ISSAP (ISC2)

Coming Soon: expected availability will be announced soon.

This course is in active development. Preview the scope below and create a free account to be notified the moment it goes live.

The ISSAP training equips CISSP‑certified professionals with expert‑level mastery of security architecture modeling, infrastructure security, IAM design, governance, compliance, risk management, and security operations architecture, enabling them to design and evaluate enterprise‑wide security solutions.

  • Exam duration: 180 minutes
  • Questions: 125
  • Passing score: 700/1000
  • Exam cost: $599

Who Should Take This

This course is intended for senior security architects, lead consultants, or managers who already hold the CISSP certification and have several years of experience designing, implementing, and evaluating complex security frameworks across multiple domains. These professionals seek to deepen their architectural expertise, align security programs with governance and risk objectives, and qualify for the ISSAP credential.

What's Covered

All domains in the ISC2 ISSAP (Information Systems Security Architecture Professional) exam outline:

  • Domain 1: Security Architecture Modeling
  • Domain 2: Infrastructure Security
  • Domain 3: Identity and Access Management Architecture
  • Domain 4: Architect for Governance, Compliance, and Risk Management
  • Domain 5: Security Operations Architecture
  • Domain 6: Application Security Architecture

What's Included in AccelaStudy® AI

  • Adaptive Knowledge Graph
  • Practice Questions
  • Lesson Modules
  • Console Simulator Labs
  • Exam Tips & Strategy
  • 20 Activity Formats

Course Outline

69 learning goals

Domain 1: Security Architecture Modeling (3 topics)

Security architecture frameworks and methodologies

  • Apply the SABSA framework layered model to decompose business security requirements into contextual, conceptual, logical, physical, and component architecture views for enterprise security design.
  • Apply TOGAF Architecture Development Method phases to integrate security architecture deliverables into enterprise architecture governance cycles and architecture repository artifacts.
  • Evaluate competing security architecture frameworks including SABSA, TOGAF, OSA, and NIST Cybersecurity Framework to determine optimal framework selection based on organizational maturity and business context.
  • Design a tailored security architecture methodology that integrates elements from multiple frameworks to align with organizational governance structures, risk appetite, and regulatory obligations.

Security reference architectures and patterns

  • Implement defense-in-depth reference architectures with layered security controls spanning network perimeter, internal segmentation, host hardening, application security, and data protection boundaries.
  • Apply zero trust architecture principles per NIST SP 800-207 including policy decision points, policy enforcement points, and continuous authentication and authorization verification.
  • Analyze security zone models and trust boundary placement to determine optimal segmentation strategies that balance operational efficiency with risk containment across enterprise network topologies.
  • Architect a security reference model that maps security services, capabilities, and controls to business process requirements using traceability matrices and security service catalogs.

Threat modeling and architecture risk analysis

  • Apply STRIDE and PASTA threat modeling methodologies to systematically identify threats against architectural components, data flows, and trust boundaries in enterprise system designs.
  • Evaluate attack surface exposure across architectural tiers using attack trees, misuse cases, and data flow diagrams to prioritize security control placement and residual risk acceptance.
  • Design an architecture risk analysis process that integrates threat modeling outputs with business impact assessments to produce prioritized security architecture remediation roadmaps.

Domain 2: Infrastructure Security (4 topics)

Network security architecture

  • Implement network segmentation architectures using VLANs, software-defined networking, and micro-segmentation to enforce least-privilege network access and contain lateral movement.
  • Configure next-generation firewall architectures with application-layer inspection, intrusion prevention, SSL/TLS decryption, and policy orchestration across distributed enforcement points.
  • Deploy secure DNS architecture including DNSSEC validation, DNS sinkholing, DNS-over-HTTPS/TLS, and split-horizon configurations to protect name resolution integrity and confidentiality.
  • Evaluate network security architecture designs by analyzing traffic flow patterns, chokepoint effectiveness, and control coverage gaps to identify residual risks and compensating control requirements.
  • Architect an enterprise network security strategy that integrates perimeter defense, internal segmentation, and zero trust micro-segmentation with unified policy management and monitoring.

Endpoint and host security architecture

  • Implement endpoint protection platform architectures with EDR, application whitelisting, host-based firewalls, and device compliance posture assessment for managed and unmanaged endpoints.
  • Deploy secure configuration baseline architectures using CIS Benchmarks, STIG hardening guides, and configuration management automation to enforce consistent host security posture at scale.
  • Assess endpoint security architecture maturity by comparing detection coverage, response automation capabilities, and integration depth across EDR, XDR, and SOAR platform options.

Cloud and virtualization security architecture

  • Implement cloud security reference architectures addressing shared responsibility boundaries, cloud-native security controls, and workload protection across IaaS, PaaS, and SaaS deployment models.
  • Configure container and Kubernetes security architectures including image signing, runtime protection, network policies, pod security standards, and secrets management for orchestrated workloads.
  • Evaluate multi-cloud security posture management strategies by comparing CSPM capabilities, control consistency, and visibility gaps across heterogeneous cloud provider environments.
  • Architect a hybrid and multi-cloud security strategy that unifies identity, network controls, data protection, and monitoring across on-premises and multiple cloud provider environments.

