What is the CISSP-ISSEP? Information Systems Security Engineering Professional
What Is the ISSEP?
The ISSEP is one of the CISSP concentration certifications. ISSEP stands for Information Systems Security Engineering Professional. ISC2 and the NSA collaborated on the content for this certification, which gives security engineers an opportunity to prove their ability to apply security engineering principles to the business processes they support. The certification has helped establish usable methodologies and best practices within the industry. It is partly based on the Information Assurance Technical Framework (IATF), written by the NSA in 2002 to define the technical requirements for protecting information, in particular critical DoD and other government information.
Who Should Earn the ISSEP?
According to ISC2, the ISSEP is intended for the following (not exclusive) list:
- Senior systems engineers
- Information assurance systems engineers
- Information assurance officers
- Information assurance analysts
- Senior security analysts
Anyone hoping to sit for the ISSEP examination must hold a valid CISSP credential and have a minimum of two years of relevant engineering experience. A candidate does not need to hold one of the specific job titles above, but practical systems engineering experience focused on developing highly secure systems is required. The applicant should be able to design a strong security architecture, assess organizational security needs, define security requirements, and properly perform security risk assessments.
Beyond having the required experience, the prospective test-taker must fill out the ISSEP application form, which can be found on the ISC2 website. The form requires a yes or no answer to each of the following questions:
- Have you ever been convicted of a felony; a misdemeanor involving a computer crime, dishonesty, or repeat offenses; or a court martial in military service, or is there a felony charge, indictment, or information now pending against you? (Omit minor traffic violations and offenses prosecuted in juvenile court.)
- Have you ever had a professional license, certification, membership or registration revoked, or have you ever been censured or disciplined by any professional organization or government agency?
- Have you ever been involved, or publicly identified, with criminal hackers or hacking?
- Have you ever been known by any other name, alias, or pseudonym? (You need not include user identities or screen names with which you were publicly identified.) (From the isc2.org ISSEP Exam Outline, p. 4.)
Both Pearson VUE and Prometric are registered testing partners who can administer the exam.
What Are the ISSEP Domains?
The ISSEP covers four domains:
- Systems Security Engineering – This is where knowledge of the IATF is tested. The test-taker needs to know the defense-in-depth security model, the system life cycle, and how to perform risk assessments.
- Certification and Accreditation (C&A) / Risk Management Framework (RMF) – Covers the certification and accreditation processes and their requirements. With the RMF now the more widely used standard, the exam has been updated to test against that model.
- Technical Management – Tests the various system development models and methodologies and how to map them to their corresponding security tasks.
- U.S. Government Information Assurance Related Policies and Issuances – The test-taker will demonstrate understanding of and ability to identify government IA/Cybersecurity regulations.
What Does the ISSEP Exam Involve?
The ISSEP exam is similar in format to the CISSP exam. It is three hours long, consists of 150 questions (multiple-choice, hot area, drag-and-drop, or fill-in-the-blank), and requires a score of 700 out of 1000 points to pass.
What Are the Best ISSEP Study Resources?
One recent recipient of the ISSEP credential was asked how he studied for the exam. He suggested starting with the Shon Harris CISSP study guide, which helps with learning the objectives and vocabulary. Then gather "multiple sources to expand vocabulary of the same technologies, repetitive test taking and quick objectives that match the criteria for each domain of the particular subject." He also suggested "a short guide that's a quick read. Perhaps a dummies book and a medium volume guide for balance. Not too heavy, not too thin." (Michael Frazier, CISSP, ISSEP)
ISC2 offers training options on its website: an ISSEP hopeful can attend an ISC2 training seminar, download a practice exam, or purchase the official ISC2 guide. Outside of the official ISC2 offerings, there are live in-person and online training courses, as well as books and other study guides.
uCertify has an ISSEP preparation kit that consists of practice exam questions, including explanations of the questions, a study guide, interactive quizzes, how-to articles, and flash cards.
SecureNinja also offers a study guide with over 400 content slides covering all four domains.
Infosec offers a four-day boot camp to prepare for the ISSEP exam.
The ISSEP is a certification exam that tests the security capabilities of systems engineers with at least two years of experience. ISC2 provides study materials on its website, and many other resources are available. The best approach appears to be combining several types of study aids while focusing on how the exam is structured and the vocabulary it uses. The ISSEP is a valuable addition to any systems engineer's resume.
Source: Frazier, M., CISSP, ISSEP. Phone interview, September 26, 2016.