topic Re: ISSEP vs ISSAP in Exams

ISSEP vs ISSAP

grayfox — Wed, 06 May 2020 19:25:42 GMT

I have both the HCISPP and the CISSP. I am extremely pleased with the (ISC)2 in terms of their reputation, integrity, and contribution to the field. My certifications have opened many doors for me.

The training offered, the opportunities to gain knowledge, the free CPEs and variety of courses are outstanding. For these reasons mentioned, and for the purpose of deepening my knowledge, I want to pursue a CISSP concentration.

I am still trying to decide between the ISSEP and the ISSAP. There seem to be the same number of job opportunities and one isn't necessarily more "prestigious" than the other one. From my analysis, it seems that the ISSEP concentrates more on the federal government approaches and frameworks, and the ISSAP is more technical and geared towards private industry.

Since my entire career has been in private industry with some consulting experience with defense contractors, I am leaning towards the ISSEP in order to round out my skills. I like the ISSAP in that it is technical and comprehensive, but it just seems to be the CISSP on steroids. I have plenty of technical experience and I think that the ISSAP is more likely to become obsolete due to the rapid changes in technology. I already have cloud certifications in AWS to prove my technical knowledge.

The ISSEP seems to be more based on methodology which is less likely to experience rapid change and become obsolete. Methodologies endure for a longer time, especially when tied to the federal government. Additionally, I am attracted to the fact that the NSA helped develop the ISSEP.

Is my reasoning sound?

Feedback is welcome. Wishing you all health and safety.

Thank you.

Re: ISSEP vs ISSAP

AppDefects — Wed, 06 May 2020 23:13:11 GMT

@grayfox wrote:

I am still trying to decide between the ISSEP and the ISSAP. There seem to be the same number of job opportunities and one isn't necessarily more "prestigious" than the other one. From my analysis, it seems that the ISSEP concentrates more on the federal government approaches and frameworks, and the ISSAP is more technical and geared towards private industry.

You are right, the NSA did originally sponsor the ISSEP, so it does have that pedigree going for it. The CBK though has shifted away from being US government centric to now being more applicable globally. The primary focus now is ensuring that qualified candidates are well versed in system security engineering principles, risk management, and technical program management. The domains may look a little different then that in the CBK, but those principles remain at its foundational core. If you choose the ISSEP you'll be one of the few, the proud, and an elite security professional that gets the job done. Combine that with your AWS certs and you'll go far. Maybe even land a position as a Chief Security Architect or a Director. Good luck!

Re: ISSEP vs ISSAP

grayfox — Wed, 06 May 2020 23:31:32 GMT

Thank you for your reply! Very helpful.

Re: ISSEP vs ISSAP

AlecTrevelyan — Thu, 07 May 2020 10:38:45 GMT

Why do you have to decide between them? Why not do both like I did?

ISC2 have a sale on online learning materials + exam bundles for CISSP Concentrations at the moment:

https://www.isc2.org/Training/Online-Self-Paced/concentrations-bundle-promo

Alternatively, you can use the suggested reference lists to find study material:

https://www.isc2.org/issap-cbk-references
https://www.isc2.org/issep-cbk-references

As to your comments about the ISSAP becoming obsolete, all ISC2 certifications are updated roughly every 3 years through a rigorous process known as the job task analysis (JTA), where certification holders get together and say what should be in the curriculum to reflect current practices based on what they do day in, day out.

Due to this, it is fair to say the ISSAP is more prone to greater changes in its curriculum than the ISSEP, but it won't ever be obsolete!

Check out my reviews of the forthcoming ISSAP and ISSEP updates to get an idea of the scope of the changes for each:

https://community.isc2.org/t5/Certifications/ISSAP-Exam-Changes-Announced/m-p/32793
https://community.isc2.org/t5/Certifications/ISSEP-Exam-Changes-Announced/m-p/34690

BTW - both of those exam updates are set to take effect Q4 2020 so that's something for you to bear in mind depending on how long you think it will take you to study.

While the JTA keeps the exams up to date, you keep your own knowledge and skills up to date through continuous professional education (CPE) - when you hold a Concentration one sixth of your CISSP CPEs need to be related to the domains of your Concentration.

Judging by what you have written it seems you've decided on the ISSEP already, which is a fine choice, but you shouldn't just write off the ISSAP as being a technical certification. While I think it is ISC2's most technical certification, it's actually a really nice blend between technical architecture and Enterprise Security Architecture concepts (i.e. alignment of IT/Security with Business goals/strategies).

Studying for either (or both) will be an excellent learning experience, so I wish you good luck with whatever you choose!

Re: ISSEP vs ISSAP

grayfox — Thu, 07 May 2020 17:02:09 GMT

Thank you for your reply. Great information and very helpful advice.

Re: ISSEP vs ISSAP

AppDefects — Thu, 07 May 2020 18:09:34 GMT

@AlecTrevelyan wrote:
Why do you have to decide between them? Why not do both like I did?

ISC2 have a sale on online learning materials + exam bundles for CISSP Concentrations at the moment:

https://www.isc2.org/Training/Online-Self-Paced/concentrations-bundle-promo

Alternatively, you can use the suggested reference lists to find study material:

https://www.isc2.org/issap-cbk-references
https://www.isc2.org/issep-cbk-references

Both? What a novel idea!

Caveat Emptor. The ISSEP reference list unfortunately misses the mark on the body of knowledge for systems security engineering, except for the reference to NIST SP 800-161, which you can think of as the new improved IATF. Even if you can find the ITAF document out there on the Internet, don't use it. Also, don't use the Official ISSEP CBK, the content in that book is longer valid.

Re: ISSEP vs ISSAP

AlecTrevelyan — Fri, 08 May 2020 09:26:22 GMT

@AppDefects wrote:

Both? What a novel idea!

Advisable only for those of us who have the requisite breadth of skill, knowledge and experience, and who like to walk the walk and not just talk the talk

Caveat Emptor. The ISSEP reference list unfortunately misses the mark on the body of knowledge for systems security engineering, except for the reference to NIST SP 800-161, which you can think of as the new improved IATF. Even if you can find the ITAF document out there on the Internet, don't use it. Also, don't use the Official ISSEP CBK, the content in that book is longer valid.

Yeah, I don't know why they added the IATF back in.

Here's the list of study materials I used which was derived from this post:

https://community.isc2.org/t5/Certifications/New-ISSEP-Official-Guide-and-or-training-for-the-March-14/td-p/8403#M2485

I passed the the ISSEP exam in Dec 2018 which means it was the same version as the one available at the moment, so these are known to be good even if some of them have some parts that are now obsolete - it never hurts to understand what came before:

NIST SP 800-30 Rev 1
NIST SP 800-100
NIST 800-37 rev 1
NIST SP 800-160
NIST SP 800-64
FIPS 140-2
NIST SP 800-115
NIAP/CCE Pub v4
NIST SP 800-88 Rev 1
NIST SP 800-53 Rev 4
Systems Engineering Fundamentals by United States Government US Army
SSE-CMM-1999
PMBOK Guide v5
Official ISC2 Guide to the CISSP-ISSEP CBK