ISC2 ISSAP Certification

Certification guide

The Information Systems Security Architecture Professional (ISSAP) is ISC2’s advanced credential for security architects — the people who translate business strategy, risk appetite, and regulatory obligation into the design of enterprise security itself. Where the CISSP proves breadth, the ISSAP proves you can sit between the boardroom and the engineering floor and make defensible design decisions: which framework, which trust boundaries, which cryptographic lifecycle, which identity fabric. Originally a CISSP concentration, ISSAP became a standalone advanced certification in October 2023 — you can now qualify with a CISSP plus two years of domain experience, or with seven years of cumulative experience in two or more domains without holding the CISSP at all.

The exam outline was overhauled effective August 1, 2025, and the change is substantial: six legacy domains were consolidated into four, with application security and security operations absorbed into the surviving domains rather than standing alone. Infrastructure and System Security now carries nearly a third of the exam on its own, and AI is threaded throughout — architecting trusted execution environments that protect model weights, micro-segmenting AI workloads, placing monitoring probes for prompt injection and model evasion, designing identity for autonomous agents, and implementing the NIST AI RMF at the blueprint level. Study materials written for the old six-domain outline will not adequately prepare you for this exam.

125 questions 3 hours Multiple choice + advanced items Passing: 700 / 1000 Linear (non-adaptive) Pearson VUE English Outline effective Aug 1, 2025

Governance, Risk, and Compliance (GRC)

Domain 1 · 21%

Identifying the legal, regulatory, contractual, and privacy requirements that constrain a design — then architecting for them: monitoring and reporting pipelines, auditability and forensic readiness, segregation for high-assurance systems, risk assessment artifacts folded into blueprints, and risk treatment advice (mitigate, transfer, accept, avoid) that leadership can actually sign. The 2025 refresh adds vendor risk architecture for AI suppliers and designing transparent, explainable automated decision systems.

Security Architecture Modeling

Domain 2 · 22%

Choosing and applying the architecture approach: scope and types (enterprise, cloud, SOA), frameworks like TOGAF and SABSA, reference architectures and blueprints, and threat modeling with STRIDE, CVSS, and live threat intelligence. The second half is verification and validation — functional acceptance and regression testing, gap analysis, compensating controls, tabletop exercises, modeling and simulation, peer review, and code review methodology from static and dynamic analysis to source composition analysis.

Infrastructure and System Security

Domain 3 · 32%

The heavyweight domain, spanning deployment models (on-prem, cloud, hybrid), IT and OT, physical security and zoning, platform security from firmware to containers, network security (segmentation, SDP, NAC, VPN/IPsec, DNS, NTP, WAF, air gaps), storage and data repository security, cloud service models, ICS/SCADA, endpoints and BYOD, secure shared services, third-party integrations, infrastructure and content monitoring, out-of-band communications, and full cryptographic solution design — considerations, implementation across in-transit, in-use, and at-rest, and the key management lifecycle.

Identity and Access Management (IAM) Architecture

Domain 4 · 25%

Architecting the full identity lifecycle — proofing, identifiers for users, services, processes, and devices, joiner-mover-leaver provisioning — plus authentication (MFA, risk-based elevation, SAML, RADIUS, Kerberos, OAuth), authorization (SoD, least privilege, RBAC/ABAC, PAM, SSO models), and accounting: audit event definition, log management and integrity, analysis and reporting, and compliance with PCI-DSS, FISMA, HIPAA, and GDPR. Non-human identity for AI agents and service accounts is a new emphasis.

Our ISSAP practice exams are full-length, scenario-driven sets of 90 questions on a 130-minute clock — the same per-question pace as the real exam’s 125 questions in 3 hours — stratified to the official domain weights, so nearly a third of every attempt lands in Infrastructure and System Security, just like exam day. ISC2 scores the live exam on a 700-out-of-1000 scale rather than a raw percentage, so we set the pass mark at 70% as an honest raw-score equivalent: hitting it means you held your own across all four domains at their true weights, not that you got lucky in the heavy ones. Every question is written the way ISC2 writes at this level — multiple defensible options, one most correct answer — and every explanation tells you why the best answer beats the near-miss.

ISC2 ISSAP - Practice Exam

Full-length ISSAP practice exam aligned to the August 1, 2025 exam outline: 90 architect-level questions stratified across the four domains (GRC 21%, Security Architecture Modeling 22%,…

90 questions 130 min pass 70%
Subscribe to start

Trademark notice & independence. Certifym.net is an independent study resource operated by Certifym Exam Services, LLC. We are not affiliated with, endorsed by, or sponsored by ISC2, Inc. ISC2®, CISSP®, ISSAP®, and CBK® are registered marks of ISC2, Inc. The ISSAP exam outline and its domain structure are the property of ISC2, Inc.; candidates should download the official, current exam outline directly from isc2.org.

All questions, answers, and explanations on Certifym are original content created for practice purposes. They are not actual ISC2 examination questions and are not represented as such. Practicing with these materials does not guarantee a passing result on any live certification exam.