Newcomer II

ISSMP Passed - Study Sharing

Disclaimer: I will not violate the ISC2 NDA. Do not email or contact me regarding specific questions related to the content of the exam. 


I passed the exam (June 2021) and received my endorsement!

The exam definitely follows the ISC2 approach of ensuring you have full understanding of the underlying topics. The questions test your ability to apply your core understanding and I do not believe there is a way to study for the questions. Rather, you must truly understand the material at a core level.

I've recently passed both the CISM and CRISC, so I was feeling well prepared for the ISSMP. This exam was definitely typical of ISC2 and I firmly believed I had failed until I got the printout with "Congratulations!" on the first line.


Study Plan

The following is how I approached studying for the test:

  • Read the ISACA CISM CRM (Certification Reference Manual) - Good foundational information
  • Utilized the ISACA CISM QA&E (Questions Answers & Explanations) - Essential!
  • Read the ISACA CRISC CRM - Foundational and focused specifically on Risk
  • Utilized the ISACA CRISC QA&E - Helpful
  • Read the Official (ISC)2 Guide to the ISSMP CBK - 2nd Edition (I just reviewed the material and focused on the areas that the CISM had not covered)
  • Read all online documents identified in the ISC2 CBK Suggested References for the ISSMP (I did not purchase any books other than the ISSAP CBK)
  • Downloaded the ISC2 Exam Outline for the ISSMP, searched for, and read, references to each section (focusing on NIST documents)
  • Downloaded the ISC2 Flashcards and worked through the tests for each domain

Test Question Preparation

The ISACA CISM QA&E is essential, in my opinion.


The questions are nothing like the test, but the questions ensure your understanding of the overall material.


You need to understand both the reason why an answer is wrong and why an answer is right. This will help hone your understanding of the topics.


Taking the Test

You must be focused and relaxed.

  • Read the question. Read the question again. Read the question a third time.
  • Read the possible answers.
  • Read the question again.
  • Select your answer.

Good Luck!

17 Replies
Community Champion

Congrats @DWayland and welcome to the club!


Newcomer II

Thanks @AlecTrevelyan, this was definitely a long term goal.


Thanks again!

Newcomer I

Congrats on passing the ISSMP!


I had a question on your endorsement experience. I was wondering how long it took between the time you submitted the application for endorsement and when you got the approval email from (ISC)2?


Six weeks for an approval of ISSMP seems like a really long time when the process doesn't even require someone to endorse concentrations.


Just curious because I passed the exam just over a week ago, and trying to set my expectations appropriately.


Congrats again on passing the exam!



Advocate II

My ISSMP came through very quickly, even back when it was a paper based exam.

Congrats on passing the exam.


Newcomer II

My ISSMP endorsement process finished in about 3 weeks.


I was pleasantly surprised.

Newcomer I

Mine finished in just under two weeks. I am happy that it didn't take 4-6 weeks.


However, as I wrote to (ISC)2, my main concern is that I think the process is antiquated and somewhat broken. (ISC)2 isn't unique in reviewing the scoring of tests using psychometrics. Indeed, AWS, Microsoft, and a host of others use this method to validate test results.


The problem comes in the endorsement process itself. (ISC)2 has several other options available to it rather than relying on the office staff. They could implement:

  • a web-of-trust model for the endorsement process;
  • a blind panel review (like they do for scholarships) and approve the highest scoring ones automatically and do "staff reviews" of the lower scoring ones;
  • implement a sort of confidence system for people who hold multiple certifications with them (e.g. the more certifications you hold with them, the higher the confidence level they have in you and endorsement becomes automatic subject to audit).


There are lots of ways to do this to cut down the time from weeks to days - (ISC)2 just needs to be interested enough in it to do something about it.

The Credly/Acclaim badges are also another area where it is difficult to understand the issue. Again, comparing (ISC)2 to my experience with companies who give technical exams, you go from "pass to badge" in about 48-72 hours. With (ISC)2 it can take up to another month from the date that they endorse you. It's just really hard to understand what drives the difference. It'd be great to know what Microsoft and AWS have been to optimise so that some learning can be shared with (ISC)2.


I get this isn't the exact forum to discuss these things, but I really do think the endorsement process at (ISC)2 needs to be improved upon. I am not bought into the fact that a quicker and more efficient endorsement process is an insurmountable challenge.

Advocate II

Still not as long winded as CIISec.  


It took an age to complete the application; all 40+ pages of narrative, then several weeks to arrange a face to face interview and then about 3 or 4 weeks to be notified I'd been accepted.


Newcomer II

I have no issues with the endorsement process.


Once the certification is passed, to me, if it takes 2 weeks or 6 months, the certification is gained.


I would rather have a thorough vetting and I'm willing to wait as long as needed.


Now, with that, I definitely want to be able to post my accomplishment as soon as possible, but I understand why I have to wait.

Newcomer I

If this timeframe works for you that's great.

Now, at no point did I say that the process wasn't important or that it
doesn't serve a purpose. What I said, in summary, is that there are faster
and more efficient ways to do this that would still give them the quality
vetting that is needed. I outlined a few ways as examples.

(ISC)2 staff are working through a pile of endorsement applications. How
much time do you think they are really spending on each endorsement
application? If the endorsement application were asking for lots of info
that most candidates weren't already making publicly available on LinkedIn,
or asked for detailed answers to questions to measure knowledge or share
perspective, I would understand the current system better.

A time frame of "two weeks to six months" may very well be fine for you.
However, many people are using these certifications to demonstrate
independent verification of their knowledge to potential or current
employers or as part of RFI responses when asked. Looking to be thorough
and efficient are not mutually exclusive. We can have both.

I appreciate that you took the time to share your view.