ISC2 ISSMP Certification

Certification guide

The Information Systems Security Management Professional (ISSMP) is ISC2’s credential for the people who run security programs — the managers and executives who set strategy, win budgets, govern risk, direct security operations, keep the business running through a disaster, and answer to regulators and boards. Where the CISSP proves breadth across the profession, the ISSMP proves you can lead it: aligning the security program with the organization’s mission, making risk decisions defensible, and translating threats into the language of business impact. Originally a CISSP concentration, it is now a standalone advanced certification — one of the three highest-bar credentials ISC2 offers — and a natural fit for security managers, directors, and those on the CISO track.

The exam outline was refreshed effective August 1, 2025, and the update matters: ISC2 restructured the domains around today’s management job and embedded AI governance throughout. Alongside the classic management material — policy frameworks, KPIs and KRIs, budget cases, risk treatment and cost-benefit analysis, supply chain risk, SOC and incident program governance, BIA-driven contingency planning, audit coordination — today’s ISSMP expects you to reason about shadow AI policy, ethical AI governance models, the NIST AI RMF and ISO/IEC 42001, MLSecOps decision gates, prompt injection and data poisoning response, model artifacts as continuity dependencies, and the EU AI Act’s risk tiers.

125 questions 3-hour exam Pass: 700 / 1000 scaled 6 domains Outline effective Aug 1, 2025 Pearson VUE

Leadership and Organizational Management

Domain 1 · 21%

The heaviest domain, and the heart of the credential: establishing security’s role in culture, vision, and mission; navigating governance and boundaries of authority; building policy frameworks (policies, standards, baselines, guidelines); managing contracts, managed services, and the security impact of mergers; running awareness programs that change behavior; defining KPIs and KRIs; preparing and defending budgets; and applying project management principles — including embedding security into agile delivery and governing the organization’s use of AI.

Systems Lifecycle Management

Domain 2 · 15%

Integrating security throughout the system life cycle rather than bolting it on: phase-gate governance, configuration management oversight, and folding new initiatives and emerging technology into the security architecture. It also owns the vulnerability management program — asset-criticality-driven prioritization, penetration test governance, remediation and compensating controls — and the security side of change control, from impact analysis to continuous compliance monitoring, extending to MLSecOps gates and treating model weight updates as formal system changes.

Risk Management

Domain 3 · 20%

The second-heaviest domain: building and running the risk program — appetite and tolerance, asset inventory, qualitative and quantitative assessment (SLE, ARO, ALE), treatment options and cost-benefit analysis, the risk register, and who actually gets to accept risk. Supply chain risk gets deep coverage: vendor tiering, independent attestation, fourth-party flow-downs, and continuous monitoring. The 2025 refresh adds the NIST AI RMF, ISO/IEC 42001, generative AI procurement terms, and model weights as crown-jewel assets.

Security Operations

Domain 4 · 18%

Governing the operational machine: SOC charters and documentation, threat intelligence programs built on priority intelligence requirements, baselining and anomaly detection, event correlation, and engineering actionable alerts. Incident management gets equal weight — policy-plan-playbook hierarchy, case management and chain of custody, team models, methodology (contain first), impact quantification for executives, and root cause analysis — plus the AI-era additions: prompt injection and data poisoning response, AIOps guardrails, and ML engineers as formal incident stakeholders.

Contingency Management

Domain 5 · 12%

Resilience from analysis to return-to-normal: the BIA as foundation; COOP, BCP, and DRP distinctions; crisis communications and declaration authority; third-party and cloud dependencies; succession planning; recovery strategy selection against RTO and RPO (and the RTO + WRT ≤ MTD arithmetic); the test-type ladder from tabletop to full interruption; plan maintenance triggers; and disciplined disaster response and recovery — now including model artifacts and retraining time as continuity considerations.

Law, Ethics, and Security Compliance Management

Domain 6 · 14%

The manager as the organization’s legal and ethical conscience: mapping jurisdictions and trans-border data flows, breach notification duties, intellectual property protection for security-relevant assets (including trade secrecy for model weights), and the ISC2 Code of Ethics and its ordered canons. Compliance management covers framework selection and implementation, compliance metrics, audit coordination from planning through remediation validation, and governed exception and risk waiver processes — with the EU AI Act and automated decision-making rights joining the syllabus.

Our practice exam mirrors the real thing: 125 original questions per attempt, a three-hour timer, and every question weighted to the official domain percentages. The pass mark is set at 70% — the honest raw-score equivalent of ISC2’s 700-out-of-1000 scaled passing grade — so a passing score here means genuine coverage across all six domains, not luck in the heavy ones. Every question is written at the management level the ISSMP tests: several options are defensible, one is most correct, and each explanation tells you why the best answer beats the near-misses.

ISC2 ISSMP - Practice Exam

Full-length ISSMP practice exam: 125 original management-level questions weighted to the official ISC2 exam outline effective August 1, 2025 (Leadership 21%, Lifecycle 15%, Risk 20%, Security…

125 questions 180 min pass 70%
Subscribe to start

Trademark notice & independence. Certifym.net is operated by Certifym Exam Services, LLC and is not affiliated with, endorsed by, or sponsored by ISC2, Inc. ISC2®, ISSMP®, CISSP®, and CBK® are registered marks of ISC2, Inc. The ISSMP exam outline and its domain structure are the property of ISC2, Inc.; candidates should download the official, current exam outline directly from isc2.org.

All questions, answers, and explanations on Certifym are original content created for practice purposes. They are not actual ISC2 examination questions and are not represented as such. Practicing with these materials does not guarantee a passing result on any live certification exam.