ISSAP vs ISSEP vs ISSMP: A Straight Answer on Which One You Should Pursue

Jeff Porch Training Camp
A client called me a few weeks ago asking about advanced ISC2 certifications. He had his CISSP, eight years of experience, and was targeting a principal security architect role at a financial services firm. He’d heard of ISSAP, ISSEP, and ISSMP but didn’t fully understand what they were or whether they were still tied to the CISSP. That confusion is more common than you’d think, because ISC2 made a significant change to these certifications back in 2023 that a lot of people missed.

ISSAP, ISSEP, and ISSMP are no longer CISSP concentrations. As of October 2023, ISC2 made them fully standalone certifications. You can pursue any of them without holding a CISSP at all if you have enough relevant experience. They also got major exam overhauls in August 2025, so if you’ve seen older information about domain weights and exam structure, a lot of it is out of date. This article covers what each certification actually is now, who each one is built for, and how to figure out if any of them belongs on your roadmap.

ISC2 transformed ISSAP, ISSEP, and ISSMP into standalone advanced certifications in 2023. You no longer need a CISSP to earn any of them. That changes the career calculation for a lot of people.

How These Certifications Work Now

There are now two paths to earn any of the three certifications. If you hold an active CISSP, you need two years of cumulative full-time experience in one or more of the domains of whichever certification you’re targeting. If you don’t hold a CISSP, you need seven years of cumulative full-time experience across two or more relevant domains. A degree in computer science, IT, or a related field, or certain other ISC2-approved credentials, can substitute for one of those required years.

Maintenance requirements differ between the two paths as well. If you have a CISSP, your certification term syncs with your existing CISSP renewal cycle and you need 60 CPE credits per three-year term with no additional annual maintenance fee. Without a CISSP, you’re looking at 140 CPE credits per three-year term and an annual maintenance fee of $125, or $75 if you already hold a different ISC2 certification. The exam format itself is the same either way: 125 questions, three hours, Pearson VUE testing centers, with a passing score of 700 out of 1000.

⚠ Heads Up on Study Materials

ISC2 updated all three exam outlines in August 2025. The domain structure and weights changed considerably. The 2025 updates to ISSAP, ISSEP, and ISSMP are significant enough that pre-2025 study guides won’t fully prepare you for the current exams. Always pull the current exam outline directly from ISC2 before you start.

ISSAP: The Security Architecture Certification

The Information Systems Security Architecture Professional targets people whose work centers on designing security frameworks at the enterprise level. Think translating business requirements into security architecture, evaluating how different components of an environment interact from a security standpoint, and advising on the structural design of systems and networks across an organization.

The August 2025 update restructured ISSAP from six domains down to four. Infrastructure and System Security Architecture is now the dominant domain at 32 percent, which makes sense given how much security architecture work now revolves around cloud environments and hybrid infrastructure. Identity and Access Management Architecture carries 25 percent, reflecting the reality that identity has become the primary security perimeter in most enterprise environments. Security Architecture Modeling accounts for 22 percent, and Governance, Risk, and Compliance covers the remaining 21 percent.

That infrastructure domain at nearly a third of the exam is worth paying attention to. This is where cloud security architecture, zero trust design, and hybrid environment security live in the new outline. If you’re studying with materials that treat these as secondary topics, you’re underprepared for a significant portion of the test.

Who the ISSAP Is For

Enterprise security architects, solutions architects, and consultants who scope security frameworks for clients are the core audience. It shows up most often in financial services, healthcare, and large technology companies where security architecture is its own role rather than something layered on top of an engineering position. The client I mentioned at the start went with ISSAP for exactly this reason. His day-to-day work was already heavily architectural, and the role he was targeting specifically listed it as a preferred credential. That alignment made the decision easy.

If you’re still mostly hands-on in a technical operations role, the ISSAP is probably a few years ahead of where you are. The exam content maps to the kind of design-level thinking that comes with senior architect experience, and trying to study material you’re not doing at work every day is a harder road than it needs to be.

ISSEP: The Security Engineering Certification

The Information Systems Security Engineering Professional has the most clearly defined target audience of the three. It was developed in collaboration with the NSA and is rooted in systems security engineering principles with a heavy emphasis on federal frameworks. If you work in the defense sector, support federal agencies, or work for a contractor whose clients are government programs, ISSEP has a level of recognition in those environments that the other two simply don’t carry.

The updated exam outline covers five domains. Security Planning and Engineering is the largest at 30 percent. Systems Security Engineering Foundations accounts for 25 percent. Secure Operations, Change Management and Disposal covers 17 percent. The remaining two domains, Systems Security Implementation, Verification and Validation, and Risk Management, split the rest at 14 percent each. The emphasis on engineering foundations and planning reflects what this certification is really testing: whether you understand how to engineer secure systems from conception through disposal, not just how to configure security tools.

