CISSP-ISSAP
CISSP Information Systems Security Architecture Professional
Architecture concentration on top of CISSP — trust boundaries, identity / crypto / network composition, defense-in-depth design.
› Quality score
Four-axis SecProve rubric, each 0–10. SecProve editorial assessment — each axis carries a written justification so you can push back on any single call without dismissing the whole score.
› Market signals
public, citable inputs to the recognition score› Built for these roles
› Exam format
125 multiple-choice questions over 3 hours, English. Pearson VUE proctored. AMF is shared with your active CISSP — no separate fee.
Standard ISC2 retake schedule: 30/60/90 day waits.
› Recertification
90 CPEs over the three-year cycle (avg 30/yr), included under your CISSP $135/yr Annual Maintenance Fee.
› Core domains covered
The 7 domains this cert is centrally about. Passing the exam demonstrates working knowledge of each.
Reference architectures, control frameworks (NIST SP 800-53, CIS Controls), secure-by-design patterns, threat modeling, trust-boundary design, technology standards.
Zero trust principles, micro-segmentation, NIST SP 800-207, ZTNA, continuous verification, BeyondCorp.
Symmetric/asymmetric, PKI, TLS/SSL, hashing, post-quantum cryptography, key management.
AuthN/AuthZ, SSO, MFA, PAM, RBAC/ABAC, identity governance, FIDO2/passkeys, plus non-human identity: service accounts, workload identity, agent / plugin identities.
Firewalls, IDS/IPS, network segmentation, DNS security, SD-WAN, VPN, traffic analysis, wireless security.
AWS/Azure/GCP security controls, IAM policies, CSPM, container security, shared responsibility model.
Risk frameworks (NIST RMF, ISO 31000, FAIR), policy development, audit, regulatory compliance, third-party risk.
› Also touched
Present in the blueprint but not the primary focus — you’ll be introduced but shouldn’t expect depth.
OWASP Top 10, secure SDLC, SAST/DAST/IAST, API security, code review, DevSecOps.
Data classification, encryption-at-rest/in-transit, DLP, tokenization, privacy-by-design, plus the regulatory stack (GDPR, CCPA, HIPAA) that sets the bar.
SBOM, vendor risk assessment, software supply chain attacks, dependency management.
› Prerequisites
Requires an active CISSP in good standing plus two years of professional experience in the ISSAP concentration domains.
- Trust boundaries and identity architecture
- Cryptographic and network composition
- Defense-in-depth design patterns
› Progression
requiredrecommendedWhere this cert fits in the typical learning path. Required edges are vendor-gated; recommended edges reflect de facto industry progression.
No de facto priors typically expected.
No certs require this one.
› Study materials
Curated starting points. Not exhaustive — vet each against your learning style and the current exam version.
- Official (ISC)² ISSAP CBK Reference, 4th Ed. — Wiley/ISC2
- Boson ExSim-Max for ISSAP
› Version & lifecycle
ISSAP CBK has not been refreshed since 2017 — content gaps relative to current cloud/AI architecture practice.
› Salary signal
Security architect, US, 7+ years. Requires active CISSP.
Robert Half Salary Guide + Glassdoor 'Security Architect' aggregations · 2024 · US base only · p25–p75 range
› How it compares
Vendor-neutral architecture (ISSAP) vs Microsoft-stack architecture (SC-100).
↔ Compare side-by-sideCCSP is cloud-deep architecture; ISSAP is broader vendor-neutral architecture.
↔ Compare side-by-side› Careers that commonly pursue this cert
Prepare for the post-quantum era. Understand quantum threats and lead cryptographic migration efforts.
Senior design role — defines how pillar A components fit together across identity, crypto, network, cloud, and data — and, increasingly, how pillar C bolts into it.
› Common exam traps to study
Cybersecurity cert exams reuse the same 25 distractor patterns over and over — category confusion, RTO vs RPO, IDS vs IPS, MD5 vs SHA-256, and more. Once you can name the trap, you stop falling for it. Each archetype page covers what it is, the specific pairs candidates confuse, and how to avoid it.
See this cert’s domains highlighted on the interactive map, or compare it against the rest of the catalog.