
ISC2 CISSP-ISSAP Study Guide 2026: All Four Domains Explained

The CISSP-ISSAP is one of the most specialised credentials in enterprise cybersecurity — a concentration designed exclusively for professionals who architect security solutions rather than simply implement them. Earning it requires an active CISSP, two years of architecture experience, and the ability to think at the system-design level across four domains covering governance and risk, security architecture modelling, infrastructure and system security, and identity and access management. This guide explains exactly what the CISSP-ISSAP exam covers, how the four domains break down by weight, how the credential compares to the other CISSP concentrations, and what preparation strategy gives you the best chance of achieving the 700/1000 passing score required on this $599 advanced exam.

What Is the CISSP-ISSAP and Who Should Pursue It?

The CISSP-ISSAP (Information Systems Security Architecture Professional) is an advanced ISC2 concentration credential that validates expertise in designing, developing, and analysing enterprise security architectures. Unlike the base CISSP, which tests broad cybersecurity knowledge, the CISSP-ISSAP specifically targets professionals whose primary role is creating security blueprints, evaluating architectural trade-offs, and translating organisational risk requirements into technical security designs.

Candidates eligible for CISSP-ISSAP must hold an active CISSP in good standing and demonstrate at least two years of cumulative paid work experience within one or more of the four CISSP-ISSAP domains. ISC2 positions the credential within its advanced professional tier, typically requiring seven or more years of overall cybersecurity experience to be competitive on the exam.

The credential carries significant institutional recognition. It is approved under the U.S. Department of Defense Directive 8140, making it a qualifying credential for federal government security architecture roles. It is also ANAB accredited to ISO/IEC Standard 17024, giving it international recognition for professionals working across borders or with multinational enterprise clients.

The right candidate is someone whose daily work involves designing security controls rather than configuring them — enterprise security architects, chief security architects, security solution architects, and senior security engineering leads who have transitioned into design and advisory roles. If you spend your time building and presenting architecture decisions rather than operating systems, the CISSP-ISSAP validates exactly those skills. Learn more about the full credential portfolio on the ISC2 CISSP-ISSAP certification page.

How Is the CISSP-ISSAP Exam Structured?

The CISSP-ISSAP exam consists of 125 multiple-choice questions delivered over 180 minutes through Pearson VUE’s computer-based testing network. The passing score is 700 out of 1,000 using ISC2’s scaled scoring model, and the exam fee is $599 USD per attempt. Unlike the base CISSP, which uses a computerised adaptive testing format, the CISSP-ISSAP follows a linear fixed-form structure — all 125 questions must be answered within the allotted time.

Exam Detail   | Specification
Questions     | 125 multiple choice
Duration      | 180 minutes
Passing Score | 700/1,000 (scaled)
Exam Cost     | $599 USD
Format        | Linear multiple choice
Delivery      | Pearson VUE CBT
Prerequisite  | Active CISSP + 2 years architecture experience

At 125 questions in 180 minutes, you have approximately 1.44 minutes per question. This is tighter than it may seem for scenario-based questions that require architectural reasoning rather than simple recall. Many questions present a business scenario or technical constraint and ask you to select the best architectural decision — which means speed and depth of understanding must coexist.

ISC2 applies scaled scoring across four weighted domains. Because the Infrastructure and System Security domain carries the highest weight at 32%, a weak performance there has an outsized effect on your total scaled score. Candidates who sit the exam without domain-specific preparation often underestimate how different the question style is from the base CISSP — the ISSAP tests design rationale and architectural trade-offs, not procedural knowledge.

Registration requires a valid, active CISSP in good standing with no outstanding compliance issues. Annual ISC2 maintenance fees and CPE requirements continue to apply alongside any CISSP-ISSAP specific requirements.

What Are the Four CISSP-ISSAP Domains?

The CISSP-ISSAP exam is organised into four weighted domains covering every dimension of enterprise security architecture — from governance and risk management through infrastructure design to identity systems. Infrastructure and System Security carries the highest weight at 32%, followed by Identity and Access Management Architecture at 25%, making these two domains the highest priority for exam preparation. Together the four domains total 100% and span the full scope of what security architects design and deliver.

