Showing results for 
Show  only  | Search instead for 
Did you mean: 
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Viewer II

Why I cancelled my ISSEP exam.

What is the value of the ISSEP for anyone outside of the US? I hold both the ISSMP and ISSAP certifications and was planning to take my ISSEP exam at the beginning of December. I started reading and studying from the limited resources I could find. However, I can’t understand the relevance of this exam for me, as it seems very US government-centric.


I appreciate that this is an engineering concentration and needs to be based on some formal material, and the NIST standards fill this gap. But why is it so US government-focused? Why can’t it be more generic, encompassing good engineering security practices and the SDLC processes laid out in the NIST documents? This approach would make it more accessible and relevant to people outside of the US and the US government.


Is anyone else choosing not to take this exam because it's too US-focused?

3 Replies
Newcomer II

Hi Stevelaw, I am aligned to your view that ISSEP is USA Govt centric, and felt the same when I had my learning. My employer never asked me to have this certification, though they were kind with the expenses. And, I am glad to be the first ISSEP certified person in my country (confirmed by (ISC)2).
For me, it was a different experience (albeit, a good one). ISSEP had a difficult learning curve, basically the knowledge material are scattered around and took me roughly 5 months to put together and get success in first attempt while having a full time paid job. Now I am proud that I did ISSEP, and got introduced to systems security engineering (and broader systems engineering) from INCOSE (and later ASEP certified) and other product engineering bodies. I also followed ISSEP with CAP (now CGRC) certification.
I have 2 decades of experience in security, risk consulting and architecture, yet I found the body of knowledge, (agonisingly, some of the content are no longer maintained), still prodigious and helped me in shaping my view much clearer and sharper in consulting engagements. Simply, my take is, it’s worth the pain, though you might not be able to directly monetise outside USA mainland.


Perpetual Learner..!
Community Champion

I take it you just didn’t book rather than canceled?

I’d be interested as to why you were looking at it in the first place? It’s a rare club with Circa 2k members, but the linkage with CISSP as a concentration is no longer there it’s just a different route we it’s CISSP plus ISSEP exams vs the new route that has only the ISSEP exam for validation and confirmation.

Maybe there is some understanding with the US that it is US Gov centric - and as a product that’s probably easier to keep it alive. Though a worldwide search in linked in for ISSEP brings back two results based in Maryland( probably the same job different agencies(Well it does say the NSA had a hand in it)) … so not so many reasons to do it for gaining employment outside of those rarefied circles.

So I think the best answer is “Personal satisfaction of a job well done.”

Reader I

Well, if you work for most commercial companies, it is probably not what you need. 


If you work for federal government and public agencies who work with them, then it is critical.  I work for Skyline Technology Solutions and we manage state and regional transportation networks which can be seperate from the IT network. They often lack any type of security controls, configuration management, change control, policies, and procedures due to management by civil engineers and journeymen electrician signal technicians. Yes, they have no real IT personnel and  at best they have integrators doing sustained operations.  I know, I know...not my call.


It is far easier to adopt federal/NIST processes than to start from complete scratch. Not to mention 85% of state DOT budget is from Federal Highway Association.  FHWA is finally going to mandate a security program. It is now only a question of when.  


I am new to CISSP and ISSEP, and though I am very familiar with CISA CPGs, NIST CSF,  NIST 800-53/A, and NIST 800-82 I was not familiar with ISSE. Some of what  I learned will be integrated into these state DOT security requirements.