I've just been through the timespan of the official ISC2 ISSMP training. Rather expensive, and not that helpful. I'm passing this on for those that are considering this concentration. I already have ISSAP and looked forward to working on another.
First problem, which probably isn't that common, is that the material is entirely for use in the USA. I'm OK with ISC2 being primarily a US organisation, but the ISSAP doesn't really have any use outside the US, at least based on the material I got through.
Second, the material provided is very simplistic; the heavy lifting is done by external links to organisations like NIST or MITRE. Many of these links were broken or to standards that have expired. Also, the course material really gave no indication what the learning outcome of these external links is or how long to spend studying them.
To do justice to all the links and have a full-time cyber security job, I don't think a time limit on the material is a good idea. Without employer support it might not be worth the risk, especially if you're risking your own money. On that latter point, you don't get the standard textbooks even in Kindle form; you are expected to buy these on top of the course costs.
Last thing, there is no tutor guidance, only generalities. What does the ISC2 think we should know to do this job well? I honestly couldn't tell.
So, if you just want to pass, buy the books and read them until you can quote them in your sleep. If you want to learn how to be a good ISSMP, start with a tutor-driven face-to-face course. The online version falls between two posts and is probably best avoided in its current form.
I'm really glad to see this, so thank you! Can you give any indication of what this work is? I spoke with an ISC2 staff member at BlackHat about my frustrations with the concentrations. Your CISSP and CCSP trainings are truly first class. I just wish the other certs had similar content availability.
The book and the links contained are enough to pass the exam. It literally took 4 days' study, so you may be looking into this too deeply if your objective is passing the exam.
By the time I took the exam I'd spent 12 years working in InfoSec, so at some time in the past I'd read a proportion of the referenced documents. You don't need to read every line in every document, obviously. I suppose it depends how you look at it. Did I spend from 1997, when I first became interested in security, until 2012, when I took the exam, amassing knowledge, or was it just the 4 days?