CISSP Concentrations (ISSAP, ISSMP & ISSEP) [updated 2021]
New career opportunities
Earning your Certified Information Systems Security Professional (CISSP) certification delivers new opportunities for your cybersecurity career. It’s a great first step, but you may find it valuable to go beyond this and focus on CISSP concentrations. These concentrations go above the standard CISSP certification in many ways. With such credentials, you may be an even more attractive candidate to employers or advance your career, earn more and take on more responsibilities.
We’ll review requirements, steps for certification, learning objectives for each certification and who should pursue concentrations and why for all the CISSP concentrations.
What are the various CISSP concentrations?
There are three CISSP concentrations:
- Information Systems Security Architecture Professional (ISSAP)
- Information Systems Security Engineering Professional (ISSEP)
- Information Systems Security Management Professional (ISSMP)
Each focuses on a different subarea within the CISSP framework, allowing you to hone your skills and specialize. The concentrations will enable you to build upon the knowledge learned by achieving your CISSP certification. With these three concentrations, you can develop your acumen in either architecture, engineering or management.
These concentrations come from the International Information System Security Certification Consortium or (ISC)². This group defines the steps to certification.
Steps to certification
There are several steps you must take to qualify for concentrations.
Step 1: Experience
To qualify for each of these concentrations, you’ll need to be a CISSP in “good standing,” which means holding and maintaining the certification, including earning continuing Professional Education (CPE) credits.
You’ll also need at least two years of cumulative, paid work experience in these areas, respective to their concentration:
- One of more of the six domains of CISSP-ISSAP Common Body of Knowledge (CBK)
- One or more of the five domains of the CISSP-ISSEP CBK
- One or more of the six domains of the CISSP-ISSMP CBK
The CISSP certification requires five years of experience, so these certifications are targeted towards experienced security professionals.
Step 2: Register with Pearson VUE and schedule the exam
If you meet the first round of qualifications, you’ll next need to take an exam. You’ll start by creating an account on Pearson VUE. When you set up an account, you’ll have to complete an examination agreement, which means you will adhere to the (ISC)² code of ethics. You’ll also need to review the candidate background questions. Finally, you’ll pay the fee of $599 (or equivalent in other currency).
Step 3: Prep for, take and pass the exam
In preparation for the exam, you can either develop a study plan or enroll in certification training prep from (ISC)² or a licensed training provider. (ISC)² also offers webinars on each of the three concentrations. Training can be online, in a classroom, or private, on-site. Understand that each of the three concentrations has its own CBK that goes beyond that for CISSP.
The exam format for each credential is 3 hours to answer 125 multiple-choice questions. To successfully pass, you’ll need to earn 700 points on a 1,000-point scale. A panel of subject matter experts (SMEs) who are (ISC)² volunteers establish the passing score.
Step 4: Endorsement
After passing the exam, you will need to go through the endorsement process once more (the same as when you earned your CISSP certification). You have nine months from the date of passing your exam to complete your endorsement. The endorsement requires a signing off by an (ISC)² certified professional who is an active member.
After the endorsement approval, you’ll pay a single annual maintenance fee (AMF). (ISC)² uses these fees to support the costs of maintaining certifications. The cost is $125, and it’s due annually. It’s one cost, no matter the number of certifications you earn.
Along with the yearly AMF, you’ll also need to complete 20 CPEs every year for each concentration. Every three years, you’ll need to renew your certification.
How do these concentrations differ from CISSP certification?
CISSP concentrations build upon your CISSP certification, bringing greater depth, knowledge and expertise in one of the three areas. The testing is shorter for concentrations compared to CISSP.
Another key difference between the three CISSP concentrations and the CISSP itself is that you cannot substitute becoming an (ISC)² associate to demonstrate competence. The “associate” level is for those who have not yet earned their CISSP certification and need a little help in demonstrating competence.
To truly highlight the differences between CISSP concentrations and the standard CISSP certification, we’ll delve into what each of the three concentrations covers.
