This free ISSMP study guide walks through every domain the CISSP-ISSMP (Information Systems Security Management Professional) exam tests, organized to the current ISC2 exam outline.[1]
It’s interactive, not a wall of text: every module has built-in checkpoint quizzes, flashcards, and practice questions, so you learn by doing — not just reading.
The ISSMP is a CISSP concentration for security leaders, and it tests six official domains from a manager’s and director’s perspective. We teach all six in six study modules, leading with the heaviest-weighted content.
Read a module, test yourself at each checkpoint, then drill gaps with our free practice test and flashcards. This guide is a high-yield overview that maps the official content — not a full security textbook.
ISSMP is one of the 9 ISC2 certifications — explore our ISC2 study guides to compare and prep across the whole family.
ISSMP Exam Snapshot
| Detail | CISSP-ISSMP Exam |
|---|---|
| Questions | 125 multiple-choice items |
| Format | Linear, fixed-form (not adaptive) |
| Time | 3 hours (180 minutes) |
| Passing score | 700 out of 1000 points |
| Administered by | ISC2, delivered at Pearson VUE |
| Certifying body | ISC2 (formerly (ISC)²) |
| Prerequisite | Active CISSP + 2 years' experience in 1+ ISSMP domain |
| Cost | $599 USD |
| Recertification | On the CISSP cycle — every 3 years via CPEs + annual maintenance fee |
| Credential | A CISSP concentration (CISSP-ISSMP) |
The ISSMP covers six domains, weighted toward leadership and risk. Leadership & Organizational Management is the largest (~21%), closely followed by Risk Management (~20%), so that is where to invest first.[1] Study by weight:
Leadership & Organizational Management
21% of the exam
Systems Lifecycle Management
15% of the exam
Risk Management
20% of the exam
Security Operations
18% of the exam
Contingency Management
12% of the exam
Law, Ethics & Security Compliance Management
14% of the exam
Module 1 · Leadership & Organizational Management
One official domain, the largest at ~21%. This domain is the heart of the ISSMP: how a security leader governs, aligns, funds, and staffs an enterprise security program. The exam rewards the manager’s answer — the one that addresses governance, accountability, and business value, not just the technical fix.
1.1 Security Governance & Alignment
Security governance is the system by which senior management directs and oversees security so it serves the business. The single biggest driver of success is tone at the top (visible executive commitment) together with strategic alignment, which ties the program's goals and metrics to the mission. The leader expresses this in a security strategic plan (3–5 years), from which tactical and operational plans flow.[1]
Governance lives in a document hierarchy. Know it cold: policy (high-level intent) → standard (mandatory, specific) → baseline (minimum level) → procedure (step-by-step) → guideline (optional). Roles are clarified with a RACI matrix, and the exam loves the accountable-versus-responsible distinction: accountability cannot be delegated.
| Document | What it is | Mandatory? |
|---|---|---|
| Policy | High-level management statement of intent and goals | Yes |
| Standard | Specific mandatory requirements (e.g., 'use AES-256') | Yes |
| Baseline | A minimum required level of security | Yes |
| Procedure | Detailed step-by-step instructions | Yes |
| Guideline | Recommended, discretionary best practice | No |
1.2 Policy, People & Awareness
People are the most-exploited and most-trainable control, so the ISSMP manages them deliberately. A security awareness program keeps everyone mindful of threats; remember the depth ladder: awareness (changes behavior) → training (builds a skill) → education (builds understanding). Personnel controls reduce insider risk across the employment lifecycle, from screening and onboarding to prompt offboarding.
Several administrative controls recur on the exam: separation of duties (no one person completes a sensitive task), least privilege and need to know (minimum access), and the fraud-detection pair, job rotation and mandatory vacation.
| Control | What it does | Primary purpose |
|---|---|---|
| Separation of duties | Splits a sensitive task across people | Prevent fraud (requires collusion) |
| Least privilege | Grants only the access a role needs | Limit blast radius of compromise |
| Need to know | Restricts info to those whose duties require it | Narrow disclosure further than clearance |
| Job rotation | Moves staff between roles periodically | Detect fraud, cross-train, reduce dependence |
| Mandatory vacation | Forces leave so others cover duties | Surface concealed fraud or errors |
Checkpoint · Leadership & Organizational Management
A CISO is asked to demonstrate that the information security program directly supports the organization's strategic objectives. Which artifact best establishes this linkage?
Module 2 · Systems Lifecycle Management
One official domain, ~15% of the exam. This domain is about integrating security into a system from cradle to grave — through the development lifecycle, the supply chain, and the formal process of authorizing a system to operate.
2.1 Security in the SDLC
Security must be woven through the systems development life cycle (SDLC), not bolted on at the end, because flaws are far cheaper to fix the earlier they are caught. Define security requirements up front, apply threat modeling (for example STRIDE) in design, enforce secure coding and code review in build, and run security testing before release.[5] A secure supply chain matters too: supply chain risk management (SCRM) and vendor assessments manage risk from third-party components.
Day-to-day, the secure baseline is preserved by change management and configuration management, and at end of life by secure decommissioning, defeating data remanence with proper media sanitization (clear, purge, or destroy).[8]
2.2 Certification, Accreditation & the RMF
Two terms candidates confuse: certification is the technical evaluation that the controls work; accreditation is the management decision to accept the residual risk and grant an Authorization to Operate (ATO). Certify first, then accredit. The structured process behind this is the NIST Risk Management Framework (RMF).[5]
- 1
Prepare
Establish context, roles, risk strategy, and a baseline understanding of the organization's risk.
- 2
Categorize
Classify the system by the impact (low/moderate/high) a loss of confidentiality, integrity, or availability would cause.
- 3
Select
Choose a baseline of security controls for that category, then tailor them to the actual environment.
- 4
Implement
Deploy the selected controls and document how they are configured in the system.
- 5
Assess
Evaluate whether the controls are implemented correctly and operating as intended (certification).
- 6
Authorize
The authorizing official accepts the residual risk and grants an Authorization to Operate (accreditation).
- 7
Monitor
Continuously monitor controls, configurations, and risk so authorization stays current.
| Activity | Who does it | Output |
|---|---|---|
| Certification | Technical assessors (the Assess step) | Evidence the controls are implemented and effective |
| Accreditation | The authorizing official (the Authorize step) | Formal acceptance of residual risk + Authorization to Operate |
| Continuous monitoring | Operations (the Monitor step) | Ongoing assurance the authorization stays valid |
Checkpoint · Systems Lifecycle Management
Which approach best integrates security requirements into a new software development initiative from the outset?
Module 3 · Risk Management
One official domain, ~20% of the exam — the second largest. Risk management is the analytical engine of the whole program: identifying what could go wrong, sizing it, and deciding what to do about it.
3.1 Risk Assessment & Analysis
Risk is the chance that a threat exploits a vulnerability to harm an asset. The risk management lifecycle is a continuous loop: identify, assess, treat, implement, and monitor.[4]
- 1
Identify assets & threats
Inventory and value assets; identify threats and vulnerabilities that could affect them.
- 2
Assess risk
Estimate likelihood and impact — qualitatively (high/medium/low) or quantitatively (ALE = SLE × ARO).
- 3
Choose a risk treatment
Mitigate (add controls), transfer (insurance), avoid (stop the activity), or accept the residual risk.
- 4
Implement controls
Deploy administrative, technical, and physical controls cost-effectively: a control's annual cost should not exceed the annual loss (ALE) it prevents.
- 5
Record & accept residual risk
Capture risks in the risk register; senior management (the risk owner) formally accepts what remains.
- 6
Monitor & review
Continuously monitor with KRIs; reassess as assets, threats, and the business change.
You analyze risk two ways. Qualitative analysis is subjective, ranking risks high/medium/low (fast, but not in dollars). Quantitative analysis is dollar-based, and the exam loves its formulas. The exposure factor (EF) is the percentage of an asset lost per event; single loss expectancy (SLE) = Asset Value × EF; the annualized rate of occurrence (ARO) is events per year; and annualized loss expectancy (ALE) = SLE × ARO is the expected yearly cost.
SLE = AV × EF
Single Loss Expectancy = Asset Value × Exposure Factor (the % of the asset lost per event).
ALE = SLE × ARO
Annualized Loss Expectancy = Single Loss Expectancy × Annualized Rate of Occurrence (events per year).
Worked example
Asset = $1,000,000; a breach destroys 30% (EF = 0.3) → SLE = $300,000. A breach every 5 years (ARO = 0.2) → ALE = $300,000 × 0.2 = $60,000/year. A control is cost-justified only if its annual cost is less than the ALE reduction it delivers; a control that eliminated this risk entirely would be worth at most $60,000/year.
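To show how these formulas drive a treatment decision, here is an added example in Python (not code from the study guide). It carries the worked example through a small risk register: it ranks risks by ALE, computes the residual ALE once a candidate control changes EF or ARO, derives ROSI as (reduction in ALE − cost) ÷ cost, and returns accept, mitigate or escalate against a tolerance threshold. The "Database breach" entry uses the figures above; the other risks, the controls, their costs and the $25,000 tolerance are constructed for the example.

```python
"""Quantitative risk analysis over a small risk register.

Added example, not part of the study guide. The first risk uses the
figures from the worked example; the other risks, the candidate
controls and the tolerance threshold are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float       # AV, in dollars
    exposure_factor: float   # EF, fraction of AV lost per event (0.0-1.0)
    aro: float               # ARO, expected events per year


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    exposure_factor: float   # EF once the control is in place
    aro: float               # ARO once the control is in place


def sle(asset_value, exposure_factor):
    """Single Loss Expectancy = AV x EF."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def ale(asset_value, exposure_factor, aro):
    """Annualized Loss Expectancy = SLE x ARO."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle(asset_value, exposure_factor) * aro


def risk_ale(risk):
    """Inherent ALE, before any treatment."""
    return ale(risk.asset_value, risk.exposure_factor, risk.aro)


def residual_ale(risk, control):
    """ALE that remains after the control changes EF and/or ARO."""
    return ale(risk.asset_value, control.exposure_factor, control.aro)


def rosi(risk, control):
    """Return on Security Investment = (ALE reduction - cost) / cost."""
    if control.annual_cost <= 0:
        raise ValueError("control cost must be positive")
    reduction = risk_ale(risk) - residual_ale(risk, control)
    return (reduction - control.annual_cost) / control.annual_cost


def recommend(risk, control, tolerance):
    """Treatment the risk owner is asked to sign off on.

    accept   : inherent ALE is already within tolerance
    mitigate : the control pays for itself and brings ALE within tolerance
    escalate : the control loses money or leaves ALE above tolerance, so
               transfer, avoidance or a different control must be weighed
    """
    if risk_ale(risk) <= tolerance:
        return "accept"
    if rosi(risk, control) > 0 and residual_ale(risk, control) <= tolerance:
        return "mitigate"
    return "escalate"


def rank_by_ale(risks):
    """Risk register ordered by expected annual loss, largest first."""
    return sorted(((r.name, risk_ale(r)) for r in risks), key=lambda x: -x[1])


# Constructed register; the first entry is the guide's worked example.
REGISTER = [
    (Risk("Database breach", 1_000_000, 0.30, 0.2),
     Control("Immutable, tested backups", 20_000, 0.10, 0.2)),
    (Risk("Laptop theft", 50_000, 1.00, 2.0),
     Control("Full-disk encryption", 5_000, 0.10, 2.0)),
    (Risk("Website defacement", 20_000, 0.25, 0.5),
     Control("Managed WAF", 8_000, 0.25, 0.1)),
]
TOLERANCE = 25_000  # constructed: the largest ALE the risk owner will accept


if __name__ == "__main__":
    for risk, control in REGISTER:
        print(f"{risk.name:20s} ALE ${risk_ale(risk):>10,.0f} -> "
              f"${residual_ale(risk, control):>9,.0f} with {control.name}; "
              f"ROSI {rosi(risk, control):+.2f}; {recommend(risk, control, TOLERANCE)}")
```

Run it and the database breach lands on mitigate: the $20,000 control cuts ALE from $60,000 to $20,000, a ROSI of 1.0. Laptop theft ranks above it despite the far smaller asset value, because ARO is 2 per year, and the defacement risk stays on accept because its inherent ALE is already inside tolerance. That is the manager's answer the exam wants: treat by expected loss, not by asset value alone.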
3.2 Risk Treatment & Controls
Once a risk is sized, the leader chooses a treatment: mitigate (add controls), transfer (insurance/outsourcing), avoid (stop the activity), or accept (tolerate it with management sign-off). Whatever you do, residual risk remains, and the risk owner formally accepts it. The choice is set against the organization's risk appetite and risk tolerance, with key risk indicators (KRIs) giving early warning.
| Treatment | What you do | Example |
|---|---|---|
| Mitigate (reduce) | Add controls to lower likelihood or impact | Deploy MFA to reduce account takeover |
| Transfer | Shift the financial impact to a third party | Buy cyber-insurance |
| Avoid | Stop the activity that creates the risk | Discontinue a risky product feature |
| Accept | Formally tolerate the residual risk | Management signs off on a low-impact risk |
Controls themselves are categorized two ways: by function (preventive, detective, corrective, deterrent, recovery, and compensating) and by category (administrative, technical, physical). Defense in depth layers controls from all three categories so that no single failure exposes the asset.
Checkpoint · Risk Management
A security manager must calculate annualized loss expectancy (ALE) for a risk. Which formula is correct?
Module 4 · Security Operations
One official domain, ~18% of the exam. Operations is where security runs every day — monitoring, responding to incidents, handling evidence, and using threat intelligence to stay ahead. The ISSMP manages the capability, not the keyboard.
4.1 Monitoring & Incident Response
Continuous monitoring runs through the Security Operations Center (SOC), often anchored by a SIEM that aggregates and correlates logs. When an event becomes an incident, the team follows the NIST incident response lifecycle.[6]
1 · Preparation
Build the capability before an incident — plans, tools, training, and communications.
2 · Detection & Analysis
Identify that an incident occurred; determine its scope, type, and severity.
3 · Containment, Eradication & Recovery
Limit the spread (stop the bleeding), remove the cause, and restore clean systems.
4 · Post-Incident Activity
Capture lessons learned and improve plans, controls, and training — the step teams skip.
The order matters on the exam: preparation happens before anything goes wrong; containment (stop the bleeding) comes before eradication and recovery; and the post-incident review, lessons learned, is the step teams forget.
| Phase | What happens |
|---|---|
| Preparation | Build plans, tools, training, and communications before an incident |
| Detection & Analysis | Identify the incident and determine scope, type, and severity |
| Containment | Limit the spread and damage (short- and long-term) |
| Eradication | Remove the cause — malware, accounts, the exploited weakness |
| Recovery | Restore clean systems to normal operation and monitor |
| Post-Incident Activity | Capture lessons learned and improve plans and controls |
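As an added example (not code from the page or from any SIEM product), the correlation step described in 4.1 written out in Python: raw authentication events are normalized, and a run of failed logins followed by a success from the same source and account is promoted from an ordinary event to a high-severity incident, while a run of failures alone is flagged at medium severity for triage. The log lines, the five-failure threshold and the ten-minute window are constructed for the example.

```python
"""Toy SIEM correlation: promote raw auth events to an incident.

Added example; the log lines, the threshold and the window are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog-style lines (not taken from any real host).
SAMPLE_LOGS = """\
2024-05-01T09:00:01Z sshd[101]: Failed password for admin from 203.0.113.7 port 51001
2024-05-01T09:00:03Z sshd[101]: Failed password for admin from 203.0.113.7 port 51002
2024-05-01T09:00:05Z sshd[101]: Failed password for admin from 203.0.113.7 port 51003
2024-05-01T09:00:08Z sshd[101]: Failed password for admin from 203.0.113.7 port 51004
2024-05-01T09:00:10Z sshd[101]: Failed password for admin from 203.0.113.7 port 51005
2024-05-01T09:00:14Z sshd[101]: Accepted password for admin from 203.0.113.7 port 51006
2024-05-01T09:30:00Z sshd[102]: Failed password for alice from 198.51.100.9 port 40001
2024-05-01T09:30:02Z sshd[102]: Failed password for alice from 198.51.100.9 port 40002
2024-05-01T10:15:00Z sshd[103]: Accepted password for bob from 192.0.2.44 port 33001
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+$"
)


def parse(log_text):
    """Normalize raw lines into events; lines the parser cannot read are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                "outcome": m["outcome"],
                "user": m["user"],
                "ip": m["ip"],
            })
    return sorted(events, key=lambda e: e["ts"])


def _finding(severity, kind, event, failures):
    return {
        "severity": severity,
        "type": kind,
        "user": event["user"],
        "ip": event["ip"],
        "failures": failures,
        "at": event["ts"].isoformat(),
    }


def analyze(log_text, threshold=5, window=timedelta(minutes=10)):
    """Correlate per (source IP, user) and return only findings worth triage.

    - `threshold` failures inside `window`            -> medium, brute_force_attempt
    - a success after >= `threshold` recent failures  -> high, brute_force_success
    Everything else stays an ordinary event and is not returned.
    """
    failures = defaultdict(list)  # (ip, user) -> timestamps of recent failures
    findings = []
    for e in parse(log_text):
        key = (e["ip"], e["user"])
        # drop failures that have aged out of the correlation window
        recent = [t for t in failures[key] if e["ts"] - t <= window]
        if e["outcome"] == "Failed":
            recent.append(e["ts"])
            if len(recent) == threshold:
                findings.append(_finding("medium", "brute_force_attempt", e, len(recent)))
        else:
            if len(recent) >= threshold:
                findings.append(_finding("high", "brute_force_success", e, len(recent)))
            recent = []  # a successful login closes the failure streak
        failures[key] = recent
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS):
        print(f"[{f['severity']}] {f['type']}: {f['user']} from {f['ip']} "
              f"after {f['failures']} failures at {f['at']}")
```

On the sample, alice's two failures and bob's clean login stay events; admin's five failures raise a medium finding, and the success that follows raises the high-severity incident that moves the team into detection and analysis. The threshold and window are the knobs a SOC manager tunes to balance false positives against missed intrusions.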
4.2 Forensics & Threat Intelligence
When an incident may become a legal matter, evidence must hold up. Digital forensics collects and analyzes evidence in a defensible way, preserving the chain of custody and following the order of volatility (capture the most-volatile data, such as memory, before disk).
Looking outward, threat intelligence helps the leader anticipate adversaries and prioritize defenses. Remember the distinction the exam tests: a vulnerability scan finds known weaknesses automatically, while a penetration test exploits them, under written authorization, to prove real impact.
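The two forensic disciplines named above, as an added example in Python (not code from the study guide): a capture plan sorted by order of volatility, and a chain-of-custody ledger that hashes the evidence at acquisition, refuses a hand-off whose copy no longer matches, and hash-chains each custody entry to the previous one so that an edited record is detectable. The evidence bytes, the people and the evidence ID are constructed; the volatility ranking is an assumption that follows the usual most-volatile-first ordering (RFC 3227).

```python
"""Chain of custody with hash verification, plus order-of-volatility sorting.

Added example, not from the study guide. The evidence bytes, names and
evidence ID are constructed; the volatility ranking is an assumption that
follows the common most-volatile-first ordering (RFC 3227).
"""
import hashlib
import json
from datetime import datetime, timezone

VOLATILITY_RANK = [  # most volatile first
    "registers_cache", "memory", "network_state", "temp_filesystem",
    "disk", "remote_logs", "physical_config", "archive_media",
]


def collection_order(sources):
    """Sort evidence sources so the most volatile data is captured first."""
    return sorted(sources, key=lambda s: VOLATILITY_RANK.index(s["kind"]))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLedger:
    """Append-only custody record; each entry is hash-chained to the previous one."""

    def __init__(self, evidence_id, data, collector, note):
        self.evidence_id = evidence_id
        self.evidence_sha256 = sha256_hex(data)  # hash taken at acquisition
        self.entries = []
        self._append(collector, "collected", note)

    def _entry_hash(self, entry, prev_hash):
        fields = {k: v for k, v in entry.items() if k != "entry_hash"}
        payload = json.dumps(fields, sort_keys=True)
        return sha256_hex((prev_hash + payload).encode())

    def _append(self, who, action, note):
        prev_hash = self.entries[-1]["entry_hash"] if self.entries else self.evidence_sha256
        entry = {
            "seq": len(self.entries),
            "when": datetime.now(timezone.utc).isoformat(),
            "who": who,
            "action": action,
            "note": note,
            "evidence_sha256": self.evidence_sha256,
        }
        entry["entry_hash"] = self._entry_hash(entry, prev_hash)
        self.entries.append(entry)

    def transfer(self, from_person, to_person, data):
        """Hand evidence over; refuse if the copy no longer matches the acquisition hash."""
        if sha256_hex(data) != self.evidence_sha256:
            raise ValueError(f"{self.evidence_id}: hash mismatch at hand-off "
                             f"from {from_person} to {to_person}")
        self._append(to_person, "received", f"from {from_person}, hash verified")

    def verify_ledger(self):
        """Recompute the chain; any edited or reordered entry breaks it."""
        prev_hash = self.evidence_sha256
        for i, entry in enumerate(self.entries):
            if entry["seq"] != i or entry["evidence_sha256"] != self.evidence_sha256:
                return False
            if self._entry_hash(entry, prev_hash) != entry["entry_hash"]:
                return False
            prev_hash = entry["entry_hash"]
        return True

    def verify(self, data):
        """True only if the evidence is unchanged and the custody record is intact."""
        return sha256_hex(data) == self.evidence_sha256 and self.verify_ledger()


if __name__ == "__main__":
    plan = collection_order([{"kind": "disk", "host": "ws-17"},
                             {"kind": "memory", "host": "ws-17"},
                             {"kind": "registers_cache", "host": "ws-17"}])
    print("capture order:", [s["kind"] for s in plan])

    image = b"constructed disk image bytes"
    ledger = CustodyLedger("EV-2024-001", image, "analyst-a", "dd via write blocker")
    ledger.transfer("analyst-a", "examiner-b", image)
    print("evidence intact:", ledger.verify(image))
    print("tampered copy intact:", ledger.verify(image + b"\x00"))
```

The acquisition hash is what counsel will ask for: every later party verifies against it, and the chained entry hashes mean a custody record cannot be quietly rewritten after the fact. The ordering list is the management takeaway from order of volatility: a response plan that images disk first loses the memory-resident evidence a rebooted host will never give back.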
Checkpoint · Security Operations
What is the primary purpose of a threat intelligence program within a security management function?
Module 5 · Contingency Management
One official domain, ~12% of the exam. Contingency management is how the organization survives a disruption — through business continuity and disaster recovery planning, driven by a clear-eyed analysis of what matters most.
5.1 BCP, DRP & the BIA
Two plans work together: the Business Continuity Plan (BCP) keeps the whole business running through a disruption, while the Disaster Recovery Plan (DRP) restores the IT that supports it; the DRP serves the BCP. Both are driven by the Business Impact Analysis (BIA), which identifies critical functions and sets the recovery targets every other decision serves.[7]
- 1
Project scope & planning
Get senior management buy-in, form the BCP team, and define scope and resources.
- 2
Business Impact Analysis (BIA)
Identify critical functions and set MTD, RTO, and RPO; quantify the impact of disruption.
- 3
Continuity / recovery strategy
Choose recovery options that meet the RTO — hot, warm, or cold sites; backups; redundancy.
- 4
Plan development
Document the BCP and DR plans, roles, call trees, and emergency procedures.
- 5
Test, train & maintain
Exercise the plan (checklist → tabletop → simulation → parallel → full interruption) and keep it current.
5.2 Recovery Objectives, Sites & Testing
Know the recovery metrics cold. Maximum Tolerable Downtime (MTD) is the outer limit a function can be down. Recovery Time Objective (RTO) is the target time to restore it (RTO must be less than MTD). Recovery Point Objective (RPO) is the maximum acceptable data loss, measured backward in time, which dictates how often you back up.
Recovery site choices trade cost against speed, from a fully redundant mirror down to a bare cold site.
Mirror / redundant site
Real-time replication, immediate failover.
Highest cost · Instant
Hot site
Fully equipped, near-real-time failover.
High cost · Minutes–hours
Warm site
Hardware & connectivity; data restored on demand.
Moderate cost · Hours–days
Cold site
Power, cooling, and space only.
Lowest cost · Days–weeks
Finally, plans are only as good as their last test. The testing ladder runs from least to most disruptive: checklist → tabletop/walk-through → simulation → parallel → full interruption (the most thorough and riskiest, requiring management approval).
| Test | What happens | Disruption |
|---|---|---|
| Checklist | Reviewers verify the plan's contents and contacts on paper | None |
| Tabletop / walk-through | The team talks through roles in a simulated scenario | None |
| Simulation | Response steps are exercised in a controlled scenario | Low |
| Parallel | Recovery systems run alongside production to confirm they work | Low (production stays up) |
| Full interruption | Production is actually failed over to recovery systems | High (needs approval) |
Checkpoint · Contingency Management
What is the primary purpose of conducting a Business Impact Analysis (BIA)?
Module 6 · Law, Ethics & Security Compliance Management
One official domain, ~14% of the exam. This domain holds the security leader to a professional and legal standard — the ISC2 ethics every member signs, the legal duties of due care, and the regulatory and privacy obligations the organization must meet.
6.1 ISC2 Ethics & Legal Duties
Every ISC2 member, including ISSMP holders, signs the ISC2 Code of Ethics. Its four canons are applied in order; when two conflict, the earlier one wins.[3]
- 1
Protect society, the common good, necessary public trust and confidence, and the infrastructure.
- 2
Act honorably, honestly, justly, responsibly, and legally.
- 3
Provide diligent and competent service to principals.
- 4
Advance and protect the profession.
The legal backbone is the prudent-person rule: due diligence (do the research and build the plan) and due care (implement and maintain reasonable controls). Demonstrating both is how an organization limits liability and rebuts a claim of negligence after an incident.
6.2 Compliance & Privacy Management
The leader runs a compliance program that maps obligations to controls. Distinguish regulatory compliance (mandated by law: HIPAA, GDPR, SOX) from contractual compliance (agreed in contracts: PCI DSS, SLAs); both are enforceable.
Privacy adds its own roles: under privacy law such as the GDPR, the data controller decides why and how personal data is processed, while a data processor acts on the controller's documented instructions.[9] When litigation looms, a legal hold suspends deletion and eDiscovery governs producing the data.
| Obligation | Type | What it governs |
|---|---|---|
| GDPR | Regulatory (law) | Processing of EU residents' personal data |
| HIPAA | Regulatory (law) | Privacy and security of protected health information |
| SOX | Regulatory (law) | Internal controls over financial reporting |
| PCI DSS | Contractual | Protection of cardholder data |
| SOC 2 | Contractual / assurance | A service organization's security and availability controls |
Checkpoint · Law, Ethics & Compliance Management
Which type of law involves disputes between individuals or organizations, typically resulting in monetary damages rather than imprisonment?
How to Use This ISSMP Study Guide
This guide is built to be worked, not just read. The most efficient path to a pass:
- Study by weight. Lead with Leadership & Organizational Management (~21%) and Risk Management (~20%) — together nearly half the exam — then work down the list.
- Think like a director, not a technician. ISSMP questions reward the answer that addresses governance, accountability, and business value — the manager’s best answer.
- Check off as you go. Use the Study Guide Contents to mark each section done; it raises your exam-readiness score.
- Take every checkpoint. The end-of-module quizzes show you exactly which domains need another pass.
- Drill the weak domain. Send your weak area into the flashcards and a practice test until the score climbs comfortably above 700.
ISSMP Concept Questions
Common CISSP-ISSMP concepts candidates search while studying — each answered briefly and backed by an official source. Test yourself, then drill them as flashcards.
ISSMP Glossary
The high-yield ISSMP terms in one place — hover any dotted term in the guide, or flip the whole deck here as a self-grading flashcard set.
- Accountable vs. responsible
- Accountable is the single owner answerable for the outcome (cannot be delegated); responsible are those who do the work. Management is accountable for security.
- Accreditation (system)
- Management's formal decision (the authorizing official's) to accept the residual risk and authorize a system to operate.
- Annualized Loss Expectancy (ALE)
- The expected yearly cost of a risk: ALE = SLE × ARO; the basis for cost-justifying a control.
- Annualized Rate of Occurrence (ARO)
- The expected number of times a specific risk event will occur in one year.
- Authorization to Operate (ATO)
- The formal approval, signed by the authorizing official, that a system may go live with its risk accepted — the outcome of accreditation.
- Business Continuity Plan (BCP)
- A plan to keep critical business functions operating during and after a disruption; broader than DR.
- Business Impact Analysis (BIA)
- The analysis that identifies critical functions and sets recovery objectives (MTD, RTO, RPO); the heart of continuity planning.
- Certification (system)
- The technical evaluation of a system's controls against requirements to confirm they are implemented and effective; precedes accreditation.
- Chain of custody
- Documentation showing who handled evidence, when, and how — preserving its integrity and admissibility for legal use.
- Change management
- A controlled process to request, assess, approve, implement, and document changes so they do not introduce unmanaged risk.
- CISSP-ISSMP
- An ISC2 advanced concentration for CISSPs who build, lead, and govern an enterprise security program; it tests security management, not hands-on technical depth.
- Cold site
- An alternate site with power, cooling, and space only — the cheapest option but slowest to bring online.
- Compensating control
- An alternative control deployed when a required control is impractical, providing equivalent protection and a documented justification.
- Configuration management
- Identifying, controlling, and recording the state of system components so changes are deliberate and the secure baseline is preserved.
- Containment
- Limiting the spread and damage of an incident before eradication — stop the bleeding first.
- Data controller
- Under privacy law, the entity that decides why and how personal data is processed.
- Data processor
- A party that processes personal data on behalf of, and on the documented instructions of, the controller.
- Defense in depth
- Layering multiple, overlapping controls so that if one fails, others still protect the asset.
- Digital forensics
- The disciplined collection, preservation, examination, and analysis of digital evidence in a defensible manner.
- Disaster Recovery Plan (DRP)
- The procedures to restore IT systems, data, and infrastructure after a disruptive event; a subset of the BCP.
- Due care
- Acting on due diligence by implementing and maintaining reasonable controls — what a prudent person would do.
- Due diligence
- Doing the research, planning, and ongoing investigation needed to understand and protect the organization — the homework before acting.
- eDiscovery
- The legal process of identifying, preserving, and producing electronically stored information for litigation or investigation.
- Exposure Factor (EF)
- The percentage of an asset's value lost if a specific risk event occurs.
- Guideline
- A recommended, discretionary best practice — the only non-mandatory document in the hierarchy.
- Hot site
- A fully equipped, staffed alternate site offering near-real-time failover — the fastest recovery and most expensive option.
- Incident
- An event that actually or potentially harms confidentiality, integrity, or availability and warrants a response.
- Incident response lifecycle
- NIST's four phases: Preparation; Detection & Analysis; Containment, Eradication & Recovery; and Post-Incident Activity.
- ISC2 Code of Ethics
- Four canons every member must follow, applied in order: protect society and the infrastructure; act honorably; provide diligent service to principals; advance and protect the profession.
- Job rotation
- Periodically moving staff between roles to detect fraud, reduce single-person dependence, and cross-train — an administrative control.
- Key Risk Indicator (KRI)
- A metric that gives early warning that risk exposure is rising toward an unacceptable level.
- Least privilege
- Granting each user, process, and role only the minimum access needed to perform its function.
- Legal hold
- A directive to preserve all potentially relevant data when litigation is anticipated, suspending normal deletion.
- Mandatory vacation
- Requiring employees to take leave so others perform their duties, which can surface concealed fraud; an administrative detective control.
- Maximum Tolerable Downtime (MTD)
- The longest a function can be unavailable before the organization suffers unacceptable harm; it bounds the RTO.
- Media sanitization
- Removing data so it cannot be recovered, via clearing, purging, or destruction (NIST SP 800-88); defeats data remanence at end of life.
- Need to know
- Restricting access to information to those whose duties require it, even among users with the same clearance level.
- NIST Risk Management Framework (RMF)
- A seven-step process (Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor) for managing system security risk (NIST SP 800-37).
- Order of volatility
- Collecting evidence from most-volatile to least (RAM and cache before disk and archives) to avoid losing transient data.
- Policy
- A high-level, mandatory statement of management intent that sets the direction of the security program.
- Procedure
- Mandatory, detailed step-by-step instructions for performing a task.
- Qualitative risk analysis
- A subjective approach ranking risks high/medium/low; fast and good for prioritization but not expressed in dollars.
- Quantitative risk analysis
- An objective, dollar-based approach using formulas (SLE, ARO, ALE) to express risk financially and cost-justify controls.
- RACI matrix
- A responsibility chart marking who is Responsible, Accountable, Consulted, and Informed for each task — clarifying security roles and preventing gaps.
- Recovery Point Objective (RPO)
- The maximum acceptable amount of data loss measured backward in time; drives backup frequency.
- Recovery Time Objective (RTO)
- The target time to restore a system or function after a disruption; must be shorter than the MTD.
- Regulatory compliance
- Conforming to laws and regulations (e.g., HIPAA, GDPR, SOX) that apply to the organization's data and industry; contrast contractual obligations such as PCI DSS, which are enforced through agreements rather than statute.
- Residual risk
- The risk that remains after controls are applied; senior management (the risk owner) must formally accept it.
- Return on Security Investment (ROSI)
- A metric estimating a control's financial benefit relative to cost — typically (reduction in ALE − cost) ÷ cost.
- Risk
- The likelihood that a threat exploits a vulnerability, combined with the resulting impact on an asset.
- Risk appetite
- The broad amount and type of risk an organization is willing to pursue or retain to meet its objectives; set by the board.
- Risk register
- A living record of identified risks with owner, likelihood, impact, treatment, and status — the central artifact of risk management.
- Risk tolerance
- The acceptable variation around risk appetite for a specific objective — the threshold at which a risk must be treated.
- Security awareness program
- An ongoing effort to keep every employee mindful of threats and their security responsibilities; the human layer is the most-exploited control.
- Security governance
- The system of leadership, structures, and processes by which senior management directs and oversees the security program so it supports — and is accountable to — business objectives.
- Security Operations Center (SOC)
- The team and facility that continuously monitors, detects, and responds to security events across the enterprise.
- Security strategic plan
- A long-term (3–5 year) plan defining the security program's vision, goals, and roadmap in alignment with business strategy; tactical and operational plans flow from it.
- Separation of duties
- Dividing a sensitive task so no single person can complete it alone, reducing fraud and error; abuse would require collusion.
- SIEM
- Security Information and Event Management — a system that aggregates and correlates logs for detection, alerting, and investigation.
- Single Loss Expectancy (SLE)
- The expected monetary loss from one occurrence of a risk: SLE = Asset Value × Exposure Factor.
- Standard
- A mandatory, specific requirement that supports a policy (e.g., 'use AES-256').
- Strategic alignment
- Ensuring the security program's goals, investments, and metrics directly support the organization's mission and strategy rather than operating as a siloed IT function.
- STRIDE
- A threat-modeling taxonomy: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege.
- Supply chain risk management (SCRM)
- Managing security risk introduced by vendors, components, and software dependencies across acquisition, integration, and maintenance.
- Systems Development Life Cycle (SDLC)
- The structured phases through which a system is conceived, built, operated, and retired; security must be integrated into every phase.
- Threat
- Any potential event or actor that could cause harm to an asset by exploiting a vulnerability.
- Threat intelligence
- Evidence-based knowledge about adversaries, their tactics, and indicators, used to anticipate and prioritize defenses.
- Threat modeling
- Systematically identifying and prioritizing threats to a system during design (e.g., with STRIDE) so the right mitigations are built in.
- Vulnerability
- A weakness in a system, process, or control that a threat can exploit.
- Warm site
- An alternate site with hardware and connectivity but data restored on demand — moderate cost and recovery speed.
ISSMP Study Guide FAQ
The CISSP-ISSMP exam has 125 multiple-choice questions and a 3-hour (180-minute) time limit. It is a linear, fixed-form exam — not adaptive — delivered in English at Pearson VUE test centers.
From the ISC2 outline: Leadership & Organizational Management (~21%), Systems Lifecycle Management (~15%), Risk Management (~20%), Security Operations (~18%), Contingency Management (~12%), and Law, Ethics & Security Compliance Management (~14%).
You need a scaled score of 700 out of 1000 points to pass. Because items are weighted, a raw question count does not translate directly to a percentage; the 700 threshold reflects a consistent ability standard.
You must already hold the CISSP in good standing, and you need two years of cumulative, full-time experience in one or more of the six ISSMP domains. The ISSMP is a CISSP concentration, so the CISSP is required first.
The CISSP is broad and technical across eight domains; the ISSMP is a management concentration that goes deeper on leadership, program governance, risk management, operations, continuity, and compliance. ISSMP questions are framed from a manager's and director's perspective, not a hands-on technician's.
Study by weight. Lead with Leadership & Organizational Management (~21%) and Risk Management (~20%), then Security Operations, Law/Ethics/Compliance, Systems Lifecycle Management, and Contingency Management. Read each module, take the checkpoint, then drill gaps with our free practice test and flashcards.
The CISSP-ISSMP concentration exam fee is about $599 USD. The ISSMP recertifies on the same three-year cycle as your CISSP, through Continuing Professional Education (CPE) credits and the ISC2 annual maintenance fee.
The CISSP-ISSMP is issued by ISC2 and delivered at Pearson VUE test centers. This study guide, the checkpoints, the glossary, the practice test, and the flashcards are 100% free with no account required.
References
- 1. ISC2. "CISSP-ISSMP Certification Exam Outline." isc2.org.
- 2. ISC2. "CISSP-ISSMP — Information Systems Security Management Professional." isc2.org.
- 3. ISC2. "ISC2 Code of Ethics." isc2.org.
- 4. National Institute of Standards and Technology. "SP 800-30 Rev. 1: Guide for Conducting Risk Assessments." csrc.nist.gov.
- 5. National Institute of Standards and Technology. "SP 800-37 Rev. 2: Risk Management Framework for Information Systems and Organizations." csrc.nist.gov.
- 6. National Institute of Standards and Technology. "SP 800-61 Rev. 2: Computer Security Incident Handling Guide." csrc.nist.gov.
- 7. National Institute of Standards and Technology. "SP 800-34 Rev. 1: Contingency Planning Guide for Federal Information Systems." csrc.nist.gov.
- 8. National Institute of Standards and Technology. "SP 800-88 Rev. 1: Guidelines for Media Sanitization." csrc.nist.gov.
- 9. International Organization for Standardization. "ISO/IEC 27001 — Information Security Management Systems." iso.org.
- 10. International Organization for Standardization. "ISO 22301 — Business Continuity Management Systems." iso.org.

Career Employer