Newcomer II

ISSMP Passed - Study Sharing

Disclaimer: I will not violate the ISC2 NDA. Do not email or contact me regarding specific questions related to the content of the exam. 


I passed the exam (June 2021) and received my endorsement!

The exam definitely follows the ISC2 approach of ensuring you have full understanding of the underlying topics. The questions test your ability to apply your core understanding and I do not believe there is a way to study for the questions. Rather, you must truly understand the material at a core level.

I've recently passed both the CISM and CRISC, so I was feeling well prepared for the ISSMP. This exam was definitely typical of ISC2 and I firmly believed I had failed until I got the printout with "Congratulations!" on the first line.


Study Plan

The following is how I approached studying for the test:

  • Read the ISACA CISM CRM (Certification Reference Manual) - Good foundational information
  • Utilized the ISACA CISM QA&E (Questions Answers & Explanations) - Essential!
  • Read the ISACA CRISC CRM - Foundational and focused specifically on Risk
  • Utilized the ISACA CRISC QA&E - Helpful
  • Read the Official (ISC)2 Guide to the ISSMP CBK - 2nd Edition (I just reviewed the material and focused on the areas that the CISM had not covered)
  • Read all online documents identified in the ISC2 CBK Suggested References for the ISSMP (I did not purchase any books other than the ISSAP CBK)
  • Downloaded the ISC2 Exam Outline for the ISSMP, searched for, and read, references to each section (focusing on NIST documents)
  • Downloaded the ISC2 Flashcards and worked through the tests for each domain

Test Question Preparation

The ISACA CISM QA&E is essential, in my opinion.


The questions are nothing like the test, but the questions ensure your understanding of the overall material.


You need to understand both the reason why an answer is wrong and why an answer is right. This will help hone your understanding of the topics.


Taking the Test

You must be focused and relaxed.

  • Read the question. Read the question again. Read the question a third time.
  • Read the possible answers.
  • Read the question again.
  • Select your answer.

Good Luck!

17 Replies



I'm about to start preparing for the ISSMP exam and I'm looking around for study material....

Was "Official (ISC)2 Guide to the ISSMP CBK - 2nd Edition" any help? You mention it in the list, but the reviews on Amazon are terrible for this book, which is why I'm wondering if I should purchase it or not.

Unfortunately, the official online study preparation material provided by ISC is way too expensive.


Best regards


Newcomer I

Hi Chris,

An excellent question.

There really is no good way to prepare for this exam. Even more than the CISSP, the ISSMP is an experience-based exam (imho). But hopefully this feedback helps a bit.

I got the CBK book and read it, but I don't feel like it provided much value. In fact, I am glad work paid for it instead of me (otherwise I would have wanted my money back).

I think you're better off reading the exam content outline, identifying which areas you feel unsure about, and then reading through the associated material on the CBK reference list for the ISSMP (focus on the free NIST and other documents). And also checking for content on YouTube, websites, and other channels you trust.

You can also consider downloading and using CISM prep apps. I think CISM drastically expands on risk management categories and risk types compared to ISSMP, but the high-level context is the same.

If you took your CISSP exam and passed it within the last three years, it will serve you well (if not, brush up by getting a copy of something like the 11th Hour CISSP and read the appropriate sections you feel weak on). Helpful if you have a CCSP for a few questions, but absolutely not required.

We are probably not allowed to plug other communities, but if you have Discord, join the Certification Station:

I found that channel to be very helpful to me in studying for my CCSP and my

The culmination of your IT experience has probably prepared you more for this exam than you give it credit for. Speaking for myself, I went from being nervous about the lack of material to confident that, so long as I remember what (ISC)2 focuses on (code of ethics, good governance and risk management, sound technical choices to maximise security benefit), I would probably pass the exam.

Sorry that I don't have a specific list of references to offer, but hope that some of this was helpful.

Hi Rodney

Thanks for the reply, I really appreciate it.

Don't worry too much about the lack of a specific list of references, your pointers are quite helpful.

I did pass the CISSP in 2019, followed up by CISM and CISA in 2020. I have finished the basic preparation for CRISC as well, but there is a CRISC exam overhaul coming up soonish, so I'll wait until that is out.

Overall I think that means I'm at least half-way there so I'll check the official exam outline and focus on the identified weaknesses.

(By the way, ISACA also insists on saying how much of an experience-based exam CISA is, and yet I managed to pass the exam. CKAD/CKA/CKS exams are much harder because these are hands-on exams where time management is absolutely crucial.)

Best regards


Newcomer I

No worries, glad it was useful.

Given your certification history, you're more like >80% of the way there.

Good luck when you decide to take it - I am sure you'll knock it out of the park 😊
Community Champion

I recall I took the CISM and ISSMP together.
I only looked at the CISM QAE for the CISM,
and looked at one or two domains in the ISSMP which are not covered in the CISM, and pretty much that's it for me.
Community Champion


Congrats and welcome to the club.

Newcomer II

Thanks John.


This was definitely a roadmap goal, and it's nice to finally have it.

Viewer II

Thank you for the write up. Helpful. Same boat, not a lot of good study material out there for the ISSMP.