CISSP Concentrations

 

Achieve Excellence in Information Security

You’re a leader in information security. And in this ever-changing industry in which the opposition grows ever smarter, you’re always looking for ways to stay ahead and master your craft.

Challenge yourself with a CISSP Concentration! These specialized credentials build upon the CISSP. Whether you’re interested in career growth, deeper knowledge or achieving elite status, CISSP Concentrations are optional pursuits that prove your subject matter mastery. They highlight your evolving expertise in information security:

  • Architecture
  • Engineering
  • Management

Are you ready to prove yourself? Get started today.

Steps to Certification

  1. Get the Needed Experience
  2. Create an Account at Pearson VUE and Schedule Your Exam
  3. Pass the Exam
  4. Get Endorsed

Get the Needed Experience

To qualify for the CISSP-ISSAP, you must be a CISSP in good standing and:

  • Have two years cumulative, paid, full-time work experience
  • In one or more of the six domains of the CISSP-ISSAP Common Body of Knowledge (CBK)

To qualify for the CISSP-ISSEP, you must be a CISSP in good standing and:

  • Have two years cumulative, paid, full-time work experience
  • In one or more of the four domains of the CISSP-ISSEP CBK

To qualify for the CISSP-ISSMP, you must be a CISSP in good standing and:

  • Have two years cumulative, paid, full-time work experience
  • In one or more of the five domains of the CISSP-ISSMP CBK

Create an Account at Pearson VUE and Schedule Your Exam

To schedule an exam, you must create an account at Pearson VUE.

Pearson VUE is the leading provider of global, computer-based testing for certification and licensure exams. You can find details on testing locations, policies, accommodations and more on their website.

Once you’ve set up your account and are ready to register, you’ll need to:

Pass the Exam

This is the day to show your greatness!

Depending on the exam you take, you’ll have:

  • Three hours to complete the 125 ISSAP exam questions.
  • Three hours to complete the 150 ISSEP exam questions.
  • Three hours to complete the 125 ISSMP exam questions.

You must pass the exam with a scaled score of 700 points or greater.

Want more details? Read our exam scoring FAQs.

Get Endorsed

Once you successfully pass the exam, you’ll have nine months from the date of the exam to have your application endorsed.

Your endorsement form must be completed and signed by an (ISC)² certified professional. He or she needs to be an active member who can confirm your professional experience.

(ISC)² can endorse you if you can’t find a certified individual.

Want to learn more? Read our endorsement assistance guidelines.

CISSP Concentrations

Information Systems Security Architecture Professional

The CISSP-ISSAP is an appropriate credential if you’re a chief security architect or analyst. Typically, you work as an independent consultant or in a similar capacity.

As the architect, you play a key role in the information security department. Your responsibilities fall between the C-suite and upper managerial level and the implementation of the security program.

Although your role is tied closely to technology, it may sit closer to the consultative and analytical side of information security than to hands-on implementation.

This security architect certification proves your expertise developing, designing and analyzing security solutions. It also shows you excel at giving risk-based guidance to senior management in order to meet organizational goals.

Get to Know the CISSP-ISSAP

  • Why Earn the CISSP-ISSAP

    You’re on the leading edge of your craft. Here are just a few reasons to challenge yourself with this security architect certification:

    • A demonstration of excellence. You want to stand out from your fellow CISSPs. This concentration proves you have an elite level of knowledge and expertise.
    • New opportunities. The CISSP-ISSAP opens doors: from new career paths and jobs, to more exciting work.
    • Growth and learning. This is an opportunity to dive deep and hone your craft. You’ll find new ways to grow and stay on the forefront of information security. And earning your concentration is a big challenge.
    • Ease of continuing education and dues. As a CISSP, you already have a relationship with (ISC)². If you earn the CISSP-ISSAP, you only have to share your Continuing Professional Education (CPE) credits with one organization. You may apply your CISSP-ISSAP CPE credits toward your CISSP requirement (as long as these credits are specific to security architecture). And your dues are a lot less than if you pursue an advanced certification with a separate organization. You’ll make great use of your time, energy and money.


