This course is in active development. Preview the scope below and create a free account to be notified the moment it goes live.
ISSEP
The ISSEP certification exam validates expertise in applying systems security engineering principles across the entire development lifecycle, covering foundations, risk management, design, implementation, verification, validation, and secure operations.
Who Should Take This
CISSP‑certified professionals who design, develop, or manage complex information systems and have several years of experience in security engineering are ideal candidates. They seek to deepen their mastery of risk‑based design, verification methods, and operational controls to lead secure system initiatives throughout the product lifecycle.
What's Covered
All domains in the ISC2 ISSEP (Information Systems Security Engineering Professional) exam outline: Domain 1 Systems Security Engineering Foundations, Domain 2 Risk Management, Domain 3 Security Planning and Design, Domain 4 Systems Implementation, Verification, and Validation, and Domain 5 Secure Operations, Change Management, and Disposal.
Course Outline
64 learning goals
Domain 1: Systems Security Engineering Foundations (4 topics)
Systems security engineering processes and lifecycle
- Apply NIST SP 800-160 Volume 1 systems security engineering processes to integrate security activities into each phase of the system development lifecycle from concept through disposal.
- Implement the ISSE (Information Systems Security Engineering) process model phases including discovery of needs, requirements definition, architecture design, detailed design, and system implementation.
- Evaluate systems engineering lifecycle models including waterfall, spiral, incremental, and agile to determine appropriate security engineering integration points and deliverables for each methodology.
- Design an organizational systems security engineering process framework that tailors NIST SP 800-160 and ISSE processes to organizational maturity, project complexity, and assurance requirements.
Security engineering principles and concepts
- Apply foundational security engineering principles including least privilege, separation of duties, defense in depth, fail-secure defaults, and economy of mechanism to system design decisions.
- Implement trusted computing base concepts including security perimeter definition, reference monitor requirements, and kernel-level security enforcement mechanisms in system architectures.
- Evaluate security models including Bell-LaPadula, Biba, Clark-Wilson, and Brewer-Nash to determine appropriate confidentiality, integrity, and conflict-of-interest enforcement for specific system contexts.
- Analyze multilevel security architecture requirements by comparing cross-domain solution approaches, guard architectures, and data diode mechanisms for processing information at multiple classification levels.
Systems engineering integration
- Apply systems engineering management processes including technical planning, requirements management, configuration management, and interface management to security engineering program execution.
- Implement traceability mechanisms linking security requirements to design decisions, implementation artifacts, and test cases using requirements traceability matrices and systems modeling tools.
- Assess the effectiveness of security engineering integration within systems engineering programs by evaluating requirement coverage, design traceability gaps, and security deliverable quality metrics.
- Develop a security engineering integration strategy that embeds security practitioners, artifacts, and decision gates into the organizational systems engineering governance framework.
Assurance and trust frameworks
- Apply Common Criteria (ISO/IEC 15408) concepts including protection profiles, security targets, security functional requirements, and security assurance requirements to system evaluation planning.
- Compare evaluation assurance levels (EAL1 through EAL7) to determine appropriate assurance requirements based on system criticality, threat environment, and cost-benefit analysis of evaluation rigor.
- Formulate an assurance strategy that integrates Common Criteria evaluation, FIPS 140-3 validation, and organizational assurance processes to establish appropriate trust in system security mechanisms.
Domain 2: Risk Management (3 topics)
Risk assessment and analysis
- Apply NIST SP 800-30 risk assessment methodology to identify threats, vulnerabilities, and likelihoods for system components and determine risk levels using qualitative and quantitative techniques.
- Execute threat analysis using MITRE ATT&CK framework tactics, techniques, and procedures to characterize adversary capabilities and map attack scenarios to system vulnerabilities.
- Evaluate risk assessment results by comparing threat-vulnerability pairings, impact severity, and exploitation likelihood to prioritize security engineering investments and control selection.
Risk management framework integration
- Apply the NIST Risk Management Framework (RMF) per SP 800-37 including categorization, control selection, implementation, assessment, authorization, and continuous monitoring steps for system authorization.
- Implement security control selection from NIST SP 800-53 control catalog by mapping organizational risk assessment results to appropriate control baselines and applying tailoring guidance.
