SecProve
ExpertVendor-neutralISC2· issued from US

ISSMP

Information Systems Security Management Professional

ISC2 specialization for security management. Requires CISSP. Focus on Leadership, Risk Management, Security Operations, and Compliance Management. For CISOs and senior security executives.

Official page at ISC2↔ Compare with another cert
Exam fee
$599
Ongoing
$125/yr AMF · 20 CPE/yr
Study time
120–250 hrs
Delivery
Test center
Validity
3 yrs (renewal cycle)

› Quality score

19.0 / 40

Four-axis SecProve rubric, each 0–10. SecProve editorial assessment — each axis carries a written justification so you can push back on any single call without dismissing the whole score.

Blueprint rigor
How well-defined and rigorous the exam blueprint is.
CISSP concentration on security management — leadership, governance, risk frameworks.
8.0/10
Practical evidence
Hands-on labs / written reports vs pure MCQ.
Pure MCQ. No program artefact or board scenario.
1.0/10
Currency & upkeep
How aggressively content is kept current with the field.
Refresh cadence trails CISM; current content covers contemporary governance topics.
5.0/10
Market recognition
How often this signal actually moves a hiring decision.
Recognised among CISSP-tracked managers; CISM is the more common management signal. [Holders: 2k, 2024-12] [DoD 8140 listed]
5.0/10

› Market signals

public, citable inputs to the recognition score
Holders worldwide
1,500
as of 2024-12 · source
DoD 8140 baseline
Listed
IAM-III, CSSP-Manager

› Built for these roles

CISOsCIOsCTOsSecurity Directors

› Exam format

Linear, 125 questions, 3 hours, 700/1000

Passing score
700/1000 (scaled)
Retake policy
Fee: $599 per attempt
Wait: 30d between attempts
Cap: 4 attempts/year

30/60/90 day waits for retakes 1/2/3 in a rolling 12-month window.

› Recertification

60-140 CPEs per 3-year cycle, $135/year AMF

› 3-year cost of ownership

Exam (1×)
$599
AMF (3×)
$375@$125/yr
Total
$974

Excludes study materials, training, retake risk, and lost-wage opportunity. Use as a floor estimate.

› NICE Framework work roles

The NIST NICE work-role IDs this cert maps to. NICCS lookup.

OG-WRL-014OG-WRL-007
Recognition
Global
Exam languages
en

› Core domains covered

The 3 domains this cert is centrally about. Passing the exam demonstrates working knowledge of each.

A18Security Leadership

Cyber risk quantification, board communication, security program development, budget & ROI.

A1Governance, Risk & Compliance

Risk frameworks (NIST RMF, ISO 31000, FAIR), policy development, audit, regulatory compliance, third-party risk.

A7Incident Response & Forensics

IR playbooks, memory/disk/network forensics, chain of custody, malware analysis.

› Prerequisites

Experience

Active CISSP + 2 years experience in the respective specialization

› Progression

requiredrecommended

Where this cert fits in the typical learning path. Required edges are vendor-gated; recommended edges reflect de facto industry progression.

Required prereqs (1)
CISSPISC2
Recommended priors (0)

No de facto priors typically expected.

ISSMP
ISC2
Required by (0)

No certs require this one.

Recommended next (0)

No follow-on certs reference this one yet.

› Study materials

Curated starting points. Not exhaustive — vet each against your learning style and the current exam version.

Official guides
  • Official (ISC)² ISSMP CBK ReferenceWiley/ISC2
Practice tests
  • Boson ExSim-Max for ISSMP
Free / community

› Version & lifecycle

Current version
2024 CBK refresh
Released
2024-04

› Salary signal

Senior security manager / director, US, 7+ years. Requires active CISSP.

$150K$220K
median $180K

Robert Half Salary Guide + Glassdoor 'Security Manager' aggregations · 2024 · US base only · p25–p75 range

› How it compares

vs
CISM

ISSMP is the ISC2 management concentration; CISM is the standalone ISACA equivalent — both target the same role.

↔ Compare side-by-side
vs
CISSP

ISSMP layers manager-track depth on top of CISSP.

↔ Compare side-by-side

› Careers that commonly pursue this cert

CISO / Security Leader

Lead security strategy, communicate risk to the board, and build security programs. Executive-level cybersecurity leadership.

› Common exam traps to study

Cybersecurity cert exams reuse the same 25 distractor patterns over and over — category confusion, RTO vs RPO, IDS vs IPS, MD5 vs SHA-256, and more. Once you can name the trap, you stop falling for it. Each archetype page covers what it is, the specific pairs candidates confuse, and how to avoid it.

Browse all 25 cert-exam trapsStart with: BEST vs correct

See this cert’s domains highlighted on the interactive map, or compare it against the rest of the catalog.

Highlight on the domain mapBrowse all certifications