ISSAP Certification Exam Outline

1.1 Identify legal, regulatory, organizational, and industry requirements

• Applicable information security standards and guidelines
• Third-party and contractual obligations (e.g., supply chain, outsourcing, partners)
• Applicable sensitive/personal data standards, guidelines, and privacy regulations
• Resilient solutions 

1.2 Architecting for governance, risk, and compliance (GRC)

• Identify key assets, business objectives, and stakeholders
• Design monitoring and reporting (e.g., vulnerability management, compliance audit)
• Design for auditability (e.g., determine regulatory, legislative, forensic requirements, segregation, high assurance systems)
• Incorporate risk assessment artifacts
• Advise risk treatment (e.g., mitigate, transfer, accept, avoid)

2.1 Identify security architecture approach

• Scope (e.g., enterprise, cloud) and types (e.g., network, service-oriented architecture (SOA))
• Frameworks (e.g., The Open Group Architecture Framework (TOGAF), Sherwood Applied Business Security Architecture (SABSA), service-oriented modeling framework)
• Reference architectures and blueprints
• Threat modeling frameworks (e.g., Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege (STRIDE), Common Vulnerability Scoring System (CVSS), threat intelligence) 

2.2 Verify and validate design (e.g., functional acceptance testing, regression)

• Results of threat modeling (e.g., threat vectors, impact, probability)
• Gaps
• Alternative solutions/mitigations/compensating controls
• Internal or external third-party (e.g., tabletop exercises, modeling and simulation, manual review of functions, peer review)
• Code review methodology (e.g., dynamic, manual, static, source composition analysis)

3.1 Identify infrastructure and system security requirements

• Deployment model (e.g., On-premises, cloud-based, hybrid)
• Information technology (IT) and operational technology
• Physical security (e.g., perimeter protection and internal zoning, fire suppression)
• Infrastructure and system monitoring
• Infrastructure and system cryptography
• Application security (e.g., Requirements Traceability Matrix, security architecture documentation, secure coding)

3.2 Architect infrastructure and system security

• Physical security control set (e.g., cameras, doors, system controllers)
• Platform security (e.g., physical, virtual, container, firmware, operating system (OS))
• Network security (e.g., wired/wireless, public/private, Internet of Things (IoT), management, firewalls, airgaps, software defined perimeters, virtual private network (VPN), Internet Protocol Security (IPsec), Network Access Control (NAC), Domain Name System (DNS), Network Time Protocol (NTP), Voice over Internet Protocol (VoIP), Web Application Firewall (WAF))
• Storage security (e.g., direct attached, storage area network (SAN), network-attached storage (NAS), archival and removable media, encryption)
• Data repository security (e.g., access control, encryption, redaction, masking)
• Cloud security (e.g., public/private, Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS))
• Operational technology (e.g., industrial control system (ICS), Internet of Things (IoT), supervisory control and data acquisition (SCADA))
• Endpoint security (e.g., bring your own device (BYOD), mobile, endpoint detection and response (EDR), host-based intrusion detection system (HIDS)/host-based intrusion prevention system (HIPS))
• Secure shared services (e.g., e-mail, Voice over Internet Protocol (VoIP), unified communications)
•  Third-party integrations (e.g., internal/external, federation, application programming interface (API), virtual private network (VPN), Secure File Transfer Protocol (SFTP))
• Infrastructure monitoring
• Content monitoring (e.g., email, web, data, social media, data loss prevention (DLP))
• Out-of-band communications (e.g., incident response, information technology (IT) system management, Business Continuity (BC)/disaster recovery (DR))
• Evaluate applicability of security controls for system components (e.g., web client applications, proxy services, application services)

3.3 Architect infrastructure and system cryptographic solutions

• Determine cryptographic design considerations and constraints (e.g., technologies, lifecycle, computational capabilities, algorithms, attack in system)
• Determine cryptographic implementation (e.g., in-transit, in-use, at-rest)
• Plan key management lifecycle (e.g., generation, storage, distribution)

4.1 Architect identity lifecycle

• Establish identity and verify (e.g., physical, logical)
• Assign identifiers (e.g., to users, services, processes, devices, components)
• Identity provisioning and de-provisioning (e.g., joiners, movers, and leavers process)
• Identity management technologies

