ISSMP: Certified Information Systems Security Management Professional

  1. Home
  2. ISSMP: Certified Information Systems Security Management Professional
ISSMP Tutorials and Preparatory guide

The ISSMP Certified Information Systems Security Management Professional certification shows that you excel at establishing, presenting and governing information security programs. It validates your management and leadership skills. ISSMPs direct the alignment of security programs with the organization’s mission, goals, and strategies in order to meet enterprise financial and operational requirements in support of its desired risk position.

This certification opens new realms in your career and helps you grab professional excellence. You can crack the exam with the right set of resources. Here we present you our Tutorials and Preparatory Guide to set you on the right track for this exam.

Target Audience

The CISSP-ISSMP is ideal for those working in roles such as:

  • Firstly, Chief information officer
  • Secondly, Chief information security officer
  • Then, Chief technology officer
  • Also, Senior security executive

CISSP- ISSMP Exam Format

Before beginning with your preparations it is advised to have clarity about the exam details. Lets have a look at basic exam details and policies of CISSP-ISSMP.

The ISC2 Information Systems Security Management Professional CISSP-ISSMP exam covers 125 questions. These CISSP- ISSMP Exam Questions are in Multiple Choice and Multi-Response Format. Further you get 180 minutes to complete the exam. The CISSP- ISSMP Questions are available in English Language only. Most importantly, you must achieve passing score of 700 to clear the exam.

Exam NameISC2 Information Systems Security Management Professional
Exam Code CISSP-ISSMP
Number of Questions 125
Exam Duration 180 mins
Exam Format Multiple Choice and Multi-Response Questions
Pass Score 700 (On a scale of 1-1000)
Exam Language English

Prerequisites for the Exam

To be eligible for the ISSMP exam candidates must be a CISSP in good standing and have 2 years cumulative paid work experience in 1 or more of the 6 domains of the ISSMP exam.

Scheduling the ISSMP Exam

To schedule the exam follow the steps:

  1. Firstly, Create an account with Pearson VUE, the exclusive global administrator of all (ISC)² exams.
  2. Then, Select the (ISC)² certification exam you are pursuing.
  3. Finally, Schedule your exam and testing location with Pearson VUE

Exam Retake Policy

(ISC)² grants a chance to retake your failed exam. Moreover, you can sit for the exam up to three times a year. The following are the rules in order to retake the exam:

  • To begin with, if you don’t pass the exam the first time, you can retest after 90 days of the actual exam
  • Similarly, if you don’t pass a second time, you can retest after an additional 90 days
  • Further, if you don’t pass a third time, you can retest after 180 days

Recertification Policy

Once you have passed the ISSMP exam and are certified, you need to recertify every three years. You can recertify by earning 20 continuing professional education (CPE) credits each year.

Exam FAQ

For further clarity about the exam policies Visit Certified Information Systems Security Management Professional FAQ

ISSMP  FAQ

CISSP- ISSMP Exam Outline

The exam outline covers descriptive details for all the domains covered in this exam. Further, these domains are divided into various subtopics. Familiarising with the Exam Outline will help you tailor your study plan around the exam concepts.

