking 
  • Ensuring policy compliance (e.g., continuous monitoring)

Domain 3: Risk Management

3.1 Develop and manage a risk management program

  • Identifying risk management program objectives
  • Defining risk management objectives with risk owners and other stakeholders
  • Determining scope of organizational risk program
  • Identifying organizational risk tolerance/appetite
  • Obtaining and verifying organizational asset inventory
  • Analyzing organizational risks
  • Determining countermeasures, compensating and mitigating controls
  • Identifying risk treatment options
  • Conducting cost-benefit analysis (CBA) of risk treatment options
  • Recommending risk treatment options to stakeholders
  • Documenting and managing agreed risks and issues treatments
  • Testing, monitoring, and reporting on risks and issues

3.2 Manage security risks within the supply chain (e.g., supplier, vendor, third-party risk, contracts) 

  • Identifying supply chain security risk objectives
  • Integrating supply chain security risks into organizational risk management
  • Verifying and validating security risk control within the supply chain
  • Monitoring and reviewing the supply chain security risks

3.3 Conduct risk assessments

  • Identifying risk factors
  • Determining the risk assessment approach (e.g., qualitative, quantitative)
  • Performing the risk analysis
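
A worked example of the quantitative approach named in 3.3, tied to the cost-benefit analysis of treatment options in 3.1. This is an added illustration, not part of the ISC2 outline, and the scenario, asset values, exposure factors and control costs below are constructed for the example. It uses the standard annualized loss expectancy (ALE) arithmetic (SLE = AV × EF, ALE = SLE × ARO) and ranks treatments by net annual benefit against an explicit "accept the risk" baseline, so a control whose annual cost exceeds the risk it removes is visibly ranked below acceptance rather than recommended by default.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Scenario:
    """One risk scenario expressed in quantitative terms."""
    name: str
    asset_value: float        # AV: value of the asset at risk (currency units)
    exposure_factor: float    # EF: fraction of AV lost per occurrence, 0.0..1.0
    aro: float                # ARO: expected occurrences per year

    def sle(self) -> float:
        """Single loss expectancy: loss from one occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy before any new treatment."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Treatment:
    """A candidate control. It may lower EF, ARO, or both; None = unchanged."""
    name: str
    annual_cost: float
    new_exposure_factor: Optional[float] = None
    new_aro: Optional[float] = None


def residual_ale(s: Scenario, t: Treatment) -> float:
    """ALE that remains after applying the treatment."""
    ef = s.exposure_factor if t.new_exposure_factor is None else t.new_exposure_factor
    aro = s.aro if t.new_aro is None else t.new_aro
    return s.asset_value * ef * aro


def net_benefit(s: Scenario, t: Treatment) -> float:
    """Annual risk reduction minus annual control cost (the CBA figure)."""
    return s.ale() - residual_ale(s, t) - t.annual_cost


ACCEPT = Treatment(name="Accept the risk", annual_cost=0.0)


def rank_treatments(s: Scenario, options: List[Treatment]) -> List[Tuple[str, float, float]]:
    """Return (name, residual ALE, net benefit) for every option plus the
    accept baseline, best net benefit first. Acceptance always has a net
    benefit of zero, so anything below it costs more than it saves."""
    rows = [(t.name, residual_ale(s, t), net_benefit(s, t)) for t in options + [ACCEPT]]
    return sorted(rows, key=lambda r: r[2], reverse=True)


def recommend(s: Scenario, options: List[Treatment]) -> str:
    """Name of the treatment to recommend to stakeholders."""
    return rank_treatments(s, options)[0][0]


# Constructed scenario (not real data): ransomware against a file server.
SCENARIO = Scenario(
    name="Ransomware on primary file server",
    asset_value=2_000_000.0,
    exposure_factor=0.40,   # 40% of value lost per incident (downtime + recovery)
    aro=0.25,               # one incident expected every four years
)

# Constructed treatment options with assumed costs and effects.
TREATMENTS = [
    Treatment("Immutable offline backups", annual_cost=30_000.0, new_exposure_factor=0.10),
    Treatment("EDR rollout and hardening", annual_cost=60_000.0, new_aro=0.05),
    Treatment("Cyber insurance", annual_cost=90_000.0, new_exposure_factor=0.30),
]

if __name__ == "__main__":
    print(f"{SCENARIO.name}: SLE={SCENARIO.sle():,.0f} ALE={SCENARIO.ale():,.0f}")
    for name, residual, net in rank_treatments(SCENARIO, TREATMENTS):
        print(f"  {name:<28} residual ALE={residual:>10,.0f}  net benefit={net:>10,.0f}")
    print("Recommend:", recommend(SCENARIO, TREATMENTS))
```

The baseline ALE here is 200,000 per year. Backups reduce it to 50,000 for 30,000 a year (net benefit 120,000), EDR reduces it to 40,000 for 60,000 (net 100,000), and insurance at 90,000 a year removes only 50,000 of expected loss, so it ranks below simply accepting the risk. The same arithmetic carries into 1.8 (budget justification) and 1.7 (a KRI such as residual ALE tracked over time).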

3.4 Manage risk controls

  • Identifying controls
  • Determining control effectiveness
  • Evaluating control coverage
  • Monitoring/reporting risk control effectiveness and coverage

Domain 4: Security Operations

4.1 Establish and maintain security operations center

  • Development of security operations center (SOC) documentation 

4.2 Establish and maintain threat intelligence program 

  • Aggregating threat data from multiple threat intelligence sources
  • Conducting baseline analysis of network traffic, data, and user behavior
  • Detecting and analyzing anomalous behavior patterns for potential concerns
  • Conducting threat modeling
  • Identifying and categorizing attacks
  • Correlating related security events and threat data
  • Defining actionable alerts

4.3 Establish and maintain incident management program 

  • Development of program documentation
  • Establishing incident response (IR) case management processes
  • Establishing incident response (IR) team
  • Applying incident management methodologies
  • Establishing and maintaining incident handling processes
  • Establishing and maintaining investigation processes
  • Quantifying and reporting incident impacts and investigations to stakeholders
  • Conducting root cause analysis

Domain 5: Contingency Management

5.1 Facilitate development of contingency plans

  • Identifying and analyzing factors related to resiliency planning (e.g., Continuity of Operations Plan (COOP), external factors, laws, regulations, business impact analysis (BIA))
  • Identifying and analyzing factors related to the business continuity plan (BCP) (e.g., time, resources, verification, business impact analysis (BIA))
  • Identifying and analyzing factors related to the disaster recovery plan (DRP) (e.g., time, resources, verification)
  • Coordinating contingency management plans with key stakeholders
  • Defining internal and external crisis communications plan
  • Defining and communicating contingency roles and responsibilities
  • Identifying and analyzing contingency impact on organization processes and priorities
  • Managing third-party contingency dependencies (e.g., cloud providers, utilities)
  • Preparing security management succession plan

5.2 Develop recovery strategies

  • Identifying and analyzing alternatives
  • Recommending and coordinating recovery strategies
  • Assigning recovery roles and responsibilities

5.3 Maintain contingency plan, resiliency plan (e.g., Continuity of Operations Plan (COOP)), business continuity plan (BCP) and disaster recovery plan (DRP)

  • Planning testing, evaluation, and modification
  • Determining survivability and resiliency capabilities
  • Managing plan update process

5.4 Manage disaster response and recovery process 

  • Declaring and communicating disaster
  • Implementing plan
  • Restoring normal operations
  • Gathering lessons learned
  • Updating plan based on lessons learned

Domain 6: Law, Ethics and Security Compliance Management

6.1 Identify the impact of laws and regulations that relate to information security

  • Identifying legal jurisdictions that the organization and users operate within (e.g., trans-border data flow)
  • Identifying applicable security and privacy laws/regulations/standards
  • Identifying intellectual property laws
  • Identifying and advising on risks of non-compliance and non-conformity

6.2 Understand, adhere to, and promote professional ethics

  • ISC2 Code of Ethics
  • Organizational code of ethics

6.3 Validate compliance in accordance with applicable laws, regulations, and industry standards 

  • Informing and advising senior management
  • Evaluating and selecting compliance framework(s)
  • Implementing the compliance framework(s)
  • Defining and monitoring compliance metrics

6.4 Coordinate with auditors and regulators in support of internal and external audit processes

  • Planning
  • Scheduling
  • Coordinating audit activities
  • Evaluating and validating findings 
  • Formulating response
  • Monitoring and validating implemented mitigation and remediation actions

6.5 Document and manage compliance exceptions

  • Identifying and documenting controls and workarounds
  • Reporting and obtaining authorized approval of risk waiver

How is AI Security Incorporated into the ISSMP Domains?

The Information Systems Security Management Professional (ISSMP) certification is designed for leaders who bridge the gap between technical security and organizational strategy. As AI becomes a core driver of business innovation, the ISSMP Exam Outline includes critical management competencies for overseeing AI and ML. From establishing ethical governance to architecting resilient, AI-powered security operations, the integrated ISSMP Exam Outline ensures that senior security managers can lead their organizations through the complexities of the algorithmic era while maintaining a robust and compliant security posture.

In the Leadership and Organizational Management domain, AI integration focuses on guiding executive teams through the secure adoption of machine learning into core business functions. This domain emphasizes the establishment of ethical AI governance models that ensure algorithmic transparency and accountability for automated decision-making. Security managers are tasked with fostering a culture that encourages secure AI experimentation while preventing the risks associated with “Shadow AI”, the unauthorized use of public AI tools that could lead to data leakage or reputational damage.

Furthermore, the domain addresses the alignment of security vision with the unique demands of the AI era. This involves updating organizational missions to protect intellectual property in the age of generative AI and embedding security checkpoints directly into data science workflows. By redefining organizational processes to account for the speed of AI-assisted operations, ISSMPs ensure that security remains an enabler of innovation rather than a bottleneck to progress.

The transition from traditional, deterministic systems to continuous, probabilistic machine learning pipelines is a primary focus of the Systems Lifecycle Management domain. Security managers understand how to oversee “MLSecOps” lifecycles, integrating automated, AI-driven security testing and dynamic validation at every phase. The integration introduces explicit decision gates within the development process to halt deployments if an AI model exceeds established thresholds for bias or “hallucinations”, ensuring that only safe and reliable models reach production.

Additionally, this domain includes the use of AI to enhance the management of enterprise architectures. Practitioners are expected to leverage autonomous discovery and classification tools to categorize massive volumes of unstructured data that feed into AI systems. By managing the continuous feedback loops required to secure and retrain active models, ISSMPs ensure that the security of an application is maintained even as the underlying machine learning logic evolves over time.

Risk management has evolved from a static, point-in-time assessment to a dynamic, real-time discipline. The ISSMP Exam Outline integrates globally recognized frameworks, such as the NIST AI Risk Management Framework (AI RMF) and ISO/IEC 42001, alongside traditional strategies, enabling managers to govern the ethical use and procurement of generative AI. By utilizing predictive machine learning models for risk scoring, organizations can transition to a more proactive posture, identifying and mitigating threats to proprietary model weights and algorithms before they are exploited.

The scope of risk management also expands to include the complex ecosystem of third-party LLMs and the massive data lakes required for continuous learning. ISSMPs are expected to engage new stakeholders, such as Chief Data Officers and AI Ethics Committees, to define acceptable error thresholds and mitigate the reputational impact of AI-driven decisions. This ensures that the organizational risk strategy is comprehensive enough to cover both human and algorithmic vulnerabilities.

In the modern Security Operations Center (SOC), AI is both a powerful defensive tool and a new attack surface. This domain focuses on managing “AIOps” to autonomously detect and remediate threats, moving beyond reactive alert triage to proactive, AI-driven threat hunting. Security managers are responsible for overseeing the operational response to novel adversarial attacks, such as prompt injection and data poisoning, which specifically target the logic of the organization’s AI models.

Operational integration also involves the use of Generative AI to rapidly author and update complex playbooks and runbooks. Data Scientists and ML Engineers are key stakeholders in the incident response process. By structuring teams to include AI Security Analysts who specialize in reverse-engineering algorithmic evasion tactics, ISSMPs ensure that the SOC remains resilient in the face of machine-speed attacks.

Resiliency planning must now account for the massive scale and specialized infrastructure required by modern AI. The Contingency Management domain integrates AI by using generative modeling to simulate and draft highly complex disaster recovery (DR) plans. Security managers understand how to architect contingency strategies that prioritize the restoration of critical data ingestion pipelines and massive vector databases, ensuring that the predictive accuracy of business-critical AI does not degrade during a disruption.

The ISSMP Exam Outline also addresses the unique challenge of “Model Drift” as a continuity risk. ISSMPs must analyze the resiliency of cloud architectures hosting massive LLMs and establish Recovery Time Objectives (RTO) that account for the extreme computational resources needed to retrain a model from scratch. By utilizing predictive AI to model the business impact of various disaster scenarios, practitioners can ensure that organizational resiliency keeps pace with the demands of an AI-dependent enterprise.

The final domain, Law, Ethics and Security Compliance Management, navigates the rapidly shifting legal landscape, including global regulations such as the EU AI Act and emerging standards for algorithmic liability. Integration efforts focus on managing the conflict between data minimization requirements and the massive data ingestion needs of continuous machine learning. ISSMPs understand how to implement dynamic data routing to comply with localized trans-border data flow restrictions when training centralized enterprise LLMs.

Ethics and compliance also cover the “Right to Explanation,” where users must be informed of the logic behind automated profiling. Subtasks within this domain address the intellectual property risks of using open-source AI models and the necessity of maintaining conversational prompt histories in compliance with privacy laws. By ensuring that AI systems are transparent, unbiased and respectful of user privacy, the ISSMP serves as the guardian of the organization’s legal and ethical integrity in an automated world.

Additional Examination Information

Supplementary References

Candidates are encouraged to supplement their education and experience by reviewing relevant resources that pertain to the current ISSMP Exam Outline and identifying areas of study that may need additional attention.

View the full list of supplementary references at www.isc2.org/Certifications/References.

Examination Policies and Procedures

ISC2 recommends that ISSMP candidates review exam policies and procedures prior to registering for the examination. Read the comprehensive breakdown of this important information at www.isc2.org/Register-for-Exam.