What is the ISSMP? What does the acronym stand for?

Information Security System Management Professional (ISSMP) is one of several certifications offered in the Certified Information Systems Security Professional (CISSP) suite of certifications. These certifications are governed by the International Information System Security Certification Consortium, (ISC)2. As the name implies, this independent organization certifies professionals working in the IT security field.

The ISSMP certification encompasses areas of security project management and planning. Designing continuity, resiliency and response plans may be one task an ISSMP engages in. Developing and implementing an organization’s security awareness and training initiatives might be another.

Typically, ISSMPs have a much broader, but not as deep, understanding of specific security issues compared with other IT professionals.

Who should earn the ISSMP?

The ISSMP is geared towards management roles. The certification is ideal for either acting or aspiring Chief Information Officers (CIOs), Chief Technology Officers (CTOs), or any other management position tasked with overseeing IT security initiatives.

To qualify for the ISSMP, candidates must have a minimum of two years of professional experience managing IT security for a large organization.

What are the Five Domains covered in the ISSMP?

The ISSMP exam covers five areas, or domains, of knowledge: Security Leadership and Management, Security Lifecycle Management, Security Compliance Management, Contingency Management, and Law, Ethics, and Incident Management.

  1. Security Leadership and Management

The Security Leadership and Management segment tests for an understanding of the core components of an entity’s security measures. It is the broadest of the five domains, as it covers how a manager will assure that the overarching security program’s mission is fulfilled.

Candidates must be able to demonstrate knowledge of the need for, and the steps taken in, constructing and publishing an organization’s security policies and procedures. To accomplish this, ISSMP candidates must understand how to collaborate with all departments throughout an organization while developing policies and goals and ensuring compliance with each.

Implementation of an organization’s overall IT security also extends to the establishment of methods and metrics used to measure compliance and effectiveness of security initiatives. Training and awareness programs are an integral part of this process, and candidates must be able to demonstrate knowledge of how to effectively accomplish this.

Data classification, and the associated procedures and protections used for each level of classification, are also covered in this domain. Certified ISSMPs should be able to take a lead role in the execution of all practices associated with evaluating data for classification and developing policies applicable to each classification.

Security leadership and management also includes the evaluation of contracts and purchases, to ensure compliance with existing internal security policies, or to modify those policies and procedures as needed to accommodate new products or technology.

  2. Security Compliance Management

Security Compliance Management entails the processes used for monitoring, assessing and enforcing an organization’s IT security policies and procedures. This subject matter also includes methodologies for establishing key performance metrics and reporting procedures for exceptions to those metrics.

Internal and external audits are covered within the compliance domain. The exam covers both how to prepare for audits and how to respond to audit findings. Contingency actions for audit responses should be created before the audits take place.

  3. Security Lifecycle Management

The Security Lifecycle Management domain provides guidance on how an organization can and should manage security at every stage of a program, including the planning, operational, and termination stages of a project.

Crucial to this domain is the idea that security must be accounted for at the earliest stage of any initiative: all IT risks associated with a program must be identified, measures taken to minimize them, and plans developed to address each risk should it become an event. Candidates are also expected to understand how to measure each potential IT security risk with respect to the interests of the organization.

  4. Contingency Management

Contingency management encompasses the body of knowledge covering how an organization will either continue or resume operations in the most expedient and safest manner following an interruption. Interruptions may be natural or human-caused, and may be either unintentional or intentional.

Candidates are expected to understand how to conduct Business Impact Analysis (BIA) studies for interruption events.

Central to contingency management is the contingency plan, which a candidate for the ISSMP must understand fully, from development through implementation (in the event of an interruption). The identification and analysis of continuity and resiliency alternatives for business practices, both before and during an event, are covered within the contingency management domain.

These steps involve communication and collaboration with key stakeholders in the organization. Candidates are expected to understand how to work with these stakeholders for testing, evaluating and modifying contingency plans.

  5. Law, Ethics and Incident Management

The Law, Ethics and Incident Management body of knowledge tested on the ISSMP exam covers laws that pertain to the privacy of both clients and employees, and how those laws may vary among the countries in which a firm does business. Intellectual property laws, which apply to trademarks, copyrights, patents and licensing, are also covered in this section.

Candidates are expected to understand not only the liabilities associated with laws governing the IT practices of an organization, but also how to design and implement responses for handling incidents that may violate those laws.

What is involved with the ISSMP Exam? (length, number of questions, format, passing grade, etc.)

Testing takes place at third-party testing centers. In the U.S., Pearson provides this service. Candidates must register in advance and pay the fee (currently $399) for the exam. Cancellation or rescheduling of the exam must be made between 24 and 48 hours in advance, depending on whether it is done online or by phone, to avoid forfeiture of all fees paid.