Domain 1- Leadership and Business Management 20%

  • 1.1 Establish Security’s Role in Organizational Culture, Vision, and Mission
    • Define information security program vision and mission
    • Align security with organizational goals, objectives and values
    • Define security’s relationship to the overall business processes
    • Define the relationship between organizational culture and security
  • 1.2 Align Security Program with Organizational Governance
    • Identify and navigate organizational governance structure
    • Validate roles of key stakeholders
    • Validate sources and boundaries of authorization
    • Advocate and obtain organizational support for security initiatives
  • 1.3 Define and Implement Information Security Strategies
    • Identify security requirements from business initiatives
    • Evaluate capacity and capability to implement security strategies
    • Manage implementation of security strategies
    • Review and maintain security strategies
    • Prescribe security architecture and engineering theories, concepts and methods
  • 1.4 Define and maintain security policy framework Determine applicable external standards
    • Determine applicable external standards
    • Determine data classification and protection requirements
    • Establish internal policies
    • Obtain organizational support for policies
    • Develop procedures, standards, guidelines, and baselines
    • Ensure periodic review of security policy framework
  • 1.5 Manage Security Requirements in Contracts and Agreements
    • Evaluate service management agreements (e.g., risk, financial)
    • Govern managed services (e.g., infrastructure, cloud services)
    • Manage impact of organizational change (e.g., mergers and acquisitions, outsourcing)
    • Ensure that appropriate regulatory compliance statements and requirements are included in contractual agreements
    • Monitor and enforce compliance with contractual agreements
  • 1.6 Manage security awareness and training programs
    • Promote security programs to key stakeholders
    • Identify needs and implement training programs by target segment
    • Monitor and report on effectiveness of security awareness and training programs
  • 1.7 Define, Measure, and Report Security Metrics
    • Identify Key Performance Indicators (KPI)
    • Associate Key Performance Indicators (KPI) to the risk posture of the organization
    • Use metrics to drive security program development and operations
  • 1.8 Prepare, Obtain, and Administer Security Budget
    • Manage and report financial responsibilities
    • Adjust budget based on evolving risks and threat landscape
    • Manage and report financial responsibilities
  • 1.9 Manage Security Programs
    • Define roles and responsibilities
    • Determine and manage team accountability
    • Build cross-functional relationships
    • Resolve conflicts between security and other stakeholders
    • Identify communication bottlenecks and barriers
    • Integrate security controls into human resources processes
  • 1.10 Apply Product Development and Project Management Principles
    • Incorporate security into project lifecycle
    • Identify and apply appropriate project management methodology
    • Analyze project time, scope and cost relationship

Domain 2- Systems Lifecycle Management 18%

  • 2.1 Manage Integration of Security into System Development Lifecycle (SDLC)
    • Integrate information security gates (decision points) and milestones into lifecycle
    • Implement security controls into system lifecycle
    • Oversee configuration management processes
  • 2.2 Integrate New Business Initiatives and Emerging Technologies into the SecurityArchitecture
    • Integrate security into new business initiatives and emerging technologies
    • Address impact of new business initiatives on security posture
  • 2.3 Define and oversee comprehensive vulnerability management programs (e.g., vulnerability scanning, penetration testing, threat analysis)
    • Identify, classify and prioritize assets, systems and services based on criticality to business
    • Prioritize threats and vulnerabilities
    • Manage security testing
    • Manage mitigation and/or remediation of vulnerabilities based on risk
  • 2.4 Manage Security Aspects of Change Control
    • Integrate security requirements with change control process
    • Identify and coordinate with the stakeholders
    • Manage documentation and tracking
    • Ensure policy compliance (e.g., continuous monitoring)

Domain 3- Risk Management 19%

  • 3.1 Develop and Manage a Risk Management Program
    • Identify risk management program objectives
    • Communicate risk management objectives with risk owners and other stakeholders
    • Determine scope of organizational risk program
    • Identify organizational security risk tolerance/appetite
    • Obtain and verify organizational asset inventory
    • Analyze organizational risks
    • Determine countermeasures, compensating and mitigating controls
    • Perform cost-benefit analysis (CBA) of risk treatment options
  • 3.2 Conduct Risk Assessments (RA)
    • Identify risk factors
  • 3.3 Manage security risks within the supply chain (e.g., supplier, vendor, third-party risk)
    • Identify supply chain security risk requirements
    • Integrate supply chain security risks into organizational risk management
    • Validate security risk control within the supply chain
    • Monitor and review the supply chain security risks