  • Should You Pursue the CISSP-ISSAP?

    This security architect certification is an excellent way to hone your craft. But is it right for you?

    You’re a great fit for the CISSP-ISSAP if you:

    • Are a life-long learner who craves a new challenge.
    • Want to go beyond the CISSP. You have a competitive spirit and want to stand out from your peers.
    • Want to be seen as a subject matter expert and prove your knowledge in a more focused area.
    • Are looking ahead in your career. The CISSP-ISSAP will help you achieve an even higher level of success.
    • Need this concentration to move into a specific job.

    The CISSP-ISSAP is ideal for those working in roles such as:

    • System architect
    • Chief technology officer
    • System and network designer
    • Business analyst
    • Chief security officer
  • Mastering the Domains on the Exam

    The CISSP-ISSAP exam tests your skills in six domains. The domains draw from a range of information security topics within the (ISC)² Common Body of Knowledge (CBK).

    Here’s how the domains are weighted on the exam:

    CISSP-ISSAP

    Domain                                                        Weight
    1. Identity and Access Management Architecture                19%
    2. Security Operations Architecture                           17%
    3. Infrastructure Security                                    19%
    4. Architect for Governance, Compliance and Risk Management   16%
    5. Security Architecture Modeling                             14%
    6. Architect for Application Security                         15%
    Total                                                         100%

    Identity and Access Management Architecture

    • Design identity management and lifecycle
    • Design access control management and lifecycle

    Security Operations Architecture

    • Determine security operation capability requirements and strategy
    • Design continuous security monitoring (e.g., SIEM, insider threat, enterprise log management, cyber crime, advanced persistent threat)
    • Design continuity, availability and recovery solutions
    • Design security operations (e.g., interoperability, scalability, availability, supportability)
    • Integrate physical security controls
    • Design incident management capabilities
    • Security communications and networks

    Infrastructure Security

    • Determine infrastructure security capability requirements and strategy
    • Design layer 2/3 architecture (e.g., access control segmentation, out-of-band management, OSI layers)
    • Secure common services (e.g., wireless, email, VoIP, unified communications)
    • Architect detective, deterrent, preventative and control systems
    • Architect infrastructure monitoring
    • Design integrated cryptographic solutions (e.g., Public Key Infrastructure (PKI), identity system integration)

    Architect for Governance, Compliance and Risk Management

    • Architect for governance and compliance
    • Design threat and risk management capabilities
    • Architect security solutions for off-site data use and storage
    • Operating environment (e.g., virtualization, cloud computing)

    Security Architecture Modeling

    • Identify security architecture approach (e.g., reference architectures, build guides, blueprints, patterns)
    • Verify and validate design (e.g., POT, FAT, regression)

    Architect for Application Security

    • Review software development lifecycle (SDLC) integration of application security architecture (e.g., requirements traceability matrix, security architecture documentation, secure coding)
    • Review application security (e.g., custom, commercial off-the-shelf (COTS), in-house cloud)
    • Determine application security capability requirements and strategy (e.g., open source, cloud service providers, SaaS/IaaS providers)
    • Design application cryptographic solutions (e.g., cryptographic API selection, PRNG selection, software-based key management)
    • Evaluate application controls against existing threats and vulnerabilities
    • Determine and establish application security approaches for all system components (mobile, web and thick client applications; proxy, application and database services)
  • Getting Training That’s Right for You

    Prepare for your CISSP-ISSAP exam through a combination of training courses and individual study. And learn from (ISC)² — the creator of the CBK!

    Simply choose the best training format for your schedule, needs and learning style.