(ISC)2 will work with candidates who are subject to the provisions of the Americans with Disabilities Act (ADA). Prior to scheduling the test with Pearson, candidates need to email (ISC)2 with the test information (location, time, candidate name) and the accommodations that may be necessary for the candidate to successfully complete the test. (ISC)2 will then directly advise the center where the test will take place of the candidate’s special needs.

On the day of the test, it is recommended that candidates arrive at least 30 minutes before the scheduled test time, to allow ample time to check in. Failure to arrive within 15 minutes of the scheduled start time could result in forfeiture of the candidate’s seat for the exam. Two forms of ID, one of which must include a photo, are required for check-in. IDs must be originals; photocopies and faxes are not accepted.

The test consists of 125 multiple-choice questions, each with four possible answers. Three hours are allowed for completion of the exam. Unofficial exam results are generally available immediately after completing the test, except at the start of a new test cycle, when it may take six to eight weeks to receive a grade.

The passing score is 700 out of a possible 1000 points. Should a candidate fail the exam, s/he must wait 30 days before testing again. If the candidate fails the second exam, s/he must wait 90 days before testing a third time. Upon failing a third time, candidates must wait 180 days before sitting for the exam a fourth time, and before any subsequent attempt.


What are the best ISSMP study resources?

(ISC)2 recommends both its textbook and its free exam outline, which may be accessed below.

Official (ISC)² Guide to the CISSP-ISSMP CBK Textbook

Exam outline

Supplemental reading, also recommended by (ISC)2, includes the following:

A Practical Guide to Security Assessments, 2004. Sudhanshu Kairab
Asset Protection and Security Management Handbook, 2003. James Walsh
Building a Global Information Assurance Program, 2005. Raymond J. Curts, Douglas E. Campbell
Building an Information Security Awareness Program, 2001. Mark B. Desman
Business Continuity Management: Building an Effective Incident Management Plan, 2009. Michael Blyth
Computer Forensics: Computer Crime Scene Investigation, 2nd Ed., 2005. John R. Vacca
Computer Security: Art and Science, 2002. Matt Bishop
Corporate Resiliency: Managing the Growing Risk of Fraud and Corruption, 2009. Toby J. Bishop, Frank E. Hydoski
The Definitive Handbook of Business Continuity Management, 2010. Andrew Hiles
Disaster Recovery Planning: Preparing for the Unthinkable, 3rd Ed., 2003. Jon William Toigo
Enterprise Security Architecture: A Business-Driven Approach, 2005. John Sherwood, Andrew Clark, David Lynas
EU Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, 1995. European Parliament, Council of the European Union
Information Assurance: Managing Organizational IT Security Risks, 2002. Joseph G. Boyce, Dan W. Jennings
Information Security Management Handbook series, 1998, 2000, 2001, 2003, 2005, 2006, 2007, 2008. Harold F. Tipton, Micki Krause
Inside the Security Mind, 2003. Kevin Day
ISO/IEC 27001:2005, Information technology – Security techniques – Information security management systems – Requirements
ISO/IEC 27002:2005, Information technology – Security techniques – Code of practice for information security management
ISO/IEC 27003:2010, Information technology – Security techniques – Information security management system implementation guidance
ISO/IEC 27004:2009, Information technology – Security techniques – Information security management – Measurement
ISO/IEC 27005:2011, Information technology – Security techniques – Information security risk management
ISO/IEC 29100:2011, Information technology – Security techniques – Privacy framework
IT Governance: A Manager’s Guide to Data Security and ISO 27001/ISO 27002, 2008. Alan Calder, Steve Watkins
IT Security: Risking the Corporation, 2003. Linda McCarthy
Managing an Information Security and Privacy Awareness Training Program, 2005. Rebecca Herold
The New School of Information Security, 2008. Adam Shostack, Andrew Stewart
NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems, July 2002 or later. Gary Stoneburner, Alice Goguen, Alexis Feringa. http://csrc.nist.gov/publications/PubsSPs.html
NIST Special Publication 800-35, Guide to Information Technology Security Services, October 2003 or later. Grance, Hash, Stevens, O’Neal, Bartol. http://csrc.nist.gov/publications/PubsSPs.html
NIST Special Publication 800-47, Security Guide for Interconnecting Information Technology Systems, August 2002 or later. Grance, Hash, et al. http://csrc.nist.gov/publications/PubsSPs.html
NIST Special Publication 800-55 Rev. 1, Performance Measurement Guide for Information Security, July 2008 or later. Chew, Swanson, Stein, Bartol, Brown, Robinson. http://csrc.nist.gov/publications/PubsSPs.html
NIST Special Publication 800-100, Information Security Handbook: A Guide for Managers, October 2006 or later. Pauline Bowen, Joan Hash, Mark Wilson. http://csrc.nist.gov/publications/PubsSPs.html
The Practice of Network Security, 2003. Allan Liska
Surviving and Thriving in Uncertainty: Creating the Risk Intelligent Enterprise, 2010. Frederick Funston, Stephen Wagner


Be Safe

View more articles from Miller
