Career Employer

FREE ISSAP Study Guide 2026: All 4 Domains

The most important things the CISSP-ISSAP tests — an interactive study guide with built-in quizzes and flashcards, organized by all 4 ISC2 domains.

This free ISSAP study guide walks through every domain the CISSP-ISSAP (Information Systems Security Architecture Professional) exam tests, organized to the current ISC2 exam outline.[1]

It’s interactive, not a wall of text: every module has built-in checkpoint quizzes, flashcards, and practice questions, so you learn by doing — not just reading.

The ISSAP tests four official domains and is a CISSP concentration — it assumes CISSP-level breadth and goes deeper on how a security architect designs solutions. We teach one study module per domain and weight your time toward the heaviest, Infrastructure & System Security (32%).

Read a module, test yourself at each checkpoint, then drill gaps with our free practice test and flashcards. This guide is a high-yield overview that maps the official content — not a full security-architecture textbook.

ISSAP is one of the 9 ISC2 certifications — explore our ISC2 study guides to compare and prep across the whole family.

ISSAP Exam Snapshot

ISSAP exam at a glance

| Detail | CISSP-ISSAP Exam |
| --- | --- |
| Questions | 125 items |
| Format | Multiple choice + advanced innovative item types |
| Time | 3 hours |
| Passing score | 700 out of 1000 points (scaled) |
| Administered by | ISC2, delivered at Pearson VUE |
| Certifying body | ISC2 (formerly (ISC)²) |
| Prerequisite | Active CISSP in good standing |
| Eligibility | 2 years' experience in 1+ ISSAP domains |
| Cost | $599 USD |
| Recertification | 3-year CISSP cycle — 120 CPE credits + $135 annual maintenance fee (covers concentrations) |

The ISSAP covers four domains, and unlike the CISSP the weights are uneven — Infrastructure & System Security dominates at 32%, and IAM Architecture is the second-largest at 25%.[1] Study by weight:

ISSAP weighting by domain (ISC2 exam outline)

| Domain | Weight | Outline |
| --- | --- | --- |
| Infrastructure & System Security | 32% | Domain 3 |
| Identity & Access Management Architecture | 25% | Domain 4 |
| Security Architecture Modeling | 22% | Domain 2 |
| Governance, Risk & Compliance | 21% | Domain 1 |

Module 1 · Governance, Risk & Compliance (GRC)

One official domain, 21% of the exam. This domain is where the architect connects security design to the business: choosing architecture frameworks, analyzing risk, and proving that the design meets legal and regulatory obligations. Every later design decision should trace back to a requirement captured here.

1.1 Architecture Frameworks & Governance

A security architecture is governed within an enterprise architecture framework. Know the big three: Zachman is a taxonomy (a matrix of perspectives × interrogatives), TOGAF is a method (the Architecture Development Method, ADM) for building and governing architecture, and SABSA is a business-driven, risk-focused framework built for security specifically.[10] A reference architecture then captures proven patterns so designs stay consistent across the enterprise.

Governance also means duties: due diligence (doing the research and building the plan) and due care (acting on it and maintaining controls) form the “prudent person rule.” The architect works within the organization’s risk appetite and uses a security policy hierarchy — policy, standard, procedure, guideline — to express decisions.[3]

Enterprise architecture frameworks compared

| Framework | What it is | Security focus |
| --- | --- | --- |
| Zachman | A taxonomy/matrix of perspectives × interrogatives | Organizes artifacts; not security-specific |
| TOGAF | A method (ADM) to develop and govern architecture | General EA; security woven through phases |
| SABSA | A business-driven, risk-focused framework | Purpose-built for security architecture |

1.2 Risk Analysis for Architects

Risk drives the architecture: you design controls to bring risk within tolerance. Risk is assessed two ways — qualitative (subjective high/medium/low) and quantitative (dollar-based). The architect must be fluent in the quantitative formulas: the single loss expectancy (SLE = asset value × exposure factor), the annualized rate of occurrence (ARO), and the annualized loss expectancy (ALE = SLE × ARO).[4]

After assessing risk, you choose a treatment — mitigate, transfer, avoid, or accept — and whatever you do, residual risk remains and must be formally accepted. A control should never cost more than the ALE it reduces. The architect documents this with a control traceability matrix so every control ties to a requirement and every requirement ties to a control.

The four risk treatment options

| Treatment | What you do | Architectural example |
| --- | --- | --- |
| Mitigate (reduce) | Add controls to lower likelihood or impact | Add MFA and segmentation to a high-value zone |
| Transfer | Shift the financial impact to a third party | Buy cyber-insurance; outsource to a vetted provider |
| Avoid | Stop the activity that creates the risk | Drop a risky integration from the design |
| Accept | Formally tolerate the residual risk | Management signs off on a low-impact residual risk |
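A worked example of the quantitative formulas and the cost-justification rule above, added here and not part of the study guide: it computes SLE and ALE for a constructed asset, the residual ALE under each candidate control, and recommends the control whose net benefit is positive (or acceptance when none pays for itself). All dollar figures, exposure factors and rates are constructed.

```python
# Added worked example (not from the study guide): SLE = AV x EF, ALE = SLE x ARO,
# and the rule that a control should never cost more than the ALE it removes.
# Every figure below is constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Risk:
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF: fraction of AV lost per occurrence (0..1)
    aro: float              # ARO: expected occurrences per year

    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    new_exposure_factor: float  # EF once the control is in place
    new_aro: float              # ARO once the control is in place


def residual_risk(risk: Risk, control: Control) -> Risk:
    """The risk that remains after the control is applied; it must still be formally accepted."""
    return Risk(risk.asset_value, control.new_exposure_factor, control.new_aro)


def annual_net_benefit(risk: Risk, control: Control) -> float:
    """(ALE before - ALE after) - annual control cost. Positive means the control is justified."""
    return risk.ale() - residual_risk(risk, control).ale() - control.annual_cost


def recommend(risk: Risk, controls: List[Control]) -> Tuple[Optional[str], float]:
    """Mitigate with the best-paying control, or accept the risk (None) when none pays for itself."""
    best = max(controls, key=lambda c: annual_net_benefit(risk, c))
    benefit = annual_net_benefit(risk, best)
    return (best.name, benefit) if benefit > 0 else (None, 0.0)


# Constructed scenario: a $2M customer database, a breach destroys 25% of its
# value, and such a breach is expected about once every two years.
DB_RISK = Risk(asset_value=2_000_000, exposure_factor=0.25, aro=0.5)
CANDIDATES = [
    # MFA plus segmentation halves the likelihood and shrinks the blast radius.
    Control("MFA + segmentation", annual_cost=60_000, new_exposure_factor=0.10, new_aro=0.25),
    # Gold-plated option: the extra reduction never pays back its price.
    Control("Full DLP suite", annual_cost=300_000, new_exposure_factor=0.05, new_aro=0.25),
]

if __name__ == "__main__":
    print(f"SLE = ${DB_RISK.sle():,.0f}  ALE = ${DB_RISK.ale():,.0f}")
    for c in CANDIDATES:
        print(f"{c.name}: net benefit ${annual_net_benefit(DB_RISK, c):,.0f}/year")
    print("Recommendation:", recommend(DB_RISK, CANDIDATES))
```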

1.3 Compliance & Privacy by Design

The architecture must demonstrably satisfy compliance obligations — GDPR, HIPAA, PCI DSS, and standards such as ISO/IEC 27001.[9] Two ideas the exam tests heavily: privacy by design (build privacy in from the start, not afterward) and data residency (store and process data within the required jurisdiction). The architect turns each obligation into a concrete, testable design constraint.

Compliance drivers the architecture must satisfy

| Driver | What it requires | Design implication |
| --- | --- | --- |
| GDPR | Lawful basis, data-subject rights, breach notification | Privacy by design, data minimization, EU data residency |
| HIPAA | Safeguards for electronic protected health information | Encryption, access control, and audit logging for ePHI |
| PCI DSS | Protect cardholder data | Segment the cardholder data environment; tokenize where possible |
| ISO/IEC 27001 | A risk-based ISMS | Controls selected and justified against assessed risk |

Checkpoint · Governance, Risk & Compliance


A security architect is designing controls to support a new regulatory mandate that requires demonstrable data residency. Which architectural artifact most directly enables auditors to verify that the design satisfies the residency requirement?

Module 2 · Security Architecture Modeling

One official domain, 22% of the exam. This domain is about turning requirements into models: the formal security models a system enforces, how you threat-model a design, and the secure-design principles — including zero trust — that shape a trustworthy architecture.

2.1 Security Models & the Reference Monitor

A security model formalizes a policy into rules a system can enforce. The two you must know cold are Bell-LaPadula (confidentiality) and Biba (integrity) — they are mirror images. A third, Clark-Wilson, protects integrity through well-formed transactions and separation of duties.

Core security models

| Model | Protects | Key idea |
| --- | --- | --- |
| Bell-LaPadula | Confidentiality | No read up, no write down |
| Biba | Integrity | No read down, no write up |
| Clark-Wilson | Integrity | Well-formed transactions + separation of duties |
| Brewer-Nash (Chinese Wall) | Confidentiality | Access changes dynamically to prevent conflicts of interest |

Underneath the models, the reference monitor mediates every access between subjects and objects — it must be tamperproof, always invoked, and verifiable. It is implemented by the security kernel within the trusted computing base (TCB). A trust boundary marks where trust level changes, and that is where the architect concentrates controls.
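The Bell-LaPadula and Biba rules above, written as a toy reference monitor (an added example, not code from the study guide): each model is a pure decision function over subject and object levels, a single mediation point applies it to every access and denies anything it does not recognise, and a decision table enumerates the rules so the "mirror image" claim can be audited. The three-level lattice and the labels are constructed.

```python
# Added example (not from the study guide): Bell-LaPadula and Biba as decision
# functions behind one reference monitor. Levels are a constructed three-step lattice.
from enum import IntEnum
from typing import Callable, Dict, Tuple


class Level(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    SECRET = 2


Policy = Callable[[Level, Level, str], bool]


def blp_allows(subject: Level, obj: Level, op: str) -> bool:
    """Bell-LaPadula (confidentiality): Simple Security = no read up, *-Property = no write down."""
    if op == "read":
        return subject >= obj   # read only at or below your clearance
    if op == "write":
        return subject <= obj   # write only at or above your clearance
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Level, obj: Level, op: str) -> bool:
    """Biba (integrity): Simple Integrity = no read down, *-Integrity = no write up."""
    if op == "read":
        return subject <= obj   # read only from equal or higher integrity
    if op == "write":
        return subject >= obj   # write only to equal or lower integrity
    raise ValueError(f"unknown operation {op!r}")


def reference_monitor(policy: Policy, subject: Level, obj: Level, op: str) -> bool:
    """Complete mediation: every access passes through here, and an operation the
    policy does not understand is denied (fail-secure) rather than let through."""
    try:
        return policy(subject, obj, op)
    except ValueError:
        return False


def decision_table(policy: Policy) -> Dict[Tuple[str, str, str], bool]:
    """Enumerate the policy over every (subject, object, op) so the rules can be reviewed."""
    return {
        (s.name, o.name, op): policy(s, o, op)
        for s in Level for o in Level for op in ("read", "write")
    }


if __name__ == "__main__":
    for name, policy in (("Bell-LaPadula", blp_allows), ("Biba", biba_allows)):
        print(name)
        for (s, o, op), ok in decision_table(policy).items():
            print(f"  {s:8} {op:5} {o:8} -> {'allow' if ok else 'deny'}")
```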

2.2 Threat Modeling

Threat modeling identifies and prioritizes threats during design so countermeasures are built in, not bolted on. The most-tested taxonomy is STRIDE; it is often applied to a data flow diagram, examining each element and trust boundary. Reducing the attack surface is a primary goal of every design.

STRIDE threat categories

| Threat | What it means | Counters |
| --- | --- | --- |
| Spoofing | Pretending to be someone/something else | Strong authentication, MFA |
| Tampering | Unauthorized modification of data | Hashing, digital signatures, integrity controls |
| Repudiation | Denying an action was performed | Logging, non-repudiation, audit trails |
| Information disclosure | Exposing data to the wrong party | Encryption, access control |
| Denial of service | Making a system unavailable | Redundancy, rate limiting, filtering |
| Elevation of privilege | Gaining rights beyond authorization | Least privilege, secure defaults |

2.3 Secure Design Principles & Zero Trust

Trustworthy architecture rests on principles: defense in depth (overlapping layers), least privilege, separation of duties, secure defaults, complete mediation, economy of mechanism, and fail-secure vs. fail-safe decisions. The dominant modern model is zero trust architecture: assume no implicit trust by network location and verify every request.[6]

In a zero-trust design, a policy decision point (PDP) evaluates identity, device, and context, and a policy enforcement point (PEP) enforces the decision. Microsegmentation then contains lateral movement so a breach in one place cannot spread.

Checkpoint · Security Architecture Modeling


A security architecture model uses a layered abstraction to relate business drivers down to technical implementation across contextual, conceptual, logical, physical, component, and operational views. Which framework is being described?

Module 3 · Infrastructure & System Security

One official domain, 32% of the exam — the largest. This is where the architecture meets the wire: secure networks, cryptography and PKI, cloud and endpoints, and the resilience that keeps it all running. Invest the most study time here.

3.1 Network Security Architecture

Sound network design starts with network segmentation — zones that stop a breach from spreading. A DMZ (screened subnet) isolates public-facing services, an NGFW enforces app- and identity-aware policy, and IDS/IPS provide detection and inline prevention. Secure the traffic itself with IPsec (Layer 3 VPNs) and TLS (application traffic).

Network controls and where they fit

| Control | Role | Note |
| --- | --- | --- |
| Segmentation / VLANs | Limit lateral movement | Foundation of containment |
| DMZ (screened subnet) | Isolate public services | Between two firewalls |
| NGFW | App/identity-aware filtering | Adds IPS and deep inspection |
| IDS / IPS | Detect / prevent attacks | IDS alerts; IPS blocks inline |
| IPsec VPN | Encrypt IP traffic (Layer 3) | Tunnel or transport mode |
| TLS | Encrypt application traffic | HTTPS; TLS 1.3 current |

3.2 Cryptography & PKI

Symmetric encryption (AES) is fast but hard to distribute keys for; asymmetric encryption (RSA, ECC) is slower but solves key exchange and enables signatures. Real systems are hybrid. A digital signature gives integrity, authenticity, and non-repudiation, and all of this trust is managed by a public key infrastructure (PKI).

Encrypt vs. sign — which key do you use?

| Goal | Use this key | Result |
| --- | --- | --- |
| Confidentiality (encrypt for someone) | Recipient's PUBLIC key | Only the recipient's private key can decrypt |
| Authenticity (sign a message) | Sender's PRIVATE key | Anyone can verify with the sender's public key |
| Integrity | Hash function (no key) | A changed message produces a different digest |

The architect also designs the key management lifecycle — generation, distribution, storage, rotation, and destruction — often anchored by a hardware security module (HSM) to keep private keys off general-purpose hosts. Build in crypto-agility so algorithms can be swapped as standards (including post-quantum) evolve.

3.3 Cloud, Endpoint & Resilience

In the cloud, the shared responsibility model sets who secures what — and the customer’s share shrinks from IaaS to SaaS. Endpoints need layered protection (hardening, EDR, encryption, patching), and media reaching end of life must defeat data remanence through proper media sanitization.[8]

Resilience is an architecture property: design with redundancy, clustering, and load balancing, and eliminate every single point of failure (SPOF). Backups (full, incremental, differential) and recovery sites (hot, warm, cold) round out the design.

Cloud responsibility and resilience building blocks

| Concept | Detail |
| --- | --- |
| IaaS | Customer manages OS upward; provider manages the infrastructure |
| PaaS | Customer manages apps/data; provider manages the platform |
| SaaS | Provider manages most of the stack; customer still owns data and access |
| Hot site | Fully equipped, near-real-time failover — fastest, most expensive |
| Warm site | Hardware ready, data restored on demand — moderate cost/speed |
| Cold site | Space with power/cooling only — cheapest, slowest |
| Media sanitization | Clear (reuse), Purge (release externally), Destroy (NIST SP 800-88) |

Checkpoint · Infrastructure & System Security


An architect is designing network segmentation for an enterprise. Which approach best limits lateral movement after an endpoint compromise?

Module 4 · Identity & Access Management (IAM) Architecture

One official domain, 25% of the exam — the second-largest. This domain is about designing how identities are established, proven, authorized, federated, and governed across their lifecycle.

4.1 Authentication & Access Control

Access control is a four-step sequence: identification (claim an identity) → authentication (prove it) → authorization (what you may do) → accountability (log it). Strong authentication means multi-factor authentication (MFA) — factors from different categories (know, have, are).[7] Authorization is enforced through access control models.

The three authentication factor categories

| Factor | Type | Examples |
| --- | --- | --- |
| Something you know | Knowledge | Password, PIN, passphrase |
| Something you have | Possession | Smart card, hardware token, phone |
| Something you are | Inherence (biometric) | Fingerprint, iris, face |
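The four-step sequence and the factor-category rule above as runnable code (an added example, not from the study guide): identification looks the claimed name up, authentication requires factors from at least two different categories and a match on each, authorization is a role lookup, and accountability writes every decision to an audit trail. The user directory, role permissions and secrets are constructed.

```python
# Added example (not from the study guide): identification -> authentication ->
# authorization -> accountability, with MFA judged by factor category, not factor count.
# Directory, roles and credentials below are constructed for illustration.
from dataclasses import dataclass
from enum import Enum
from hmac import compare_digest
from typing import Dict, List, Optional, Tuple


class Factor(Enum):
    KNOWLEDGE = "know"    # password, PIN, passphrase
    POSSESSION = "have"   # smart card, hardware token, phone
    INHERENCE = "are"     # fingerprint, iris, face


@dataclass
class User:
    username: str
    role: str
    credentials: Dict[Factor, str]  # expected secret per category (a real system stores hashes)


# Constructed user directory and role-based permissions.
DIRECTORY = {
    "alice": User("alice", "dba", {Factor.KNOWLEDGE: "s3cret", Factor.POSSESSION: "otp-482913"}),
    "bob": User("bob", "analyst", {Factor.KNOWLEDGE: "hunter2"}),  # never enrolled a 2nd factor
}
ROLE_PERMISSIONS = {"dba": {"db:read", "db:write"}, "analyst": {"db:read"}}
AUDIT_LOG: List[str] = []  # accountability: every decision, allow or deny, lands here

Presented = List[Tuple[Factor, str]]  # factors offered at login, as (category, value)


def is_mfa(presented: Presented) -> bool:
    """Factors must span different categories: password + PIN is two secrets, one factor."""
    return len({factor for factor, _ in presented}) >= 2


def identify(username: str) -> Optional[User]:
    """Step 1: the subject claims an identity; nothing is proven yet."""
    return DIRECTORY.get(username)


def authenticate(user: User, presented: Presented) -> bool:
    """Step 2: prove the claim. Require MFA and a constant-time match on every factor."""
    if not is_mfa(presented):
        return False
    return all(
        factor in user.credentials and compare_digest(user.credentials[factor], value)
        for factor, value in presented
    )


def authorize(user: User, permission: str) -> bool:
    """Step 3: RBAC decides what the authenticated identity may do."""
    return permission in ROLE_PERMISSIONS.get(user.role, set())


def access(username: str, presented: Presented, permission: str) -> bool:
    """Run all four steps; step 4 (accountability) records the outcome of each decision."""
    user = identify(username)
    if user is None:
        AUDIT_LOG.append(f"DENY unknown user {username!r}")
        return False
    if not authenticate(user, presented):
        AUDIT_LOG.append(f"DENY {username}: authentication failed (mfa={is_mfa(presented)})")
        return False
    if not authorize(user, permission):
        AUDIT_LOG.append(f"DENY {username}: role {user.role!r} lacks {permission}")
        return False
    AUDIT_LOG.append(f"ALLOW {username}: {permission}")
    return True


if __name__ == "__main__":
    access("alice", [(Factor.KNOWLEDGE, "s3cret"), (Factor.POSSESSION, "otp-482913")], "db:write")
    access("bob", [(Factor.KNOWLEDGE, "hunter2"), (Factor.KNOWLEDGE, "1234")], "db:read")
    print(*AUDIT_LOG, sep="\n")
```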

4.2 Federation & Identity Lifecycle

Enterprises tie identity together with single sign-on (SSO) and federated identity. Know the protocols by purpose: SAML (web SSO/federation), OAuth 2.0 (delegated authorization), and OpenID Connect (authentication on top of OAuth). On a network, Kerberos provides ticket-based SSO.

Identity protocols — what each one is for

| Protocol | Purpose | Issues |
| --- | --- | --- |
| SAML | Web SSO and federation | XML authentication/authorization assertions |
| OAuth 2.0 | Delegated authorization (not authentication) | Access token (what an app may do) |
| OpenID Connect | Authentication on top of OAuth 2.0 | ID token (who the user is) |
| Kerberos | Ticket-based network SSO | Tickets via a KDC; needs time sync |

Identity is governed across its lifecycle — provisioning, modification, and de-provisioning — and the architect adds privileged access management (PAM) with just-in-time (JIT) access for administrators and access recertification to remove access creep.

Checkpoint · IAM Architecture


An architect is designing identity federation between an enterprise IdP and a SaaS provider. Which protocol is most commonly used for browser-based SSO assertions in enterprise settings?

How to Use This ISSAP Study Guide

This guide is built to be worked, not just read. The most efficient path to a pass:

  • Study by weight. Infrastructure & System Security is the largest domain (32%) and IAM Architecture the second (25%) — invest there first, but cover all four.
  • Think like an architect. ISSAP questions ask which design best satisfies a set of business, risk, and compliance requirements — not just which control is technically valid.
  • Check off as you go. Use the Study Guide Contents to mark each section done; it raises your exam-readiness score.
  • Take every checkpoint. The end-of-module quizzes show you exactly which domains need another pass.
  • Drill the weak domain. Send your weak area into the flashcards and a practice test until the score climbs comfortably above 700.


ISSAP Glossary

The high-yield ISSAP terms in one place, each with a one-line definition.

Access recertification
Periodic review where managers attest that each user's access is still appropriate, removing excess privilege.
Accountability
Tying actions back to a specific identity through logging and monitoring.
Annualized Loss Expectancy (ALE)
The expected yearly cost of a risk: ALE = SLE × ARO. Used to cost-justify controls.
Annualized Rate of Occurrence (ARO)
The expected number of times a specific risk event will occur in one year.
Asymmetric encryption
Encryption using a public/private key pair (e.g., RSA, ECC); solves key exchange and enables digital signatures.
Attack surface
The sum of all points where an attacker can attempt to enter, extract data, or affect a system; good architecture minimizes it.
Attribute-based access control (ABAC)
Access decided by attributes and policy (user, resource, time, location); the most granular and context-aware.
Authentication
Proving a claimed identity with a credential (knowledge, possession, or inherence factor).
Authorization
Determining what an authenticated identity is permitted to access and do.
Bell-LaPadula model
A confidentiality model: Simple Security Property (no read up) and *-Property (no write down) — 'no read up, no write down.'
Biba model
An integrity model: Simple Integrity Axiom (no read down) and *-Integrity Axiom (no write up) — 'no read down, no write up.'
Clark-Wilson model
An integrity model enforcing well-formed transactions and separation of duties through the access triple (subject-program-object).
Compliance
Adherence to laws, regulations, standards, and contractual obligations the architecture must demonstrably support (e.g., GDPR, HIPAA, PCI DSS).
Control traceability matrix
An artifact mapping each requirement to the specific architectural controls that satisfy it, giving auditors a direct line of evidence.
Crypto-agility
Designing systems so cryptographic algorithms and keys can be replaced quickly as standards evolve or weaknesses emerge.
Data remanence
Residual data that remains on media after deletion or formatting and may be recoverable.
Data residency
A requirement that data be stored and processed within a specific jurisdiction; the architect designs storage and replication to satisfy it.
Defense in depth
Layering multiple, overlapping controls so that if one fails, others still protect the asset.
Digital signature
A hash of a message encrypted with the sender's private key, providing integrity, authenticity, and non-repudiation.
Discretionary access control (DAC)
Access decided by the data owner (e.g., file permissions, ACLs).
DMZ
A screened subnet between the internet and the internal network that hosts public-facing services, isolating them from internal assets.
Due care
Acting on due diligence by implementing and maintaining reasonable controls — what a prudent person would do.
Due diligence
Doing the research and developing the plans and policies needed to protect the organization — the homework before acting.
Fail-secure
On failure, the system denies access (fail-closed) to protect data; contrast with fail-safe (fail-open) to protect life and safety.
Federated identity
Trust established across organizations so a user authenticated by their home identity provider can access a partner's resources.
Hardware Security Module (HSM)
A tamper-resistant hardware device that generates, stores, and uses cryptographic keys, keeping private keys off general-purpose systems.
High availability
Designing redundancy (clustering, load balancing, failover) so services remain available despite component failures.
Identification
A subject claiming an identity (e.g., a username) — the first step of access control.
IDS vs. IPS
An IDS detects and alerts on malicious activity out of band; an IPS sits inline and can actively block it.
IPsec
A Layer 3 protocol suite securing IP traffic; AH provides integrity/authentication, ESP adds confidentiality, with tunnel or transport mode.
ISO/IEC 27001
The international standard for an Information Security Management System (ISMS) — a risk-based framework for establishing and improving security.
ISSAP
Information Systems Security Architecture Professional — an ISC2 CISSP concentration validating the design of security solutions and enterprise security architecture.
Just-in-time (JIT) access
Granting elevated privileges only for the moment and duration needed, then revoking them to limit standing privilege.
Kerberos
A symmetric-key SSO authentication protocol using tickets and a Key Distribution Center (KDC); it requires time synchronization.
Least privilege
Granting users, processes, and systems only the minimum access needed to do their job, and nothing more.
Mandatory access control (MAC)
Access enforced by the system from labels and clearances; rigid and high-security.
Media sanitization
Removing data from media via clearing, purging, or destruction so it cannot be recovered (NIST SP 800-88).
Microsegmentation
Dividing a network into granular, individually policed zones (often per-workload) so lateral movement is contained.
Multi-factor authentication (MFA)
Using two or more factors from different categories — something you know, have, and are.
Network segmentation
Dividing a network into zones (VLANs, subnets) so a compromise in one zone cannot freely reach others.
NGFW
Next-generation firewall — integrates deep packet inspection, application awareness, intrusion prevention, and user identity into one policy point.
OAuth 2.0
An authorization framework that grants an app delegated, scoped access to a resource via tokens; it is not an authentication protocol.
OpenID Connect (OIDC)
An identity layer on top of OAuth 2.0 that adds authentication via an ID token, enabling federated login for apps and APIs.
Policy Decision Point (PDP)
The component (policy engine and administrator) that decides whether to grant access based on policy and context in a zero-trust design.
Policy Enforcement Point (PEP)
The component that enforces the PDP's decision, allowing or blocking the subject's connection to the resource.
Privacy by design
Embedding privacy protections into the architecture from the start — data minimization, restrictive defaults, end-to-end security — rather than bolting them on later.
Privileged Access Management (PAM)
Controls that secure, monitor, and rotate privileged credentials, often with vaulting, session recording, and just-in-time access.
Public Key Infrastructure (PKI)
The framework of certificate authorities, certificates, and policies that manages public keys and trust.
Reference architecture
A reusable, standardized template of proven patterns and controls that guides consistent solution designs across the enterprise.
Reference monitor
The abstract concept that mediates all access between subjects and objects; it must be tamperproof, always invoked, and verifiable.
Residual risk
The risk that remains after controls are applied; senior management formally accepts it.
Risk
The likelihood that a threat will exploit a vulnerability, and the resulting impact on an asset.
Risk appetite
The amount and type of risk an organization is willing to pursue or retain in pursuit of its objectives.
Role-based access control (RBAC)
Access granted by job role rather than the individual; scales well in enterprises.
SABSA
Sherwood Applied Business Security Architecture — a business-driven, risk-focused framework that builds security architecture top-down through a layered matrix.
SAML
Security Assertion Markup Language — an XML standard for exchanging authentication and authorization assertions, used for web SSO and federation.
Security architecture
A unified design describing the structure, behavior, and relationships of an organization's security controls so they coherently meet business, risk, and compliance requirements.
Security model
A formal statement of the rules a system enforces (e.g., Bell-LaPadula, Biba) that turns a policy into enforceable access rules.
Separation of duties
Splitting a sensitive task so no single person can complete it alone, reducing fraud and error.
Shared responsibility model
A division where the cloud provider secures the cloud (infrastructure) and the customer secures what they put in it — scope shifts across IaaS, PaaS, and SaaS.
Single Loss Expectancy (SLE)
The expected monetary loss from a single occurrence of a risk: SLE = Asset Value × Exposure Factor.
Single point of failure (SPOF)
A component whose failure would stop the whole system; the architect eliminates SPOFs through redundancy.
Single sign-on (SSO)
One authentication that grants access to multiple systems, improving usability while centralizing control.
STRIDE
A threat taxonomy: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege.
Symmetric encryption
Encryption using one shared secret key for both encrypting and decrypting (e.g., AES); fast, but key distribution is hard.
Threat modeling
Systematically identifying and prioritizing threats against a design so countermeasures can be built in before build (e.g., using STRIDE).
TLS
Transport Layer Security — protects application traffic (HTTPS) with authentication, confidentiality, and integrity; TLS 1.3 is current.
TOGAF
The Open Group Architecture Framework — a method (the ADM) and structure for developing and governing enterprise architecture across business, data, application, and technology layers.
Trust boundary
A line in an architecture across which trust level changes; controls (validation, authentication, encryption) are concentrated here.
Trusted Computing Base (TCB)
The totality of hardware, software, and firmware that enforces a system's security policy.
Zachman Framework
An enterprise-architecture taxonomy organizing artifacts in a matrix of perspectives against the interrogatives What, How, Where, Who, When, and Why.
Zero trust architecture
A model that assumes no implicit trust by network location; every request is continuously verified by identity, device, and context (NIST SP 800-207).

ISSAP Study Guide FAQ

The CISSP-ISSAP exam has 125 questions and a 3-hour time limit. It uses multiple choice plus advanced innovative item types and is delivered at Pearson VUE test centers.

References

  1. ISC2. “ISSAP Certification Exam Outline.” isc2.org.
  2. ISC2. “ISSAP — Information Systems Security Architecture Professional.” isc2.org.
  3. ISC2. “ISC2 Code of Ethics.” isc2.org.
  4. National Institute of Standards and Technology. “SP 800-30 Rev. 1: Guide for Conducting Risk Assessments.” csrc.nist.gov.
  5. National Institute of Standards and Technology. “SP 800-53 Rev. 5: Security and Privacy Controls.” csrc.nist.gov.
  6. National Institute of Standards and Technology. “SP 800-207: Zero Trust Architecture.” csrc.nist.gov.
  7. National Institute of Standards and Technology. “SP 800-63: Digital Identity Guidelines.” csrc.nist.gov.
  8. National Institute of Standards and Technology. “SP 800-88 Rev. 1: Guidelines for Media Sanitization.” csrc.nist.gov.
  9. International Organization for Standardization. “ISO/IEC 27001 — Information Security Management Systems.” iso.org.
  10. The Open Group. “TOGAF Standard.” opengroup.org.
  11. OWASP Foundation. “Threat Modeling Process.” owasp.org, accessed 21 June 2026.
  12. National Institute of Standards and Technology. “Cryptographic Standards and Guidelines.” csrc.nist.gov, accessed 21 June 2026.
  13. National Institute of Standards and Technology. “SP 800-145: The NIST Definition of Cloud Computing.” csrc.nist.gov, accessed 21 June 2026.
  14. National Institute of Standards and Technology. “SP 800-94: Guide to Intrusion Detection and Prevention Systems.” csrc.nist.gov, accessed 21 June 2026.
  15. National Institute of Standards and Technology. “SP 800-63C: Federation and Assertions.” csrc.nist.gov, accessed 21 June 2026.
  16. National Institute of Standards and Technology. “SP 800-162: Guide to Attribute Based Access Control (ABAC).” csrc.nist.gov, accessed 21 June 2026.