    In-Person Training Seminars

    Classroom-Based Training

    • Ideal for hands-on learners. The most thorough review of the CBK, industry concepts and best practices.
    • Four-day training event delivered in a classroom setting. Eight hours a day.
    • Available at (ISC)² facilities and through (ISC)² Official Training Providers worldwide.
    • Led by authorized instructors.
    Get details on Classroom-Based Training

    Private On-Site Training

    • A cost-effective and convenient training solution if your organization has 10 or more employees taking the exam.
    • Tailored to your team’s schedule, budget and certification requirements.
    • Conveniently taught in your office space or a local venue.
    • Led by authorized instructors.
    Get details on Private On-Site Training

    Online Training Seminars

    Instructor-Led Training

    • Participate from the convenience of your computer. This saves you travel time and expense.
    • Weekday, weekend and evening options to fit your busy schedule.
    • Comprehensive review of the CBK, so you’re ready for this security architecture certification.
    • Access to recordings of all course sessions for 60 days.
    • Led by authorized instructors.
    Get details on Instructor-Led Seminars

    Training Course Overview

    Our training helps you fully prepare for your CISSP-ISSAP exam. You will:

    • Review, refresh and expand your knowledge.
    • Identify areas you need to study for your exam.

    You can expect an in-depth review of the domains of the CBK — including discussion of industry best practices and timely security concepts.

    (ISC)² authorized instructors lead all our training. You’re learning from industry experts who understand you. They know how to make the content highly relatable. And they go through a rigorous process to teach to our CBK.

    Plus, we use proven adult learning techniques to reinforce topics. This approach increases how much information you retain. Our techniques are highly interactive. They focus on real-world learning activities and scenarios, so you get the most out of training.

    Self-Study Resources

    In addition to training, we offer resources to help you with self-study. Our resources include the:

  • Taking Your CISSP-ISSAP Exam

    Length of exam: Up to 3 hours
    Number of questions: 125
    Question format: Multiple choice
    Passing grade: 700 out of 1000 points
    Exam language: English
    Testing center: Pearson VUE Testing Center

    Ready to sign up for the exam? Visit the Pearson VUE website to create an account and book your exam.

  • Maintaining Your Concentration

    Once you have passed your CISSP-ISSAP exam and are certified, you need to recertify every three years. To do so, you simply need to:

    • Earn 20 continuing professional education (CPE) credits each year. (You may apply these 20 credits toward your CISSP CPE requirement as long as these credits are specific to security architecture.)
    • Pay a USD$35 Annual Maintenance Fee (AMF). This amount is in addition to the fee required for the CISSP.

Information Systems Security Engineering Professional

The CISSP-ISSEP is an ideal credential for proving you know how to incorporate security into all facets of business operations.

This security engineering certification recognizes your keen ability to practically apply systems engineering principles and processes to develop secure systems. You have the knowledge and skills to incorporate security into projects, applications, business processes and all information systems.

The CISSP-ISSEP was developed in conjunction with the U.S. National Security Agency (NSA). It offers an invaluable tool for any systems security engineering professional.

Get to Know the CISSP-ISSEP

  • Why Earn the CISSP-ISSEP

    You’re on the leading edge of your craft. Here are just a few reasons to challenge yourself with this security engineering certification:

    • A demonstration of excellence. You want to stand out from your fellow CISSPs. This concentration proves you have an elite level of knowledge and expertise.
    • New opportunities. The CISSP-ISSEP opens doors: from new career paths and jobs, to more exciting work.
    • Growth and learning. This is an opportunity to dive deep and hone your craft. You’ll find new ways to grow and stay on the forefront of information security. And earning your concentration is a big challenge.
    • Ease of continuing education and dues. As a CISSP, you already have a relationship with (ISC)². If you earn the CISSP-ISSEP, you only have to share your Continuing Professional Education (CPE) credits with one organization. You may apply your CISSP-ISSEP CPE credits toward your CISSP requirement (as long as these credits are specific to security engineering). And your dues are a lot less than if you pursue an advanced certification with a separate organization. You’ll make great use of your time, energy and money.


  • Should You Pursue the CISSP-ISSEP?

    This security engineering certification is an excellent way to hone your craft. But is it right for you?

    You’re a great fit for the CISSP-ISSEP if you:

    • Are a life-long learner who craves a new challenge.
    • Want to go beyond the CISSP. You have a competitive spirit and want to stand out from your peers.
    • Want to be seen as a subject matter expert and prove your knowledge in a more focused area.
    • Are looking ahead in your career. The CISSP-ISSEP will help you achieve an even higher level of success.
    • Need this concentration to move into a specific job.