Domain | Weight | Core Topics
1. Governance, Risk, and Compliance (GRC) | 21% | Legal and regulatory requirements, third-party obligations, privacy regulations, risk assessment and treatment, auditability design, compliance monitoring
2. Security Architecture Modeling | 22% | Architecture frameworks (TOGAF, SABSA), threat modelling (STRIDE, CVSS), reference architectures, design verification and validation, code review methodologies
3. Infrastructure and System Security | 32% | Network and cloud security (IaaS, PaaS, SaaS), platform and endpoint security, OT/ICS/SCADA, cryptographic solutions and key management, storage security, physical security controls
4. Identity and Access Management (IAM) Architecture | 25% | Identity lifecycle design, authentication protocols (SAML, RADIUS, Kerberos, OAuth), authorisation models (RBAC, ABAC, PAM), identity accounting and audit, regulatory compliance (PCI-DSS, FISMA, HIPAA, GDPR)

Domain 1 — Governance, Risk, and Compliance (21%): Covers two major task areas: identifying applicable requirements (standards, regulatory obligations, supply chain, privacy regulations) and architecting for GRC (asset identification, monitoring design, auditability, risk assessment, and advising on risk treatment strategies — mitigate, transfer, accept, or avoid). Candidates must understand how to translate governance requirements into architecture decisions, not just compliance audits.

Domain 2 — Security Architecture Modeling (22%): Tests two core competencies: selecting the right architecture approach (scope, frameworks, reference architectures) and verifying/validating designs (threat modelling outputs, gap identification, alternative controls, peer review, code review methodologies). The SABSA and TOGAF frameworks are explicitly listed in the syllabus. Candidates unfamiliar with formal enterprise architecture frameworks should dedicate significant preparation time here.

Domain 3 — Infrastructure and System Security (32%): The highest-weighted domain spans three task areas: identifying infrastructure requirements, architecting the full security control set (physical, platform, network, storage, cloud, OT, endpoint, shared services, third-party integrations, content monitoring, and out-of-band communications), and architecting cryptographic solutions including key management lifecycle. The breadth of this domain — from ICS/SCADA to container security to VPN architecture — reflects its dominant weight.

Domain 4 — IAM Architecture (25%): Structured across four task areas: identity lifecycle (provisioning and de-provisioning), authentication architecture (protocols and trust relationships), authorisation design (models, workflows, PAM, SSO), and identity accounting (audit logging, log management, regulatory compliance). IAM architecture is the trust enforcement layer in any security design — this domain tests whether candidates can design identity systems, not just configure them.

How Does CISSP-ISSAP Compare to ISSEP and ISSMP?

The CISSP-ISSAP is one of three advanced CISSP concentrations offered by ISC2. Choosing the right one depends entirely on your primary professional role — the three concentrations are not interchangeable and are not ranked by difficulty. CISSP-ISSAP validates security architecture (design), CISSP-ISSEP validates security engineering (build), and CISSP-ISSMP validates security management (govern). All three share the same exam structure: 125 questions, 180 minutes, Pearson VUE delivery, and the $599 fee.

Credential | Focus | Best For | Key Activities Validated
CISSP-ISSAP | Architecture (Design) | Enterprise security architects, solution architects | Designing security blueprints, evaluating architecture trade-offs, translating risk into technical design
CISSP-ISSEP | Engineering (Build) | Security engineers, system security engineers | Building and integrating secure systems, applying systems engineering principles, technical implementation
CISSP-ISSMP | Management (Govern) | CISOs, security programme directors, risk managers | Security programme leadership, policy governance, risk management, executive communication

The practical decision test is straightforward: if your primary output is security architecture documents, reference architectures, and design decisions — ISSAP. If your primary output is deployed, built, and integrated security systems — ISSEP. If your primary output is security programme strategy, governance, and organisational leadership — ISSMP.

Candidates who are considering ISSAP solely because they have passed the CISSP and want an additional credential should examine whether their actual job responsibilities genuinely reflect security architecture work. The CISSP-ISSAP exam questions test design reasoning at an advanced level, and professionals whose daily experience is operational or managerial will find the domain content significantly more challenging than the base CISSP.

How Does Zero Trust Architecture Align With CISSP-ISSAP?

Zero Trust Architecture is directly embedded in the CISSP-ISSAP exam through Domain 3 (Infrastructure and System Security, 32%) and Domain 4 (Identity and Access Management Architecture, 25%) — the two domains together covering 57% of the total exam weight. According to NIST SP 800-207, Zero Trust Architecture moves security defences “from static, network-based perimeters to focus on users, assets, and resources” — a principle that sits at the core of what security architects are designing in enterprise environments today. Understanding ZTA design is not optional for CISSP-ISSAP candidates in 2026.

The NIST Zero Trust Architecture publication establishes the foundational framework that enterprise architects reference when scoping ZTA programmes. Domain 3 tests your ability to design infrastructure that eliminates implicit trust — the syllabus explicitly lists software-defined perimeters, network segmentation, cloud security models, and endpoint security controls as required architecture competencies, all of which are direct ZTA implementation concerns.

