narcling
Viewer II

ISSAP, ISSEP and ISSMP going away?

I was trying to find a boot camp for the CISSP-ISSMP certification and was told by an ISC2 training partner that the CISSP concentration certifications were going away.

 

Is it true that ISC2 is abandoning the ISSEP, ISSAP and ISSMP?

28 Replies
Beads
Advocate I

There never has been a great deal of traction surrounding these exams, which has over the years only led to confusion and, as you can read from the above comments, speculation.

 

I took the ISSAP simply to stand out among CISSPs.

kurtholz
Viewer II

Hi Brent, I used the same reasoning when going for my ISSAP...to stand out a bit amongst the crowd.  And aside from qualifying me for IASAE Level III, I don't see much desire for this certification among industry partners.  The ISSEP certification seems to make more sense within the ISSE realm but as far as job searches and level of the job (i.e. ISSE with the cert vs ISSM or ISSO without), I haven't come across anyone requiring (or wanting) the ISSAP certification. 

 

Being qualified for IASAE Level III is nothing to sneeze at, but that's only within certain environments.  Outside of Government work in the US, IASAE Level III means nothing.

 

All said and done, I'm still glad I went for the ISSAP...just wish more companies knew about it!

 

Kurt Holz, CISSP-ISSAP

 

Steve-Wilme
Advocate II

As an ISSAP and ISSMP the best way to prepare is to get the official text and ensure that you have also read the majority of the references (most are in the public domain) at the end of the chapters.  You may find if you've worked in InfoSec any length of time that you already have some of the text books, standards etc.  Many of the references are to NIST SP800, RFCs, ISO standards etc, which you'll probably have read at some point.

 

I would consider self study rather than looking for a boot camp.  You simply need the self discipline to get up early and work at it all day, sleep, get up and do the same.

 

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
SOSUSA
Newcomer I

Sorry to hear that you had fallen short. I am preparing for ISSEP and taking it by end of June. Focusing on all the 5 domains (and not planning to read any of the regulatory, Common Criteria stuff), primarily using the public documents listed in the references list; the flash cards seem to still have the information from the old domains. Best of luck!

SOSUSA
Newcomer I

I am pretty much using the same documents, and planning to read the old CBK book, which is still applicable for a couple of domains. Planning to take the exam by end of next month. Did you find the flash cards useful, as they still have information related to the old domains? Good luck to you.

Baechle
Advocate I

Sankar,

 


@SOSUSA wrote:

Sorry to hear that you had fallen short. I am preparing for ISSEP and taking it by end of June. Focusing on all the 5 domains (and not planning to read any of the regulatory, Common Criteria stuff), primarily using the public documents listed in the references list; the flash cards seem to still have the information from the old domains. Best of luck!


From my memory of the exam, leaving out knowing (being able to nearly recite the content nearly verbatim and its source document) of the regulatory information would be a serious mistake.  I’m not sure if you said this because you work with it so regularly that you don’t feel the need to study, or you think that it isn’t a relevant portion of the exam.

 

Sincerely,

 

Eric B.

Baechle
Advocate I


@Steve-Wilme wrote:

As an ISSAP and ISSMP the best way to prepare is to get the official text and ensure that you have also read the majority of the references (most are in the public domain) at the end of the chapters.  You may find if you've worked in InfoSec any length of time that you already have some of the text books, standards etc.  Many of the references are to NIST SP800, RFCs, ISO standards etc, which you'll probably have read at some point.

 

I would consider self study rather than looking for a boot camp.  You simply need the self discipline to get up early and work at it all day, sleep, get up and do the same.

 


I wholeheartedly agree with Steven. 

 

Even more than the CISSP, these concentrations are deep dives into work roles.  If you do not currently do these work roles on a daily basis that would expose you to either the processes or regulations that these exams cover, you will not likely be in a good position to pass.

 

You will likely need to commit significant time to working with flash cards and taking scenario based practice exams if you don’t currently work in all of the domains for the work role you’re testing for.

 

Sincerely,

 

Eric B.

 

SOSUSA
Newcomer I

Eric,

 

A couple of domains were dropped and new topics have been included (refer to https://www.isc2.org/-/media/ISC2/Certifications/Exam-Outlines/ISSEP-Exam-Outline-v1204---March-2018...).

Here is a thread from ChrisBoz** about the changes.

 

I can tell you that ISC2 is testing on the new 5 domain layout for ISSEP as I found out the hard way yesterday. I had an instructor tell me during my prep course that ISC2 was not changing the exam (even though there was a scheduled date) until they released new training material. Well I followed his advice and only studied for the old 4 domain structure and fell short when I tested yesterday, although I came super close which is encouraging. So for anyone who is planning to test, know the 5 domains and you can forget about stuff like the Federal regulations domain which is a thing of the past. I will study the new areas and plan to test in about 45 days.

 

Hope this helps...

 

Best,

Sankar

Baechle
Advocate I

William,

 

It looks like you’re missing several NIST/CSRC Special Publications and all of the DoD references besides the “SEF Guide”.  You may want to revisit DoD references on “Operational Risk Management” as an overlay to the Risk Management Domain, and then apply them to the IT environment.  There are some CBT courses available from the Defense Security Services SPeD program that should fill some gaps in concepts like IT Supply Chain Management with knowledge and input from the Counterintelligence world.  I don’t know if these are open to the public or if you have to be affiliated with government.  It also couldn’t hurt to lean on the CompTIA IT Project+ materials for the project management objectives.

 

Sincerely,

 

Eric B.

Baechle
Advocate I

Sankar,

 


@SOSUSA wrote:

So for anyone who is planning to test, know the 5 domains and you can forget about stuff like the Federal regulations domain which is a thing of the past. I will study the new areas and plan to test in about 45 days.

I would like to know from any of you who take the test soon, if not knowing the content of these pubs holds true.

 

For example, even if not knowing “SP 800-37” is the regulation for the “Risk Management Framework”, the framework itself contained in this pub is the basis for several exam Objectives from what I can see in the March 2018 Exam Outline.  The U.S. Government published Operational Risk Management manual, or “ORM”, forms the basis of nearly every Risk Management process I’ve seen related to IT engineering risk regardless of whether it was public or proprietary.

 

Ridding the exam of a regulation mapping domain may make it unnecessary to quote which publication a concept came from, but I am wagering that many of the questions on the current exam were adopted directly from these pubs. 

 

Sincerely,

 

Eric B.