cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
riffjim4069
Newcomer III

Recently Passed the ISSAP - my thoughts and strategy

I recently passed the Information Systems Security Architecture Professional (ISSAP) exam and wanted to briefly mention my strategy since...well, the ISSAP CBK is dated and needs to be revamped.  First, the ISSAP is no longer a CISSP concentration certification (Oct 2023).  The ISSAP, along with the ISSEP and ISSMP, are Stand Alone certifications and take precedence ahead of the CISSP.  They require 7-years of experience vice 5-years for the CISSP (e.g., CISSP + 2 Years or 7 years cumulative).  Just thought I would toss this out there if you weren't already aware.   
 

Second, I've been an ISSEP for about 15-years and I don't recall having my engineering "experience" endorsed back when the ISSEP was a concentration certification.  But it has been a while, so I may be mistaken.  Regardless, you'll need a fellow ISC2 member to endorse your Architecture experience regardless of how long you've been a CISSP, or whether you've already obtained other [formerly] concentration certifications. 
 

Disclaimer: due to the NDA (https://www.isc2.org/Exams/Non-Disclosure-Agreement) there is limited information I can disclose about the exam itself, nor would I, but I can share what materials and strategy I used to prepare. The exam itself is NOT a walk in the park so preparation is key. 
 

Rote memorization and the ability to regurgitation information will not get you over-the-bar since the ISSAP (ISSEP for that matter) deals with one's ability to understand problems, and process a deep knowledge of myriad infrastructure and cloud technologies.  And let's not forget the ISSAP needs to provide sound architectural and risk based guidance to senior management in pursuit of organizational goals.
 

Having real world experience is key! If the CISSP exam is a river a mile-wide and an inch-deep river (as often been claimed) then the ISSAP requires one to navigate that mile-wide and inch-deep river, but who is also capable of performing a deep-dive into security technologies and architectures, and navigating waters that are deep, turbulent, and fraught with dangers in order to safely & securely support the organization.
 

I have been involved with a fair number of exam question writing and job task analysis (JTA) SME volunteer efforts with ISC2 over the years and their Official CBK, Training Curriculum, so I attest that the Exams are closely aligned due to the JTA process.  Like all bureaucracy, it's not perfect, but they follow a rigid process so the Training<-->CBK<-->Exams are generally well aligned.  Except for the ISSAP!  Just my two-cents, but the Official CBK (2014) is completely out-of-whack with Official ISSAP Training-->which is still out-of-sync with the Exam.  But I'm sure this will get ironed-out in the coming year.
 

*If you read nothing but the Official CBK, I feel you're not fully informed and more apt to experience exam issues unless you're one of those rare individuals who live and breath architecture 24x7 and, equally important, never forget anything you read.  Use the CBK as supplemental reading.
 

*If you do nothing but the Official ISC2 Self-Paced training, you may have exam issues.  Don't get the wrong the ISC2 curriculum in fine and it will help focus your study efforts for the exam.  However, don't use it in lieu of possessing real world KSAs. I f this is you, then spend more time building security requirements, designing and validating security controls, etc. 
 

*If you read the CBK and many of the suggested readings...you can do well, but it's a massive scattershot approach.  It will cost you nothing to read NIST Special Publications, and most are quite outstanding.  If you follow the Official ISC2 ISSAP training outline, and couple this with the CBK and selective suggested reading and architecture references (e.g., SABSA, TOGAF, etc.), then this will get you over the goal line. However, this is not the best method IMO.
 

Here's what I did:
 

1. Read the Official ISC2 ISSAP CBK (2014): this is EXCELLENT foundational material, a great refresher, but not necessarily what you're going to be tested on.  Read through it, but won't spend time studying it.  Why? It's 10+ years old and there's just too much outdated information (e.g., cryptography and cloud being two huge ones).  I don't think you're going to be asked about DES or SSL 1.1.
 

2. Prepared for the CompTIA CASP+ (CAS-004) certification.  Yep, you heard me...and here's why.  The CASP+ certification is no joke - it's a serious certification and 50-60% of the ISSAP exam questions also apply to the CASP+.  It contains a lot of excellent foundational materials.  Understand the CASP+ takes a more hands-on/operations and only touches upon things like architectures, flows, processes, risks, gaps, compliance, and big picture items.  You'll need to understand how they all work together. 

3. I DID NOT take CompTIA CASP+ training nor purchase the CompTIA CASP+ Study Guide (although I do have others).  Instead, I purchased the CompTIA CASP+ CAS-004 Certification Guide by Mark Birch.  I found it to be an excellent reference, but I'm sure there are others. 
 

Note: I noticed my Shon Harris CISSP all-in-one Study Guide is Third Edition (2005?) so not very useful these days.  However, I was flipping through someone's Ninth Edition (2021) the other day and it's even better than the aforementioned CASP+ book.  So study the CISSP and/CASP+ from an architect's perspective.
 
