I recently passed the Information Systems Security Architecture Professional (ISSAP) exam and wanted to briefly mention my strategy since...well, the ISSAP CBK is dated and needs to be revamped. First, the ISSAP is no longer a CISSP concentration certification (Oct 2023). The ISSAP, along with the ISSEP and ISSMP, are Stand Alone certifications and take precedence ahead of the CISSP. They require 7-years of experience vice 5-years for the CISSP (e.g., CISSP + 2 Years or 7 years cumulative). Just thought I would toss this out there if you weren't already aware.
Second, I've been an ISSEP for about 15-years and I don't recall having my engineering "experience" endorsed back when the ISSEP was a concentration certification. But it has been a while, so I may be mistaken. Regardless, you'll need a fellow ISC2 member to endorse your Architecture experience regardless of how long you've been a CISSP, or whether you've already obtained other [formerly] concentration certifications.
Disclaimer: due to the NDA (https://www.isc2.org/Exams/Non-Disclosure-Agreement) there is limited information I can disclose about the exam itself, nor would I, but I can share what materials and strategy I used to prepare. The exam itself is NOT a walk in the park so preparation is key.
Rote memorization and the ability to regurgitation information will not get you over-the-bar since the ISSAP (ISSEP for that matter) deals with one's ability to understand problems, and process a deep knowledge of myriad infrastructure and cloud technologies. And let's not forget the ISSAP needs to provide sound architectural and risk based guidance to senior management in pursuit of organizational goals.
Having real world experience is key! If the CISSP exam is a river a mile-wide and an inch-deep river (as often been claimed) then the ISSAP requires one to navigate that mile-wide and inch-deep river, but who is also capable of performing a deep-dive into security technologies and architectures, and navigating waters that are deep, turbulent, and fraught with dangers in order to safely & securely support the organization.
I have been involved with a fair number of exam question writing and job task analysis (JTA) SME volunteer efforts with ISC2 over the years and their Official CBK, Training Curriculum, so I attest that the Exams are closely aligned due to the JTA process. Like all bureaucracy, it's not perfect, but they follow a rigid process so the Training<-->CBK<-->Exams are generally well aligned. Except for the ISSAP! Just my two-cents, but the Official CBK (2014) is completely out-of-whack with Official ISSAP Training-->which is still out-of-sync with the Exam. But I'm sure this will get ironed-out in the coming year.
*If you read nothing but the Official CBK, I feel you're not fully informed and more apt to experience exam issues unless you're one of those rare individuals who live and breath architecture 24x7 and, equally important, never forget anything you read. Use the CBK as supplemental reading.
*If you do nothing but the Official ISC2 Self-Paced training, you may have exam issues. Don't get the wrong the ISC2 curriculum in fine and it will help focus your study efforts for the exam. However, don't use it in lieu of possessing real world KSAs. I f this is you, then spend more time building security requirements, designing and validating security controls, etc.
*If you read the CBK and many of the suggested readings...you can do well, but it's a massive scattershot approach. It will cost you nothing to read NIST Special Publications, and most are quite outstanding. If you follow the Official ISC2 ISSAP training outline, and couple this with the CBK and selective suggested reading and architecture references (e.g., SABSA, TOGAF, etc.), then this will get you over the goal line. However, this is not the best method IMO.
Here's what I did:
1. Read the Official ISC2 ISSAP CBK (2014): this is EXCELLENT foundational material, a great refresher, but not necessarily what you're going to be tested on. Read through it, but won't spend time studying it. Why? It's 10+ years old and there's just too much outdated information (e.g., cryptography and cloud being two huge ones). I don't think you're going to be asked about DES or SSL 1.1.
2. Prepared for the CompTIA CASP+ (CAS-004) certification. Yep, you heard me...and here's why. The CASP+ certification is no joke - it's a serious certification and 50-60% of the ISSAP exam questions also apply to the CASP+. It contains a lot of excellent foundational materials. Understand the CASP+ takes a more hands-on/operations and only touches upon things like architectures, flows, processes, risks, gaps, compliance, and big picture items. You'll need to understand how they all work together.
3. I DID NOT take CompTIA CASP+ training nor purchase the CompTIA CASP+ Study Guide (although I do have others). Instead, I purchased the CompTIA CASP+ CAS-004 Certification Guide by Mark Birch. I found it to be an excellent reference, but I'm sure there are others.
Note: I noticed my Shon Harris CISSP all-in-one Study Guide is Third Edition (2005?) so not very useful these days. However, I was flipping through someone's Ninth Edition (2021) the other day and it's even better than the aforementioned CASP+ book. So study the CISSP and/CASP+ from an architect's perspective.
More to follow...