Cryptographic architecture and key management

  • Implement PKI architectures with root and subordinate certificate authority hierarchies, certificate lifecycle management, revocation mechanisms, and trust chain validation processes.
  • Deploy enterprise key management architectures using HSMs, KMS services, and key escrow mechanisms with automated key rotation, separation of duties, and cryptoperiod enforcement.
  • Evaluate cryptographic algorithm selection for data-at-rest and data-in-transit protection by comparing AES-256, ChaCha20, RSA, ECDSA, and post-quantum algorithm readiness for enterprise deployment.
  • Develop a cryptographic migration strategy for transitioning enterprise systems to post-quantum cryptography including algorithm selection, hybrid transition mechanisms, and crypto-agility architecture.

Domain 3: Identity and Access Management Architecture (3 topics)

Identity lifecycle and governance architecture

  • Implement identity lifecycle management architectures with automated provisioning, joiner-mover-leaver workflows, and integration with HR systems for authoritative identity sourcing.
  • Deploy identity governance and administration platforms with access certification campaigns, segregation-of-duties enforcement, and role mining for continuous access compliance.
  • Assess identity governance maturity by evaluating orphan account prevalence, access recertification coverage, role explosion indicators, and policy enforcement consistency metrics.

Authentication architecture

  • Implement multi-factor authentication architectures integrating FIDO2/WebAuthn passwordless authentication, TOTP, push notification, and risk-based adaptive authentication mechanisms.
  • Configure federated identity architectures using SAML 2.0, OpenID Connect, and OAuth 2.0 for cross-organizational single sign-on with appropriate trust establishment and claim mapping.
  • Evaluate authentication architecture resilience by analyzing session management security, token lifecycle protections, credential stuffing mitigations, and authentication bypass attack vectors.
  • Recommend an enterprise authentication strategy that consolidates disparate authentication mechanisms into a unified identity platform with progressive passwordless adoption and adaptive risk scoring.

Authorization and access control architecture

  • Implement role-based and attribute-based access control architectures with policy decision points, policy information points, and centralized policy administration for enterprise authorization.
  • Deploy privileged access management architectures with session recording, just-in-time elevation, credential vaulting, and break-glass procedures for high-risk administrative access.
  • Analyze authorization model effectiveness by comparing RBAC role explosion risks, ABAC policy complexity, and ReBAC relationship modeling capabilities for different organizational access patterns.
  • Architect a zero trust access control strategy that integrates identity-aware proxies, continuous authorization evaluation, and context-based policy enforcement across all enterprise resource types.

Domain 4: Architect for Governance, Compliance, and Risk Management (3 topics)

Security governance architecture

  • Establish security governance architectures that align security program structure, reporting lines, and decision authorities with enterprise governance frameworks such as COBIT and ISO 27014.
  • Implement security policy architecture with hierarchical policy frameworks spanning governance policies, standards, procedures, and guidelines with automated compliance verification mechanisms.
  • Design a security metrics and reporting architecture that provides actionable KPIs and KRIs to executive stakeholders for informed security investment and risk acceptance decisions.

Compliance and regulatory architecture

  • Implement compliance-as-code architectures with automated control testing, continuous compliance monitoring, and evidence collection for regulatory frameworks including SOX, PCI DSS, HIPAA, and GDPR.
  • Evaluate regulatory control mapping architectures by analyzing control overlap, gap identification, and unified control framework implementation across multiple concurrent compliance obligations.
  • Architect a data sovereignty and cross-border compliance strategy that addresses jurisdictional data residency requirements, transfer mechanisms, and privacy-by-design architectural controls.

Risk management architecture

  • Apply quantitative risk analysis methodologies including FAIR (Factor Analysis of Information Risk) to model annualized loss expectancy, single loss expectancy, and risk exposure in financial terms.
  • Evaluate control effectiveness and residual risk by analyzing compensating controls, risk transference through cyber insurance, and risk acceptance criteria alignment with organizational risk appetite.
  • Formulate an enterprise risk management integration strategy that connects security architecture risk assessments with organizational ERM processes, risk registers, and board-level risk reporting.

Domain 5: Security Operations Architecture (4 topics)

SOC and SIEM architecture

  • Implement SIEM architectures with log collection, normalization, correlation rule engines, and tiered storage for centralized security event management across enterprise infrastructure.
  • Deploy SOAR platform architectures with automated playbook orchestration, case management workflows, and threat intelligence enrichment to accelerate incident response and reduce analyst fatigue.
  • Evaluate SOC maturity models by analyzing detection coverage metrics, mean time to detect, mean time to respond, and analyst workload distribution to identify capability gaps.
  • Architect a next-generation SOC strategy integrating XDR telemetry fusion, AI-driven alert triage, automated containment actions, and threat hunting programs for proactive threat detection.

