What ISSEP Is
The engineer, not the analyst
The Information Systems Security Engineering Professional — ISSEP — is one of three concentration credentials that ISC2 layers on top of the CISSP. The other two are ISSAP, which focuses on security architecture, and ISSMP, which focuses on security management. ISSEP is the engineering track. The distinction matters because CISSP is a generalist credential written for the person who understands security across eight domains. ISSEP is written for the person who builds the system with security engineered in from the first requirements meeting through decommissioning.
ISC2 describes an ISSEP as a "security leader who specializes in the practical application of systems engineering principles and processes to develop secure systems." That phrasing is deliberate. The ISSEP is not the security analyst who reviews a design after the fact and files a memo about what the developers should have done differently. The ISSEP is on the systems engineering team, participating in requirements decomposition, trade studies, configuration management, and verification and validation planning — doing all of that work with a security engineer's eye.
Why the credential exists
ISSEP grew out of a partnership between ISC2 and the U.S. National Security Agency in the early 2000s. The federal government needed a way to identify people who could apply the systems security engineering process to national-security systems, and the credential was originally aligned to the NSA's IATF (Information Assurance Technical Framework) and to the NIST family of publications, particularly what has since become NIST SP 800-160 Volume 1, Engineering Trustworthy Secure Systems. That NIST publication remains the single most important reference for ISSEP preparation, even now that the exam outline has been broadened for commercial as well as government use.
The ISSEP is still heavily used by federal contractors, defense integrators, and civilian agencies that develop or acquire large systems under formal engineering programs. But the current outline is written to be neutral about sector — the same principles apply to any organization that builds a system complex enough to have a documented lifecycle, a stakeholder register, and traceable requirements.
The five domains
The August 1, 2025 exam outline organizes the ISSEP body of knowledge into five domains. The weights tell you where to spend your study time:
- Domain 1 — Systems Security Engineering Foundations (24%). Trust concepts, structural design principles, integration with the system development methodology, technical management, procurement, and resource analysis. The largest domain.
- Domain 2 — Risk Management (20%). Applying risk management principles, and doing it twice: once for risk to the system and once for risk to operations, with the same six-step pattern each time.
- Domain 3 — Security Planning and Engineering (22%). Analyzing the environment, applying system security principles, developing system requirements, and creating the system security design.
- Domain 4 — Systems Security Implementation, Verification, and Validation (20%). Actually building and integrating security into the system, then verifying that it works.
- Domain 5 — Secure Operations, Change Management, and Disposal (14%). The rest of the lifecycle after acceptance: monitoring, incident response support, secure change control, and disposal.
What the exam looks like
ISSEP is a 125-item exam with a three-hour time limit. It is available in English only, delivered at Pearson VUE test centers, and the passing score is 700 out of 1000 on ISC2's scaled scoring. Item formats are multiple choice and "advanced item types" — usually drag-and-drop ordering and hotspot selections. Scenario prompts are common: you will read a paragraph describing a program situation and be asked what the ISSEP does next. The correct answer is often the most disciplined engineering step, not the most technically clever fix.
Prerequisites and experience
ISSEP is a concentration, not a standalone credential. The base requirement is a CISSP in good standing plus two years of cumulative full-time experience in one or more of the ISSEP domains. There is an alternative path for candidates without CISSP — seven years of experience in two or more ISSEP domains — but in practice almost everyone comes in through CISSP.
The good news is that if you passed CISSP, you already have most of the vocabulary. The trap is that ISSEP asks you to apply that vocabulary through the systems engineering lifecycle rather than as isolated security controls. The exam favors candidates who can talk about requirements traceability, configuration management, and trade studies as fluently as they talk about defense in depth.
How this course is organized
This training course follows the exam outline domain by domain. Each module is one domain, and the lesson count in each module roughly matches the domain weight. Module 1 (this one) has twelve lessons because the Foundations domain is the largest at 24%. Modules 2 and 4 have ten lessons each; Module 3 has eleven; Module 5 has seven. Every lesson closes with a short key-terms list and further-reading pointers so you can build a personal reference sheet as you go.
Pair this course with the Certifym ISSEP practice exam bank when you are ready to test yourself against full-length practice sets.
