I was trying to find a boot camp for the CISSP-ISSMP certification and was told by an ISC2 training partner that the CISSP concentration certifications were going away.
Is it true that ISC2 is abandoning the ISSEP, ISSAP and ISSMP?
Eric,
I agree with you on referring to NIST pubs. It seems like the flash card content was created in 2013 and has yet to be updated to reflect the updated domains, as it's still referring to DoD and National System Security regulations, which I am planning to skip and focus on the content from other NIST pubs, which address the topics listed in the Exam Outline handbook. Hoping someone will chime in on this topic to give us some more clarity.
Best,
Sankar
Sankar,
Again, I think you are selling yourself short. The content of all of these publications formed the basis for many of the topics and objectives.
@SOSUSA wrote:
I agree with you on referring to NIST pubs. It seems like the flash card content was created in 2013 and has yet to be updated to reflect the updated domains, as it's still referring to DoD and National System Security regulations, which I am planning to skip and focus on the content from other NIST pubs, which address the topics listed in the Exam Outline handbook.
For example, the Committee on National Security Systems was the one to codify the terminology and concepts we use in INFOSEC under CNSSI 4009, the INFOSEC Glossary.
The Exam Outline handbook provides the objectives and a non-exhaustive list of reference material. The key phrase in there being the non-exhaustive list. Again, I wouldn't worry as much about tying back a concept to a specific publication number (for example, knowing that CNSSI 4009 is the INFOSEC Glossary), but don't overlook these pubs as the source material for the meat of the current objectives.
Sincerely,
Eric B.
Thanks Eric. I will consider your advice and not limit my reading only to the selected NIST pubs. Will keep you posted on the outcome by end of next month.
Cheers,
Sankar
Sankar,
Thank you! I really would like to know how you do. There are not many ISSEPs in the world and I believe that the focus concepts covered in the exam are tremendously important to the technical design and implementation of security systems, government or commercial.
Also, don't necessarily overlook the DoD pubs either. I'm willing to bet that a lot of the content, for example, on supply chain risk management comes directly from DoD procurement and counterintelligence regs.
Aloha!
Eric B.
Don't remember anything specific coming out of DoD or counter intel regs but in a prior life I did live in that world.
Biggest thing is to read the bibliography. NIST has updated a number of these publications, clarified others; otherwise the government moves at its own speed - slowly. So don't worry that the material will be grossly changed on the exam because of it.
If you can find a copy of Doug Landoll's The Security Risk Assessment Handbook, it's good for a browse but also feels dated. Remember that being in the bibliography as well as a ton of .PDFs, websites. I wouldn't go as far as buying many if any of these reading materials but borrow when you can or hit the public library.
Good luck.
Brent,
@Beads wrote: Don't remember anything specific coming out of DoD or counter intel regs but in a prior life I did live in that world.
When the exam candidate has loads of training and experience in something, that’s really kind of the ideal target demographic for these certifications. Knowledge you’ve accumulated over time is also hard to attribute to an original source. It feels more like a natural thought or action than something that was learned from a book or on the job.
I can honestly say that I didn’t study at all for the ISSEP. When I sat for the exam, I worked daily 50% as a Delegated Accrediting Agent Engineer and 50% as a Theater-level fly away team Cyber-CI incident responder. There wasn’t much in the way of study guides at the time, and it was quite difficult to get an idea of what was actually covered on the exam. So, I just scheduled it and passed on the first go. I’m pretty sure I was the first ISSEP holder in my state.
My comments come from getting a face full of the references from unlikely sources. For example, working procurement fraud cases involving non-conforming and counterfeit products, I basically got a crash course on the procurement regs. And as I read into the procurement and supply chain guidance and regs, I would get to particular topics and sections and would be like, “Oh… so that’s where they got that CBK objective from.”
So, take that with a grain of salt.
Sincerely,
Eric B.
Thank you very much for this helpful insight.
CISSP-ISSAP Information Systems Security Architecture Professional
CISSP-ISSEP Information Systems Security Engineering Professional
CISSP-ISSMP Information Systems Security Management Professional
It's more about security controls at a greater depth within the domain covered than architecture in the SABSA or TOGAF sense. The textbook may not cover the material in enough depth, so you'll need to have followed up on some of the references at the end of each chapter. I'd consider it alongside looking at SABSA, TOGAF and Zachman or CSSK/CCSP or an AWS cert if you're looking into architecture in a more general sense.