- Analyze security control inheritance patterns and common control providers to optimize control implementation efficiency across interconnected systems and shared service architectures.
- Design an enterprise RMF implementation strategy that scales authorization processes across large system portfolios using reciprocity, continuous monitoring, and automated assessment capabilities.
Supply chain risk management
- Apply NIST SP 800-161 supply chain risk management practices to evaluate third-party component risks, establish vendor security requirements, and implement provenance verification controls.
- Evaluate software supply chain security by analyzing software bill of materials (SBOM) completeness, dependency vulnerability exposure, and build pipeline integrity verification mechanisms.
- Develop a supply chain risk management strategy that integrates hardware and software provenance assurance, vendor risk tiering, and continuous supply chain monitoring into system acquisition processes.
Domain 3: Security Planning and Design (4 topics)
Security requirements engineering
- Apply security requirements elicitation techniques including stakeholder interviews, misuse case analysis, and regulatory compliance mapping to derive comprehensive security requirements specifications.
- Implement security requirements classification and prioritization using MoSCoW, risk-weighted scoring, and assurance-driven methods to allocate engineering resources to highest-impact requirements.
- Analyze security requirements conflicts and tradeoffs between confidentiality, integrity, availability, usability, and performance to recommend balanced requirement sets for complex system designs.
- Develop a security requirements management strategy that ensures bidirectional traceability, change impact analysis, and requirements validation throughout the system engineering lifecycle.
Security architecture design
- Apply security architecture design patterns including defense in depth layering, security domain separation, mediated access, and security kernel isolation to system architectural decisions.
- Implement network security architecture designs with segmentation zones, demilitarized zones, security gateways, and encrypted tunnels based on data flow analysis and trust boundary definitions.
- Configure cryptographic subsystem designs with algorithm selection, key management architectures, PKI integration, and crypto-module deployment for data protection at rest, in transit, and in use.
- Evaluate security architecture design alternatives by comparing attack surface exposure, control coverage completeness, single points of failure, and architectural complexity against security requirements.
- Architect a security design review process that validates architectural decisions against security requirements, threat models, and organizational security policies before proceeding to detailed design.
Secure system detailed design
- Implement secure authentication and authorization subsystem designs with credential management, session control, privilege escalation prevention, and audit logging mechanisms.
- Deploy secure logging and audit subsystem designs with tamper-evident log storage, log integrity verification, centralized collection, and correlation capabilities for security monitoring.
- Apply secure interface design principles including input validation, output encoding, error handling, and boundary protection mechanisms for inter-component and external system interfaces.
- Evaluate detailed security design specifications for completeness by verifying all security requirements have traceable design elements and all trust boundary interfaces have defined protection mechanisms.
Resilience and availability engineering
- Implement system resilience designs with redundancy, failover mechanisms, graceful degradation, and self-healing capabilities to maintain security functionality during adverse conditions.
- Analyze system failure modes and their security implications by evaluating fail-safe, fail-secure, and fail-open behaviors across critical system components and security enforcement points.
- Design a cyber resilience strategy per NIST SP 800-160 Volume 2 that integrates anticipate, withstand, recover, and adapt techniques into system engineering to address advanced persistent threats.
Domain 4: Systems Implementation, Verification, and Validation (3 topics)
Secure implementation practices
- Apply secure coding standards including CERT C/C++, OWASP secure coding guidelines, and language-specific security best practices to implementation of security-critical software components.
- Implement secure build pipeline configurations with reproducible builds, code signing, dependency verification, and build environment hardening for trusted software artifact production.
- Evaluate implementation security quality by analyzing static analysis findings, code review coverage, and secure coding standard compliance metrics across development team outputs.
Security verification and testing
- Implement security verification test plans with unit-level security tests, integration security tests, and system-level security acceptance criteria mapped to security requirements specifications.
- Execute security testing methodologies including penetration testing, fuzz testing, static analysis, dynamic analysis, and formal verification techniques appropriate to the system assurance level.
- Assess security test results by evaluating finding severity, exploitability, and business impact to prioritize remediation efforts and determine readiness for security certification activities.
- Plan a comprehensive security verification strategy that balances automated testing, manual review, and independent assessment activities to achieve required assurance levels within schedule and budget constraints.