    The CISSP-ISSEP is ideal for those working in roles such as:

    • Senior systems engineer
    • Information assurance systems engineer
    • Information assurance officer
    • Information assurance analyst
    • Senior security analyst
  • Mastering the Domains on the Exam

    The CISSP-ISSEP exam tests your skills in four domains. The domains draw from a range of information security topics within the (ISC)² Common Body of Knowledge (CBK).

    Here’s how the domains are weighted on the exam:

    CISSP-ISSEP

    Domain                                                                     Weight
    1. System Security Engineering                                             50%
    2. Certification and Accreditation (C&A) / Risk Management Framework (RMF) 15%
    3. Technical Management                                                    15%
    4. U.S. Government Information Assurance Related Policies and Issuances    20%
    Total                                                                      100%

    System Security Engineering

    • Understand the relationship between security engineering and systems engineering

    • Discover information protection needs
    • Define system security requirements
    • Develop detailed security design
    • Implement system security

    Certification and Accreditation (C&A) / Risk Management Framework (RMF)

    • Understand the U.S. Government C&A/RMF process to be applied (e.g., National Information Assurance Certification and Accreditation Process (NIACAP), DoD Information Assurance Certification and Accreditation Process (DIACAP), National Institute of Standards and Technology Special Publication (NIST SP) 800-37 rev 1)
    • Understand the roles and responsibilities of stakeholders identified with the C&A/RMF process
    • Integrate the C&A/RMF process with systems security engineering

    Technical Management

    • Understand and support the acquisition process
    • Initiate the technical effort
    • Plan the technical effort
    • Implement and manage the technical effort
    • Close the technical effort

    U.S. Government Information Assurance Related Policies and Issuances

    • Understand national laws and policies
    • Understand civil agency policies and guidelines
    • Understand DoD policies and guidelines
    • Understand applicable international standards
  • Getting Training That’s Right for You

    Prepare for your CISSP-ISSEP exam through a combination of training courses and individual study. And learn from (ISC)² — the creator of the CBK!

    Simply choose the best training format for your schedule, needs and learning style.

    In-Person Training Seminars

    Classroom-Based Training

    • Ideal for hands-on learners. The most thorough review of the CBK, industry concepts and best practices.
    • Four-day training event delivered in a classroom setting. Eight hours a day.
    • Available at (ISC)² facilities and through (ISC)² Official Training Providers worldwide.
    • Led by authorized instructors.
    Get details on Classroom-Based Training

    Private On-Site Training

    • A cost-effective and convenient training solution if your organization has 10 or more employees taking the exam.
    • Tailored to your team’s schedule, budget and certification requirements.
    • Conveniently taught in your office space or a local venue.
    • Led by authorized instructors.
    Get details on Private On-Site Training

    Online Training Seminars

    Instructor-Led Training

    • Participate from the convenience of your computer. This saves you travel time and expense.
    • Weekday, weekend and evening options to fit your busy schedule.
    • Comprehensive review of the CBK, so you’re ready for this security engineering certification.
    • Access to recordings of all course sessions for 60 days.
    • Led by authorized instructors.
    Get details on Instructor-Led Seminars

    Training Course Overview

    Our training helps you fully prepare for your CISSP-ISSEP exam. You will:

    • Review, refresh and expand your knowledge.
    • Identify areas you need to study for your exam.

    You can expect an in-depth review of the domains of the CBK — including discussion of industry best practices and timely security concepts.

    (ISC)² authorized instructors lead all our training. You’re learning from industry experts who understand you. They know how to make the content highly relatable. And they go through a rigorous process to teach to our CBK.

    Plus, we use proven adult learning techniques to reinforce topics. This approach increases how much information you retain. Our techniques are highly interactive. They focus on real-world learning activities and scenarios, so you get the most out of training.

