Career Employer

FREE ISSEP Study Guide 2026: All 5 Domains

The most important things the CISSP-ISSEP tests — an interactive study guide with built-in quizzes and flashcards, organized by all 5 ISC2 domains.

This free ISSEP study guide walks through every content domain the CISSP-ISSEP (Information Systems Security Engineering Professional) exam tests, organized to the current ISC2 exam outline.[1]

It’s interactive, not a wall of text: every module has built-in checkpoint quizzes, flashcards, and practice questions, so you learn by doing — not just reading.

ISSEP is a CISSP concentration for engineers: it goes deep on building security into systems and projects across the entire system life cycle, leaning heavily on NIST SP 800-160 systems security engineering and the Risk Management Framework (RMF). We teach all five official domains as five study modules and lead with the heaviest-weighted content.

Read a module, test yourself at each checkpoint, then drill gaps with our free practice test and flashcards. This guide is a high-yield overview that maps the official content — not a full engineering textbook.

ISSEP is one of the 9 ISC2 certifications — explore our ISC2 study guides to compare and prep across the whole family.

ISSEP Exam Snapshot

CISSP-ISSEP exam at a glance

Detail | ISSEP Exam
Questions | 125 multiple-choice items
Format | Linear, fixed-form (not adaptive)
Time | 3 hours
Passing score | 700 out of 1000 points (scaled)
Administered by | ISC2, delivered at Pearson VUE
Certifying body | ISC2 (formerly (ISC)²)
Prerequisite | Hold a CISSP in good standing
Experience | 2 years cumulative paid work in 1+ ISSEP domain
Cost | $599 USD (confirm current pricing on isc2.org)
Type | CISSP concentration (systems security engineering focus)

ISSEP has five domains. The weights are uneven, and the two engineering domains — Foundations (24%) and Security Planning & Engineering (22%) — together make up nearly half the exam, so that is where to invest first.[2] Study by weight:

ISSEP weighting by domain (ISC2 exam outline)

Domain | Name | Weight
Domain 1 | Systems Security Engineering Foundations | 24%
Domain 3 | Security Planning & Engineering | 22%
Domain 2 | Risk Management | 20%
Domain 4 | Implementation, Verification & Validation | 20%
Domain 5 | Secure Operations, Change Mgmt & Disposal | 14%

Module 1 · Systems Security Engineering Foundations

One official domain, 24% of the exam — the largest. This domain is the conceptual bedrock of ISSEP: what systems security engineering is, what it means for a system to be trustworthy, and the design principles that make security work. Master it and the rest of the exam follows.

1.1 What Systems Security Engineering Is

Systems security engineering (SSE) applies engineering discipline to build trustworthy systems that satisfy stakeholders’ protection needs — what must be protected and the losses to avoid. The foundational reference is NIST SP 800-160 Vol. 1, which adapts the life-cycle processes of ISO/IEC/IEEE 15288 to security.[3] The key idea: security is engineered into a system from concept onward, never bolted on after fielding.

Everything traces back to a need. Protection needs come from the mission and the assets that support it, and every security requirement must trace back to one — a discipline called requirements traceability.

1.2 Trustworthiness, Assurance & the TCB

ISSEP draws a sharp line between trust and trustworthiness. Trust is a willingness to depend on a system; trustworthiness is the demonstrated, evidence-based property that justifies that trust. You build trustworthiness with assurance — grounds for confidence — captured in an assurance case: a structured argument, backed by evidence, that the security claims hold.

Underneath, the reference monitor mediates every access between subjects and objects. To be effective it must be tamperproof, always invoked (complete mediation), and small enough to verify. It is implemented by the security kernel within the trusted computing base (TCB) — the totality of mechanisms that enforce the security policy.

The reference monitor's three required properties

Property | Meaning
Tamperproof | It cannot be altered or bypassed by subjects
Always invoked | Every access is mediated (complete mediation), with no bypass paths
Verifiable | Small and simple enough to be analyzed and proven correct
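The following is an added illustration, not code from this guide or from NIST SP 800-160: a toy reference monitor in Python with a constructed three-level labelling scheme and a simplified "no read up, no write down" policy. It shows two of the three properties in code: every access path in the store calls the monitor (always invoked), and the decision logic is small enough to be checked exhaustively (verifiable). Tamperproofness is the property the hardware and kernel must supply; a Python object cannot enforce it, so that part is only noted in the comments.

```python
"""Toy reference monitor that exhibits the 'always invoked' and 'verifiable'
properties. Added example; subjects, objects, levels and policy are constructed."""
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    SECRET = 2


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Level


@dataclass(frozen=True)
class Obj:
    name: str
    classification: Level


@dataclass
class ReferenceMonitor:
    """The decision point. Deliberately tiny so it can be verified; in a real
    system it lives in the security kernel, where subjects cannot tamper with it."""
    audit: list = field(default_factory=list)

    def authorize(self, subject: Subject, obj: Obj, op: str) -> bool:
        if op == "read":
            allowed = subject.clearance >= obj.classification  # no read up
        elif op == "write":
            allowed = subject.clearance <= obj.classification  # no write down
        else:
            allowed = False  # unknown operations are denied by default
        self.audit.append((subject.name, op, obj.name, allowed))
        return allowed


class Store:
    """Holds objects. Every subject-facing access path calls the monitor first
    (complete mediation); no public method reaches _data without a decision."""

    def __init__(self, monitor: ReferenceMonitor):
        self._rm = monitor
        self._data: dict = {}

    def create(self, obj: Obj, content: str) -> None:
        # Object creation is treated as an administrative act outside the policy.
        self._data[obj.name] = (obj, content)

    def read(self, subject: Subject, name: str) -> str:
        obj, content = self._data[name]
        if not self._rm.authorize(subject, obj, "read"):
            raise PermissionError(f"{subject.name} may not read {name}")
        return content

    def write(self, subject: Subject, name: str, content: str) -> None:
        obj, _ = self._data[name]
        if not self._rm.authorize(subject, obj, "write"):
            raise PermissionError(f"{subject.name} may not write {name}")
        self._data[name] = (obj, content)


def verify_policy() -> bool:
    """'Verifiable' in practice: the decision logic is small enough that every
    (clearance, classification, operation) combination can be checked exhaustively."""
    rm = ReferenceMonitor()
    for clearance in Level:
        for classification in Level:
            s, o = Subject("s", clearance), Obj("o", classification)
            if rm.authorize(s, o, "read") and clearance < classification:
                return False  # a read-up slipped through
            if rm.authorize(s, o, "write") and clearance > classification:
                return False  # a write-down slipped through
            if rm.authorize(s, o, "execute"):
                return False  # an unknown operation was allowed
    return True


if __name__ == "__main__":
    rm = ReferenceMonitor()
    store = Store(rm)
    store.create(Obj("plan", Level.SECRET), "deployment plan")
    print(store.read(Subject("alice", Level.SECRET), "plan"))
    try:
        store.read(Subject("bob", Level.PUBLIC), "plan")
    except PermissionError as e:
        print("denied:", e)
    print("policy verified:", verify_policy(), "audit entries:", len(rm.audit))
```

The audit list is the evidence trail an assurance case would point to: every decision, allowed or denied, is recorded because there is no path around the monitor.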

1.3 Security Design Principles

A handful of timeless principles guide secure design. Defense in depth layers diverse, overlapping controls so one failure doesn’t expose the asset. Least privilege grants only the minimum access needed; separation of duties splits sensitive tasks; and economy of mechanism keeps mechanisms simple enough to verify.[3]

Core security design principles

Principle | What it means
Defense in depth | Layer diverse, overlapping controls so one failure doesn't compromise the asset
Least privilege | Grant only the minimum access and capability needed to do the job
Separation of duties | Split a sensitive task so no one person can complete it alone
Complete mediation | Check every access against the policy on every request
Economy of mechanism | Keep mechanisms simple and small enough to analyze and verify
Open design | Don't rely on the secrecy of the design (no security through obscurity)

Checkpoint · Systems Security Engineering Foundations

Question 1 of 10

Within the systems security engineering (SSE) process described in NIST SP 800-160 Vol. 1, the primary purpose of defining the 'protection needs' early in the life cycle is to:

Module 2 · Risk Management

One official domain, 20% of the exam. This is where ISSEP meets the federal Risk Management Framework (RMF) — how a system is categorized, how controls are selected and assessed, and how an authorizing official (AO) grants an Authorization to Operate (ATO).

2.1 The Risk Management Framework (RMF)

The RMF has seven steps: Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor. Each step produces evidence that flows into the authorization decision.[5]

2.2 Categorization, Controls & the ATO

Categorization starts with FIPS 199: rate the potential impact (low, moderate, high) for confidentiality, integrity, and availability. The system’s overall level uses the high-water mark — the highest of the three. FIPS 200 then mandates selecting an appropriate control baseline from NIST SP 800-53, which you refine through control tailoring.[11]

Assessment produces a Security Assessment Report (SAR). Together with the System Security Plan (SSP) and the Plan of Action and Milestones (POA&M), it forms the authorization package the AO reviews to accept residual risk.
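The categorization step above is mechanical enough to script. The block below is an added example, not code from this guide or from NIST: it applies the FIPS 199 procedure to a constructed set of information types (per objective, take the highest impact across all information types on the system; then take the highest objective as the overall level), handles the one "not applicable" case FIPS 199 permits (confidentiality of public information, and only at the information-type level), renders the FIPS 199 "SC" notation, and names the SP 800-53 baseline FIPS 200 points to. Real information types and their ratings come from the system's own impact analysis, not from this sample.

```python
"""FIPS 199 security categorization with the high-water mark rule.
Added example; the information types and ratings are constructed."""
IMPACT_ORDER = {"low": 0, "moderate": 1, "high": 2}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed sample: information types resident on one system.
# "n/a" is permitted by FIPS 199 only for the confidentiality of public
# information; no other objective may be rated "n/a".
SAMPLE_INFO_TYPES = {
    "public web content":   {"confidentiality": "n/a",      "integrity": "low",      "availability": "low"},
    "employee records":     {"confidentiality": "moderate", "integrity": "moderate", "availability": "low"},
    "maintenance schedule": {"confidentiality": "low",      "integrity": "high",     "availability": "moderate"},
}


def _highest(levels):
    return max(levels, key=IMPACT_ORDER.__getitem__)


def validate_info_type(name, ratings):
    """Reject ratings FIPS 199 does not allow."""
    for objective in OBJECTIVES:
        value = ratings.get(objective)
        if value == "n/a" and objective == "confidentiality":
            continue
        if value not in IMPACT_ORDER:
            raise ValueError(f"{name}: {objective} must be low/moderate/high, got {value!r}")


def categorize_system(info_types):
    """Return (per-objective levels, overall level) for the whole system."""
    for name, ratings in info_types.items():
        validate_info_type(name, ratings)
    per_objective = {}
    for objective in OBJECTIVES:
        rated = [r[objective] for r in info_types.values() if r[objective] != "n/a"]
        # At the system level FIPS 199 does not allow "n/a": a system holding only
        # public information still carries at least a low confidentiality impact.
        per_objective[objective] = _highest(rated) if rated else "low"
    overall = _highest(per_objective.values())
    return per_objective, overall


def security_category(info_types):
    """Render the FIPS 199 notation, e.g.
    SC system = {(confidentiality, MODERATE), (integrity, HIGH), (availability, MODERATE)}"""
    per_objective, _ = categorize_system(info_types)
    parts = ", ".join(f"({o}, {per_objective[o].upper()})" for o in OBJECTIVES)
    return "SC system = {" + parts + "}"


def select_baseline(info_types):
    """FIPS 200 ties the NIST SP 800-53 baseline to the overall (high-water) level."""
    _, overall = categorize_system(info_types)
    return f"NIST SP 800-53 {overall} baseline"


if __name__ == "__main__":
    print(security_category(SAMPLE_INFO_TYPES))
    print(select_baseline(SAMPLE_INFO_TYPES))
```

Note the exam-relevant detail the sample exposes: one high-integrity information type drags the whole system to the high baseline even though every other rating is low or moderate. That is the high-water mark doing its job, and it is why tailoring (scoping, overlays) matters afterwards.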

2.3 Three Tiers, Treatment & Supply-Chain Risk

Risk is managed at three levels. The three-tier risk model of NIST SP 800-39 runs from the organization (Tier 1, governance and risk tolerance) to mission/business processes (Tier 2) to the information system (Tier 3, the RMF).[6]

For any assessed risk you pick a risk treatment: accept, avoid, mitigate, or transfer/share — judged against the organization’s risk tolerance. And because modern systems depend on suppliers, supply chain risk management (SCRM, NIST SP 800-161) manages the risk from components and services — counterfeit parts, tampering, and untrusted code.[12]

The four risk treatment options

Treatment | What you do | Example
Mitigate (reduce) | Add controls to lower likelihood or impact | Deploy MFA to reduce account takeover
Transfer/share | Shift the financial impact to a third party | Buy cyber-insurance
Avoid | Stop the activity that creates the risk | Drop a risky feature
Accept | Formally tolerate the residual risk | The AO signs off on a low-impact risk

Checkpoint · Risk Management

Question 1 of 10

Under the NIST Risk Management Framework (RMF), 'categorize' (the first step) requires the ISSEP to:

Module 3 · Security Planning and Engineering

One official domain, 22% of the exam — the second largest. This module is the heart of the engineering work: turning protection needs into requirements, shaping a security architecture, and designing for cyber resiliency against capable adversaries.

3.1 From Protection Needs to Requirements

Requirements are how protection needs become buildable. ISSEP distinguishes functional from assurance requirements: functional requirements state what a control must do; assurance requirements state the evidence needed to trust that it does it. Both must be verifiable and tied back to a need.[3]

Functional vs. assurance requirements

Type | Answers | Example
Functional | What must the control do? | Encrypt data at rest with an approved algorithm
Assurance | How do we know it does it? | Independent testing and design evidence to a defined rigor

3.2 Security Architecture & Design

A security architecture positions controls and components to satisfy the requirements while shrinking the attack surface. Good design is informed by threat modeling — systematically identifying and prioritizing threats during design (e.g., with STRIDE or attack trees) so controls target real attack paths, not guesses.

3.3 Cyber Resiliency & Zero Trust

Capable adversaries will get in, so modern systems are engineered for cyber resiliency: the ability to anticipate, withstand, recover, and adapt (the four resiliency goals) using techniques like redundancy, diversity, and segmentation (NIST SP 800-160 Vol. 2).[4] A complementary model is zero trust architecture — assume no implicit trust and verify every request on identity, device, and context before granting least-privilege access.

The four cyber-resiliency goals

Goal | What it means
Anticipate | Maintain readiness for adversity and prepare to limit its impact
Withstand | Continue essential mission functions during an attack or compromise
Recover | Restore mission functions after a disruption
Adapt | Change in response to threat trends and lessons learned

Checkpoint · Security Planning and Engineering

Question 1 of 10

An ISSEP is asked to apply 'least privilege' at the architectural level. The most architecturally sound application is to:

Module 4 · Implementation, Verification & Validation

One official domain, 20% of the exam. This module is about proving the engineered security actually works — building it, then verifying and validating it through testing and assessment up to the authorization decision.

4.1 Verification vs. Validation

The most-tested distinction here is verification vs. validation. Verification confirms the system meets its specified requirements (“did we build the system right?”); validation confirms it satisfies stakeholder needs in the operational environment (“did we build the right system?”).[3] When the team must be independent of development, it’s called independent verification and validation (IV&V).

Verification vs. validation

Activity | Question it answers | Measured against
Verification | Did we build the system right? | The specified security requirements
Validation | Did we build the right system? | Stakeholder needs and intended operational use

4.2 Testing, Assessment & Authorization

Evidence comes from testing. A vulnerability scan finds known weaknesses automatically; a penetration test actively exploits weaknesses to prove impact under written rules of engagement. Security test and evaluation (ST&E) confirms controls meet requirements before authorization, and products can be evaluated against the Common Criteria (ISO/IEC 15408).

Assessment activities compared

Activity | What it does | Notes
Vulnerability scan | Finds known weaknesses automatically | Frequent, low-risk, no exploitation
Penetration test | Exploits weaknesses to prove impact | Authorized; rules of engagement required
Security test & evaluation (ST&E) | Confirms controls meet requirements | Feeds the SAR and authorization
Common Criteria evaluation | Rates product assurance (EAL1–7) | Against a protection profile / security target

Checkpoint · Implementation, Verification & Validation

Question 1 of 10

In secure system implementation, 'secure configuration' should be derived from:

Module 5 · Secure Operations, Change Management & Disposal

One official domain, 14% of the exam. A system’s risk posture keeps changing after it’s fielded, so this module covers running it securely, controlling change, and disposing of it safely at end of life.

5.1 Secure Operations & Continuous Monitoring

Once a system operates, continuous monitoring (ISCM, NIST SP 800-137) maintains ongoing awareness of security, vulnerabilities, and threats so risk decisions stay current — replacing periodic, point-in-time reviews.[9] This is the RMF’s Monitor step in action, and it enables ongoing authorization rather than fixed reauthorization cycles.

5.2 Configuration & Change Management

Configuration management (CM) identifies and controls a system’s components and their changes against a baseline configuration. Every proposed change runs through change management, where a security impact analysis (SIA) determines how the change affects the security state before a Change Control Board (CCB) approves it.
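To make the baseline-versus-change-control relationship concrete, here is an added example (not code from this guide or from any NIST publication) that compares a fielded system's reported configuration against its controlled baseline. The baseline, the current state and the CCB change records are all constructed. Each difference is either traceable to an approved change request, which is how a baseline legitimately moves, or it is unauthorized drift that bypassed change management and must go through a security impact analysis before the baseline is updated or the change is reverted.

```python
"""Baseline-configuration drift check with change-control reconciliation.
Added example; every value below is constructed for illustration."""

# Constructed: the approved baseline configuration (a snapshot under CM control).
BASELINE = {
    "sshd.PermitRootLogin": "no",
    "sshd.PasswordAuthentication": "no",
    "firewall.default_policy": "deny",
    "pkg.openssl": "3.0.13",
}

# Constructed: what the system reports today.
CURRENT = {
    "sshd.PermitRootLogin": "yes",
    "sshd.PasswordAuthentication": "no",
    "firewall.default_policy": "deny",
    "pkg.openssl": "3.0.14",
    "ntp.server": "time.example.internal",
}

# Constructed: CCB-approved change requests keyed by (item, old value, new value).
APPROVED_CHANGES = {
    ("pkg.openssl", "3.0.13", "3.0.14"): "CR-0042",
}


def detect_drift(baseline, current, approved):
    """Return one finding per configuration item that differs from the baseline,
    marked 'approved' when a matching change request exists, else 'unauthorized'."""
    findings = []
    for item in sorted(set(baseline) | set(current)):
        before, after = baseline.get(item), current.get(item)
        if before == after:
            continue
        change_request = approved.get((item, before, after))
        findings.append({
            "item": item,
            "baseline": before,   # None means the item was not in the baseline
            "current": after,     # None means the item has been removed
            "status": "approved" if change_request else "unauthorized",
            "change_request": change_request,
        })
    return findings


def items_needing_sia(findings):
    """Unauthorized changes bypassed change management; each needs a security
    impact analysis before the baseline is updated or the change is reverted."""
    return [f["item"] for f in findings if f["status"] == "unauthorized"]


if __name__ == "__main__":
    for f in detect_drift(BASELINE, CURRENT, APPROVED_CHANGES):
        print(f"{f['status']:12} {f['item']}: {f['baseline']!r} -> {f['current']!r} {f['change_request'] or ''}")
    print("needs SIA:", items_needing_sia(detect_drift(BASELINE, CURRENT, APPROVED_CHANGES)))
```

Run periodically, this is the kind of check continuous monitoring feeds on: the approved openssl update is reconciled automatically, while the root-login change and the new NTP server surface as drift for analysis.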

5.3 Secure Disposal & Retirement

At end of life, a system must be retired securely. Media sanitization (NIST SP 800-88) eliminates data remanence with three levels — Clear (overwrite for reuse), Purge (degauss/cryptographic erase to release externally), and Destroy (shred/incinerate) — matched to data sensitivity.[10] Secure disposal also means destroying cryptographic keys and documenting the disposition.

NIST SP 800-88 sanitization levels

Level | What it does | Use when
Clear | Overwrite to resist simple recovery | Reusing media inside the organization
Purge | Degauss or cryptographic erase | Releasing media outside the organization
Destroy | Shred, pulverize, or incinerate | Most sensitive data; media not reused

Checkpoint · Secure Operations, Change Management & Disposal

Question 1 of 10

During secure operations, the principal value of continuous monitoring is to:

How to Use This ISSEP Study Guide

This guide is built to be worked, not just read. The most efficient path to a pass:

  • Study by weight. Lead with the two engineering domains — Foundations (24%) and Security Planning & Engineering (22%) — which together are nearly half the exam.
  • Think like an engineer, life-cycle first. ISSEP rewards answers that trace to stakeholder protection needs and span the whole life cycle, not a single product or quick fix.
  • Anchor on the frameworks. Know NIST SP 800-160 (SSE), the RMF (SP 800-37), the three tiers (SP 800-39), and the supporting publications cold.
  • Check off as you go. Use the Study Guide Contents to mark each section done; it raises your exam-readiness score.
  • Drill the weak domain. Send your weak area into the flashcards and a practice test until the score climbs comfortably above 700.

ISSEP Concept Questions

Common CISSP-ISSEP concepts candidates search while studying — each answered briefly and backed by an official source. Test yourself, then drill them as flashcards.

ISSEP Glossary

The high-yield ISSEP terms in one place — hover any dotted term in the guide, or flip the whole deck here as a self-grading flashcard set.

Asset
Anything of value to stakeholders — data, systems, capabilities, or missions — whose loss, corruption, or denial causes adverse consequences.
Assurance
The grounds for confidence — evidence and analysis — that a system meets its security objectives.
Assurance case
A structured, evidence-backed argument that a system's security claims are satisfied, used to justify a trust decision.
Attack surface
The set of points where an attacker can try to enter, affect, or extract data from a system; SSE minimizes it.
Authorization to Operate (ATO)
The formal decision by an authorizing official to accept residual risk and permit a system to operate.
Authorizing Official (AO)
The senior executive with authority to assume responsibility for operating a system at an acceptable level of risk.
Baseline configuration
A documented, approved set of specifications for a system at a point in time, the basis for change control.
Change Control Board (CCB)
The body that reviews and approves or rejects proposed changes, assessing security and operational impact.
Change management
The controlled process of requesting, evaluating, approving, testing, and documenting changes to a system.
Common Criteria (ISO/IEC 15408)
An international standard for evaluating the security assurance of IT products against protection profiles and security targets.
Complete mediation
Checking every access to every object against the security policy on each request, with no bypass paths.
Configuration management (CM)
Identifying, controlling, and documenting a system's configuration items and their changes throughout its life.
Continuous monitoring (ISCM)
Ongoing awareness of security, vulnerabilities, and threats (NIST SP 800-137) supporting risk-based decisions during operation.
Control baseline
A predefined minimum set of controls (low, moderate, or high) selected based on a system's FIPS 199 categorization.
Control tailoring
Adjusting a baseline by adding, removing, or refining controls and applying scoping and overlays for a specific system.
Cyber resiliency
The ability to anticipate, withstand, recover from, and adapt to adverse cyber conditions (NIST SP 800-160 Vol. 2).
Data remanence
Residual data remaining on media after deletion or formatting that may be recoverable without proper sanitization.
Defense in depth
Layering multiple, diverse, overlapping controls so the failure of one does not result in compromise of the asset.
Economy of mechanism
Keeping security mechanisms as simple and small as possible so they can be analyzed and verified.
FIPS 199
Standards for Security Categorization — assigns potential impact (low/moderate/high) to confidentiality, integrity, and availability.
FIPS 200
Minimum Security Requirements — mandates selecting an appropriate NIST SP 800-53 control baseline based on the categorization.
Functional vs. assurance requirements
Functional requirements state what a control must do; assurance requirements state the evidence needed to trust that it does it.
High-water mark
The FIPS 199 rule that a system's overall categorization equals the highest impact among its confidentiality, integrity, and availability ratings.
Independent verification and validation (IV&V)
V&V performed by a party independent of the development team to increase assurance.
ISO/IEC/IEEE 15288
The international standard defining the system life-cycle processes that systems security engineering adapts for security.
Least privilege
Granting each subject only the minimum access and capability needed to perform its function.
Media sanitization
Removing data from media via clearing, purging, or destruction so it cannot be recovered (NIST SP 800-88).
NIST SP 800-160 Vol. 1
Engineering Trustworthy Secure Systems — the foundational SSE publication that adapts the ISO/IEC/IEEE 15288 life-cycle processes to security engineering.
NIST SP 800-160 Vol. 2
Developing Cyber-Resilient Systems — covers anticipating, withstanding, recovering from, and adapting to advanced cyber threats.
NIST SP 800-37
Risk Management Framework for Information Systems and Organizations — defines the RMF steps, tasks, and roles.
NIST SP 800-53
Security and Privacy Controls for Information Systems and Organizations — the control catalog and baselines used in RMF Select.
Penetration testing
Authorized, simulated attacks that actively exploit weaknesses to demonstrate real impact under rules of engagement.
Plan of Action and Milestones (POA&M)
A document tracking identified weaknesses, planned remediation, resources, and milestones.
Protection needs
Stakeholder-driven statements of what must be protected and the losses to avoid; security requirements are derived from them.
Reference monitor
An abstract machine that mediates all access of subjects to objects; it must be tamperproof, always invoked, and small enough to verify.
Requirements traceability
Maintaining links from stakeholder needs through requirements, design, implementation, and test.
Residual risk
The risk that remains after controls are applied; the AO must formally accept it before an ATO.
Resiliency goals
Anticipate, Withstand, Recover, Adapt — the four objectives of cyber-resilient systems engineering.
Risk Management Framework (RMF)
NIST SP 800-37's seven-step process: Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor.
Risk tolerance
The level of risk an organization is willing to accept in pursuit of its mission and objectives.
Risk treatment
Responding to an assessed risk by accepting, avoiding, mitigating, or transferring (sharing) it.
Secure disposal
Securely retiring systems and media — sanitizing data, destroying keys, and documenting disposition — at end of life.
Security architecture
The structure describing how security controls and components are positioned and related to satisfy protection needs.
Security Assessment Report (SAR)
The output of RMF Assess: findings on whether controls are implemented correctly, operating, and effective.
Security impact analysis (SIA)
An analysis of how a proposed change affects the security state of a system before it is approved.
Security kernel
The hardware, firmware, and software that implement the reference monitor concept.
Security requirement
A verifiable, traceable capability or constraint the system must satisfy to meet a protection need.
Security test and evaluation (ST&E)
Planned testing to determine whether controls are implemented correctly and meet requirements before authorization.
Security validation
Confirming the system satisfies stakeholder needs in the operational environment — 'did we build the right system?'
Security verification
Confirming the system meets its specified security requirements — 'did we build the system right?'
Separation of duties
Dividing a critical task so no single individual can complete it alone, reducing fraud and error.
Stakeholder
Any party with a legitimate interest in a system — owners, users, operators, regulators, or the public — whose needs drive requirements.
Supply chain risk management (SCRM)
Managing risks from suppliers, components, and services across a system's supply chain (NIST SP 800-161).
System Security Plan (SSP)
The document describing a system, its boundary, and how each selected security control is implemented.
Systems security engineering (SSE)
The disciplined application of engineering principles to design, build, and sustain trustworthy systems that meet stakeholders' protection needs across the whole system life cycle.
Threat modeling
Systematically identifying and prioritizing threats to a system during design (e.g., using STRIDE or attack trees).
Three-tier risk model
NIST SP 800-39's structure: Tier 1 organization, Tier 2 mission/business process, Tier 3 information system.
Trust vs. trustworthiness
Trust is a willingness to depend on a system; trustworthiness is the demonstrated property, backed by evidence, that justifies that trust.
Trusted Computing Base (TCB)
The totality of protection mechanisms — hardware, software, firmware — responsible for enforcing a system's security policy.
Trustworthiness
Justified, evidence-based confidence that a system meets its security requirements and behaves as intended — the central goal of SSE.
Vulnerability scanning
Automated identification of known weaknesses in a system without exploiting them.
Zero trust architecture
A model (NIST SP 800-207) that assumes no implicit trust and continuously verifies every access request before granting least-privilege access.

ISSEP Study Guide FAQ

The CISSP-ISSEP exam has 125 multiple-choice questions and a 3-hour time limit. It is a linear, fixed-form exam (not adaptive). A scaled score of 700 out of 1000 is required to pass.

References

  1. ISC2. “CISSP-ISSEP Information Systems Security Engineering Professional.” isc2.org.
  2. ISC2. “CISSP-ISSEP Certification Exam Outline.” isc2.org.
  3. National Institute of Standards and Technology. “SP 800-160 Vol. 1 Rev. 1: Engineering Trustworthy Secure Systems.” csrc.nist.gov.
  4. National Institute of Standards and Technology. “SP 800-160 Vol. 2 Rev. 1: Developing Cyber-Resilient Systems.” csrc.nist.gov.
  5. National Institute of Standards and Technology. “SP 800-37 Rev. 2: Risk Management Framework.” csrc.nist.gov.
  6. National Institute of Standards and Technology. “SP 800-39: Managing Information Security Risk.” csrc.nist.gov.
  7. National Institute of Standards and Technology. “SP 800-30 Rev. 1: Guide for Conducting Risk Assessments.” csrc.nist.gov.
  8. National Institute of Standards and Technology. “SP 800-53 Rev. 5: Security and Privacy Controls.” csrc.nist.gov.
  9. National Institute of Standards and Technology. “SP 800-137: Information Security Continuous Monitoring (ISCM).” csrc.nist.gov.
  10. National Institute of Standards and Technology. “SP 800-88 Rev. 1: Guidelines for Media Sanitization.” csrc.nist.gov.
  11. National Institute of Standards and Technology. “FIPS 199: Standards for Security Categorization.” csrc.nist.gov.
  12. National Institute of Standards and Technology. “SP 800-161 Rev. 1: Cybersecurity Supply Chain Risk Management.” csrc.nist.gov.