Domain 4 maps equally directly to ZTA’s core operating model: identity is the new perimeter in a zero-trust environment. The IAM Architecture domain covers authentication protocol design (SAML, OAuth, Kerberos), authorisation models including attribute-based access control, federated trust relationships, and PAM — all of which become the trust decision mechanisms that replace traditional network-location trust assumptions in a ZTA model.

Domain 1 (Governance, Risk, and Compliance) provides the policy architecture context that ZTA implementations require. Architects cannot design a Zero Trust programme without a risk framework that defines what assets require protection, what regulatory constraints apply, and what risk tolerance governs access decisions. CISSP-ISSAP candidates who have practical experience scoping ZTA programmes for enterprise clients will find that the exam scenario questions mirror real architectural decisions they have already made.

How Should You Prepare for the CISSP-ISSAP Exam?

Effective CISSP-ISSAP preparation starts with domain weighting — Infrastructure and System Security (32%) and IAM Architecture (25%) together account for 57% of the exam, making them the highest-priority study areas. Most candidates with active CISSP status already have solid conceptual foundations, but the ISSAP exam tests architecture design reasoning at a more advanced and specific level, requiring targeted study across all four domains rather than relying on CISSP base knowledge alone.

Official ISC2 resources: ISC2 publishes official CISSP-ISSAP study materials through its training portal, including the official CBK (Common Body of Knowledge) guide, adaptive self-paced training, and official practice tests. These materials are built directly from the exam outline and should form the foundation of any preparation plan. Access the full range of ISC2 official study materials through their training portal.

Architecture frameworks: Domain 2 (Security Architecture Modeling, 22%) requires familiarity with SABSA, TOGAF, and the Service-Oriented Modeling Framework — none of which are covered in the base CISSP. If you are not working with formal enterprise architecture frameworks in your current role, this domain will require additional study time. The syllabus also covers code review methodologies (dynamic, manual, static, source composition analysis), which positions Domain 2 at the intersection of architecture validation and development security practices.

Practice examinations: Scenario-based question practice is essential for the CISSP-ISSAP because the exam tests architectural decision-making, not knowledge recall. Working through CISSP-ISSAP practice questions that simulate the exam’s scenario format helps calibrate your timing at 1.44 minutes per question and builds confidence in selecting the best architectural response under exam conditions.

Domain 3 and application security sub-topics: Domain 3 (Infrastructure and System Security) includes application security as a sub-topic — covering Requirements Traceability Matrix, documentation, and secure coding as part of identifying infrastructure requirements. For candidates whose background is infrastructure rather than software development, broadening your understanding of how secure coding certifications approach SDLC security from the developer side helps frame how architects design the controls and requirements that govern those same development processes.

Study timeline: Most active CISSP holders report 60–120 days of dedicated preparation for the CISSP-ISSAP, depending on how closely their current role aligns with the four domains. Candidates working as practising security architects with hands-on framework experience typically sit at the lower end of that range. Candidates moving into architecture from an operational or management role should plan for the full 120 days.

Is the CISSP-ISSAP Worth It for Security Architects in 2026?

The CISSP-ISSAP delivers measurable career value for security architects who spend their working time on design and architecture activities. The global median salary for CISSP-ISSAP holders reaches $140,620 according to ISC2 — positioning it among the highest-compensated ISC2 credentials and reflecting the premium organisations place on certified security architecture expertise. For professionals already holding CISSP, the concentration converts a generalist credential into a specialist one that explicitly validates architecture-level capabilities.

The DoD 8140 approval is significant beyond the U.S. federal government market. Many global defence contractors, intelligence community suppliers, and critical infrastructure organisations align their hiring and credentialing standards with DoD 8140 frameworks. CISSP-ISSAP holders are directly eligible for architecture roles within this ecosystem in a way that CISSP alone does not guarantee. For architects targeting federal civilian, defence, or cleared sector roles, CISSP-ISSAP is often a stated requirement rather than a preference.

The ANAB accreditation to ISO/IEC 17024 adds international portability. Enterprise architects working with multinational clients or in regulated industries where ISO-accredited credentials are required — financial services, healthcare, energy — benefit from the additional validation that ISO 17024 accreditation provides beyond what a vendor-backed or non-accredited certification delivers.

From a career differentiation standpoint, the CISSP-ISSAP separates professionals who can articulate security architecture decisions from those who can execute security operations. As organisations build out dedicated security architecture functions separate from security engineering and operations, the credential provides a clear signal to hiring managers and procurement officers. Combining CISSP-ISSAP with operational security depth — for example, through a digital forensics certification that validates investigation and incident response expertise — positions security architects to lead both the design and operational oversight dimensions of enterprise security programmes.