Domain 4- Threat Intelligence and Incident Management 17%

  • 4.1 Establish and Maintain Threat Intelligence Program
    • Aggregate threat data from multiple threat intelligence sources
    • Conduct baseline analysis of network traffic, data and user behavior
    • Detect and analyze anomalous behavior patterns for potential concerns
    • Conduct threat modeling
    • Identify and categorize an attack
    • Correlate related security event and threat data
    • Create actionable alerting to appropriate resources
  • 4.2 Establish and Maintain Incident Handling and Investigation Program
    • Develop program documentation
    • Establish incident response case management process
    • Establish Incident Response Team
    • Understand and apply incident management methodologies
    • Establish and maintain incident handling process
    • Establish and maintain investigation process
    • Quantify and report financial and operational impact of incidents and investigations to stakeholders
    • Conduct Root Cause Analysis (RCA)

Domain 5-Contingency Management 15%

  • 5.1 Oversee Development of Contingency Plans (CP)
    • Identify and analyze factors related to the Continuity of Operations Plan (COOP)
    • Identify and analyze factors related to the business continuity plan (BCP) (e.g., time, resources, verification)
    • Identify and analyze factors related to the disaster recovery plan (DRP) (e.g., time, resources, verification)
    • Coordinate contingency management plans with key stakeholders
    • Define internal and external crisis communications plans
    • Define and communicate contingency roles and responsibilities
    • Identify and analyze contingency impact on business processes and priorities
    • Manage third-party dependencies
    • Prepare security management succession plan
  • 5.2 Guide Development of Recovery Strategies
    • Identify and analyze alternatives
    • Recommend and coordinate recovery strategies
    • Assign recovery roles and responsibilities
  • 5.3 Maintain contingency plan, Continuity of Operations Plan (COOP), business continuity plan (BCP) and disaster recovery plan (DRP)
    • Plan testing, evaluation, and modification
    • Determine survivability and resiliency capabilities
    • Manage plan update process
  • 5.4 Manage Recovery Process
    • Declare disaster
    • Implement plan
    • Restore normal operations
    • Gather lessons learned
    • Update plan based on lessons learned

Domain 6- Law, Ethics, and Security Compliance Management 11%

  • 6.1 Identify the impact of laws and regulations that relate to information security
    • Identify applicable privacy laws
    • Identify legal jurisdictions the organization and users operate within (e.g., trans-border data flow)
    • Identify export laws
    • Identify intellectual property (IP) laws
    • Identify applicable industry regulations
    • Identify and advise on non-compliance risks
  • 6.2 Adhere to the (ISC)2 Code of Ethics as related to management issues
  • 6.3 Validate Compliance in Accordance with Applicable Laws, Regulations, and Industry BestPractices
    • Inform and advise senior management
    • Evaluate and select compliance framework(s)
    • Implement the compliance framework(s)
    • Define and monitor compliance metrics
  • 6.4 Coordinate with Auditors, and Assist with the Internal and External Audit Process
    • Prepare
    • Schedule
    • Perform audit
    • Evaluate and validate findings
    • Formulate response
    • Validate implemented mitigation and remediation actions
  • 6.5 Document and Manage Compliance Exceptions
    • Identify and document compensating controls and workarounds
    • Report and obtain authorized approval of risk waiver

Preparatory Guide: ISSMP

The Certified Information Systems Security Management Professional can be quite challenging and may require a lot of effort during its preparations. Clearing such exams is possible only through right set of resources. Follow the step by step CISSP- ISSMP Study Guide to achieve this much valued credential.

Preparatory Guide: ISSMP

Step 1- Deeply Analyse the ISSMP Exam Objectives

Fistly start off by visiting the  (ISC)² Official Site. This will unquestionably put you on the right track. Remember, the official website is the most trusted website to get the authentic information. After you’ve gone through the basic exam details. It’s time to hit the exam guide. The CISSP- ISSMP Exam Guide provides detailed description about the course objectives that help you master the exam concepts. Further, a thorough analysis will let you align yourself more deeply with the chief objectives of the exam. Familiarise yourself with all 6 domains of this exam:

  • Leadership and Business Management 22%
  • Systems Lifecycle Management 19%
  • Risk Management 18%
  • Threat Intelligence and Incident Management 17%
  • Contingency Management 10%
  • Law, Ethics, and Security Compliance Management 14%

Step 2- Know your Study Resources

Cracking the certification becomes difficult when the set of resources chosen is not apt. You should be very careful while choosing the resources as they will determine actually how well you will pass the exam. There are numerous resources that can be used for CISSP- ISSMP Exam Preparations. Let us look at some of the available resources –

Enrol for Training Course

Training courses are a must while preparing for any exam. They offer practical experience that helps you gain better clarity about the exam concepts. (ISC)²  offers its own training courses to aid your preparations.

