What the ISSMP is and who it's for
The credential in one sentence
The Information Systems Security Management Professional (ISSMP) is an ISC2 advanced certification for security leaders who establish, present, and govern information security programs. Where the CISSP tests the breadth of the security practitioner's body of knowledge, the ISSMP concentrates on the management, leadership, and governance layer that sits on top of it.
Position in the ISC2 family
The ISSMP is one of three ISC2 advanced concentrations. The other two — the ISSAP (architecture) and the ISSEP (engineering) — cover the same body of knowledge but from different vantage points. All three were formerly styled with a "CISSP-" prefix (e.g., CISSP-ISSMP). ISC2 dropped the prefix and, as of October 2023, removed the hard CISSP prerequisite. You can now qualify for the ISSMP by holding the CISSP plus two years of ISSMP-domain experience, or by having seven cumulative years of full-time experience in two or more ISSMP domains without holding the CISSP.
The six-domain outline (effective August 1, 2025)
ISC2 refreshed the ISSMP outline through a Job Task Analysis (JTA) and released the current version on August 1, 2025. The six domains and their average weights are:
- Leadership and Organizational Management — 21%
- Systems Lifecycle Management — 15%
- Risk Management — 20%
- Security Operations — 18%
- Contingency Management — 12%
- Law, Ethics, and Security Compliance Management — 14%
The updated outline weaves AI security throughout — MLSecOps, AIOps, adversarial AI, model drift as a continuity risk, and legal frameworks like the EU AI Act and NIST AI RMF now appear as subtopics inside the traditional domains rather than as a separate track.
Exam mechanics
The ISSMP is a three-hour, 125-item exam delivered at Pearson VUE (in person or online-proctored). Items are multiple choice plus advanced item types (drag-and-drop, scenario-based). The passing grade is 700 out of 1000 on a scaled score. English is the only supported language. Unlike the CISSP, the ISSMP is not currently adaptive — you sit the full item bank.
What the certification is actually testing
Every question on this exam is written from the perspective of the person accountable for the security program, not the person configuring the firewall. When a scenario says "the CISO discovers…" or "the security manager is asked to…," the correct answer is almost always the one that treats security as a business function: aligned to organizational strategy, funded through a defensible budget process, measured with metrics that mean something to the board, and defensible under legal scrutiny. Candidates who fail the ISSMP typically fail because they answer as a senior engineer would — reaching for the technically strongest control instead of the option that best fits governance, communication, or business alignment.
How to use this course
The 51 lessons here are organized to match the six domains and their weights. Domain 1 (this module) has 11 lessons because it is the heaviest of the six. Every lesson closes with key terms and further reading. Once you finish the course, the ISSMP practice exam bank drills the same material with scenario-format questions modeled on the actual exam.