The $599 exam cost and the ongoing CISSP maintenance requirements represent the primary investment. Candidates should weigh that investment against their target roles — for those actively pursuing enterprise security architect or chief security architect positions, the credential’s DoD approval, ISO accreditation, and salary premium typically justify the cost within the first promotion or contract cycle.

Frequently Asked Questions About the CISSP-ISSAP Exam

What is the CISSP-ISSAP certification?

The CISSP-ISSAP (Information Systems Security Architecture Professional) is an advanced concentration credential from ISC2 for professionals who design and analyse enterprise security architectures. It requires an active CISSP certification and two years of security architecture experience. It is DoD 8140 approved and accredited to ISO/IEC Standard 17024.

How many questions are on the CISSP-ISSAP exam?

The CISSP-ISSAP exam contains 125 multiple-choice questions delivered in a linear fixed format over 180 minutes through Pearson VUE computer-based testing centres.

What is the passing score for CISSP-ISSAP?

The CISSP-ISSAP passing score is 700 out of 1,000 using ISC2’s scaled scoring model. Unlike the base CISSP’s computerised adaptive testing format, the CISSP-ISSAP uses a linear exam structure where all 125 questions are attempted.

How much does the CISSP-ISSAP exam cost?

The CISSP-ISSAP exam costs $599 USD per attempt when booked through Pearson VUE. This is in addition to ISC2 annual maintenance fees that apply to active CISSP holders. Retake fees are the same as the initial attempt.

What are the prerequisites for the CISSP-ISSAP?

You must hold an active, valid CISSP certification in good standing, have a minimum of two years of cumulative paid work experience in one or more CISSP-ISSAP domains, adhere to the ISC2 Code of Ethics, and maintain ongoing CPE requirements. There is no separate application or endorsement process beyond the active CISSP requirement.

How is the CISSP-ISSAP different from the base CISSP?

The CISSP is a broad cybersecurity credential covering eight general domains. The CISSP-ISSAP is a specialist concentration covering four architecture-specific domains. The CISSP tests foundational cybersecurity knowledge across multiple disciplines; the CISSP-ISSAP tests advanced architectural design reasoning for professionals whose primary role is designing and evaluating security architectures rather than implementing or operating them.

What are the four CISSP-ISSAP domains?

The four CISSP-ISSAP domains are: (1) Governance, Risk, and Compliance — GRC (21%), (2) Security Architecture Modeling (22%), (3) Infrastructure and System Security (32%), and (4) Identity and Access Management Architecture (25%). Domain 3, Infrastructure and System Security, carries the highest exam weight at 32%.

How long should I study for the CISSP-ISSAP exam?

Most active CISSP holders preparing for the CISSP-ISSAP report 60–120 days of dedicated study, depending on how closely their current role aligns with the four domains. Practising security architects with hands-on enterprise framework experience typically prepare in 60–90 days. Candidates transitioning from operational or management roles should plan for the full 120 days.

Is the CISSP-ISSAP approved for DoD 8140?

Yes. The CISSP-ISSAP is approved under U.S. Department of Defense Directive 8140 (formerly DoD 8570), qualifying holders for federal government security architecture positions that require DoD-approved credentials. This approval also benefits professionals working with defence contractors and critical infrastructure organisations that align hiring standards to DoD 8140 frameworks.

What is the average salary for CISSP-ISSAP holders?

The global median salary for CISSP-ISSAP holders is $140,620 according to ISC2, placing it among the highest-compensated credentials in the ISC2 portfolio. Salaries vary by geography, industry, and seniority, with U.S.-based enterprise security architects in regulated industries and federal contracting typically exceeding the global median.

Start Your CISSP-ISSAP Journey

The CISSP-ISSAP is a strategically valuable credential for security professionals who have moved — or are moving — into architecture-focused roles. The four domains are demanding and require genuine architectural reasoning, not just CISSP-level recall. Infrastructure and System Security at 32% and IAM Architecture at 25% are your highest-priority study areas, and the SABSA and TOGAF frameworks are worth mastering for the Security Architecture Modeling domain regardless of your current enterprise architecture experience.

At $140,620 global median salary, DoD 8140 approval, and ISO/IEC 17024 accreditation, the credential delivers tangible career returns for professionals targeting enterprise security architect, chief security architect, or federal architecture roles. Begin with the official ISC2 study resources, allocate at least 60–90 focused study days if your current role is architecture-aligned, and use scenario-based practice exams to sharpen your architectural decision-making before exam day.
