This free ISSAP study guide walks through every domain the CISSP-ISSAP (Information Systems Security Architecture Professional) exam tests, organized to the current ISC2 exam outline.[1]
It’s interactive, not a wall of text: every module has built-in checkpoint quizzes, flashcards, and practice questions, so you learn by doing — not just reading.
The ISSAP tests four official domains and is a CISSP concentration — it assumes CISSP-level breadth and goes deeper on how a security architect designs solutions. We teach one study module per domain and weight your time toward the heaviest, Infrastructure & System Security (32%).
Read a module, test yourself at each checkpoint, then drill gaps with our free practice test and flashcards. This guide is a high-yield overview that maps the official content — not a full security-architecture textbook.
ISSAP is one of the 9 ISC2 certifications — explore our ISC2 study guides to compare and prep across the whole family.
ISSAP Exam Snapshot
| Detail | CISSP-ISSAP Exam |
|---|---|
| Questions | 125 items |
| Format | Multiple choice + advanced innovative item types |
| Time | 3 hours |
| Passing score | 700 out of 1000 points (scaled) |
| Administered by | ISC2, delivered at Pearson VUE |
| Certifying body | ISC2 (formerly (ISC)²) |
| Prerequisite | Active CISSP in good standing |
| Eligibility | 2 years' experience in 1+ ISSAP domains |
| Cost | $599 USD |
| Recertification | 3-year CISSP cycle — 120 CPE credits + $135 annual maintenance fee (covers concentrations) |
The ISSAP covers four domains, and unlike the CISSP the weights are uneven — Infrastructure & System Security dominates at 32%, and IAM Architecture is the second-largest at 25%.[1] Study by weight:
- Governance, Risk, and Compliance (GRC): 21% of the exam
- Security Architecture Modeling: 22% of the exam
- Infrastructure and System Security: 32% of the exam
- Identity and Access Management (IAM) Architecture: 25% of the exam
Module 1 · Governance, Risk & Compliance (GRC)
One official domain, 21% of the exam. This domain is where the architect connects security design to the business: choosing architecture frameworks, analyzing risk, and proving that the design meets legal and regulatory obligations. Every later design decision should trace back to a requirement captured here.
1.1 Architecture Frameworks & Governance
A security architecture is governed within an enterprise framework. Know the big three: Zachman is a taxonomy (a matrix of perspectives × interrogatives), TOGAF is a method (the Architecture Development Method) for building and governing architecture, and SABSA is a business-driven, risk-focused framework built for security specifically.[10] A reference architecture then captures proven patterns so designs stay consistent across the enterprise.
The SABSA layers, top-down from business to operations:
1. Contextual (Business view): Business requirements, drivers, risk appetite — what the business needs and why.
2. Conceptual (Architect's view): Security strategy, principles, and the conceptual control framework.
3. Logical (Designer's view): Security services, entities, and information flows independent of technology.
4. Physical (Builder's view): Mechanisms, products, and data structures that realize the logical design.
5. Component (Tradesman's view): Specific tools, standards, and configurations — the concrete components.
6. Operational (Management view): Running, monitoring, and maintaining the architecture across its lifecycle.
Governance also means duties: due diligence (doing the research and building the plan) and due care (acting on it and maintaining controls) form the “prudent person rule.” The architect works within the organization's and uses a security policy hierarchy — policy, standard, procedure, guideline — to express decisions.[3]
| Framework | What it is | Security focus |
|---|---|---|
| Zachman | A taxonomy/matrix of perspectives × interrogatives | Organizes artifacts; not security-specific |
| TOGAF | A method (ADM) to develop and govern architecture | General EA; security woven through phases |
| SABSA | A business-driven, risk-focused framework | Purpose-built for security architecture |
1.2 Risk Analysis for Architects
Risk drives the architecture: you design controls to bring risk within tolerance. Risk is assessed two ways — qualitative (subjective high/medium/low) and quantitative (dollar-based). The architect must be fluent in the quantitative formulas: the Single Loss Expectancy (SLE), the Annualized Rate of Occurrence (ARO), and the Annualized Loss Expectancy (ALE).[4]
SLE = AV × EF
Single Loss Expectancy = Asset Value × Exposure Factor (the % of the asset lost per event).
ALE = SLE × ARO
Annualized Loss Expectancy = Single Loss Expectancy × Annualized Rate of Occurrence (events per year).
Worked example
Asset = $400,000; an outage destroys 50% (EF = 0.5) → SLE = $200,000. An event every 5 years (ARO = 0.2) → ALE = $200,000 × 0.2 = $40,000/year. Justify a control only if it costs less than $40,000/year.
After assessing risk, you choose a treatment — mitigate, transfer, avoid, or accept — and whatever you do, residual risk remains and must be formally accepted. A control should never cost more than the ALE it reduces. The architect documents this with a control traceability matrix so every control ties to a requirement and every requirement ties to a control.
| Treatment | What you do | Architectural example |
|---|---|---|
| Mitigate (reduce) | Add controls to lower likelihood or impact | Add MFA and segmentation to a high-value zone |
| Transfer | Shift the financial impact to a third party | Buy cyber-insurance; outsource to a vetted provider |
| Avoid | Stop the activity that creates the risk | Drop a risky integration from the design |
| Accept | Formally tolerate the residual risk | Management signs off on a low-impact residual risk |
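The SLE/ALE arithmetic above becomes useful when several candidate controls compete for the same budget. The following added example (not part of the study guide) applies the section's formulas to the guide's $400,000 scenario and scores constructed candidate controls by net annual value, i.e. the ALE they remove minus what they cost; a control with negative net value fails the "never cost more than the ALE it reduces" test. Asset values, exposure factors, and control costs are invented sample figures.

```python
"""Quantitative risk analysis and control cost-justification (added example)."""
from dataclasses import dataclass


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy = Asset Value x Exposure Factor (a fraction 0..1)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def ale(single_loss: float, aro: float) -> float:
    """Annualized Loss Expectancy = SLE x Annualized Rate of Occurrence."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return single_loss * aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    new_exposure_factor: float  # EF once the control is in place
    new_aro: float              # ARO once the control is in place


def control_value(asset_value: float, ef: float, aro: float, control: Control) -> float:
    """Net annual value of a control: (ALE before) - (ALE after) - (annual cost).

    Positive means the control pays for itself; negative means it costs more
    than the loss it prevents and cannot be justified on ALE alone.
    """
    before = ale(sle(asset_value, ef), aro)
    after = ale(sle(asset_value, control.new_exposure_factor), control.new_aro)
    return before - after - control.annual_cost


def justified_controls(asset_value: float, ef: float, aro: float, controls) -> list:
    """Controls whose net value is positive, best value first."""
    scored = [(control_value(asset_value, ef, aro, c), c) for c in controls]
    scored.sort(key=lambda pair: pair[0], reverse=True)
    return [c for value, c in scored if value > 0]


# Constructed scenario matching the guide's worked example: a $400,000 asset,
# 50% destroyed per outage, one outage every five years.
ASSET_VALUE = 400_000.0
EF = 0.5
ARO = 0.2

# Constructed candidate treatments; costs and effects are sample values.
CANDIDATES = [
    Control("Redundant site (halves EF)", 15_000, new_exposure_factor=0.25, new_aro=0.2),
    Control("Gold-plated DR platform", 60_000, new_exposure_factor=0.05, new_aro=0.2),
    Control("Change control + monitoring (halves ARO)", 5_000, new_exposure_factor=0.5, new_aro=0.1),
]

if __name__ == "__main__":
    print(f"SLE = ${sle(ASSET_VALUE, EF):,.0f}; ALE = ${ale(sle(ASSET_VALUE, EF), ARO):,.0f}/year")
    for c in CANDIDATES:
        print(f"{c.name:42s} net value ${control_value(ASSET_VALUE, EF, ARO, c):>10,.0f}/year")
    print("Justified:", [c.name for c in justified_controls(ASSET_VALUE, EF, ARO, CANDIDATES)])
```

Run as a script, it reproduces the guide's SLE of $200,000 and ALE of $40,000, then shows that the expensive DR platform has a negative net value even though it removes the most loss, which is exactly the trade-off the exam expects an architect to make explicit.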
1.3 Compliance & Privacy by Design
The architecture must demonstrably satisfy obligations — GDPR, HIPAA, PCI DSS, and standards such as ISO/IEC 27001.[9] Two ideas the exam tests heavily: privacy by design (build privacy in from the start, not afterward) and data residency (store and process data within the required jurisdiction). The architect turns each obligation into a concrete, testable design constraint.
| Driver | What it requires | Design implication |
|---|---|---|
| GDPR | Lawful basis, data-subject rights, breach notification | Privacy by design, data minimization, EU data residency |
| HIPAA | Safeguards for electronic protected health information | Encryption, access control, and audit logging for ePHI |
| PCI DSS | Protect cardholder data | Segment the cardholder data environment; tokenize where possible |
| ISO/IEC 27001 | A risk-based ISMS | Controls selected and justified against assessed risk |
Checkpoint · Governance, Risk & Compliance
A security architect is designing controls to support a new regulatory mandate that requires demonstrable data residency. Which architectural artifact most directly enables auditors to verify that the design satisfies the residency requirement?
Module 2 · Security Architecture Modeling
One official domain, 22% of the exam. This domain is about turning requirements into models: the formal security models a system enforces, how you threat-model a design, and the secure-design principles — including zero trust — that shape a trustworthy architecture.
2.1 Security Models & the Reference Monitor
A security model formalizes a policy into rules a system can enforce. The two you must know cold are Bell-LaPadula (confidentiality) and Biba (integrity) — they are mirror images. A third, Clark-Wilson, protects integrity through well-formed transactions and separation of duties.
| Model | Protects | Key idea |
|---|---|---|
| Bell-LaPadula | Confidentiality | No read up, no write down |
| Biba | Integrity | No read down, no write up |
| Clark-Wilson | Integrity | Well-formed transactions + separation of duties |
| Brewer-Nash (Chinese Wall) | Confidentiality | Access changes dynamically to prevent conflicts of interest |
Underneath the models, the reference monitor mediates every access between subjects and objects — it must be tamperproof, always invoked, and verifiable. It is implemented by the security kernel within the Trusted Computing Base (TCB). A trust boundary marks where trust level changes, and that is where the architect concentrates controls.
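The "mirror image" relationship between Bell-LaPadula and Biba is easiest to see in code. This added example (not from the study guide) implements both rule sets as a small reference monitor over a constructed four-level lattice with no categories; each request is checked against both models, as a system that labels data for confidentiality and integrity at once would. Subjects, objects, and levels are sample data.

```python
"""A reference monitor enforcing Bell-LaPadula and Biba (added example)."""
from enum import IntEnum


class Level(IntEnum):
    """Ordered levels used for both sensitivity and integrity (constructed lattice)."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3


def blp_permits(subject_clearance: Level, object_class: Level, op: str) -> bool:
    """Bell-LaPadula (confidentiality).
    read  -> simple security property: no read up   (subject >= object)
    write -> *-property:                no write down (subject <= object)
    """
    if op == "read":
        return subject_clearance >= object_class
    if op == "write":
        return subject_clearance <= object_class
    raise ValueError(f"unknown operation {op!r}")


def biba_permits(subject_integrity: Level, object_integrity: Level, op: str) -> bool:
    """Biba (integrity), the mirror image.
    read  -> simple integrity axiom: no read down (subject <= object)
    write -> *-integrity axiom:      no write up  (subject >= object)
    """
    if op == "read":
        return subject_integrity <= object_integrity
    if op == "write":
        return subject_integrity >= object_integrity
    raise ValueError(f"unknown operation {op!r}")


def reference_monitor(subject: dict, obj: dict, op: str) -> tuple:
    """Mediate one access; both models must agree. Returns (decision, reason)."""
    if not blp_permits(subject["clearance"], obj["classification"], op):
        return False, "denied by Bell-LaPadula"
    if not biba_permits(subject["integrity"], obj["integrity"], op):
        return False, "denied by Biba"
    return True, "permitted"


# Constructed subjects and objects: each carries a confidentiality label and an integrity label.
ANALYST = {"clearance": Level.SECRET, "integrity": Level.INTERNAL}
CONTRACTOR = {"clearance": Level.INTERNAL, "integrity": Level.PUBLIC}
SECRET_REPORT = {"classification": Level.SECRET, "integrity": Level.INTERNAL}
PUBLIC_FEED = {"classification": Level.PUBLIC, "integrity": Level.PUBLIC}
GOLDEN_CONFIG = {"classification": Level.INTERNAL, "integrity": Level.CONFIDENTIAL}

if __name__ == "__main__":
    subjects = (("analyst", ANALYST), ("contractor", CONTRACTOR))
    objects = (("secret report", SECRET_REPORT), ("public feed", PUBLIC_FEED), ("golden config", GOLDEN_CONFIG))
    for who, subj in subjects:
        for what, obj in objects:
            for op in ("read", "write"):
                ok, why = reference_monitor(subj, obj, op)
                print(f"{who:10s} {op:5s} {what:13s}: {why}")
```

Two outputs are worth dwelling on: the analyst may not read the public feed (Biba's no-read-down blocks a high-integrity subject from consuming untrusted input), and the contractor may not write the golden config (no write up), even though Bell-LaPadula alone would permit both.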
2.2 Threat Modeling
Threat modeling identifies and prioritizes threats during design so countermeasures are built in, not bolted on. The most-tested taxonomy is STRIDE; it is often applied to a data flow diagram, examining each element and trust boundary. Reducing the attack surface is a primary goal of every design.
| Threat | What it means | Counters |
|---|---|---|
| Spoofing | Pretending to be someone/something else | Strong authentication, MFA |
| Tampering | Unauthorized modification of data | Hashing, digital signatures, integrity controls |
| Repudiation | Denying an action was performed | Logging, non-repudiation, audit trails |
| Information disclosure | Exposing data to the wrong party | Encryption, access control |
| Denial of service | Making a system unavailable | Redundancy, rate limiting, filtering |
| Elevation of privilege | Gaining rights beyond authorization | Least privilege, secure defaults |
2.3 Secure Design Principles & Zero Trust
Trustworthy architecture rests on principles: defense in depth (overlapping layers), least privilege, separation of duties, secure defaults, complete mediation, economy of mechanism, and fail-secure vs. fail-safe decisions. The dominant modern model is zero trust architecture: assume no implicit trust by network location and verify every request.[6]
1. Subject + device: Requests access — never trusted by network location alone.
2. Policy Enforcement Point (PEP): Intercepts the request and enforces the decision.
3. Policy Decision Point (PDP): Policy engine + administrator evaluate identity, device, and context, then grant least-privilege access or deny.
In a zero-trust design, a Policy Decision Point (PDP) evaluates identity, device, and context, and a Policy Enforcement Point (PEP) enforces the decision. Microsegmentation then contains lateral movement so a breach in one place cannot spread.
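To make the PDP/PEP split concrete, here is an added example (not from the study guide) in which the PDP decides on identity, device posture, and request context using attribute-based rules of the kind Module 4 calls ABAC, and the PEP forwards a request to the protected service only on an explicit grant. The resource catalogue, users, devices, and rules are constructed; note that the request's source network is recorded but never earns trust on its own.

```python
"""Zero-trust policy decision and enforcement points (added example)."""
from dataclasses import dataclass, field


@dataclass
class Request:
    user: str
    groups: frozenset
    mfa_verified: bool
    device_managed: bool
    device_patched: bool
    resource: str
    action: str            # "read" or "write"
    source_network: str    # "corp", "vpn", "internet": logged, never trusted


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)


# Constructed resource catalogue: sensitivity drives which attributes are required.
RESOURCES = {
    "wiki":    {"sensitivity": "low",  "groups": {"staff"}},
    "payroll": {"sensitivity": "high", "groups": {"finance"}},
    "prod-db": {"sensitivity": "high", "groups": {"dba"}},
}


def policy_decision_point(req: Request) -> Decision:
    """Evaluate identity + device + context for every request; location alone grants nothing."""
    res = RESOURCES.get(req.resource)
    if res is None:
        return Decision(False, ["unknown resource: default deny"])
    d = Decision(allow=True)
    # Identity: the subject must hold a group entitled to the resource.
    if not (req.groups & res["groups"]):
        d.allow = False
        d.reasons.append("no entitled group")
    # Device: high-sensitivity data only from managed, patched devices.
    if res["sensitivity"] == "high" and not (req.device_managed and req.device_patched):
        d.allow = False
        d.reasons.append("device posture insufficient")
    # Context: writes and high-sensitivity reads require verified MFA.
    if (res["sensitivity"] == "high" or req.action == "write") and not req.mfa_verified:
        d.allow = False
        d.reasons.append("MFA required")
    if d.allow:
        d.reasons.append(f"granted least-privilege {req.action} on {req.resource}")
    return d


def policy_enforcement_point(req: Request, backend) -> str:
    """Intercept the request and call the backend only on an explicit grant."""
    decision = policy_decision_point(req)
    if not decision.allow:
        return "DENY: " + "; ".join(decision.reasons)
    return "ALLOW: " + backend(req)


def fake_backend(req: Request) -> str:
    """Stand-in for the protected service (constructed)."""
    return f"{req.action} {req.resource} for {req.user}"


# Constructed requests. The corp-network request is denied: being "inside" earns nothing.
ON_CORP_UNPATCHED = Request("alice", frozenset({"staff", "finance"}), True, True, False, "payroll", "read", "corp")
FROM_INTERNET_OK = Request("alice", frozenset({"staff", "finance"}), True, True, True, "payroll", "read", "internet")
WIKI_READ_NO_MFA = Request("bob", frozenset({"staff"}), False, False, False, "wiki", "read", "internet")
WIKI_WRITE_NO_MFA = Request("bob", frozenset({"staff"}), False, False, False, "wiki", "write", "corp")

if __name__ == "__main__":
    for r in (ON_CORP_UNPATCHED, FROM_INTERNET_OK, WIKI_READ_NO_MFA, WIKI_WRITE_NO_MFA):
        print(f"{r.user:6s} {r.action:5s} {r.resource:8s} via {r.source_network:8s} -> "
              f"{policy_enforcement_point(r, fake_backend)}")
```

The design choice to notice is that the PDP returns every failing reason rather than stopping at the first, which gives the PEP's logs the context an operations team needs to separate a posture problem from an entitlement problem.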
Checkpoint · Security Architecture Modeling
A security architecture model uses a layered abstraction to relate business drivers down to technical implementation across contextual, conceptual, logical, physical, component, and operational views. Which framework is being described?
Module 3 · Infrastructure & System Security
One official domain, 32% of the exam — the largest. This is where the architecture meets the wire: secure networks, cryptography and PKI, cloud and endpoints, and the resilience that keeps it all running. Invest the most study time here.
3.1 Network Security Architecture
Sound network design starts with network segmentation — zones that stop a breach from spreading. A DMZ isolates public-facing services, an NGFW enforces app- and identity-aware policy, and IDS and IPS provide detection and inline prevention. Secure the traffic itself with IPsec (Layer 3 VPNs) and TLS (application traffic).
1. Untrusted (Internet): Hostile by default — all inbound traffic is suspect.
2. DMZ (screened subnet): Public-facing services (web, email) isolated between two firewalls.
3. Internal network: Corporate systems, segmented by VLAN/subnet with least-privilege flows.
4. Restricted / high-value: Crown-jewel data and systems — microsegmented and tightly monitored.
| Control | Role | Note |
|---|---|---|
| Segmentation / VLANs | Limit lateral movement | Foundation of containment |
| DMZ (screened subnet) | Isolate public services | Between two firewalls |
| NGFW | App/identity-aware filtering | Adds IPS and deep inspection |
| IDS / IPS | Detect / prevent attacks | IDS alerts; IPS blocks inline |
| IPsec VPN | Encrypt IP traffic (Layer 3) | Tunnel or transport mode |
| TLS | Encrypt application traffic | HTTPS; TLS 1.3 current |
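Segmentation is only as good as the inter-zone policy, and the exam's recurring question is whether a design actually limits lateral movement. This added example (not from the study guide) models the four zones above with a default-deny rule set, audits constructed observed flows against it, flags rules that skip a trust level (bypassing the DMZ), and computes which zones a compromised host could reach by chaining permitted rules. The zone names follow the guide; the rules, ports, and sample flows are assumptions.

```python
"""Zone-based segmentation policy check and lateral-movement reach (added example)."""
from collections import deque, namedtuple

Flow = namedtuple("Flow", "src_zone dst_zone port proto")

# Trust ranking, lowest first (constructed ordering matching the guide's zone list).
ZONES = ["untrusted", "dmz", "internal", "restricted"]

# Explicitly permitted cross-zone flows. Anything not listed is denied (default deny).
ALLOWED = frozenset({
    Flow("untrusted", "dmz", 443, "tcp"),        # public web front end
    Flow("dmz", "internal", 5432, "tcp"),        # app tier -> database tier
    Flow("internal", "dmz", 443, "tcp"),         # staff reach the public app
    Flow("internal", "restricted", 443, "tcp"),  # brokered access to crown jewels
})


def is_allowed(flow: Flow, allowed=ALLOWED) -> bool:
    """Default deny: only an explicit rule permits a cross-zone flow.

    Intra-zone traffic is permitted here; microsegmentation would tighten that further.
    """
    if flow.src_zone not in ZONES or flow.dst_zone not in ZONES:
        return False
    if flow.src_zone == flow.dst_zone:
        return True
    return flow in allowed


def audit(flows, allowed=ALLOWED) -> list:
    """Return the observed flows the policy would deny (the ones to investigate)."""
    return [f for f in flows if not is_allowed(f, allowed)]


def zone_skipping_rules(allowed=ALLOWED) -> list:
    """Rules that jump more than one trust level upward (e.g. untrusted -> internal).

    Such rules bypass the DMZ and deserve architectural review.
    """
    return sorted(
        (f for f in allowed if ZONES.index(f.dst_zone) - ZONES.index(f.src_zone) > 1),
        key=lambda f: (f.src_zone, f.dst_zone, f.port),
    )


def reachable_zones(start: str, allowed=ALLOWED) -> set:
    """Zones a foothold in `start` could reach by chaining permitted rules (BFS).

    This ignores ports and authentication; it is a worst-case reachability bound
    that tells the architect where containment actually stops.
    """
    seen = {start}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for rule in allowed:
            if rule.src_zone == zone and rule.dst_zone not in seen:
                seen.add(rule.dst_zone)
                queue.append(rule.dst_zone)
    return seen


# Constructed observed flows, e.g. from firewall logs.
OBSERVED = [
    Flow("untrusted", "dmz", 443, "tcp"),
    Flow("untrusted", "internal", 3389, "tcp"),  # RDP from the internet straight inside
    Flow("dmz", "restricted", 445, "tcp"),       # SMB from the DMZ to crown jewels
    Flow("internal", "internal", 22, "tcp"),
]

if __name__ == "__main__":
    print("Denied flows:", audit(OBSERVED))
    print("Zone-skipping rules:", zone_skipping_rules())
    for z in ZONES:
        print(f"Foothold in {z:10s} can reach: {sorted(reachable_zones(z))}")
```

The reachability output is the sobering part: with the rules above, a foothold in the DMZ can eventually reach the restricted zone through the internal tier, so the DMZ-to-internal rule is where the architect should consider a broker or additional authentication rather than a plain port allowance.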
3.2 Cryptography & PKI
Symmetric encryption (AES) is fast but hard to distribute keys for; asymmetric encryption (RSA, ECC) is slower but solves key exchange and enables signatures. Real systems are hybrid. A digital signature gives integrity, authenticity, and non-repudiation, and all of this trust is managed by a Public Key Infrastructure (PKI).
| Goal | Use this key | Result |
|---|---|---|
| Confidentiality (encrypt for someone) | Recipient's PUBLIC key | Only the recipient's private key can decrypt |
| Authenticity (sign a message) | Sender's PRIVATE key | Anyone can verify with the sender's public key |
| Integrity | Hash function (no key) | A changed message produces a different digest |
The architect also designs the key management lifecycle — generation, distribution, storage, rotation, and destruction — often anchored by a Hardware Security Module (HSM) to keep private keys off general-purpose hosts. Build in crypto-agility so algorithms can be swapped as standards (including post-quantum) evolve.
3.3 Cloud, Endpoint & Resilience
In the cloud, the shared responsibility model sets who secures what — and the customer’s share shrinks from IaaS to SaaS. Endpoints need layered protection (hardening, EDR, encryption, patching), and media reaching end of life must defeat data remanence through proper media sanitization.[8]
Resilience is an architecture property: design with redundancy, clustering, and load balancing, and eliminate every single point of failure (SPOF). Backups (full, incremental, differential) and recovery sites (hot, warm, cold) round out the design.
| Concept | Detail |
|---|---|
| IaaS | Customer manages OS upward; provider manages the infrastructure |
| PaaS | Customer manages apps/data; provider manages the platform |
| SaaS | Provider manages most of the stack; customer still owns data and access |
| Hot site | Fully equipped, near-real-time failover — fastest, most expensive |
| Warm site | Hardware ready, data restored on demand — moderate cost/speed |
| Cold site | Space with power/cooling only — cheapest, slowest |
| Media sanitization | Clear (reuse), Purge (release externally), Destroy (NIST SP 800-88) |
Checkpoint · Infrastructure & System Security
An architect is designing network segmentation for an enterprise. Which approach best limits lateral movement after an endpoint compromise?
Module 4 · Identity & Access Management (IAM) Architecture
One official domain, 25% of the exam — the second-largest. This domain is about designing how identities are established, proven, authorized, federated, and governed across their lifecycle.
4.1 Authentication & Access Control
Access control is a four-step sequence: identification (claim an identity) → authentication (prove it) → authorization (what you may do) → accountability (log it). Strong authentication means multi-factor authentication (MFA) — factors from different categories (know, have, are).[7] Authorization is enforced through access control models.
- DAC — Discretionary: The data owner decides who gets access (e.g., file permissions, ACLs). Flexible but error-prone.
- MAC — Mandatory: The system enforces access from labels/clearances (e.g., classified data). Rigid and high-security.
- RBAC — Role-Based: Access is granted by job role, not the individual. Scales well in enterprises.
- ABAC — Attribute-Based: Access decided by attributes/policy (user, resource, time, location). The most granular; central to zero trust.
- Rule-Based: Global rules applied to everyone (e.g., a firewall ruleset, time-of-day restrictions).
| Factor | Type | Examples |
|---|---|---|
| Something you know | Knowledge | Password, PIN, passphrase |
| Something you have | Possession | Smart card, hardware token, phone |
| Something you are | Inherence (biometric) | Fingerprint, iris, face |
4.2 Federation & Identity Lifecycle
Enterprises tie identity together with single sign-on (SSO) and federated identity. Know the protocols by purpose: SAML (web SSO/federation), OAuth 2.0 (delegated authorization), and OpenID Connect (authentication on top of OAuth). On a network, Kerberos provides ticket-based SSO.
| Protocol | Purpose | Issues |
|---|---|---|
| SAML | Web SSO and federation | XML authentication/authorization assertions |
| OAuth 2.0 | Delegated authorization (not authentication) | Access token (what an app may do) |
| OpenID Connect | Authentication on top of OAuth 2.0 | ID token (who the user is) |
| Kerberos | Ticket-based network SSO | Tickets via a KDC; needs time sync |
Identity is governed across its lifecycle — provisioning, modification, and de-provisioning — and the architect adds Privileged Access Management (PAM) with just-in-time (JIT) access for administrators and access recertification to remove access creep.
- Joiner — Provision: Create the identity and grant least-privilege access matched to the role.
- Mover — Modify: Adjust access on role change; remove now-unneeded rights to prevent access creep.
- Leaver — De-provision: Promptly disable the identity and revoke all access on departure.
Checkpoint · IAM Architecture
An architect is designing identity federation between an enterprise IdP and a SaaS provider. Which protocol is most commonly used for browser-based SSO assertions in enterprise settings?
How to Use This ISSAP Study Guide
This guide is built to be worked, not just read. The most efficient path to a pass:
- Study by weight. Infrastructure & System Security is the largest domain (32%) and IAM Architecture the second (25%) — invest there first, but cover all four.
- Think like an architect. ISSAP questions ask which design best satisfies a set of business, risk, and compliance requirements — not just which control is technically valid.
- Check off as you go. Use the Study Guide Contents to mark each section done; it raises your exam-readiness score.
- Take every checkpoint. The end-of-module quizzes show you exactly which domains need another pass.
- Drill the weak domain. Send your weak area into the flashcards and a practice test until the score climbs comfortably above 700.
ISSAP Concept Questions
Common ISSAP concepts candidates search while studying — each answered briefly and backed by an official source. Test yourself, then drill them as flashcards.
ISSAP Glossary
The high-yield ISSAP terms in one place — hover any dotted term in the guide, or flip the whole deck here as a self-grading flashcard set.
- Access recertification
- Periodic review where managers attest that each user's access is still appropriate, removing excess privilege.
- Accountability
- Tying actions back to a specific identity through logging and monitoring.
- Annualized Loss Expectancy (ALE)
- The expected yearly cost of a risk: ALE = SLE × ARO. Used to cost-justify controls.
- Annualized Rate of Occurrence (ARO)
- The expected number of times a specific risk event will occur in one year.
- Asymmetric encryption
- Encryption using a public/private key pair (e.g., RSA, ECC); solves key exchange and enables digital signatures.
- Attack surface
- The sum of all points where an attacker can attempt to enter, extract data, or affect a system; good architecture minimizes it.
- Attribute-based access control (ABAC)
- Access decided by attributes and policy (user, resource, time, location); the most granular and context-aware.
- Authentication
- Proving a claimed identity with a credential (knowledge, possession, or inherence factor).
- Authorization
- Determining what an authenticated identity is permitted to access and do.
- Bell-LaPadula model
- A confidentiality model: Simple Security Property (no read up) and *-Property (no write down) — 'no read up, no write down.'
- Biba model
- An integrity model: Simple Integrity Axiom (no read down) and *-Integrity Axiom (no write up) — 'no read down, no write up.'
- Clark-Wilson model
- An integrity model enforcing well-formed transactions and separation of duties through the access triple (subject-program-object).
- Compliance
- Adherence to laws, regulations, standards, and contractual obligations the architecture must demonstrably support (e.g., GDPR, HIPAA, PCI DSS).
- Control traceability matrix
- An artifact mapping each requirement to the specific architectural controls that satisfy it, giving auditors a direct line of evidence.
- Crypto-agility
- Designing systems so cryptographic algorithms and keys can be replaced quickly as standards evolve or weaknesses emerge.
- Data remanence
- Residual data that remains on media after deletion or formatting and may be recoverable.
- Data residency
- A requirement that data be stored and processed within a specific jurisdiction; the architect designs storage and replication to satisfy it.
- Defense in depth
- Layering multiple, overlapping controls so that if one fails, others still protect the asset.
- Digital signature
- A hash of a message encrypted with the sender's private key, providing integrity, authenticity, and non-repudiation.
- Discretionary access control (DAC)
- Access decided by the data owner (e.g., file permissions, ACLs).
- DMZ
- A screened subnet between the internet and the internal network that hosts public-facing services, isolating them from internal assets.
- Due care
- Acting on due diligence by implementing and maintaining reasonable controls — what a prudent person would do.
- Due diligence
- Doing the research and developing the plans and policies needed to protect the organization — the homework before acting.
- Fail-secure
- On failure, the system denies access (fail-closed) to protect data; contrast with fail-safe (fail-open) to protect life and safety.
- Federated identity
- Trust established across organizations so a user authenticated by their home identity provider can access a partner's resources.
- Hardware Security Module (HSM)
- A tamper-resistant hardware device that generates, stores, and uses cryptographic keys, keeping private keys off general-purpose systems.
- High availability
- Designing redundancy (clustering, load balancing, failover) so services remain available despite component failures.
- Identification
- A subject claiming an identity (e.g., a username) — the first step of access control.
- IDS vs. IPS
- An IDS detects and alerts on malicious activity out of band; an IPS sits inline and can actively block it.
- IPsec
- A Layer 3 protocol suite securing IP traffic; AH provides integrity/authentication, ESP adds confidentiality, with tunnel or transport mode.
- ISO/IEC 27001
- The international standard for an Information Security Management System (ISMS) — a risk-based framework for establishing and improving security.
- ISSAP
- Information Systems Security Architecture Professional — an ISC2 CISSP concentration validating the design of security solutions and enterprise security architecture.
- Just-in-time (JIT) access
- Granting elevated privileges only for the moment and duration needed, then revoking them to limit standing privilege.
- Kerberos
- A symmetric-key SSO authentication protocol using tickets and a Key Distribution Center (KDC); it requires time synchronization.
- Least privilege
- Granting users, processes, and systems only the minimum access needed to do their job, and nothing more.
- Mandatory access control (MAC)
- Access enforced by the system from labels and clearances; rigid and high-security.
- Media sanitization
- Removing data from media via clearing, purging, or destruction so it cannot be recovered (NIST SP 800-88).
- Microsegmentation
- Dividing a network into granular, individually policed zones (often per-workload) so lateral movement is contained.
- Multi-factor authentication (MFA)
- Using two or more factors from different categories — something you know, have, and are.
- Network segmentation
- Dividing a network into zones (VLANs, subnets) so a compromise in one zone cannot freely reach others.
- NGFW
- Next-generation firewall — integrates deep packet inspection, application awareness, intrusion prevention, and user identity into one policy point.
- OAuth 2.0
- An authorization framework that grants an app delegated, scoped access to a resource via tokens; it is not an authentication protocol.
- OpenID Connect (OIDC)
- An identity layer on top of OAuth 2.0 that adds authentication via an ID token, enabling federated login for apps and APIs.
- Policy Decision Point (PDP)
- The component (policy engine and administrator) that decides whether to grant access based on policy and context in a zero-trust design.
- Policy Enforcement Point (PEP)
- The component that enforces the PDP's decision, allowing or blocking the subject's connection to the resource.
- Privacy by design
- Embedding privacy protections into the architecture from the start — data minimization, restrictive defaults, end-to-end security — rather than bolting them on later.
- Privileged Access Management (PAM)
- Controls that secure, monitor, and rotate privileged credentials, often with vaulting, session recording, and just-in-time access.
- Public Key Infrastructure (PKI)
- The framework of certificate authorities, certificates, and policies that manages public keys and trust.
- Reference architecture
- A reusable, standardized template of proven patterns and controls that guides consistent solution designs across the enterprise.
- Reference monitor
- The abstract concept that mediates all access between subjects and objects; it must be tamperproof, always invoked, and verifiable.
- Residual risk
- The risk that remains after controls are applied; senior management formally accepts it.
- Risk
- The likelihood that a threat will exploit a vulnerability, and the resulting impact on an asset.
- Risk appetite
- The amount and type of risk an organization is willing to pursue or retain in pursuit of its objectives.
- Role-based access control (RBAC)
- Access granted by job role rather than the individual; scales well in enterprises.
- SABSA
- Sherwood Applied Business Security Architecture — a business-driven, risk-focused framework that builds security architecture top-down through a layered matrix.
- SAML
- Security Assertion Markup Language — an XML standard for exchanging authentication and authorization assertions, used for web SSO and federation.
- Security architecture
- A unified design describing the structure, behavior, and relationships of an organization's security controls so they coherently meet business, risk, and compliance requirements.
- Security model
- A formal statement of the rules a system enforces (e.g., Bell-LaPadula, Biba) that turns a policy into enforceable access rules.
- Separation of duties
- Splitting a sensitive task so no single person can complete it alone, reducing fraud and error.
- Shared responsibility model
- A division where the cloud provider secures the cloud (infrastructure) and the customer secures what they put in it — scope shifts across IaaS, PaaS, and SaaS.
- Single Loss Expectancy (SLE)
- The expected monetary loss from a single occurrence of a risk: SLE = Asset Value × Exposure Factor.
- Single point of failure (SPOF)
- A component whose failure would stop the whole system; the architect eliminates SPOFs through redundancy.
- Single sign-on (SSO)
- One authentication that grants access to multiple systems, improving usability while centralizing control.
- STRIDE
- A threat taxonomy: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege.
- Symmetric encryption
- Encryption using one shared secret key for both encrypting and decrypting (e.g., AES); fast, but key distribution is hard.
- Threat modeling
- Systematically identifying and prioritizing threats against a design so countermeasures can be built in before build (e.g., using STRIDE).
- TLS
- Transport Layer Security — protects application traffic (HTTPS) with authentication, confidentiality, and integrity; TLS 1.3 is current.
- TOGAF
- The Open Group Architecture Framework — a method (the ADM) and structure for developing and governing enterprise architecture across business, data, application, and technology layers.
- Trust boundary
- A line in an architecture across which trust level changes; controls (validation, authentication, encryption) are concentrated here.
- Trusted Computing Base (TCB)
- The totality of hardware, software, and firmware that enforces a system's security policy.
- Zachman Framework
- An enterprise-architecture taxonomy organizing artifacts in a matrix of perspectives against the interrogatives What, How, Where, Who, When, and Why.
- Zero trust architecture
- A model that assumes no implicit trust by network location; every request is continuously verified by identity, device, and context (NIST SP 800-207).
ISSAP Study Guide FAQ
The CISSP-ISSAP exam has 125 questions and a 3-hour time limit. It uses multiple choice plus advanced innovative item types and is delivered at Pearson VUE test centers.
From the current ISC2 outline: Governance, Risk, and Compliance (GRC) at 21%, Security Architecture Modeling at 22%, Infrastructure and System Security at 32% (the largest), and Identity and Access Management (IAM) Architecture at 25%.
You need a scaled score of 700 out of 1000 points to pass. The scaled score normalizes for differences between exam forms, so it does not translate directly to a raw question percentage.
You must hold an active CISSP in good standing and have at least two years of cumulative, paid, full-time experience in one or more of the four ISSAP domains. ISSAP is a CISSP concentration, so CISSP is a prerequisite.
Study by weight. Infrastructure and System Security is the largest domain (32%), so invest most there, but cover all four. Read each module, take the checkpoint, then drill gaps with our free practice test and flashcards.
The ISSAP exam fee is about $599 USD. As an active ISC2 member you also pay a single annual maintenance fee (currently $135) that covers your CISSP and concentrations together.
The ISSAP is challenging because it tests design judgment, not just recall: questions ask which architecture or control best satisfies a set of business, risk, and compliance requirements. It assumes CISSP-level breadth and adds depth in architecture, infrastructure, and IAM.
The ISSAP is issued by ISC2 and delivered at Pearson VUE. This study guide, the checkpoints, the glossary, the practice test, and the flashcards are 100% free with no account required.
References
1. ISC2. “ISSAP Certification Exam Outline.” isc2.org.
2. ISC2. “ISSAP — Information Systems Security Architecture Professional.” isc2.org.
3. ISC2. “ISC2 Code of Ethics.” isc2.org.
4. National Institute of Standards and Technology. “SP 800-30 Rev. 1: Guide for Conducting Risk Assessments.” csrc.nist.gov.
5. National Institute of Standards and Technology. “SP 800-53 Rev. 5: Security and Privacy Controls.” csrc.nist.gov.
6. National Institute of Standards and Technology. “SP 800-207: Zero Trust Architecture.” csrc.nist.gov.
7. National Institute of Standards and Technology. “SP 800-63: Digital Identity Guidelines.” csrc.nist.gov.
8. National Institute of Standards and Technology. “SP 800-88 Rev. 1: Guidelines for Media Sanitization.” csrc.nist.gov.
9. International Organization for Standardization. “ISO/IEC 27001 — Information Security Management Systems.” iso.org.
10. The Open Group. “TOGAF Standard.” opengroup.org.
101. OWASP Foundation. “Threat Modeling Process.” owasp.org, accessed 21 June 2026.
102. National Institute of Standards and Technology (NIST). “Cryptographic Standards and Guidelines.” csrc.nist.gov, accessed 21 June 2026.
103. National Institute of Standards and Technology (NIST). “SP 800-145: The NIST Definition of Cloud Computing.” csrc.nist.gov, accessed 21 June 2026.
104. National Institute of Standards and Technology (NIST). “SP 800-94: Guide to Intrusion Detection and Prevention Systems.” csrc.nist.gov, accessed 21 June 2026.
105. National Institute of Standards and Technology (NIST). “SP 800-63C: Federation and Assertions.” csrc.nist.gov, accessed 21 June 2026.
106. National Institute of Standards and Technology (NIST). “SP 800-162: Guide to Attribute Based Access Control (ABAC).” csrc.nist.gov, accessed 21 June 2026.