CISSP Concentrations (ISSAP, ISSMP & ISSEP)

June 28, 2019 by Infosec

CISSP Concentrations

While earning your Certified Information Systems Security Professional (CISSP) certification is an excellent way to embark on a rewarding career, it may be worth your time to consider earning your credentials in one of the CISSP concentrations. These concentrations go above and beyond the standard CISSP certification in many ways, making you a more attractive job candidate to hirers or allowing you to advance your career with your current employer through a higher-paid position with more responsibilities.

What are the various CISSP concentrations?

There are three CISSP concentrations, which are as follows:

  • Information Systems Security Architecture Professional (ISSAP)
  • Information Systems Security Engineering Professional (ISSEP)
  • Information Systems Security Management Professional (ISSMP)

Each focuses on a different sub-area within the CISSP framework, allowing you to hone your skills and specialize. According to the International Information System Security Certification Consortium or (ISC)2, “With the continuous evolution of information security, (ISC)2 built on the original conception of the CISSP to develop credentials that address the specific needs of our members. With this in mind, we produced our CISSP concentration in the functional areas of architecture (ISSAP), engineering (ISSEP), and management (ISSMP).”

In order to earn your CISSP concentration certification, you must have first earned your CISSP certification and maintained it. You must also have at least two years of real-world experience in the area covered by the concentration (architecture, engineering or management). If you’re counting, that’s a total of seven years of on-the-job experience (five years for the initial CISSP certification, and then two more for the concentration).

If you meet those requirements and are still a CISSP in good standing with the organization, you’ll need to complete another exam. You’ll have a total of three hours to answer 125 questions if you’re trying to earn either the ISSAP or ISSMP concentration certification, or 150 questions if you’re pursuing the ISSEP concentration. All three tests require you to score 700 out of 1,000 possible points.

Note that you will need to develop your own study plan or participate in training provided by (ISC)2 or a licensed training provider. (ISC)2 also offers webinars on each of the three concentrations. Training can be online, provided in a classroom, or delivered as private, onsite training. Understand that each of the three concentrations has its own common body of knowledge (CBK) that goes beyond that of the CISSP.

After passing the exam, you will need to go through the endorsement process once more (the same as when you earned your CISSP certification). You have nine months from the date of passing your exam to complete your endorsement.

Finally, you’ll need to complete 20 continuing education credits per year, and you’ll need to renew your certification every three years (which will cost you $85 for your CISSP certification and $35 for the maintenance fee).

How Do These Concentrations Differ from the Actual CISSP Certification?

It’s important to understand that the CISSP concentrations build on the CISSP certification, but bring greater depth, knowledge and expertise in one of the three areas covered. To truly highlight the differences between the CISSP concentrations and the standard CISSP certification, we’ll need to delve into what each of the three concentrations covers.


The CISSP-ISSAP certification deals specifically with information security architecture. It is designed for analysts, as well as chief security architects, consultants and others in the industry who develop, design and implement program security.

According to (ISC)2, this concentration is ideal for system architects, chief technology officers, system designers, network designers, business analysts and chief security officers who want to “specialize in designing security solutions and providing management with risk-based guidance to meet organizational goals.” The ISSAP CBK covers quite a few areas, including:

  • Physical security considerations
  • Communications and network security
  • Cryptography
  • Technology-related business continuity planning
  • Disaster recovery planning
  • Security architecture analysis

In order to complete this concentration, you’ll need at least two years of real-world experience in one of the covered domains. Note that the domains vary significantly with each concentration.

Furthermore, (ISC)2 lists the following learning objectives for the ISSAP course:

  • Define an architecture that will ensure adequate security and reliability for the organization’s information systems design.
  • Identify and deploy physical access controls that will enable the complete information system security model to prevent, detect, and react to suspicious activity.
  • Describe how cryptography is used to protect an organization’s data and communications from security threats.
  • Explain how to select, implement and monitor communications products according to company standards and policies.
  • Develop a business continuity plan and disaster recovery plan for an organization through an understanding of identifying adverse events that could potentially threaten an organization’s ability to thrive.
  • Utilize hard and soft concepts when applying access control methodologies.


The CISSP-ISSEP concentration deals with information systems security engineering, and is designed for senior systems engineers, information assurance systems engineers, information assurance officers, information assurance analysts, and senior security analysts along with others. According to (ISC)2, these professionals “specialize in the practical application of systems engineering principles and processes to develop security systems.”

The CBK for this concentration includes:

  • US government information assurance related policies and issuances
  • Systems security engineering
  • Certification and accreditation
  • Risk management framework
  • Technical management

(ISC)2 lists the following learning objectives for the ISSEP course:

  • Describe concepts related to how certification and accreditation and risk management framework processes are applied and integrated/implemented with systems security engineering.
  • Explain the details of technical management, including how to design, implement, and execute technical aspects related to systems security engineering.
  • Describe how US government information assurance laws, regulations, policies and standards apply to information security systems.
  • Apply knowledge of systems security engineering to protect organizational information through a process which includes identifying needs, designing the architecture, developing systems security requirements, and implementing those requirements.