The CISSP-ISSAP certification deals specifically with information security architecture. Earning this certification demonstrates your knowledge in developing, designing and analyzing security solutions. Further, it proves you are proficient in providing risk-based guidance to key decision-makers to enable organizational goals.
CISSP-ISSAP domains and weighting:
- Domain 1. Architect for governance, compliance, and risk management (17%)
- Domain 2. Security architecture modeling (15%)
- Domain 3. Infrastructure security architecture (21%)
- Domain 4. Identity and access management (IAM) architecture (16%)
- Domain 5. Architect for application security (13%)
- Domain 6. Security operations architecture (18%)
Are you a good fit for CISSP-ISSAP?
(ISC)² notes CISSP-ISSAP is an appropriate credential for chief security architects or analysts. The roles it fits best with are those with a consultative or analytical process of information security.
Ideally, you should pursue ISSAP if you want to be a SME in your field and are plotting a path for your career that includes incremental growth in responsibility and salary.
What are the learning objectives for ISSAP?
(ISC)² lists the following ISSAP exam outline for each domain:
- Domain 1
- Determine legal, regulatory, organizational and industry requirements
- Manage risk
- Domain 2
- Identify security architecture approach
- Verify and validate design (e.g., Functional Acceptance Testing (FAT), regression)
- Domain 3
- Develop infrastructure security requirements
- Design defense-in-depth architecture
- Secure shared services (e.g., wireless, email, voice over internet protocol (VoIP), unified communications (UC), Domain Name System (DNS), network time protocol (NTP))
- Integrate technical security controls
- Design and integrate infrastructure monitoring
- Design infrastructure cryptographic solutions
- Design secure network and communication infrastructure (e.g., virtual private network (VPN), internet protocol security (IPsec), transport layer security (TLS))
- Evaluate physical and environmental security requirements
- Domain 4
- Design identity management and lifecycle
- Design access control management and lifecycle
- Design identity and access solutions
- Domain 5
- Integrate software development life cycle (SDLC) with application security architecture (e.g., requirements traceability matrix (RTM), security architecture documentation, secure coding)
- Determine application security capability requirements and strategy (e.g., open source, cloud service providers (CSP), software as a service (SaaS)/infrastructure as a service (IaaS)/platform as a service (PaaS) environments)
- Identify common proactive controls for applications (e.g., Open Web Application Security Project (OWASP))
- Domain 6
- Gather security operations requirements (e.g., legal, compliance, organizational and business requirements)
- Design information security monitoring (e.g., security information and event management (SIEM), insider threat, threat intelligence, user behavior analytics, incident response (IR) procedures)
- Design business continuity (BC) and resiliency solutions
- Validate business continuity plan (BCP)/disaster recovery plan (DRP)
- Design incident response (IR) management
The CISSP-ISSEP concentration focuses on information systems security engineering. Earning the certification demonstrates you know how to apply systems engineering principles and processes practically. It also represents your ability to integrate security across the infrastructure. (ISC)² developed the concentration in partnership with the U.S. National Security Agency (NSA).
CISSP-ISSEP domains and weighting
- Domain 1. Systems security engineering foundations (25%)
- Domain 2. Risk management (14%)
- Domain 3. Security planning and design (30%)
- Domain 4. Systems implementation, verification, and validation (14%)
- Domain 5. Secure operations, change management and disposal (17%)
Are you a good fit for CISSP-ISSEP?
Most pursuers of this concentration are senior systems engineers, information assurance systems engineers, information assurance officers, information assurance analysts and senior security analysts. If those are your areas of specialty and interest, you can move ahead in your career by earning ISSEP.
What are the learning objectives for ISSEP?
