CISSP-ISSAP, now commonly referred to as ISSAP, is the ISC2 Information Systems Security Architecture Professional certification. It is an advanced security architecture certification for professionals who design, analyse and validate security solutions and provide risk-based guidance to meet organisational goals.

How many questions are on the ISSAP exam?

The ISSAP exam is listed by ISC2 as a 3-hour exam with 125 items, using multiple choice and advanced item types, with a passing grade of 700 out of 1000 points.

Does this page include CISSP-ISSAP practice questions?

This page includes practice prompts and scenario-style study questions to help candidates think like a security architect. They are not exam dumps or copied exam questions.

Is there a CISSP-ISSAP PDF study guide?

This page is designed as a free online CISSP-ISSAP study guide. A downloadable PDF version can be added later, but the interactive mind map is the main study resource.

Free CISSP-ISSAP Mind Map — All 4 Domains Explained

Q: What are the CISSP-ISSAP domains?

The current ISSAP exam outline has 4 domains: Governance, Risk and Compliance (21%), Security Architecture Modeling (22%), Infrastructure and System Security Architecture (32%), and Identity and Access Management Architecture (25%).

Q: What is the difference between CISSP and CISSP-ISSAP?

CISSP is a broad cybersecurity leadership and management certification across multiple security domains. ISSAP is a deeper security architecture certification focused on designing secure architectures, validating designs, advising on risk treatment, and aligning security solutions with organisational objectives.

Q: Is CISSP-ISSAP worth it?

CISSP-ISSAP can be worth it for security architects, enterprise architects, senior security consultants, system designers and security leaders who need to prove advanced architecture capability. It is most useful when your role involves designing security solutions rather than only operating tools.

Q: What are the CISSP-ISSAP experience requirements?

ISC2 states that candidates can qualify with a CISSP in good standing plus two years of cumulative full-time experience in one or more ISSAP domains, or through a non-CISSP route with seven years of cumulative full-time experience in two or more ISSAP domains.

CISSP-ISSAP is commonly used to describe the ISC2 ISSAP security architecture certification. The current ISSAP outline focuses on designing security solutions, validating architecture decisions and giving risk-based guidance to meet organisational goals.

Unlike a broad CISSP study page, this guide is deliberately architecture-led. It focuses on the decisions a security architect must make: how to translate legal and business obligations into controls, how to choose a security architecture approach, how to design infrastructure and cryptographic protections, and how to build identity and access management architecture that can be governed, audited and defended.

This page is also written around common search questions such as what is CISSP ISSAP, CISSP-ISSAP vs CISSP, CISSP-ISSAP study material, CISSP-ISSAP practice questions, CISSP-ISSAP exam, CISSP ISSAP PDF and is CISSP-ISSAP worth it.

Interactive tool

Explore the CISSP-ISSAP mind map

If the mind map does not load, open the CISSP-ISSAP interactive mind map directly.

Exam domains

CISSP-ISSAP domains and weights

Domain 1: Governance, Risk and Compliance — 21%

Covers legal, regulatory, organisational and industry requirements, plus how the architect designs for governance, risk, compliance, monitoring, reporting, auditability and risk treatment.

Domain 2: Security Architecture Modeling — 22%

Covers architecture approaches, frameworks such as TOGAF and SABSA, reference architectures, threat modelling, design validation, compensating controls and review methods.

Domain 3: Infrastructure and System Security Architecture — 32%

The largest ISSAP domain. Covers deployment models, IT and OT, physical security, platform security, network security, storage, cloud, endpoints, monitoring, DLP and cryptographic architecture.

Domain 4: IAM Architecture — 25%

Covers identity lifecycle, authentication, authorisation and accounting architecture, including federation, SSO, PAM, access reviews, audit events, log integrity and reporting.

Domain weights and exam details should always be checked against the official ISC2 ISSAP exam outline.

Explainer

What is CISSP-ISSAP?

CISSP-ISSAP is the security architecture specialism associated with ISC2’s ISSAP certification. It is aimed at experienced professionals who design and analyse security solutions, sit between senior leadership and implementation teams, and provide risk-based architecture guidance.

The exam is not asking you to think like a tool administrator. It is asking whether you can design a secure architecture that meets business objectives, regulatory obligations, risk appetite, operational constraints and assurance requirements.

Good fit for

Security architects, chief security architects, enterprise architects, system designers, senior security consultants, security analysts and leaders who provide architecture direction.

Less useful for

People looking for entry-level security knowledge, hands-on tool training only, or a general cyber qualification without a security architecture focus.

Comparison

CISSP-ISSAP vs CISSP

CISSP

CISSP is a broad security leadership certification. It tests whether you understand security governance, risk, architecture, engineering, IAM, operations, assessment and software security from a managerial and risk-based viewpoint.

