
Information Systems Security Architecture Professional (ISSAP)

The Information Systems Security Architecture Professional (ISSAP) certification is a specialized credential offered by (ISC)², the International Information System Security Certification Consortium. ISSAP is aimed at professionals who have a deep understanding of security architecture principles and the expertise to develop, design, and analyze security solutions.

The Information Systems Security Architecture Professional (ISSAP) is a security leader who specializes in designing security solutions and providing management with risk-based guidance to meet organizational goals. ISSAPs facilitate the alignment of security solutions within the organizational context (e.g., vision, mission, strategy, policies, requirements, change, and external factors). The broad spectrum of topics included in the ISSAP body of knowledge ensures its relevance across all disciplines in the field of information security. Successful candidates are competent in the following six domains:

  • Architect for Governance, Compliance, and Risk Management
  • Security Architecture Modeling
  • Infrastructure Security
  • Identity and Access Management Architecture
  • Architect for Application Security
  • Security Operations Architecture

The Information Systems Security Architecture Professional (ISSAP) course aims to provide participants with the knowledge and skills necessary to design and develop effective security solutions within complex enterprise environments. The primary objectives of the ISSAP course include:

  • Gain a comprehensive understanding of security architecture principles, methodologies, and best practices.
  • Learn about various enterprise security frameworks and how they apply to designing secure systems and networks.
  • Explore risk management concepts and techniques to identify, assess, and mitigate security risks within an organization’s infrastructure.
  • Learn about access control models, mechanisms, and technologies to enforce security policies and protect critical assets.
  • Explore strategies for integrating security architecture into the overall enterprise architecture and ensuring interoperability with existing systems and applications.

By completing the ISSAP course, participants are equipped with the expertise needed to design resilient and adaptable security architectures that protect organizations against evolving cyber threats and support their strategic objectives. Additionally, certification in ISSAP demonstrates a high level of proficiency and credibility in the field of information systems security architecture.

  • Chief Information Security Officer
  • Chief Information Officer
  • Director of Security
  • IT Director/Manager
  • Security Systems Engineer
  • Security Analyst
  • Security Manager
  • Security Auditor
  • Security Architect
  • Security Consultant
  • Network Architect

Pre-Requisites

Candidates must be a CISSP in good standing and have two years of cumulative, full-time experience in one or more of the six domains of the current ISSAP outline.
Or
Candidates must have a minimum of seven years of cumulative, full-time experience in two or more of the domains of the current ISSAP outline. Earning a post-secondary degree (bachelor's or master's) in computer science, information technology (IT) or a related field, or an additional credential from the ISC2 approved list, may satisfy one year of the required experience. Part-time work and internships may also count towards the experience requirement.

Exam Information

Exam Name: Information Systems Security Architecture Professional (ISSAP)
Exam Type: Multiple-choice Questions
Total Questions: 125 Questions
Exam Duration: 3 Hours
Passing Score: 700 out of 1000
Languages: English
Course Duration: 5 Days

Course Syllabus

Domain 1: Architect for Governance, Compliance, and Risk Management

1.1 Determine legal, regulatory, organizational and industry requirements
» Determine applicable information security standards and guidelines
» Identify third-party and contractual obligations (e.g., supply chain, outsourcing, partners)
» Determine applicable sensitive/personal data standards, guidelines and privacy regulations
» Design for auditability (e.g., determine regulatory, legislative, forensic requirements, segregation, high assurance systems)
» Coordinate with external entities (e.g., law enforcement, public relations, independent assessor)
1.2 Manage Risk
» Identify and classify risks
» Assess risk
» Recommend risk treatment (e.g., mitigate, transfer, accept, avoid)
» Risk monitoring and reporting

Domain 2: Security Architecture Modeling

2.1 Identify security architecture approach
» Types and scope (e.g., enterprise, network, Service-Oriented Architecture (SOA), cloud, Internet of Things (IoT), Industrial Control Systems (ICS)/Supervisory Control and Data Acquisition (SCADA))
» Frameworks (e.g., Sherwood Applied Business Security Architecture (SABSA), Service-Oriented Modeling Framework (SOMF))
» Reference architectures and blueprints
» Security configuration (e.g., baselines, benchmarks, profiles)
» Network configuration (e.g., physical, logical, high availability, segmentation, zones)
2.2 Verify and validate design (e.g., Functional Acceptance Testing (FAT), regression)
» Validate results of threat modeling (e.g., threat vectors, impact, probability)
» Identify gaps and alternative solutions
» Independent Verification and Validation (IV&V) (e.g., tabletop exercises, modeling and simulation, manual review of functions)

Domain 3: Infrastructure Security

3.1 Develop infrastructure security requirements
» On-premise, cloud-based, hybrid
» Internet of Things (IoT), zero trust

3.2 Design defense-in-depth architecture
» Management networks
» Industrial Control Systems (ICS) security
» Network security
» Operating systems (OS) security
» Database security
» Container security
» Cloud workload security
» Firmware security
» User security awareness considerations

3.3 Secure shared services (e.g., wireless, e-mail, Voice over Internet Protocol (VoIP), Unified Communications (UC), Domain Name System (DNS), Network Time Protocol (NTP))

3.4 Integrate technical security controls
» Design boundary protection (e.g., firewalls, Virtual Private Network (VPN), airgaps, software defined perimeters, wireless, cloud-native)
» Secure device management (e.g., Bring Your Own Device (BYOD), mobile, server, endpoint, cloud instance, storage)

3.5 Design and integrate infrastructure monitoring
» Network visibility (e.g., sensor placement, time reconciliation, span of control, record compatibility)
» Active/Passive collection solutions (e.g., span port, port mirroring, tap, inline, flow logs)
» Security analytics (e.g., Security Information and Event Management (SIEM), log collection, machine learning, User Behavior Analytics (UBA))