The ISSMP concentration deals with information systems security management, and it is designed for chief information officers, chief information security officers, senior security executives and chief technology officers, amongst many others. The organization says these professionals “specialize in establishing, presenting, and governing information security programs, and demonstrate management and leadership skills.”

The CBK for the ISSMP concentration includes:

  • Law, ethics and incident management
  • Security leadership and management
  • Contingency management
  • Security lifecycle management
  • Security compliance management

The following learning objectives are listed on the (ISC)2 course outline concerning the ISSMP course:

  • Understand and apply the fundamental security leadership and management skills and knowledge in managing an organization’s information security program.
  • Understand and apply the security lifecycle management processes and principles into new business initiatives as well as the system development lifecycle, including the operations, maintenance and disposal phases.
  • Understand and apply the security compliance management skills in establishing, managing, and overseeing a process to help monitor, assess and enforce compliance with security policies and procedures.
  • Understand and apply contingency management practices in planning and implementing processes for reducing the impact of adverse events, such as natural and man-made disasters, virus outbreaks or equipment failures.
  • Understand and apply the law, ethics and incident management practices that apply to the organization and the necessary knowledge and skill in developing processes for managing security incidents, coordinating with law enforcement and legal authorities, identifying and applying guidelines and keeping the organization’s management informed of real or potential impacts.

Now, compare the requirements and learning objectives for the concentrations listed above to the CBK and focus areas of the CISSP:

  • Security and risk management
  • Software development security
  • Security operations
  • Asset security
  • Security engineering
  • Identity and access management
  • Security assessment and testing
  • Communications and network security

While the CISSP concentrations require a three-hour testing period, the CISSP itself requires six hours, and consists of 250 questions (compared to 125 or 150 questions). Each of the three CISSP concentrations builds on separate principles and knowledge areas within the wider CISSP, allowing you to specialize and drill down into those areas.

Finally, another key difference between the three CISSP concentrations and the CISSP itself is that you are not able to substitute becoming an (ISC)2 associate as a way to demonstrate competence. The “associate” level is designed for those who have not yet earned their CISSP certification and need a little help in demonstrating competence.

If you’ll be pursuing a concentration, you should already have that competence and have demonstrated it, along with demonstrable competence in at least two of the CBK areas for the concentration you’re interested in earning.

Why Do CISSP Concentrations Matter?

Why should you consider completing any of the three CISSP concentrations? According to (ISC)2, “Passing a concentration examination demonstrates proven capabilities and subject-matter expertise beyond that required for the CISSP or SSCP credentials.” This puts you in a prime position for higher-paying positions with more responsibilities and challenges, allowing you to enjoy an even more rewarding career.

Another reason to earn your credentials in one of these concentrations is to set yourself apart from others. While CISSP certification has become the gold standard for the industry and there are over 100,000 certified professionals around the world, that’s not the case with the concentrations.

For instance, there are only about 1,000 people in the US with ISSAP concentration certification. There are roughly the same number of professionals in the US with ISSEP certification and even fewer with ISSMP certification.

So, while earning your CISSP credential will definitely give you a leg up in a very competitive, growing field, earning your CISSP concentration credential will do even more for you. With that being said, completing these concentrations is not necessary for everyone. Balance your career goals against the CBKs for each concentration to determine if they will be the right fit for your needs.

Training and Testing

Like the CISSP training and examination process, CISSP concentrations are taught by training providers around the world, with the material being offered in multiple languages. The cost for each concentration test is $399 (or the equivalent in local currency), and the same rules that apply to the larger CISSP exam apply to concentration testing as far as rescheduling, cancellation, late arrival and the like.

Also like the CISSP, testing for CISSP concentrations is done through Pearson VUE, and, depending on your geographic location, will be done in a physical testing center, or through a licensed, secure online portal. All testing, rescheduling or test cancellations must be done via the Pearson VUE website, and you’ll need to create an account before testing can begin (if you’ve earned your CISSP, it will be the same account you used previously).

Is a Concentration Right for You?

Is pursuing one of the three CISSP concentrations the right career choice for you? It could be, but that will require a good understanding of your career goals. Where do you want to be in the future?

It also requires that you have at least some past experience in a minimum of two of the CBK areas covered by the concentration, so chances are good that if you’re considering a particular concentration, you already have a good idea of what’s involved, how the area is growing, and where you want to go within it, whether with your current employer or with another.

Considering the fact that the US boasts fewer than 3,000 individuals with any CISSP concentration credentials, pursuing this training and certification path can be an excellent way to stand out from the crowd. With almost 50,000 information security jobs posted by companies in virtually every industry in 2014 alone, it’s clear that demand is only increasing. By earning your credentials, you can forge your own path.

