ISC2 ISSEP Certification

Certification guide

The Information Systems Security Engineering Professional (ISSEP) is ISC2’s credential for the people who build security into systems — the engineers who take an organization’s protection needs and turn them into requirements, architectures, designs, and verified, authorized systems. Where the CISSP proves breadth across the security profession, the ISSEP proves you can practice security as a systems engineering discipline: applying standards like NIST SP 800-160 and ISO/IEC/IEEE 15288, running trade studies, allocating security functions to components, and generating the verification evidence that authorization decisions rest on. It is the signature credential for security engineers in defense, intelligence, and other high-assurance environments — and it carries real weight anywhere resumes cross a contracting officer’s desk. Originally a CISSP concentration, it is now a standalone advanced certification, one of the three highest-bar credentials ISC2 offers.

The exam outline was refreshed effective August 1, 2025, and the update matters: the domains were revised from the latest Job Task Analysis, and AI security engineering now runs through all five — formal validation of ML components, adversarial threat modeling at requirements time, secure training-data pipelines, hardware-rooted protection of model weights, adversarial testing protocols, and drift-triggered retraining and rollback under change control. Study materials aligned to the pre-2025 outline will leave gaps. Eligibility runs two ways: hold the CISSP with two years of cumulative experience in one or more ISSEP domains, or qualify without the CISSP on seven years of cumulative experience in two or more domains.

125 questions 3 hours Multiple choice + advanced items Pass: 700 / 1000 Pearson VUE Outline effective Aug 1, 2025

Systems Security Engineering Foundations

Domain 1 · 24%

The heaviest domain covers the discipline itself: trust concepts and hierarchies, how security engineering integrates with the ISO/IEC/IEEE 15288 processes, structural design principles, governance and compliance, and integration with development methodologies including MBSE. It also owns technical management — configuration, information, measurement, and quality assurance processes — plus procurement and supply chain risk management, and resource analysis with Monte Carlo methods, MTBF, MTTR, and Maximum Tolerable Downtime.

Risk Management

Domain 2 · 20%

Security risk management aligned with enterprise risk management and integrated across the lifecycle. Expect the full cycle twice over — once for risk to the system and once for risk to operations: establishing context, identifying threats and vulnerabilities, inherent risk analysis, risk evaluation, monitoring changes to posture, and documenting findings and decisions in a form that survives audit and personnel turnover.

Security Planning and Engineering

Domain 3 · 22%

The design core: analyzing the organizational and operational environment, capturing stakeholder requirements, and applying system security principles — resiliency and diversity, defense-in-depth and Zero Trust, fail-safe defaults, single points of failure, least privilege, economy of mechanism, and separation of functions. It runs through developing the security requirements baseline, functional analysis and allocation, design traceability, trade-off studies, and design validation, with secure data pipelines and protected model weights for AI components.

Systems Security Implementation, Verification and Validation

Domain 4 · 20%

Turning design into fielded, evidenced reality: implementing and integrating security solutions, supporting CI/CD and DevSecOps, developing security test plans, supporting verification, updating the risk analysis as results come in, and documenting stakeholder acceptance. The 2025 outline adds adversarial testing of AI-driven controls and using machine learning to mine test data and logs for the edge cases manual review misses.

Secure Operations, Change Management and Disposal

Domain 5 · 14%

The lightest domain closes the lifecycle: secure operations plans with defined roles and event-reporting requirements, continuous monitoring design, incident response support, secure maintenance, change reviews and impact assessment with verification and validation of changes, and disposal — sanitization requirements, decommissioning procedures, audit of the results, and data retention policies. Model drift monitoring and secure model-update delivery now live here too.

Our practice exam mirrors the real thing: 125 questions in 180 minutes, drawn to the official domain weights — 30 questions from Foundations, 25 from Risk Management, 28 from Planning and Engineering, 25 from Implementation and V&V, and 17 from Operations, Change Management and Disposal. We set the pass mark at 70%, the honest raw-score equivalent of ISC2’s 700-out-of-1000 scaled grade — so a pass here means you covered the blueprint, not luck in the heavy ones. Every question is scenario-based with an explanation that tells you why the best answer beats the near misses.

ISC2 ISSEP - Practice Exam

Full-length ISSEP practice exam — 125 questions apportioned to the official August 1, 2025 exam outline weights across all five domains, with scenario-based items and detailed…

125 questions 180 min pass 70%
Subscribe to start

Trademark notice & independence. ISC2®, ISSEP®, CISSP®, and CBK® are registered marks of ISC2, Inc. Certifym.net is operated by Certifym Exam Services, LLC and is not affiliated with, endorsed by, or sponsored by ISC2. For official exam registration, policies, and the authoritative exam outline, visit isc2.org.

All practice questions on this site are original works created by Certifym.net to align with the publicly available exam outline. They are not actual exam questions. Practicing with these materials does not guarantee a passing result on any live certification exam.