CISSP-ISSAP
CISSP Information Systems Security Architecture Professional
Architecture concentration on top of CISSP — trust boundaries, identity / crypto / network composition, defense-in-depth design.
› Quality score
Four-axis SecProve rubric, each 0–10. SecProve editorial assessment — each axis carries a written justification so you can push back on any single call without dismissing the whole score.
› Market signals
Public, citable inputs to the recognition score.
› Built for these roles
› Exam format
125 multiple-choice questions over 3 hours, English. Pearson VUE proctored. AMF is shared with your active CISSP — no separate fee.
Standard ISC2 retake schedule: 30/60/90 day waits.
› Recertification
90 CPEs over the three-year cycle (avg 30/yr), included under your CISSP $135/yr Annual Maintenance Fee.
› Core domains covered
The 7 domains this cert is centrally about. Passing the exam demonstrates working knowledge of each.
Reference architectures, control frameworks (NIST SP 800-53, CIS Controls), secure-by-design patterns, threat modeling, trust-boundary design, technology standards.
Zero trust principles, micro-segmentation, NIST SP 800-207, ZTNA, continuous verification, BeyondCorp.
Symmetric/asymmetric, PKI, TLS/SSL, hashing, post-quantum cryptography, key management.
AuthN/AuthZ, SSO, MFA, PAM, RBAC/ABAC, identity governance, FIDO2/passkeys, plus non-human identity: service accounts, workload identity, agent / plugin identities.
Firewalls, IDS/IPS, network segmentation, DNS security, SD-WAN, VPN, traffic analysis, wireless security.
AWS/Azure/GCP security controls, IAM policies, CSPM, container security, shared responsibility model.
Risk frameworks (NIST RMF, ISO 31000, FAIR), policy development, audit, regulatory compliance, third-party risk.
› Also touched
Present in the blueprint but not the primary focus — you’ll be introduced but shouldn’t expect depth.
OWASP Top 10, secure SDLC, SAST/DAST/IAST, API security, code review, DevSecOps.
Data classification, encryption-at-rest/in-transit, DLP, tokenization, privacy-by-design, plus the regulatory stack (GDPR, CCPA, HIPAA) that sets the bar.
SBOM, vendor risk assessment, software supply chain attacks, dependency management.
› Prerequisites
Requires an active CISSP in good standing plus two years of professional experience in the ISSAP concentration domains.
- Trust boundaries and identity architecture
- Cryptographic and network composition
- Defense-in-depth design patterns
› Progression
Where this cert fits in the typical learning path. Required edges are vendor-gated; recommended edges reflect de facto industry progression.
No de facto priors typically expected.
No certs require this one.
› Study materials
Curated starting points. Not exhaustive — vet each against your learning style and the current exam version.
- Official (ISC)² ISSAP CBK Reference, 4th Ed. — Wiley/ISC2
- Boson ExSim-Max for ISSAP
› Version & lifecycle
ISSAP CBK has not been refreshed since 2017 — content gaps relative to current cloud/AI architecture practice.
› Salary signal
Security architect, US, 7+ years. Requires active CISSP.
Robert Half Salary Guide + Glassdoor 'Security Architect' aggregations · 2024 · US base only · p25–p75 range
› How it compares
Vendor-neutral architecture (ISSAP) vs Microsoft-stack architecture (SC-100).
CCSP is cloud-deep architecture; ISSAP is broader vendor-neutral architecture.
› Careers that commonly pursue this cert
Prepare for the post-quantum era. Understand quantum threats and lead cryptographic migration efforts.
Senior design role — defines how pillar A components fit together across identity, crypto, network, cloud, and data — and, increasingly, how pillar C bolts into it.