More to follow...

7 Replies
AlecTrevelyan
Community Champion


@riffjim4069 wrote:

...   
...

Second, I've been an ISSEP for about 15-years and I don't recall having my engineering "experience" endorsed back when the ISSEP was a concentration certification.  But it has been a while, so I may be mistaken.  Regardless, you'll need a fellow ISC2 member to endorse your Architecture experience regardless of how long you've been a CISSP, or whether you've already obtained other [formerly] concentration certifications. 
...

...


Many congratulations and welcome to the club!

 

In terms of what you wrote above, previously when they were still the CISSP concentrations, you would self-endorse.

 

conc-details.png

 

Of course, you still needed to go through the endorsement process and submit evidence of your 2 years of relevant experience.

 

Interesting they have changed this now even for those effectively taking the same CISSP first path.

 

Peterkr
Newcomer I

Congrats on passing the ISSAP, @riffjim4069 !
I passed the exam in December, and due to some issues with the endorsement process got my certification this week.

 

Fully agree that the CBK is a bit outdated, and the self-paced training is too high-level. Reading many of the supplemental materials was key for me (even though I did forget some of the information by the time I needed it on the exam).

The ISSAP includes a fair share of cloud questions, so anyone who took the CCSP exam before should go through their notes again. 

I also watched the ISSAP videos by Prabh Nair on YouTube. His earlier videos are a bit difficult to understand, but they get better with time.

In the weeks leading up to the exam I used CISSP test prep apps and Adam Gordon's Question of the Day to get into the exam mindset.

 

The ISSAP is a great certification, although challenging to prepare for due to the lack of a single source of truth. Hopefully it will get a bit more love from ISC2 now that it is no longer a CISSP concentration.

riffjim4069
Newcomer III

Yep, I love the ISSEP but it used to be heavily DoD/Three Letter Agency focused, with a whole lot of DITSCAP, DIACAP, C&A.  But it was "great to have" as a Defense Contractor, no doubt.  Although the CBK has changed over time (more NIST/RMF) I'd like it see more change to where it became the CISSP (Gold Standard) of Security Engineers.  The same goes for the ISSAP.  I'm expecting to see some changes now that they ISSAP, ISSEP, and ISSMP are stand alone certifications with a 7-year experience requirement.  We shall see.
 
I haven't been to a JTA Workshop in ages...wouldn't mind going, if I can find time (no easy task).  

manpreets
Viewer II

Any updates on the continuation of your article for ISSAP?

riffjim4069
Newcomer III

"Any updates on the continuation of your article for ISSAP?"
 
I'm studying for Azure (next week) and AWS (following week) certs and, to be honest, don't recall what else I wanted to add to my initial post two months ago. LOL! 
 
But seriously, one thing I wanted to add was US military/government employees, or military veterans, have access to FedVTE (online training) and they offer  various ISC2/ISACA and other training in the form of recorded lectures with accompanying slidedeck and handouts. I completed their CISSP-ISSAP module back in 2016, which was last updated in 2014.  I'm not big into the lecture/powerpoint learning method (unless it's attended in person with Q&A), but thought some eligible folks could benefit from this training method. 
 
However, I later noticed the course has been retired - so it's a moot point.  I downloaded all the handouts years ago.  They're not bad study materials, but they were created shortly after the ISSAP CBK was published, so you're better off just reading the book.
 
I actually had some enterprise reference architecture training materials Capture.JPGwhen I was defense contractor (a smattering of of FEAF, DoDAF, TOGAF, Zachman, Open Group Framework, ATPM, ATAM, and some other stuff, no doubt) but it's proprietary and leans more on the enterprise side versus security architecture. 

Cheers! 

David_8507
Newcomer I

i agree with what you said

nkeaton
Newcomer III

I passed the ISSEP in November and did not need to be endorsed, that was the month after no longer were concentrations; I believe.  I passed my ISSMP in July and was surprised that I needed to be endorsed.  It was not a big issue, but I did look to make sure that they had changed the text of requirements on the endorsement page.  I am thinking about doing the ISSAP for the trifecta.  It is my weakest discipline of the 3.  It and the CSSLP are the only ones left for me, but I do not think that I will attempt it.  I did watch a nice discussion between Prabh Nair and Adam Gordon (editor of 2nd Edition of ISSAP CBK).  He talked about his study suggestions.  I rely heavily on the exam objectives (ISC2 calls it an exam outline), reading (to include suggested NIST documents), and practice questions.  So there are not really many of the last available for concentrations.  I do think that Luke's How to Think Like a Manager was good for the 2 that I passed.  I am not sure that it will be as relevant for the ISSAP, but I think that his answering strategy is spot on,