What is the ISSMP? What does the acronym stand for?
The Information Systems Security Management Professional (ISSMP) is one of the concentration certifications built on the Certified Information Systems Security Professional (CISSP). These certifications are governed by the International Information System Security Certification Consortium, (ISC)2. As the name implies, this independent organization certifies professionals working in the IT security field.
The ISSMP certification encompasses areas of security project management and planning. Designing continuity, resiliency and response plans may be one task an ISSMP engages in. Developing and implementing an organization’s security awareness and training initiatives might be another.
Typically, an ISSMP's understanding of security is broader, but less deep on specific technical issues, than that of other IT professionals.
Who should earn the ISSMP?
The ISSMP is geared towards management roles. The certification is ideal for either acting or aspiring Chief Information Officers (CIOs), Chief Technology Officers (CTOs), or any other management position tasked with overseeing IT security initiatives.
To qualify for the ISSMP, candidates must already hold the CISSP in good standing and must have a minimum of two years of professional experience managing IT security for a large organization.
What are the five domains covered in the ISSMP?
The ISSMP exam covers five areas, or domains, of knowledge: Security Leadership and Management; Security Lifecycle Management; Security Compliance Management; Contingency Management; and Law, Ethics, and Incident Management. Each is described below.
Security Leadership and Management
The Security Leadership and Management segment tests for an understanding of the core components of an organization's security program. It is the broadest of the five domains, as it covers how a manager ensures that the overarching security program's mission is fulfilled.
Candidates must be able to demonstrate knowledge of the need for, and the steps taken in, constructing and publishing an organization's security policies and procedures. To accomplish this, ISSMP candidates must understand how to collaborate with every department in the operation while developing policies and goals and ensuring compliance with each.
Implementation of an organization’s overall IT security also extends to the establishment of methods and metrics used to measure compliance and effectiveness of security initiatives. Training and awareness programs are an integral part of this process, and candidates must be able to demonstrate knowledge of how to effectively accomplish this.
Data classification, and the procedures and protections associated with each level of classification, are also covered in this domain. Certified ISSMPs should be able to take a lead role in all practices associated with evaluating data for classification and developing the policies applicable to each classification.
Security leadership and management also includes evaluating contracts and purchases to ensure they comply and conform with existing internal security policies, and modifying those procedures as needed to accommodate new products or technology.
Security Compliance Management
Security Compliance Management entails the processes used for monitoring, assessing and enforcing an organization's IT security policies and procedures. This subject matter also includes methodologies for establishing key performance metrics and reporting procedures for exceptions to those metrics.
Internal and external audits are covered within the compliance domain. The exam covers both how to prepare for audits and how to respond to audit findings. Contingency actions for audit responses should be prepared before the audit takes place.
Security Lifecycle Management
The Security Lifecycle Management domain provides guidance on how an organization can and should manage security at every stage of a program, from the planning stage through operation to termination.
Crucial to this domain is the idea that security must be accounted for at the earliest stage of any initiative: all IT risks associated with a program are identified, measures are taken to minimize those risks, and plans are developed to address each risk should it become an actual event. Candidates are also expected to understand how to measure each potential IT security risk with respect to the interests of the organization.
Contingency Management
Contingency Management encompasses the body of knowledge covering how an organization will either continue or resume operations in the most expedient and safest manner following an interruption. Interruptions may be natural or man-made, and may be either unintentional or intentional.
Candidates are expected to understand how to conduct Business Impact Analysis (BIA) studies for interruption events.
Central to contingency management is the contingency plan, which an ISSMP candidate must understand fully, from development through implementation in the event of an interruption. Identifying and analyzing continuity and resiliency alternatives for business practices, both before and during an event, is also covered within this domain.
These steps involve communication and collaboration with key stakeholders in the organization. Candidates are expected to understand how to work with these stakeholders to test, evaluate and modify contingency plans.
Law, Ethics and Incident Management
The Law, Ethics and Incident Management body of knowledge tested on the ISSMP exam covers laws that pertain to the privacy of both clients and employees, and how those laws vary among the countries in which a firm does business. Intellectual property law, covering trademarks, copyrights, patents and licensing, is also covered in this section.
Candidates are expected to understand not only the liabilities created by the laws governing an organization's IT practices, but also how to design and implement responses for handling incidents that may violate those laws.
What is involved with the ISSMP exam? (length, number of questions, format, passing grade, etc.)
Testing takes place at third-party testing centers; in the U.S., Pearson VUE provides this service. Candidates must register in advance and pay the exam fee (currently $399). To avoid forfeiting all fees paid, an exam must be cancelled or rescheduled at least 24 or 48 hours in advance, depending on whether the change is made online or by phone.
(ISC)2 will work with candidates who are subject to the provisions of the Americans with Disabilities Act (ADA). Before scheduling the test with Pearson VUE, candidates need to email (ISC)2 with the test information (location, time, candidate name) and the accommodations they need in order to complete the test. (ISC)2 will then advise the test center directly of the candidate's needs.
On the day of the test, candidates are advised to arrive at least 30 minutes before the scheduled start time to allow ample time to check in. Failure to arrive within 15 minutes of the scheduled start time may result in forfeiture of the exam seat. Two forms of ID, one of which must include a photo, are required at check-in. IDs must be originals; photocopies and faxes are not accepted.
The test consists of 125 multiple-choice questions, each with four possible answers. Three hours are allowed to complete the exam. Unofficial results are generally available immediately after the test, except when a new version of the exam has just been released, in which case it may take six to eight weeks to receive a grade.
The passing score is 700 out of a possible 1000 points. A candidate who fails the exam must wait 30 days before testing again. A candidate who fails a second time must wait 90 days before a third attempt, and a candidate who fails a third time must wait 180 days before a fourth or any subsequent attempt.
What are the best ISSMP study resources?
(ISC)2 recommends both its official textbook and its free exam outline, which may be accessed below.