3.6 Design infrastructure cryptographic solutions
» Determine cryptographic design considerations and constraints
» Determine cryptographic implementation (e.g., in-transit, in-use, at-rest)
» Plan key management lifecycle (e.g., generation, storage, distribution)

3.7 Design secure network and communication infrastructure (e.g., Virtual Private Network (VPN), Internet Protocol Security (IPsec), Transport Layer Security (TLS))

3.8 Evaluate physical and environmental security requirements
» Map physical security requirements to organizational needs (e.g., perimeter protection and internal zoning, fire suppression)
» Validate physical security controls

Domain 4: Identity and Access Management Architecture

4.1 Design identity management and lifecycle
» Establish and verify identity
» Assign identifiers (e.g., to users, services, processes, devices)
» Identity provisioning and de-provisioning
» Define trust relationships (e.g., federated, standalone)
» Define authentication methods (e.g., Multi-Factor Authentication (MFA), risk-based, location-based, knowledge-based, object-based, characteristics-based)
» Authentication protocols and technologies (e.g., Security Assertion Markup Language (SAML), Remote Authentication Dial-In User Service (RADIUS), Kerberos)

4.2 Design access control management and lifecycle
» Access control concepts and principles (e.g., discretionary/mandatory, segregation/Separation of Duties (SoD), least privilege)
» Access control configurations (e.g., physical, logical, administrative)
» Authorization process and workflow (e.g., governance, issuance, periodic review, revocation)
» Roles, rights, and responsibilities related to system, application, and data access control (e.g., groups, Digital Rights Management (DRM), trust relationships)
» Management of privileged accounts
» Authorization (e.g., Single Sign-On (SSO), rule-based, role-based, attribute-based)

4.3 Design identity and access solutions
» Access control protocols and technologies (e.g., eXtensible Access Control Markup Language (XACML), Lightweight Directory Access Protocol (LDAP))
» Credential management technologies (e.g., password management, certificates, smart cards)
» Centralized Identity and Access Management (IAM) architecture (e.g., cloud-based, on-premise, hybrid)
» Decentralized Identity and Access Management (IAM) architecture (e.g., cloud-based, on-premise, hybrid)
» Privileged Access Management (PAM) implementation (for users with elevated privileges)
» Accounting (e.g., logging, tracking, auditing)

Domain 5: Architect for Application Security

5.1 Integrate Software Development Life Cycle (SDLC) with application security architecture (e.g., Requirements Traceability Matrix (RTM), security architecture documentation, secure coding)
» Assess code review methodology (e.g., dynamic, manual, static)
» Assess the need for application protection (e.g., Web Application Firewall (WAF), anti-malware, secure Application Programming Interface (API), secure Security Assertion Markup Language (SAML))
» Determine encryption requirements (e.g., at-rest, in-transit, in-use)
» Assess the need for secure communications between applications and databases or other endpoints
» Leverage secure code repository
5.2 Determine application security capability requirements and strategy (e.g., open source, Cloud Service Providers (CSP), Software as a Service (SaaS)/Infrastructure as a Service (IaaS)/Platform as a Service (PaaS) environments)
» Review security of applications (e.g., custom, Commercial Off-the-Shelf (COTS), in-house, cloud)
» Determine application cryptographic solutions (e.g., cryptographic Application Programming Interface (API), Pseudo Random Number Generator (PRNG), key management)
» Evaluate applicability of security controls for system components (e.g., mobile and web client applications; proxy, application, and database services)
5.3 Identify common proactive controls for applications (e.g., Open Web Application Security Project (OWASP))

Domain 6: Security Operations Architecture

6.1 Gather security operations requirements (e.g., legal, compliance, organizational, and business requirements)
6.2 Design information security monitoring (e.g., Security Information and Event Management (SIEM), insider threat, threat intelligence, user behavior analytics, Incident Response (IR) procedures)
» Detection and analysis
» Proactive and automated security monitoring and remediation (e.g., vulnerability management, compliance audit, penetration testing)
6.3 Design Business Continuity (BC) and resiliency solutions
» Incorporate Business Impact Analysis (BIA)
» Determine recovery and survivability strategy
» Identify continuity and availability solutions (e.g., cold, warm, hot, cloud backup)
» Define processing agreement requirements (e.g., provider, reciprocal, mutual, cloud, virtualization)
» Establish Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO)
» Design secure contingency communication for operations (e.g., backup communication channels, Out-of-Band (OOB))

6.4 Validate Business Continuity Plan (BCP)/Disaster Recovery Plan (DRP) architecture

6.5 Design Incident Response (IR) management
» Preparation (e.g., communication plan, Incident Response Plan (IRP), training)
» Identification
» Containment
» Eradication
» Recovery
» Review lessons learned

  1. Advanced Expertise: ISSAP certification demonstrates a high level of expertise in designing and implementing security solutions within complex information systems environments. It showcases your advanced knowledge and skills in security architecture.
  2. Career Advancement: Holding an ISSAP certification can open up new career opportunities and pathways. It may qualify you for higher-level security roles, such as security architect, security consultant, or chief information security officer (CISO).
  3. Increased Marketability: Employers value certifications like ISSAP as they validate your proficiency in a specialized area of information security. It enhances your resume and makes you more attractive to potential employers or clients.
  4. Global Recognition: The ISSAP certification is recognized internationally, allowing you to pursue career opportunities in various countries or regions where information security expertise is in demand.
  5. Networking Opportunities: Through the process of obtaining the ISSAP certification, you may connect with other security professionals, both online and through training programs. Networking can lead to valuable collaborations, knowledge sharing, and career growth opportunities.

Upcoming Schedule:

Please contact us to know about the upcoming schedule.