ISSMP (ISC2): Coming Soon

This course is in active development. Preview the scope below and create a free account to be notified the moment it goes live.

The ISSMP certification course equips CISSP‑qualified professionals with advanced expertise in security leadership, lifecycle governance, risk assessment, threat intelligence, and contingency planning, enabling them to steer enterprise security strategy.

  • Exam length: 180 minutes
  • Questions: 125
  • Passing score: 700/1000
  • Exam cost: $599

Who Should Take This

Senior security leaders, such as CISO, VP of Security, or security program directors, who hold CISSP certification and have five or more years directing security initiatives, are ideal candidates. They seek to deepen their mastery of governance, risk, and incident response to align security programs with business objectives and regulatory demands.

What's Covered

All domains in the ISC2 ISSMP (Information Systems Security Management Professional) exam outline:

  • Domain 1: Leadership and Business Management
  • Domain 2: Systems Lifecycle Management
  • Domain 3: Risk Management
  • Domain 4: Threat Intelligence and Incident Management
  • Domain 5: Contingency Management
  • Domain 6: Law, Ethics, and Security Compliance Management

What's Included in AccelaStudy® AI

Adaptive Knowledge Graph
Practice Questions
Lesson Modules
Console Simulator Labs
Exam Tips & Strategy
20 Activity Formats

Course Outline

74 learning goals
Domain 1: Leadership and Business Management (4 topics)

Security program leadership and governance

  • Establish a security governance framework that defines security organizational structure, reporting relationships, decision authority matrices, and accountability mechanisms aligned with corporate governance.
  • Implement security steering committee structures with charter documents, meeting cadences, escalation procedures, and decision-making frameworks for cross-functional security governance.
  • Evaluate security program maturity using CMMI maturity levels, NIST CSF implementation tiers, and ISO 27001 gap assessments to identify capability gaps and prioritize improvement initiatives against organizational risk tolerance.
  • Develop a multi-year security program roadmap that sequences capability investments, maturity targets, and transformation milestones aligned with business strategy and risk appetite evolution.

Security budget and financial management

  • Apply security budget development methodologies including zero-based budgeting, risk-based allocation, and total cost of ownership analysis for capital and operational security expenditures.
  • Implement security investment justification using ROI analysis, risk reduction quantification, cost-benefit analysis, and business case development to secure executive funding approval.
  • Evaluate security spending effectiveness by comparing cost-per-control, cost-per-incident, and risk-reduction-per-dollar metrics across security program investment categories to optimize allocation.
  • Formulate a security financial strategy that balances preventive investment, detective capability, and incident response readiness spending against organizational risk appetite and budget constraints.

Security workforce management

  • Establish security team organizational structures with role definitions, competency frameworks, career progression paths, and skills gap analysis for building and retaining security talent.
  • Implement security awareness and training programs with role-based curricula, phishing simulation campaigns, metrics-driven effectiveness measurement, and regulatory training compliance tracking.
  • Assess security workforce readiness by analyzing staffing ratios, skill distribution across NICE framework categories, certification coverage, and turnover risk for critical security roles.

Executive communication and stakeholder management

  • Create board-level security reporting packages with risk dashboards, trend analysis, peer benchmarking, and strategic initiative progress updates tailored to non-technical executive audiences.
  • Implement security metrics and KPI frameworks using balanced scorecard approaches to measure and communicate security program performance across prevention, detection, response, and governance dimensions.
  • Evaluate stakeholder engagement effectiveness by analyzing security decision velocity, cross-functional security adoption rates, and executive risk acceptance documentation quality.
  • Design a security communication strategy that tailors messaging, metrics, and risk narratives for board, C-suite, business unit, and technical audiences to drive security-aligned decision-making.
Domain 2: Systems Lifecycle Management (4 topics)

Secure acquisition and procurement management

  • Implement security requirements in procurement processes including RFP security clauses, vendor security assessments, contractual security obligations, and SLA security performance metrics.
  • Apply vendor risk management processes with security due diligence questionnaires, third-party assessment reports (SOC 2, ISO 27001), and ongoing vendor security performance monitoring.
  • Evaluate third-party security risk concentration by analyzing vendor dependency criticality, supply chain single points of failure, and substitutability constraints across the vendor portfolio.

Secure development lifecycle governance

  • Establish secure SDLC governance with security gate criteria, security review checkpoints, and risk-based security testing requirements integrated into project management methodologies.
  • Implement software security assurance metrics with vulnerability density tracking, security defect escape rates, remediation velocity, and security debt quantification for development portfolio management.
  • Assess software security program maturity using BSIMM and SAMM frameworks to benchmark organizational secure development capabilities against industry peers and identify improvement priorities.
  • Develop a DevSecOps transformation strategy that embeds security automation, shared responsibility models, and security champion programs into organizational software delivery pipelines.

Security architecture governance

  • Establish security architecture review boards with defined review criteria, exception management processes, and architectural decision records for maintaining security design consistency.
  • Evaluate security architecture technical debt by analyzing legacy system security control gaps, deferred remediation backlogs, and unsupported technology risks across the enterprise portfolio.
  • Plan a security architecture modernization strategy that prioritizes legacy system remediation, cloud migration security requirements, and technical debt reduction based on risk exposure and business value.

System disposal and data lifecycle management

  • Implement data retention and disposal policies with classification-based retention schedules, legal hold procedures, and verified sanitization processes for end-of-life data management.
  • Assess data lifecycle management compliance by evaluating retention policy adherence, disposal certification completeness, and regulatory evidence sufficiency across data repositories.
Domain 3: Risk Management (3 topics)

Risk program establishment and governance

  • Establish an enterprise security risk management program with risk governance structures, risk appetite statements, risk tolerance thresholds, and risk reporting hierarchies per ISO 31000 principles.
  • Implement risk register management processes with risk identification, categorization, ownership assignment, treatment tracking, and periodic risk review cycles for enterprise risk visibility.
  • Evaluate risk program effectiveness by analyzing risk assessment coverage, treatment plan execution rates, risk acceptance documentation quality, and alignment with organizational risk appetite.
  • Design a risk management integration strategy that connects security risk processes with enterprise risk management, internal audit, and strategic planning functions for unified organizational risk governance.

Risk assessment methodologies

  • Apply quantitative risk analysis using FAIR methodology to model loss event frequency, loss magnitude, and risk exposure in financial terms for security investment prioritization.
  • Execute qualitative risk assessments using likelihood-impact matrices, risk heat maps, and scenario-based analysis to communicate risk levels to non-technical business stakeholders.
  • Compare quantitative and qualitative risk assessment approaches by evaluating data requirements, analytical rigor, stakeholder comprehension, and decision-support value for different risk contexts.
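The following is an added example, not part of the course material or of the Open FAIR standard itself: a small Monte Carlo model of the FAIR factor tree (loss event frequency as threat event frequency times vulnerability, loss magnitude as primary plus secondary loss), used to compare a baseline scenario against the same scenario after a control. The scenario figures, the control (phishing-resistant MFA) and its cost are hypothetical, constructed for illustration.

```python
"""FAIR-style Monte Carlo estimate of annualized loss exposure (added example).

Simplified factor tree:
  Loss Event Frequency (LEF) = Threat Event Frequency (TEF) x Vulnerability (P[threat event succeeds])
  Loss Magnitude per event   = Primary loss + Secondary loss
Each factor is elicited as (min, most_likely, max) and sampled from a PERT distribution.
"""
import math
import random
import statistics

# Constructed, hypothetical scenario: credential phishing leading to business email compromise.
BASELINE = {
    "tef": (2, 6, 15),                            # threat events per year
    "vuln": (0.10, 0.25, 0.45),                   # probability a threat event becomes a loss event
    "primary_loss": (20_000, 80_000, 250_000),    # response, recovery, lost productivity (USD)
    "secondary_loss": (0, 30_000, 400_000),       # fines, legal, customer churn (USD)
}
# Same scenario after phishing-resistant MFA (hypothetical effect): only vulnerability changes.
WITH_MFA = dict(BASELINE, vuln=(0.01, 0.03, 0.08))
MFA_ANNUAL_COST = 150_000  # hypothetical run-rate cost of the control (USD/year)


def pert_sample(rng, low, mode, high, lam=4.0):
    """Draw from a modified-PERT distribution bounded by [low, high] and peaked at mode."""
    if high <= low:
        return low
    alpha = 1 + lam * (mode - low) / (high - low)
    beta = 1 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(alpha, beta) * (high - low)


def poisson_sample(rng, lam):
    """Number of loss events in one year given expected frequency lam (Knuth's method)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(scenario, iterations=10_000, seed=1):
    """Return one simulated annual loss total per iteration."""
    rng = random.Random(seed)
    losses = []
    for _ in range(iterations):
        tef = pert_sample(rng, *scenario["tef"])
        vuln = pert_sample(rng, *scenario["vuln"])
        events = poisson_sample(rng, tef * vuln)     # LEF drives the event count
        total = 0.0
        for _ in range(events):                      # loss magnitude is sampled per event
            total += pert_sample(rng, *scenario["primary_loss"])
            total += pert_sample(rng, *scenario["secondary_loss"])
        losses.append(total)
    return losses


def percentile(values, p):
    ordered = sorted(values)
    return ordered[min(int(p * len(ordered)), len(ordered) - 1)]


def summarize(losses, tolerance):
    """Decision-support figures: expected loss, tail loss, chance of breaching tolerance."""
    return {
        "ale": statistics.fmean(losses),             # annualized loss expectancy
        "p50": percentile(losses, 0.50),
        "p90": percentile(losses, 0.90),
        "p_any_loss": sum(1 for x in losses if x > 0) / len(losses),
        "p_exceed_tolerance": sum(1 for x in losses if x > tolerance) / len(losses),
    }


def compare_treatment(baseline, treated, control_cost, tolerance=500_000):
    """Risk reduction per dollar: the figure used to rank competing control investments."""
    before = summarize(simulate_annual_loss(baseline), tolerance)
    after = summarize(simulate_annual_loss(treated), tolerance)
    reduction = before["ale"] - after["ale"]
    return {
        "before": before,
        "after": after,
        "ale_reduction": reduction,
        "net_benefit": reduction - control_cost,
        "reduction_per_dollar": reduction / control_cost if control_cost else float("inf"),
    }


if __name__ == "__main__":
    result = compare_treatment(BASELINE, WITH_MFA, MFA_ANNUAL_COST)
    for key in ("before", "after"):
        s = result[key]
        print(f"{key:>6}: ALE ${s['ale']:,.0f}  p90 ${s['p90']:,.0f}  "
              f"P(loss > tolerance) {s['p_exceed_tolerance']:.1%}")
    print(f"ALE reduction ${result['ale_reduction']:,.0f}, net benefit ${result['net_benefit']:,.0f}, "
          f"${result['reduction_per_dollar']:.2f} of risk reduced per $1 spent")
```

The point of the simulation over a single-line ALE = SLE x ARO calculation is the tail: the p90 and the probability of exceeding a stated tolerance are what a risk appetite statement is written against, and they are invisible in a point estimate. Treat the output as only as good as the elicited ranges; record who supplied each range and why, because that calibration evidence is what an auditor or board will ask for.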

Risk treatment and transfer

  • Implement risk treatment plans with control selection, implementation timelines, resource allocation, and effectiveness measurement for risk mitigation, transfer, avoidance, and acceptance decisions.
  • Apply cyber insurance procurement practices including coverage evaluation, policy comparison, claims process understanding, and alignment of insurance coverage with residual risk exposure profiles.
  • Evaluate residual risk acceptability by analyzing control effectiveness evidence, compensating control adequacy, and risk acceptance authority thresholds for informed risk treatment decisions.
  • Recommend an optimized risk treatment portfolio that balances control investments, insurance coverage, and accepted residual risk against organizational risk appetite and available security budget.
Domain 4: Threat Intelligence and Incident Management (3 topics)

Threat intelligence program management

  • Establish a threat intelligence program with intelligence requirements gathering, collection management frameworks, source reliability evaluation, and dissemination processes per the intelligence lifecycle.
  • Implement threat intelligence sharing capabilities using STIX/TAXII standards, ISAC/ISAO membership, and trusted sharing partnerships for collaborative defense against sector-specific threats.
  • Evaluate threat intelligence program value by analyzing intelligence-to-action conversion rates, threat detection improvement metrics, and strategic threat assessment accuracy over time.
  • Develop a threat-informed defense strategy that integrates tactical, operational, and strategic intelligence with risk management, security architecture, and security operations decision-making.

Incident response program management

  • Establish incident response program governance with team structure, roles and responsibilities, authority delegation, external communication protocols, and legal/regulatory notification requirements.
  • Implement incident classification and escalation frameworks with severity levels, impact criteria, escalation triggers, and executive notification thresholds for consistent incident handling.
  • Deploy incident response retainer and managed detection and response contracts with defined SLAs, engagement procedures, and performance measurement criteria for supplementary response capacity.
  • Assess incident response program readiness by evaluating exercise frequency, detection-to-containment timelines, post-incident review quality, and lessons-learned implementation rates.
  • Architect an incident response maturity improvement plan that advances capabilities from reactive to proactive, incorporating threat hunting, automated containment, and predictive threat analysis.

Security operations management

  • Implement security operations center management practices with analyst tier structures, shift coverage planning, workload balancing, and burnout prevention for sustainable 24/7 monitoring operations.
  • Evaluate SOC operational efficiency by comparing alert-to-incident ratios, false-positive rates, analyst utilization metrics, and automation coverage to identify operational improvement opportunities.
  • Recommend a security operations optimization strategy that balances in-house SOC capabilities, managed security service provider augmentation, and automation investments for cost-effective threat detection.
Domain 5: Contingency Management (4 topics)

Business impact analysis and continuity planning

  • Execute business impact analysis with process dependency mapping, financial loss quantification, maximum tolerable downtime determination, and recovery priority sequencing for critical business functions.
  • Implement business continuity plan development with recovery strategy selection, plan documentation, communication trees, and alternate processing site arrangements per ISO 22301 requirements.
  • Evaluate business continuity plan adequacy by analyzing recovery time objective alignment, plan completeness, stakeholder awareness levels, and dependency coverage across business functions.

Disaster recovery management

  • Implement disaster recovery plans with technology recovery procedures, data restoration processes, infrastructure failover sequences, and return-to-normal operations checklists for IT service continuity.
  • Evaluate disaster recovery site strategies by comparing hot, warm, cold, and cloud-based recovery options against RTO/RPO requirements, cost constraints, and geographic risk diversification needs.
  • Recommend a disaster recovery strategy that optimizes recovery capabilities, cost efficiency, and resilience against the organization's specific threat landscape and regulatory recovery requirements.

Continuity testing and maintenance

  • Implement continuity testing programs with tabletop exercises, structured walkthroughs, simulation tests, parallel processing tests, and full interruption tests at progressive complexity levels.
  • Assess continuity program health by evaluating test frequency, scenario coverage, corrective action closure rates, and plan currency metrics across the business continuity management system.
  • Design a comprehensive contingency management strategy integrating business continuity, disaster recovery, crisis management, and cyber resilience into a unified organizational preparedness framework.

Crisis management and communication

  • Establish crisis management team structures with decision authority, communication protocols, media handling procedures, and regulatory notification workflows for organizational crisis response.
  • Evaluate crisis communication effectiveness by analyzing message consistency, stakeholder reach, reputation impact metrics, and regulatory notification compliance during and after crisis events.
Domain 6: Law, Ethics, and Security Compliance Management (4 topics)

Legal and regulatory compliance management

  • Implement regulatory compliance management programs with obligation identification, control mapping, compliance monitoring, and regulatory change management for multi-jurisdictional organizations.
  • Apply privacy regulation compliance requirements including GDPR data protection impact assessments, CCPA consumer rights fulfillment, and cross-border data transfer mechanism implementation.
  • Evaluate regulatory compliance posture by analyzing control implementation completeness, audit finding remediation status, and regulatory examination readiness across applicable frameworks.
  • Develop a unified compliance management strategy that harmonizes overlapping regulatory obligations through common control frameworks to reduce compliance burden and audit fatigue.

Security audit and assurance management

  • Implement internal security audit programs with risk-based audit planning, audit execution methodologies, finding classification, and remediation tracking for continuous security assurance.
  • Apply external audit and certification management processes for SOC 2 Type II, ISO 27001, PCI DSS, and FedRAMP assessments including scope definition, evidence preparation, and finding remediation.
  • Assess audit program effectiveness by evaluating finding recurrence rates, control gap detection timeliness, and remediation completion velocity across internal and external audit cycles.

Ethics and professional conduct management

  • Establish organizational security ethics frameworks with codes of conduct, acceptable use policies, whistleblower protections, and ethics violation investigation procedures for security personnel.
  • Evaluate ethical dilemma scenarios in security management by analyzing competing obligations between organizational interests, individual privacy rights, regulatory requirements, and professional codes of conduct.

Forensics and legal proceedings support

  • Implement digital evidence management processes with chain-of-custody documentation, forensic imaging standards, evidence storage security, and preservation hold procedures for legal proceedings support.
  • Apply e-discovery and litigation support practices including data preservation, collection, processing, review, and production workflows for security-related civil and regulatory proceedings.
  • Determine the admissibility and evidentiary weight of digital evidence by evaluating collection methodology compliance, chain-of-custody integrity, and forensic analysis procedure validity.
  • Recommend a digital forensics readiness strategy that pre-positions evidence collection capabilities, establishes legal coordination protocols, and ensures investigative capacity for anticipated incident types.
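The following is an added example, not part of the course material and not any forensic tool's own code: it shows the integrity mechanics behind chain-of-custody documentation, namely hashing the evidence at acquisition and at every hand-off, and hash-chaining the custody entries so that an edited or reordered entry is detectable. The evidence bytes, image name and custodian names are constructed for illustration.

```python
"""Chain-of-custody log with hash chaining and evidence integrity checks (added example)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64


def hash_file(path, algo="sha256", chunk_size=1 << 20):
    """Hash a file in chunks so a large forensic image does not have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def _entry_digest(entry):
    """Digest of every field except the digest itself; canonical JSON keeps it reproducible."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def _append(log, action, custodian, note, evidence_hash):
    entry = {
        "seq": len(log),
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "action": action,
        "custodian": custodian,
        "note": note,
        "evidence_sha256": evidence_hash,
        "prev": log[-1]["entry_hash"] if log else GENESIS,  # link to the previous entry
    }
    entry["entry_hash"] = _entry_digest(entry)
    log.append(entry)
    return entry


def acquire(path, custodian, note):
    """First entry: the acquisition hash that every later check is compared against."""
    log = []
    _append(log, "acquired", custodian, note, hash_file(path))
    return log


def transfer(log, path, custodian, note):
    """Each hand-off re-hashes the evidence, so any drift is pinned to a custodian."""
    return _append(log, "transferred", custodian, note, hash_file(path))


def verify_log(log):
    """Problems in the log itself: edited entries or a broken chain."""
    problems = []
    expected_prev = GENESIS
    for e in log:
        if e["prev"] != expected_prev:
            problems.append(f"entry {e['seq']}: chain broken (prev does not match)")
        if _entry_digest(e) != e["entry_hash"]:
            problems.append(f"entry {e['seq']}: entry contents modified after it was recorded")
        if e["evidence_sha256"] != log[0]["evidence_sha256"]:
            problems.append(f"entry {e['seq']}: evidence hash differs from acquisition hash")
        expected_prev = _entry_digest(e)  # recomputed, so an edited entry breaks the link too
    return problems


def verify_evidence(log, path):
    """Problems with the artifact on disk relative to what was acquired."""
    problems = verify_log(log)
    if hash_file(path) != log[0]["evidence_sha256"]:
        problems.append("evidence on disk no longer matches acquisition hash")
    return problems


def demo():
    """Constructed walk-through: acquire, hand off, then tamper with the evidence."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "laptop-0042.E01")  # hypothetical image name
        with open(image, "wb") as f:
            f.write(b"constructed evidence bytes, not a real disk image\n" * 1000)
        log = acquire(image, "A. Analyst", "imaged behind a write blocker")  # hypothetical custodians
        transfer(log, image, "B. Examiner", "handed over for analysis")
        clean = verify_evidence(log, image)       # expected: no problems
        with open(image, "ab") as f:              # simulated tampering after hand-off
            f.write(b"!")
        tampered = verify_evidence(log, image)    # expected: one problem
        return log, clean, tampered
```

Hash chaining makes the log tamper-evident, not tamper-proof: whoever can rewrite the whole file can recompute every digest. In practice the acquisition hash and each entry digest are also recorded somewhere the custodian cannot alter (a signed record, a WORM store, or a witnessed paper form), and the verification is repeated before analysis and again before production, since the question in L199's admissibility assessment is whether the artifact analysed is provably the one acquired.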

Scope

Included Topics

  • All domains in the ISC2 ISSMP (Information Systems Security Management Professional) exam outline: Domain 1 Leadership and Business Management (22%), Domain 2 Systems Lifecycle Management (19%), Domain 3 Risk Management (18%), Domain 4 Threat Intelligence and Incident Management (17%), Domain 5 Contingency Management (12%), Domain 6 Law, Ethics, and Security Compliance Management (12%).
  • CISO-level security program management including security strategy development, security budget planning, staffing and talent management, security awareness programs, and board-level security reporting.
  • Security metrics, key performance indicators, and key risk indicators for measuring security program effectiveness, operational security posture, and return on security investment for executive stakeholders.
  • Business continuity and disaster recovery program management including BIA methodology, recovery strategy selection, plan development, testing programs, and plan maintenance lifecycle.
  • Threat intelligence program management including intelligence lifecycle, source evaluation, intelligence sharing frameworks (STIX/TAXII), and integration with security operations and risk management.
  • Legal and regulatory compliance management including privacy regulations (GDPR, CCPA), cross-border data transfer mechanisms, contractual security obligations, and forensic evidence handling requirements.

Not Covered

  • Hands-on technical configuration, scripting, and system administration tasks that are below the management decision-making level tested by ISSMP.
  • Entry-level security fundamentals already covered by the base CISSP certification prerequisite; ISSMP assumes full CISSP-level knowledge as a baseline.
  • Vendor-specific product pricing, licensing, and rapidly changing commercial details not stable for enduring management specifications.
  • Deep security architecture design and engineering implementation details that fall within ISSAP and ISSEP concentration scopes rather than ISSMP management scope.

Official Exam Page: learn more at ISC2.


Trademark Notice

(ISC)²®, CISSP®, CCSP®, SSCP®, CSSLP®, and all (ISC)² certification marks are registered trademarks of (ISC)². (ISC)² does not endorse this product.

AccelaStudy® and Renkara® are registered trademarks of Renkara Media Group, Inc. All third-party marks are the property of their respective owners and are used for nominative identification only.