Security validation and certification
- Apply security certification and accreditation processes per NIST RMF to compile authorization packages with system security plans, security assessment reports, and plans of action and milestones.
- Evaluate security validation evidence sufficiency by comparing test coverage against security requirements, assessing residual risk acceptability, and verifying compensating control adequacy.
- Recommend authorization decisions based on comprehensive risk analysis that integrates security assessment findings, operational environment factors, and organizational risk tolerance thresholds.
Domain 5: Secure Operations, Change Management, and Disposal (4 topics)
Secure operations and continuous monitoring
- Implement continuous monitoring architectures per NIST SP 800-137 with automated security control assessment, vulnerability scanning, and security status reporting for ongoing authorization maintenance.
- Deploy security information and event management capabilities with log collection, correlation rules, alerting thresholds, and incident escalation procedures for operational security monitoring.
- Evaluate operational security posture by analyzing continuous monitoring data trends, security control effectiveness over time, and emerging threat impact on existing security architectures.
- Develop a continuous monitoring strategy that optimizes monitoring frequency, assessment depth, and reporting cadence based on system criticality, threat environment, and organizational risk tolerance.
Configuration and change management
- Implement security configuration management processes with baseline establishment, deviation detection, and automated remediation for maintaining system security integrity during operations.
- Apply security impact analysis processes to evaluate proposed system changes for their effects on security controls, authorization boundaries, and residual risk before approving change implementation.
- Assess change management effectiveness by evaluating unauthorized change detection rates, security regression frequency, and configuration drift metrics across the operational system portfolio.
Incident response engineering
- Implement incident response procedures per NIST SP 800-61 with preparation, detection, containment, eradication, recovery, and post-incident analysis phases integrated with engineering processes.
- Analyze incident root causes using fault tree analysis, event reconstruction, and evidence correlation to identify systemic engineering deficiencies and recommend design improvements.
- Formulate a lessons-learned integration strategy that feeds incident response findings back into security requirements, design patterns, and testing procedures for continuous engineering improvement.
Secure system disposal and decommissioning
- Apply secure disposal procedures per NIST SP 800-88 including media sanitization techniques (clear, purge, destroy), verification methods, and sanitization documentation for data-bearing devices.
- Implement system decommissioning plans that address data migration, credential revocation, interconnection termination, and authorization boundary updates for retiring systems from operational use.
- Evaluate decommissioning completeness by verifying data sanitization certification, archive record integrity, dependency impact analysis, and regulatory retention compliance for disposed systems.
Scope
Included Topics
- All domains in the ISC2 ISSEP (Information Systems Security Engineering Professional) exam outline: Domain 1 Systems Security Engineering Foundations (25%), Domain 2 Risk Management (14%), Domain 3 Security Planning and Design (30%), Domain 4 Systems Implementation, Verification, and Validation (14%), Domain 5 Secure Operations, Change Management, and Disposal (17%).
- NIST SP 800-160 Volume 1 systems security engineering processes including stakeholder requirements definition, requirements analysis, architectural design, implementation, integration, verification, validation, transition, operation, maintenance, and disposal.
- Information Systems Security Engineering (ISSE) methodology per NSA/NIST guidance including discover needs, define system requirements, design system architecture, develop detailed design, and implement system.
- Common Criteria (ISO/IEC 15408) evaluation framework including protection profiles, security targets, evaluation assurance levels (EAL1-EAL7), and security functional requirements and security assurance requirements.
- Systems engineering lifecycle models including waterfall, spiral, agile, and DevSecOps with security engineering activity integration at each phase for secure system development.
- Verification and validation techniques including security testing, formal methods, penetration testing, code review, static analysis, and security certification and accreditation processes.
Not Covered
- Hands-on exploit development, reverse engineering, and offensive security techniques that fall outside the defensive engineering and assurance scope of ISSEP.
- Entry-level security fundamentals already covered by the base CISSP certification prerequisite; ISSEP assumes full CISSP-level knowledge as a baseline.
- Vendor-specific product pricing, licensing, and rapidly changing commercial details not stable for enduring engineering specifications.
- Pure enterprise architecture and business strategy content not directly tied to systems security engineering processes and technical assurance activities.
Official Exam Page: Learn more at ISC2