ISSAP Training

← Back

What ISSAP Is

8 min read · Free preview

The Information Systems Security Architecture Professional — ISSAP — is one of ISC2's three advanced concentrations built on top of the CISSP. Where the CISSP validates broad managerial and technical mastery of information security, the ISSAP narrows the lens to a single discipline: designing the security architecture of enterprise systems. That includes on-premises networks, cloud and hybrid environments, industrial and operational technology, and the identity fabric that stitches everything together.

The credential is aimed at practitioners who have moved past hands-on operations and are now responsible for shaping how security is embedded in systems from the earliest design decisions. That means working with business stakeholders to understand mission and risk, choosing frameworks and reference architectures, modeling threats, and specifying the controls that engineering teams then build. It also means giving management risk-based guidance, not just technical recommendations.

Who ISSAP is for

ISC2 offers two eligibility paths. The traditional path requires an active CISSP in good standing plus two years of cumulative full-time experience in one or more of the current ISSAP domains. A newer path, opened in late 2023 and refined in 2025, allows candidates without the CISSP to qualify with seven years of cumulative full-time experience in two or more of the ISSAP domains — a post-secondary degree in a related field or another ISC2-approved credential can substitute for one year of that requirement.

The typical ISSAP holder has titles such as Security Architect, Chief Security Architect, Enterprise Security Architect, or Principal Security Consultant. Many are consultants who design security architectures for multiple client organizations. Others sit inside enterprise architecture teams and act as the security voice in every major solution design.

What the exam covers (as of August 1, 2025)

The 2025 refresh consolidated the previous six domains into four, and shifted more weight toward infrastructure and identity — the two areas where architects spend the most time in modern hybrid and cloud environments. The current domains and weights are:

  • Domain 1: Governance, Risk, and Compliance (GRC) — 21%
  • Domain 2: Security Architecture Modeling — 22%
  • Domain 3: Infrastructure and System Security Architecture — 32%
  • Domain 4: Identity and Access Management (IAM) Architecture — 25%

Notice what happened to the old topics. Application Security is now embedded inside Infrastructure and System Security, not a domain of its own. Security Operations Architecture is largely absorbed into Infrastructure monitoring and IAM accounting. Cryptography moved under Infrastructure as well. The exam still expects you to understand these topics — the outline just organizes them differently.

Format and scoring

The exam is linear (not adaptive, unlike the CISSP): 125 multiple-choice items, 3 hours, delivered in English at Pearson VUE test centers. The passing score is 700 out of 1000 on a scaled system — that means raw percentages are not directly comparable across candidates because item difficulty is weighted. As a working benchmark, most study guides suggest aiming for roughly 80% or better on practice materials to be comfortable on exam day.

Retake rules: 30 days after a first failure, 60 days after a second, 90 days after a third, with a maximum of four attempts per credential in any twelve-month period.

What this course does

This course is built to the 2025 exam outline, not the legacy six-domain version. Every lesson maps to a specific subdomain or subtopic in the current CBK. The intent is to give you an architect's working vocabulary and the pattern library you need to reason about design decisions — not to memorize facts. On the exam and on the job, the ISSAP tests judgment: given a business context, a set of constraints, and a threat model, what is the best architectural choice?

Pair this training with hands-on architecture work, the practice exam bank, and at least one full read of the current ISSAP Exam Outline. The reference frameworks — SABSA, TOGAF, NIST SP 800-53 and 800-207, ISO 27001, the Cloud Security Alliance guidance, and OWASP — are the vocabulary of the discipline. Fluency there is what separates a solid candidate from someone who is guessing.