(ISC)² lists the following ISSEP exam outline for each domain:
- Domain 1
- Apply systems security engineering fundamentals
- Execute systems security engineering processes
- Integrate with applicable system development methodology
- Perform technical management
- Participate in the acquisition process
- Design trusted systems and networks (TSN)
- Domain 2
- Apply security risk management principles
- Address risk to the system
- Manage risk to operations
- Domain 3
- Analyze the organizational and operational environment
- Apply system security principles
- Develop system requirements
- Create system security architecture and design
- Domain 4
- Implement, integrate and deploy security solutions
- Verify and validate security solutions
- Domain 5
- Develop secure operations strategy
- Participate in secure operations
- Participate in change management
- Participate in the disposal process
The ISSMP concentration centers around security management. Holding this concentration certification represents that you can establish, present and govern information security programs. It also shows your management and leadership skills.
CISSP-ISSMP domains and weighting
- Domain 1. Leadership and business management (22%)
- Domain 2. Systems lifecycle management (19%)
- Domain 3. Risk management (18%)
- Domain 4. Threat intelligence and incident management (17%)
- Domain 5. Contingency management (10%)
- Domain 6. Law, ethics and security compliance management (14%)
Are you a good fit for CISSP-ISSMP?
Those pursuing ISSMP fall into leadership roles, including chief information officers, chief information security officers, chief technology officers or senior security executives. If you hold these titles or are the goal for your career, then ISSMP is an excellent concentration. To take on a leadership role, you need more than technical skills. You also need to manage things like budget, training and metrics.
What are the learning objectives for ISSMP?
(ISC)² lists the following ISSMP exam outline for each domain:
- Domain 1
- Establish security’s role in organizational culture, vision and mission
- Align security program with organizational governance
- Define and implement information security strategies
- Define and maintain security policy framework
- Manage security requirements in contracts and agreements
- Oversee security awareness and training programs
- Define, measure and report security metrics
- Prepare, obtain and administer security budget
- Manage security programs
- Apply product development and project management principles
- Domain 2
- Manage integration of security into system development lifecycle (SDLC)
- Integrate new business initiatives and emerging technologies into the security architecture
- Define and oversee comprehensive vulnerability management programs (e.g., vulnerability scanning, penetration testing, threat analysis)
- Manage security aspects of change control
- Domain 3
- Develop and manage a risk management program
- Conduct risk assessments
- Domain 4
- Establish and maintain a threat intelligence program
- Establish and Maintain Incident Handling and Investigation Program
- Domain 5
- Oversee development of contingency plans
- Guide development of recovery strategies
- Maintain business continuity plan (BCP), continuity of operations plan (COOP) and disaster recovery plan (DRP)
- Manage recovery process
- Domain 6
- Understand the impact of laws that relate to information security
- Understand management issues as related to the (ISC)² Code of Ethics
- Validate compliance with applicable laws, regulations and industry best practices
- Coordinate with auditors and assist with the internal and external audit process
- Document and manage compliance exceptions
Why earn a CISSP concentration?
There are several benefits to earning a concentration. According to the (ISC)², “Passing a concentration examination demonstrates proven capabilities and subject-matter expertise beyond that required for the CISSP or SSCP credentials.”
This puts you in a prime position for higher-paying positions with more responsibilities and challenges, allowing you to enjoy an even more rewarding career.
Another reason to earn your credentials is to set yourself apart from others; CISSP certification is the gold standard for the industry. According to (ISC)², there are over 147,000 certified CISSP professionals in the world. That’s widespread, but concentrations have much fewer numbers. In the U.S., current numbers are:
- 1,311 ISSAP certified professionals
- 1,220 ISSEP certified professionals
- 961 ISSMP certified professionals
Earning your CISSP credential will give you an advantage in a very competitive, growing field, and a CISSP concentration credential will do even more for you. Completing these concentrations is not necessary for everyone. Balance your career goals against the CBKs for each concentration to determine if they will be the right fit for your needs.
Which CISSP concentration is right for you?
Choosing which field to specialize in includes a variety of factors. Each concentration is specific to roles and career paths. The decision for you may include considering:
- Your strengths and required experience
- Career goals
- Opportunities within your current organization and the job market
- What you’re passionate about
- Your interest in leadership positions
By defining your goals, strengths and opportunities, you can determine which concentration will deliver the most value.