  • Taking Your CISSP-ISSEP Exam

    Length of exam: Up to 3 hours
    Number of questions: 150
    Question format: Multiple choice
    Passing grade: 700 out of 1000 points
    Exam language: English
    Testing center: Pearson VUE Testing Center

    Ready to sign up for the exam? Visit the Pearson VUE website to create an account and book your exam.

  • Maintaining Your Concentration

    Once you have passed your CISSP-ISSEP exam and are certified, you need to recertify every three years. To do so, you simply need to:

    • Earn 20 continuing professional education (CPE) credits each year. (You may apply these 20 credits toward your CISSP CPE requirement as long as these credits are specific to security engineering.)
    • Pay a USD$35 Annual Maintenance Fee (AMF). This amount is in addition to the fee required for the CISSP.

Information Systems Security Management Professional

You are vital to your organization’s success. Prove your knowledge and leadership skills with the CISSP-ISSMP.

This cybersecurity management certification shows you excel at establishing, presenting and governing information security programs. You also demonstrate deep management and leadership skills whether you’re leading incident handling and/or a breach mitigation team.

Get to Know the CISSP-ISSMP

  • Why Earn the CISSP-ISSMP

    You’re on the leading edge of your craft. Here are just a few reasons to challenge yourself with this cybersecurity management certification:

    • A demonstration of excellence. You want to stand out from your fellow CISSPs. This concentration proves you have an elite level of knowledge and expertise.
    • New opportunities. The CISSP-ISSMP opens doors: from new career paths and jobs, to more exciting work.
    • Growth and learning. This is an opportunity to dive deep and hone your craft. You’ll find new ways to grow and stay on the forefront of information security. And earning your concentration is a big challenge.
    • Ease of continuing education and dues. As a CISSP, you already have a relationship with (ISC)². If you earn the CISSP-ISSMP, you only have to share your Continuing Professional Education (CPE) credits with one organization. You may apply your CISSP-ISSMP CPE credits toward your CISSP requirement (as long as these credits are specific to security management). And your dues are a lot less than if you pursue an advanced certification with a separate organization. You’ll make great use of your time, energy and money.


  • Should You Pursue the CISSP-ISSMP?

    The CISSP-ISSMP is an excellent way to hone your craft. But is it right for you?

    You’re a great fit for this cybersecurity management certification if you:

    • Are a life-long learner who craves a new challenge.
    • Want to go beyond the CISSP. You have a competitive spirit and want to stand out from your peers.
    • Want to be seen as a subject matter expert and prove your knowledge in a more focused area.
    • Are looking ahead in your career. A CISSP concentration will help you achieve an even higher level of success.
    • Need a CISSP Concentration to move into a specific job.

    The CISSP-ISSMP is ideal for those working in roles such as:

    • Chief information officer
    • Chief information security officer
    • Chief technology officer
    • Senior security executive
  • Mastering the Domains on the Exam

    The CISSP-ISSMP exam tests your skills in five domains. The domains draw from a range of information security topics within the (ISC)² Common Body of Knowledge (CBK).

    Here’s how the domains are weighted on the exam:

    CISSP-ISSMP

    Domain                                      Weight
    1. Security Leadership and Management       38%
    2. Security Lifecycle Management            21%
    3. Security Compliance Management           14%
    4. Contingency Management                   12%
    5. Law, Ethics and Incident Management      15%
    Total                                       100%

    Security Leadership and Management

    • Understand security’s role in the organization’s culture, vision and mission
    • Align security program with organizational governance
    • Define and implement information security strategies
    • Manage data classification
    • Define and maintain security policy framework
    • Manage security requirements in contracts and agreements
    • Develop and maintain a risk management program
    • Manage security aspects of change control
    • Oversee security awareness and training programs
    • Define, measure and report security metrics
    • Prepare, obtain and administer security budget
    • Manage the security organization (e.g., define roles and responsibilities, determine FTEs, performance evaluation)
    • Understand project management principles (e.g., time, scope and cost relationship; work breakdown structure)