4.2 Architect identity authentication

• Define authentication approach (e.g., single-factor, multi-factor, risk-based elevation)
• Authentication protocols and technologies (e.g., Security Assertion Markup Language (SAML), Remote Authentication Dial-In User Service (RADIUS), Kerberos, Open Authorization (OAuth))
• Authentication control protocols and technologies (e.g., eXtensible Access Control Markup Language (XACML), Lightweight Directory Access Protocol (LDAP))
• Define trust relationships (e.g., federated, stand-alone)

4.3 Architect identity authorization

• Authorization concepts and principles (e.g., discretionary/mandatory, Separation of Duties (SoD), least privilege, interactive, non-interactive)
• Authorization models (e.g., physical, logical, administrative)
• Authorization process and workflow (e.g., governance, issuance, periodic review, revocation, suspension)
• Roles, rights, and responsibilities related to system, application, and data access control (e.g., groups, Digital Rights Management (DRM), trust relationships)
• Management of privileged accounts (e.g., Privileged Access Management (PAM))
• Authorization approach (e.g., single sign-on (SSO), rule-based, role-based, attribute-based, token, certificate) 

4.4 Architect identity accounting

• Determine accounting, analysis, and forensic requirements
• Define audit events
• Establish audit log alerts and notifications
• Log management (e.g., log data retention, log data integrity)
• Log analysis and reporting
• Comply with policies and regulations (e.g., PCI-DSS, FISMA, HIPAA, GDPR)

In the realm of identity architecture, the ISSAP Exam Outline addresses the complex challenge of managing identities for autonomous AI agents and automated service accounts. Architects are tasked with designing “Identity-as-a-Service” (IDaaS) frameworks that enforce the Principle of Least Privilege for non-human entities, ensuring that AI systems cannot escalate their own permissions as they navigate the enterprise. This domain emphasizes the architectural integration of behavioral biometrics and AI-driven adaptive authentication to move organizations toward a true Zero Trust posture.

Furthermore, we incorporate the use of AI to enhance the orchestration of access controls across hybrid and multi-cloud environments. Architects understand how to design automated provisioning and de-provisioning workflows that react in real-time to detected anomalies in user behavior. By placing AI at the heart of identity orchestration, the ISSAP ensures that the architecture can scale to meet the demands of an increasingly automated and decentralized workforce.

The security architecture modeling domain focuses on the architectural design of the “Intelligent SOC.” We integrate AI by addressing the infrastructure requirements for Security Orchestration, Automation and Response (SOAR) platforms and AI-driven Security Information and Event Management (SIEM) systems. Architects understand how to design high-throughput data pipelines that can feed massive volumes of telemetry into ML- powered correlation engines without introducing latency or data loss.

Beyond defensive automation, this domain covers the architecture required to monitor and defend AI models themselves. This includes the placement of specialized “AI Firewalls” and monitoring probes designed to detect prompt injection or model evasion attempts. By architecting a unified visibility layer, the ISSAP ensures that security operations can maintain a cohesive defense strategy across both traditional assets and sophisticated machine learning pipelines.

Infrastructure architecture accounts for the specialized, high-performance compute environments required for AI training and inference. The integration focuses on the use of “Hardware-Rooted Trust” and Trusted Execution Environments (TEE) to protect sensitive model weights and training data at the physical layer. Architects are tasked with designing secure enclaves and micro-segmentation strategies that isolate AI workloads, preventing an adversary from leveraging a compromised AI interface to move laterally through the data center.

We also address the role of AI in defending the network and physical perimeter. Architects understand how to integrate AI-powered network sensors and Software-Defined Perimeter (SDP) solutions that can dynamically adjust to emerging threats. By building a resilient, AI-aware infrastructure, the ISSAP ensures that the foundational layers of the enterprise are capable of supporting the massive computational and security demands of modern intelligence systems.

At the architectural level, GRC integration involves designing systems that are “secure and compliant by design.” This domain focuses on the architectural implementation of the NIST AI Risk Management Framework (AI RMF) and global regulatory requirements like the “Right to Explanation.” Architects understand how to design transparent system architectures that provide auditable logs of AI decision-making, ensuring that automated processes can be verified by human overseers and legal auditors.

Additionally, this domain addresses the risk architecture for third-party and supply-chain AI integrations. We emphasize the design of “Vendor Risk Architecture” that evaluates the security posture of AI service providers before they are integrated into the enterprise. By embedding risk management directly into the architectural blueprints, the ISSAP ensures that AI adoption remains within the organization’s established risk appetite and legal boundaries.