One thing candidates who took the updated ISSEP have flagged: the new exam goes deeper into systems engineering methodology than the official textbook covers. NIST SP 800-160, INCOSE Systems Engineering principles, secure-by-design practices, and supply chain risk management are all well represented. If you’re not already working with these frameworks regularly, they require dedicated study time beyond the standard prep materials.

🏛️ ISSEP: Know Before You Study

Developed With: The NSA. That origin gives it strong name recognition in defense and intelligence community hiring specifically.

Heaviest Domain: Security Planning and Engineering at 30 percent. Expect to go deeper on NIST 800-160 than the official textbook alone will take you.

Best Fit: Federal agencies, DoD programs, and government contractors where RMF and ATO processes are part of your daily work.

Skip It If: Your work is entirely private sector. The federal framework content is real exam weight, not background color, and it won’t translate to a commercial enterprise role.

Who the ISSEP Is For

Systems security engineers, information assurance engineers, and security professionals embedded in government program offices. It’s also a strong credential for consultants whose client base skews heavily toward federal contracts. If your resume regularly goes in front of contracting officers reviewing labor category requirements, having ISSEP alongside your experience on those contracts makes you a more credible match for senior technical roles. I’ve talked to people in that world who say it was the specific credential that got their resume past initial screening. That kind of targeted recognition is hard to manufacture with a generic certification.

ISSMP: The Security Management Certification

The Information Systems Security Management Professional sits at the intersection of security leadership, program oversight, and organizational risk. The 2025 update kept the six-domain structure but significantly updated the content within each domain to reflect where security management roles have actually evolved. Leadership and Organizational Management is the heaviest domain, which is the clearest signal of what ISC2 is testing. This is a management credential with a security specialization, not a technical credential with a management layer on top.

The six domains are Leadership and Organizational Management, Systems Lifecycle Management, Risk Management, Security Operations, Contingency Management, and Law, Ethics, and Security Compliance Management. The Security Operations domain now covers more ground on continuous monitoring, security analytics, and operational resilience. Contingency Management was updated to address business continuity in cloud and hybrid environments rather than just traditional disaster recovery planning. These aren’t cosmetic changes. They reflect what security management roles actually look like in practice today.

ISSMP vs CISM: The Question I Get Every Time

Any time the ISSMP comes up, someone asks how it compares to CISM. Both cover security management and organizational risk. The practical difference is in which ecosystem they belong to and who’s reading your resume. The CISM vs CISSP question has a lot of overlap with this one, and the same logic applies here. ISACA-heavy organizations in banking and audit tend to weight CISM more heavily because ISACA is deeply embedded in how those industries think about governance. Organizations where ISC2 is the default framework will view ISSMP as the natural advanced credential for a security leader with that background.

Neither is objectively stronger. Think about who’s reading your resume and what certification framework their organization runs on. That’s the answer.

Senior security managers, directors, and professionals moving toward CISO roles are the most common ISSMP candidates. If you regularly present risk posture to leadership or boards, the content maps closely to what those conversations actually require.

Where ISSMP Shows Up

Picking the Right One

Most people who call me about these certifications already have a rough sense of where their career is heading. The confusion usually comes from the names looking similar, not from the certifications themselves being ambiguous once you understand what each one covers.

ISSAP (Architecture): You design security frameworks at the enterprise level. Your title includes “architect” or you spend most of your time on structural decisions rather than operations. Private sector or consulting focused.

ISSEP (Engineering): You work in systems security engineering for federal agencies, DoD programs, or government contractors. RMF and ATO processes are part of your regular work. If that doesn’t describe you, move on.

ISSMP (Management): You lead or manage a security function, present risk posture to executive leadership, and spend more time on program oversight than hands-on technical work. You’re heading toward CISO territory or already there.

There’s no rule against eventually holding more than one. Some senior security leaders do end up with multiple. But chasing all three for credential collection reasons is not a strategy I’d recommend. Pick the one that connects to what you’re doing at work right now and where you’re heading over the next few years. A credential that doesn’t map to your actual experience is harder to study for, harder to pass, and harder to leverage once you have it.

Before You Register

ISSAP, ISSEP, and ISSMP are standalone advanced certifications now. You don’t need a CISSP to earn any of them, the exam outlines were overhauled in August 2025, and training costs dropped significantly. If you’ve been putting these off because you assumed they were locked behind a CISSP prerequisite, that’s no longer the case. The right one of these three is still a career-specific choice. Match it to your actual work, pull the current exam outline from ISC2 before you start studying, and don’t rely on prep materials from before the August 2025 updates. For the right role in the right organization, any one of these credentials can be what moves you past everyone else with the same years and the same base certifications on their resume.