Incident response and forensics architecture

  • Implement incident response architectures with defined escalation paths, communication channels, evidence preservation procedures, and integration with legal and regulatory notification requirements.
  • Deploy digital forensics architectures with chain-of-custody controls, forensic imaging capabilities, network packet capture, and memory analysis tooling for post-incident investigation support.
  • Evaluate incident response effectiveness by analyzing tabletop exercise outcomes, post-incident reviews, detection-to-containment timelines, and lessons-learned integration into architecture improvements.

Business continuity and disaster recovery architecture

  • Implement disaster recovery architectures with defined RTO and RPO targets, replication strategies, failover automation, and geographic redundancy for critical business systems.
  • Evaluate disaster recovery architecture designs by comparing hot, warm, and cold site strategies against recovery time objectives, cost constraints, and data loss tolerance for each business function.
  • Architect a resilience strategy that integrates business continuity planning, disaster recovery, and cyber resilience capabilities with regular testing, dependency mapping, and recovery orchestration.

Vulnerability and patch management architecture

  • Implement vulnerability management architectures with authenticated scanning, risk-based prioritization using CVSS and EPSS scores, and integration with asset inventory and configuration databases.
  • Assess vulnerability management program effectiveness by analyzing patch compliance rates, remediation SLA adherence, vulnerability recurrence patterns, and exception management processes.

Domain 6: Application Security Architecture (3 topics)

Secure SDLC and DevSecOps architecture

  • Implement secure SDLC architectures integrating security requirements gathering, threat modeling, secure coding standards, and security testing gates into agile and CI/CD development workflows.
  • Deploy DevSecOps pipeline architectures with SAST, DAST, SCA, container image scanning, and infrastructure-as-code security validation integrated as automated quality gates in CI/CD pipelines.
  • Evaluate application security testing strategy effectiveness by comparing SAST false-positive rates, DAST coverage depth, SCA vulnerability detection accuracy, and developer remediation velocity.

API and web application security architecture

  • Implement API security architectures with OAuth 2.0 authorization flows, API gateway rate limiting, request validation, and API key management for internal and external API consumption patterns.
  • Deploy web application firewall architectures with OWASP Core Rule Set tuning, bot management, DDoS mitigation layers, and content delivery network security integration for internet-facing applications.
  • Analyze application attack surface reduction by evaluating input validation coverage, output encoding consistency, and OWASP Top 10 mitigation control implementation across the application portfolio.
  • Recommend an application security architecture strategy that balances developer velocity with security control integration using risk-based application classification and tiered security requirements.

Data protection and privacy architecture

  • Implement data classification architectures with automated discovery, labeling, and DLP policy enforcement for structured and unstructured data across on-premises and cloud storage repositories.
  • Deploy data masking, tokenization, and anonymization architectures for protecting sensitive data in non-production environments, analytics pipelines, and third-party data sharing scenarios.
  • Architect a comprehensive data protection strategy that integrates classification, encryption, access controls, retention policies, and privacy-enhancing technologies aligned with data governance objectives.

Scope

Included Topics

  • All domains in the ISC2 ISSAP (Information Systems Security Architecture Professional) exam outline: Domain 1 Security Architecture Modeling (21%), Domain 2 Infrastructure Security (21%), Domain 3 Identity and Access Management Architecture (16%), Domain 4 Architect for Governance, Compliance, and Risk Management (16%), Domain 5 Security Operations Architecture (14%), Domain 6 Application Security Architecture (12%).
  • Enterprise security architecture frameworks including SABSA (the Sherwood Applied Business Security Architecture layered model) and TOGAF Security Architecture, used to align security services with business requirements.
  • Zero trust architecture design principles per NIST SP 800-207 including policy decision points, policy enforcement points, micro-segmentation, continuous verification, and least-privilege access models.
  • Defense-in-depth strategy across network, host, application, and data layers including security reference architectures, security zones, trust boundaries, and compensating controls.
  • Security architecture for cloud, hybrid, and multi-cloud environments including shared responsibility models, cloud security reference architectures, and cloud-native security service integration.
  • Cryptographic architecture including PKI design, key management lifecycle, certificate authority hierarchies, HSM integration, and cryptographic algorithm selection for data-at-rest and data-in-transit protection.

Not Covered

  • Hands-on tool configuration syntax, vendor-specific CLI commands, and implementation-level scripting that is below the architecture decision-making level tested by ISSAP.
  • Entry-level security fundamentals already covered by the base CISSP certification prerequisite; ISSAP assumes full CISSP-level knowledge as a baseline.
  • Vendor-specific product pricing, licensing models, and rapidly changing commercial details not stable for enduring architecture specifications.
  • Offensive security techniques, penetration testing methodologies, and exploit development that fall outside the defensive architecture scope of ISSAP.

Official Exam Page: learn more at ISC2.

Trademark Notice

(ISC)²®, CISSP®, CCSP®, SSCP®, CSSLP®, and all (ISC)² certification marks are registered trademarks of (ISC)². (ISC)² does not endorse this product.

AccelaStudy® and Renkara® are registered trademarks of Renkara Media Group, Inc. All third-party marks are the property of their respective owners and are used for nominative identification only.