Official (ISC)² ISSMP Self-Paced Training

The Official (ISC)² ISSMP Self-Paced Training learning solution that covers the content aligned with all the domains of this exam. This training course provides rich content equal to classroom training. It meets certification course requirements. Following are the Learning Objectives of this training:

  • Firstly, Evaluate the role of security, connect the security program with organizational governance, and prioritize security requirements in support of business initiatives to obtain support for the security program.
  • Secondly, Recommend a documented security program that includes security awareness and training and a process for analyzing, managing and enforcing security requirements for contracts and agreements.
  • Then, Apply metrics, budgeting, project management and management of security team and cross-functional and stakeholder associations to achieve a security program.
  • Further, Understand the management of security into organizational security architecture throughout the system lifecycle.
  • Moreover, Understand the organizational requirements necessary to establish an effective Risk Management Program.
  • Subsequently, Understand the general processes employed in the identification of system assets, potential system threats, in-place safeguards, and vulnerabilities in the conduct and analysis of system risk assessments.
  • Furthermore, Understand the principles and practices necessary to establish and maintain a successful incident handling and investigation program.
  • Additionally, Understand the processes and collaboration requirements necessary to establish, maintain, and benefit from a successful threat intelligence program.
  • Finally, Understand the various benefits that the proper conduct of a Business Impact Analysis provides to the organization.
Learn with Official Study Guide
ISSMP Official Guide

Preparation for any exam without books seems unreasonable and unproductive at the same time. So, you should search for relevant and credible books by expert authors for your exam preparation. Books are a comprehensive source of information for candidates to prepare. You can access a detailed explanation of various concepts and strengthen your knowledge. We suggest you to include the following books in your preparation journey:

  • The Official Exam Guide by (ISC)² for the Certified Information Systems Security Management Professional ISSMP exam
  • Information Security Management Handbook, Sixth Edition by Harold F. Tipton and Micki Krause. Publisher: CRC Press.
  • Security Policies and Implementation Issues, Second Edition by Robert Johnson. Publisher: Jones & Bartlett Learning.
Official (ISC)² CISSP-ISSMP Flash Cards
Official ISSMP Flash Cards

Study for the ISSMP exam anytime, anywhere with Official ISSMP Flash Cards. This unique, interactive way tests your knowledge of industry terms while providing you with immediate feedback about whether or not your answer is correct.

Step 3- Join an Community

One thing that will be beneficial during the exam preparation time is to join study groups. These groups will help you to stay connected with the other people who are on the same pathway as yours. Moreover, here you can start any discussion about the issue related to the exam or any query. By doing so, you will get the best possible answer to your doubts. Also, multiple viewpoints make the stuff more dynamic. These discussions make your studies more comprehensive.

Step 4- Check your progress with CISSP- ISSMP Practice Test

Finally, we are on the last step of your preparations for the ISSMP exam. This last step will provide you with the exact insight of where you need to work on. Take CISSP- ISSMP Practice Exams to build your own exam-taking endurance. Make sure you’re going through practice tests only after you have gone through the whole syllabus. Moreover, all the practice tests are designed in such a way that you encounter the real exam environment around you. The results of practice tests can confirm that you’re as knowledgeable as you think, or that you need to step up your studying game. Above all, remember the more you test yourself the better you’re going to become. Start Practising Now to self evaluate your performance 

ISSMP free practice tests
Elevate your career by qualifying ISSMP Certified Information Systems Security Management Professional exam. Start Your Preparations Now!
Menu