    Security Lifecycle Management

    • Manage the integration of security into the system development lifecycle (SDLC)
    • Integrate new business initiatives into the security architecture
    • Define and oversee comprehensive vulnerability management programs (e.g., vulnerability scanning, penetration testing, threat analysis)

    Security Compliance Management

    • Validate compliance with organizational security policies and procedures
    • Manage and document exceptions to the compliance framework
    • Coordinate with auditors and assist with the internal and external audit process

    Contingency Management

    • Oversee development of contingency plans
    • Guide development of recovery strategies
    • Manage maintenance of the BCP and DRP plans (e.g., lessons learned, architecture changes)

    Law, Ethics and Incident Management

    • Understand the impact of laws that relate to information security
    • Develop and manage the incident handling and investigation processes
    • Understand management issues as they relate to the (ISC)² Code of Ethics
  • Getting Training That’s Right for You

    Prepare for your CISSP-ISSMP exam through a combination of training courses and individual study. And learn from (ISC)² — the creator of the CBK!

    Simply choose the best training format for your schedule, needs and learning style.

    In-Person Training Seminars

    Classroom-Based Training

    • Ideal for hands-on learners. The most thorough review of the CBK, industry concepts and best practices.
    • Five-day training event delivered in a classroom setting. Eight hours a day.
    • Available at (ISC)² facilities and through (ISC)² Official Training Providers worldwide.
    • Led by authorized instructors.
    Get details on Classroom-Based Training

    Private On-Site Training

    • A cost-effective and convenient training solution if your organization has 10 or more employees taking the exam.
    • Tailored to your team’s schedule, budget and certification requirements.
    • Conveniently taught in your office space or a local venue.
    • Led by authorized instructors.
    Get details on Private On-Site Training

    Online Training Seminars

    Instructor-Led Training

    • Participate from the convenience of your computer. This saves you travel time and expense.
    • Weekday, weekend and evening options to fit your busy schedule.
    • Comprehensive review of the CBK, so you’re ready for this security management certification.
    • Access to recordings of all course sessions for 60 days.
    • Led by authorized instructors.
    Get details on Instructor-Led Seminars

    Training Course Overview

    Our training helps you fully prepare for your CISSP-ISSMP exam. You will:

    • Review, refresh and expand your knowledge.
    • Identify areas you need to study for your exam.

    You can expect an in-depth review of the domains of the CBK — including discussion of industry best practices and timely security concepts.

    (ISC)² authorized instructors lead all our training. You’re learning from industry experts who understand you. They know how to make the content highly relatable. And they go through a rigorous process to teach to our CBK.

    Plus, we use proven adult learning techniques to reinforce topics. This approach increases how much information you retain. Our techniques are highly interactive. They focus on real-world learning activities and scenarios, so you get the most out of training.

    Self-Study Resources

    In addition to training, we offer resources to help you with self-study. Our resources include the:

  • Taking Your CISSP-ISSMP Exam

    Length of exam: Up to 3 hours
    Number of questions: 125
    Question format: Multiple choice
    Passing grade: 700 out of 1000 points
    Exam language: English
    Testing center: Pearson VUE Testing Center

    Ready to sign up for the exam? Visit the Pearson VUE website to create an account and book your exam.

  • Maintaining Your Concentration

    Once you have passed your CISSP-ISSMP exam and are certified, you need to recertify every three years. To do so, you simply need to:

    • Earn 20 continuing professional education (CPE) credits each year. (You may apply these 20 credits toward your CISSP CPE requirement as long as these credits are specific to security management.)
    • Pay a USD$35 Annual Maintenance Fee (AMF). This amount is in addition to the fee required for the CISSP.

The CISSP Concentrations Are ANSI-Accredited

The CISSP-ISSAP, CISSP-ISSEP and CISSP-ISSMP are accredited by the American National Standards Institute (ANSI). This means they comply with ISO/IEC 17024, the International Organization for Standardization and International Electrotechnical Commission standard for bodies that certify persons. Why is accreditation important when choosing a certification program?

Visit the Institute for Credentialing Excellence website for details.