cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
riffjim4069
Newcomer II

Recently Passed the ISSAP - my thoughts and strategy

I recently passed the Information Systems Security Architecture Professional (ISSAP) exam and wanted to briefly mention my strategy since...well, the ISSAP CBK is dated and needs to be revamped.  First, the ISSAP is no longer a CISSP concentration certification (Oct 2023).  The ISSAP, along with the ISSEP and ISSMP, are Stand Alone certifications and take precedence ahead of the CISSP.  They require 7-years of experience vice 5-years for the CISSP (e.g., CISSP + 2 Years or 7 years cumulative).  Just thought I would toss this out there if you weren't already aware.   
 

Second, I've been an ISSEP for about 15-years and I don't recall having my engineering "experience" endorsed back when the ISSEP was a concentration certification.  But it has been a while, so I may be mistaken.  Regardless, you'll need a fellow ISC2 member to endorse your Architecture experience regardless of how long you've been a CISSP, or whether you've already obtained other [formerly] concentration certifications. 
 

Disclaimer: due to the NDA (https://www.isc2.org/Exams/Non-Disclosure-Agreement) there is limited information I can disclose about the exam itself, nor would I, but I can share what materials and strategy I used to prepare. The exam itself is NOT a walk in the park so preparation is key. 
 

Rote memorization and the ability to regurgitation information will not get you over-the-bar since the ISSAP (ISSEP for that matter) deals with one's ability to understand problems, and process a deep knowledge of myriad infrastructure and cloud technologies.  And let's not forget the ISSAP needs to provide sound architectural and risk based guidance to senior management in pursuit of organizational goals.
 

Having real world experience is key! If the CISSP exam is a river a mile-wide and an inch-deep river (as often been claimed) then the ISSAP requires one to navigate that mile-wide and inch-deep river, but who is also capable of performing a deep-dive into security technologies and architectures, and navigating waters that are deep, turbulent, and fraught with dangers in order to safely & securely support the organization.
 

I have been involved with a fair number of exam question writing and job task analysis (JTA) SME volunteer efforts with ISC2 over the years and their Official CBK, Training Curriculum, so I attest that the Exams are closely aligned due to the JTA process.  Like all bureaucracy, it's not perfect, but they follow a rigid process so the Training<-->CBK<-->Exams are generally well aligned.  Except for the ISSAP!  Just my two-cents, but the Official CBK (2014) is completely out-of-whack with Official ISSAP Training-->which is still out-of-sync with the Exam.  But I'm sure this will get ironed-out in the coming year.
 

*If you read nothing but the Official CBK, I feel you're not fully informed and more apt to experience exam issues unless you're one of those rare individuals who live and breath architecture 24x7 and, equally important, never forget anything you read.  Use the CBK as supplemental reading.
 

*If you do nothing but the Official ISC2 Self-Paced training, you may have exam issues.  Don't get the wrong the ISC2 curriculum in fine and it will help focus your study efforts for the exam.  However, don't use it in lieu of possessing real world KSAs. I f this is you, then spend more time building security requirements, designing and validating security controls, etc. 
 

*If you read the CBK and many of the suggested readings...you can do well, but it's a massive scattershot approach.  It will cost you nothing to read NIST Special Publications, and most are quite outstanding.  If you follow the Official ISC2 ISSAP training outline, and couple this with the CBK and selective suggested reading and architecture references (e.g., SABSA, TOGAF, etc.), then this will get you over the goal line. However, this is not the best method IMO.
 

Here's what I did:
 

1. Read the Official ISC2 ISSAP CBK (2014): this is EXCELLENT foundational material, a great refresher, but not necessarily what you're going to be tested on.  Read through it, but won't spend time studying it.  Why? It's 10+ years old and there's just too much outdated information (e.g., cryptography and cloud being two huge ones).  I don't think you're going to be asked about DES or SSL 1.1.
 

2. Prepared for the CompTIA CASP+ (CAS-004) certification.  Yep, you heard me...and here's why.  The CASP+ certification is no joke - it's a serious certification and 50-60% of the ISSAP exam questions also apply to the CASP+.  It contains a lot of excellent foundational materials.  Understand the CASP+ takes a more hands-on/operations and only touches upon things like architectures, flows, processes, risks, gaps, compliance, and big picture items.  You'll need to understand how they all work together. 

3. I DID NOT take CompTIA CASP+ training nor purchase the CompTIA CASP+ Study Guide (although I do have others).  Instead, I purchased the CompTIA CASP+ CAS-004 Certification Guide by Mark Birch.  I found it to be an excellent reference, but I'm sure there are others. 
 

Note: I noticed my Shon Harris CISSP all-in-one Study Guide is Third Edition (2005?) so not very useful these days.  However, I was flipping through someone's Ninth Edition (2021) the other day and it's even better than the aforementioned CASP+ book.  So study the CISSP and/CASP+ from an architect's perspective.
 
More to follow...

3 Replies
AlecTrevelyan
Community Champion


@riffjim4069 wrote:

...   
...

Second, I've been an ISSEP for about 15-years and I don't recall having my engineering "experience" endorsed back when the ISSEP was a concentration certification.  But it has been a while, so I may be mistaken.  Regardless, you'll need a fellow ISC2 member to endorse your Architecture experience regardless of how long you've been a CISSP, or whether you've already obtained other [formerly] concentration certifications. 
...

...


Many congratulations and welcome to the club!

 

In terms of what you wrote above, previously when they were still the CISSP concentrations, you would self-endorse.

 

conc-details.png

 

Of course, you still needed to go through the endorsement process and submit evidence of your 2 years of relevant experience.

 

Interesting they have changed this now even for those effectively taking the same CISSP first path.

 

Peterkr
Newcomer I

Congrats on passing the ISSAP, @riffjim4069 !
I passed the exam in December, and due to some issues with the endorsement process got my certification this week.

 

Fully agree that the CBK is a bit outdated, and the self-paced training is too high-level. Reading many of the supplemental materials was key for me (even though I did forget some of the information by the time I needed it on the exam).

The ISSAP includes a fair share of cloud questions, so anyone who took the CCSP exam before should go through their notes again. 

I also watched the ISSAP videos by Prabh Nair on YouTube. His earlier videos are a bit difficult to understand, but they get better with time.

In the weeks leading up to the exam I used CISSP test prep apps and Adam Gordon's Question of the Day to get into the exam mindset.

 

The ISSAP is a great certification, although challenging to prepare for due to the lack of a single source of truth. Hopefully it will get a bit more love from ISC2 now that it is no longer a CISSP concentration.

riffjim4069
Newcomer II

Yep, I love the ISSEP but it used to be heavily DoD/Three Letter Agency focused, with a whole lot of DITSCAP, DIACAP, C&A.  But it was "great to have" as a Defense Contractor, no doubt.  Although the CBK has changed over time (more NIST/RMF) I'd like it see more change to where it became the CISSP (Gold Standard) of Security Engineers.  The same goes for the ISSAP.  I'm expecting to see some changes now that they ISSAP, ISSEP, and ISSMP are stand alone certifications with a 7-year experience requirement.  We shall see.
 
I haven't been to a JTA Workshop in ages...wouldn't mind going, if I can find time (no easy task).