CISSP-ISSAP / ISSAP

ISSAP goes deeper into security architecture. It tests whether you can design, validate and defend security architectures that align with organisational goals, legal duties, risk decisions, infrastructure constraints and identity requirements.

Which should you do first?

For most people, CISSP comes first because it builds the broad governance and security foundation. ISSAP then makes sense when your role has moved into architecture, enterprise design, solution review, high-assurance systems, identity architecture or senior risk-based design decisions.

Concentrations

ISSAP, ISSEP and ISSMP — what is the difference?

ISSAP

Architecture. Best for security architects and people designing secure systems, infrastructure and IAM architectures.

ISSEP

Engineering. Best for security engineers, systems engineers and assurance-focused roles, especially in defence or high-assurance environments.

ISSMP

Management. Best for CISOs, security managers, governance leaders and people running security programmes.

Study material

CISSP-ISSAP study material and practice prompts

The best CISSP-ISSAP study material should help you reason like an architect. Do not only memorise definitions. Practise turning constraints into architecture decisions and then explaining why the design is appropriate, auditable and aligned to risk.

Use these study angles

Read the official outline, map each bullet to a real design decision, build your own architecture decision records, compare alternative control designs, and practise explaining residual risk.

Practice prompt examples

What architecture supports a regulated cloud migration? Where should trust boundaries sit? What compensating controls are acceptable? How would you prove auditability? What breaks if identity provisioning fails?

Important note on CISSP-ISSAP practice questions

Use practice questions to test architecture reasoning, not to memorise exam dumps. A good practice question should force you to balance risk, business objectives, compliance, operational constraints and assurance evidence. That is why this page uses scenario prompts rather than copied exam questions.

Exam overview

CISSP-ISSAP exam and requirements

Exam format

ISC2 lists the ISSAP exam as a 3-hour exam with 125 items. The item format is multiple choice and advanced item types, and the passing grade is 700 out of 1000 points.

Experience route

Candidates can qualify with CISSP in good standing plus 2 years of full-time experience in one or more ISSAP domains, or through a non-CISSP route with 7 years of cumulative full-time experience in two or more ISSAP domains.

Career value

Is CISSP-ISSAP worth it?

CISSP-ISSAP is worth considering if your target role involves architecture authority: designing security solutions, reviewing enterprise designs, advising senior stakeholders, translating regulation into technical architecture, or setting standards for infrastructure and IAM.

It is especially relevant for security architect, chief security architect, enterprise security architect, solution security architect, senior security consultant, system and network designer, and security leadership roles where architecture decisions have to be defended to both technical teams and executives.

PDF and course

CISSP-ISSAP PDF, book and online training

Free online guide

This page is the free online CISSP-ISSAP study guide. The interactive tool above gives you the domain map, topic breakdowns, architecture insights and exam traps in one place.

Future downloadable version

A CISSP-ISSAP PDF or printable guide can be added later. For now, use the web version so the content can be updated quickly when the official outline changes.

FAQ

Frequently asked questions about CISSP-ISSAP

What is CISSP-ISSAP?

CISSP-ISSAP refers to the ISC2 ISSAP security architecture certification. It validates advanced security architecture knowledge for professionals who design, analyse and validate security solutions.

What are the CISSP-ISSAP domains?

The 4 current ISSAP domains are Governance, Risk and Compliance; Security Architecture Modeling; Infrastructure and System Security Architecture; and Identity and Access Management Architecture.

What is the difference between CISSP and CISSP-ISSAP?

CISSP is broad and managerial. ISSAP is narrower and deeper, focused on architecture design, validation, assurance and risk-based guidance.

Is CISSP-ISSAP harder than CISSP?

It can be harder if you do not work in architecture. CISSP is broad; ISSAP is specialised. The difficulty is less about memorisation and more about applying architecture judgement to scenarios.

How should I study for CISSP-ISSAP?

Start with the official outline, then use the mind map to organise the domains. Build scenario notes, compare design options, practise explaining risk treatment and focus on architecture trade-offs.

Are there CISSP-ISSAP practice questions here?

This page includes practice prompts and scenario thinking. It does not provide exam dumps or copied exam content.

Is there a CISSP-ISSAP PDF?

A downloadable PDF can be added later. This page is currently the free online guide, supported by the interactive mind map.

What jobs is CISSP-ISSAP useful for?

It is useful for security architect, enterprise security architect, chief security architect, senior security consultant, system designer, network designer, CTO and security leadership roles.

Actions On Cyber

A full CISSP-ISSAP course can come next.

This free CISSP-ISSAP Mind Map is part of Actions On Cyber’s wider study resources. A full ISSAP course could expand this into video lessons, worked architecture scenarios, practice prompts, PDF notes and exam technique.

Also available free: CISSP Mind Map, CCSP Mind Map and CSSLP Mind Map.

Practical Guidance. Real Protection.

Get notified when the course launches