What is the CISSP-ISSMP? Information Security System Management Professional [updated 2021]
Validate your information security program skills
The Certified Information Security Systems Professional, or CISSP, is a certification offered by the International Information System Security Certification Consortium, also known as (ISC)². This organization offers additional certifications with specific concentrations which build upon the subject matter mastery verification offered by CISSP. CISSP has become a suite of certifications covering various aspects of information systems security. One of these certifications is the Information Security System Management Professional, or CISSP-ISSMP, certification. CISSP-ISSMP verifies the certification holder excels at implementing, presenting and governing organizational information security programs. Do you know the individual at your organization who set up the information security program? They very well may already have this certification.
What is the CISSP-ISSMP certification, and who is it for? This article answers those questions, walks through the domains of knowledge the exam covers and gives other important details such as exam cost and study resources, so that you can make an informed decision on whether to pursue the certification yourself.
Who should earn the CISSP-ISSMP?
The CISSP-ISSMP is intended for management roles within an organization that are responsible for establishing, presenting and managing its information security program. It suits those aspiring to, or already in, the roles of chief technology officer (CTO), chief information officer (CIO) or any other management position overseeing organizational information security or IT security.
What are the six domains covered by CISSP-ISSMP?
The current version of the CISSP-ISSMP exam has changed a bit since the previous exam version. Below is a comparison of the previous domains and the current ones.

| Previous CISSP-ISSMP domains | Current CISSP-ISSMP domains |
|---|---|
| Domain 1: Security leadership and management | Domain 1.0: Leadership and business management |
| Domain 2: Security lifecycle management | Domain 2.0: Systems lifecycle management |
| Domain 3: Security compliance management | Domain 3.0: Risk management |
| Domain 4: Contingency management | Domain 4.0: Threat intelligence and incident management |
| Domain 5: Law, ethics and incident management | Domain 5.0: Contingency management |
| | Domain 6.0: Law, ethics and security compliance management |
A new domain has been added to the lineup — threat intelligence and incident management. Also, security compliance management has become risk management.
With the CISSP-ISSMP domain changes out of the way, let’s take a look at the domains themselves.
Domain 1.0: Leadership and business management (22%)
Described as being the broadest of all the domains, domain 1.0 focuses on the high-level requirements that must be fulfilled for the overarching organizational information security program to be successful. This domain will test the following:
- Establish security’s role in organizational culture, vision and mission
- Align security program with organizational governance
- Define and implement information security strategies
- Define and maintain security policy framework
- Manage security requirements in contracts and agreements
- Oversee security awareness and training programs
- Define, measure and report security metrics
- Prepare, obtain and administer security budget
- Manage security programs
- Apply product development and project management principles
Domain 2.0: Systems lifecycle management (19%)
This domain has had a name change that highlights the shift from security lifecycle management to systems lifecycle management. Security management is now a subdomain within systems lifecycle management, and security is baked into the rest of the domain. It will test:
- Manage integration of security into system development lifecycle (SDLC)
- Integrate new business initiatives and emerging technologies into the security architecture
- Define and oversee comprehensive vulnerability management programs
- Manage security aspects of change control
Domain 3.0: Risk management (18%)
Risk management covers the following:
- Develop and manage a risk management program
- Conduct risk assessments (RA)
Domain 4.0: Threat intelligence and incident management (17%)
This domain is new and comprehensively covers what an organizational management professional needs to know for both threat intelligence and incident management. It covers the following:
- Establish and maintain threat intelligence program
- Establish and maintain incident handling and investigation program
Domain 5.0: Contingency management (10%)
Contingency management tests:
- Oversee development of contingency plans (CP)
- Guide development of recovery strategies
- Maintain business continuity plan (BCP), continuity of operations plan (COOP) and disaster recovery plan (DRP)
- Manage recovery process
Domain 6.0: Law, ethics and security compliance management (14%)
This domain will test mastery over:
- Understand the impact of laws that relate to information security
- Understand management issues as related to the (ISC)² code of ethics
- Validate compliance in accordance with applicable laws, regulations and industry best practices
- Coordinate with auditors, and assist with the internal and external audit process
- Document and manage compliance exceptions
Other exam information
- Exam length — 3 hours
- Number of questions — 125
- Exam format — multiple-choice questions
- Passing score — 700 out of 1000
- Exam cost — $599
- Exam location — Pearson Testing Center
If a certification candidate does not pass the exam on their first attempt, they are required to wait 30 days before their next attempt. After a second failed attempt, the candidate must wait 90 days, and every failed attempt after that requires a 180-day waiting period before retesting.
CISSP-ISSMP study resources
The CISSP-ISSMP is easier to pass with the help of study resources, and there are a few that you will want to have at hand. These study resources are:
- CISSP-ISSMP Exam Outline, available here
- “Official (ISC)² Guide to the CISSP-ISSMP CBK, Second Edition,” available here
- Official CISSP-ISSMP Flash Cards, available here
Verify your knowledge, advance your career
The CISSP-ISSMP certification is an information security certification intended for information security management professionals, such as CIOs and CTOs, that verifies the knowledge necessary for implementing, presenting, managing and governing an organization's information security program. If you are currently an information security management professional, or aspire to become one, you may want to consider this certification to give your career progression a boost.
CISSP-ISSMP Exam Outline. (ISC)².