I recently passed the Information Systems Security Architecture Professional (ISSAP) exam and wanted to briefly mention my strategy since...well, the ISSAP CBK is dated and needs to be revamped. First, the ISSAP is no longer a CISSP concentration certification (Oct 2023). The ISSAP, along with the ISSEP and ISSMP, are stand-alone certifications and take precedence ahead of the CISSP. They require 7 years of experience vice 5 years for the CISSP (e.g., CISSP + 2 years or 7 years cumulative). Just thought I would toss this out there if you weren't already aware. Second, I've been an ISSEP for about 15 years and I don't recall having my engineering "experience" endorsed back when the ISSEP was a concentration certification. But it has been a while, so I may be mistaken. Regardless, you'll need a fellow ISC2 member to endorse your architecture experience regardless of how long you've been a CISSP, or whether you've already obtained other [formerly] concentration certifications. Disclaimer: due to the NDA (https://www.isc2.org/Exams/Non-Disclosure-Agreement) there is limited information I can disclose about the exam itself, nor would I, but I can share what materials and strategy I used to prepare. The exam itself is NOT a walk in the park, so preparation is key. Rote memorization and the ability to regurgitate information will not get you over the bar, since the ISSAP (and the ISSEP, for that matter) deals with one's ability to understand problems and possess a deep knowledge of myriad infrastructure and cloud technologies. And let's not forget the ISSAP needs to provide sound architectural and risk-based guidance to senior management in pursuit of organizational goals. Having real-world experience is key!
If the CISSP exam is a river a mile wide and an inch deep (as has often been claimed), then the ISSAP requires one to navigate that mile-wide and inch-deep river, but also to be capable of performing a deep dive into security technologies and architectures, and of navigating waters that are deep, turbulent, and fraught with dangers in order to safely & securely support the organization. I have been involved with a fair number of exam question writing and job task analysis (JTA) SME volunteer efforts with ISC2 over the years and their Official CBK and Training Curriculum, so I can attest that the exams are closely aligned due to the JTA process. Like all bureaucracies, it's not perfect, but they follow a rigid process so the Training<-->CBK<-->Exams are generally well aligned. Except for the ISSAP! Just my two cents, but the Official CBK (2014) is completely out of whack with the Official ISSAP Training-->which is still out of sync with the Exam. But I'm sure this will get ironed out in the coming year.
* If you read nothing but the Official CBK, I feel you're not fully informed and more apt to experience exam issues unless you're one of those rare individuals who live and breathe architecture 24x7 and, equally important, never forget anything you read. Use the CBK as supplemental reading.
* If you do nothing but the Official ISC2 Self-Paced training, you may have exam issues. Don't get me wrong, the ISC2 curriculum is fine and it will help focus your study efforts for the exam. However, don't use it in lieu of possessing real-world KSAs. If this is you, then spend more time building security requirements, designing and validating security controls, etc.
* If you read the CBK and many of the suggested readings...you can do well, but it's a massive scattershot approach. It will cost you nothing to read NIST Special Publications, and most are quite outstanding.
If you follow the Official ISC2 ISSAP training outline, and couple this with the CBK and selective suggested reading and architecture references (e.g., SABSA, TOGAF, etc.), then this will get you over the goal line. However, this is not the best method IMO. Here's what I did:
1. Read the Official ISC2 ISSAP CBK (2014): this is EXCELLENT foundational material, a great refresher, but not necessarily what you're going to be tested on. Read through it, but don't spend time studying it. Why? It's 10+ years old and there's just too much outdated information (e.g., cryptography and cloud being two huge ones). I don't think you're going to be asked about DES or SSL 1.1.
2. Prepared for the CompTIA CASP+ (CAS-004) certification. Yep, you heard me...and here's why. The CASP+ certification is no joke - it's a serious certification and 50-60% of the ISSAP exam questions also apply to the CASP+. It contains a lot of excellent foundational materials. Understand that the CASP+ takes a more hands-on/operations approach and only touches upon things like architectures, flows, processes, risks, gaps, compliance, and big-picture items. You'll need to understand how they all work together.
3. I DID NOT take CompTIA CASP+ training nor purchase the CompTIA CASP+ Study Guide (although I do have others). Instead, I purchased the CompTIA CASP+ CAS-004 Certification Guide by Mark Birch. I found it to be an excellent reference, but I'm sure there are others.
Note: I noticed my Shon Harris CISSP All-in-One Study Guide is Third Edition (2005?) so not very useful these days. However, I was flipping through someone's Ninth Edition (2021) the other day and it's even better than the aforementioned CASP+ book. So study the CISSP and/or CASP+ from an architect's perspective. More to follow...
Welcome to the CISSP-ISSAP Certification Study Group.
This is an open discussion forum for those studying for the CISSP-ISSAP certification. This forum provides an opportunity to connect with others preparing for the exam. Please follow all Community Guidelines regarding usage of this group, including adhering to the exam confidentiality policy.
Adhere to (ISC)² Exam Confidentiality
Discussing (ISC)² examination items, answers and responses with other individuals is a violation of the (ISC)² Examination Non-Disclosure Agreement that is signed prior to taking an (ISC)² examination. Any posts related to this will be removed, and users found to be in violation may face penalties.
General discussions about exams that do not share specific exam items are permissible. We encourage Community members to help candidates prepare themselves for success and share their own experiences without disclosing any information that could compromise the integrity of the exam process.
Apologies if this question has been asked before, but I was curious about what everyone is using for study material for the ISSAP exam. I have the CBK but I know that is not enough. Was thinking of buying the self-paced course as well. Looking forward to hearing some responses, and good luck.
Hello fellow candidates, curious about others' thoughts regarding DIACAP being replaced with RMF. Based on the NIST publications listed as additional resources, it seems like it would be more beneficial to focus on the RMF process and how it fits into information systems security engineering. The original CBK gets into DIACAP and NIACAP, but I think I'm just going to read it for context and really focus more on RMF. Curious how you all are approaching this particular topic. Thanks.