ISC2 ISSAP®: Information Systems Security Architecture Professional

Course 2080
5 DAY COURSE
Price: $3,866.00
Course Outline

The Information Systems Security Architecture Professional (ISSAP) is an advanced security credential for professionals who design enterprise security solutions and provide risk-based architectural guidance aligned to organizational mission, strategy, and regulatory requirements.

In this intensive one-day course, learners explore the four domains of the ISSAP Common Body of Knowledge (CBK®), gaining practical insight into governance, security architecture modeling, infrastructure and system protection, and identity and access management (IAM) architecture.

Successful participants strengthen their ability to align security architecture with business objectives, regulatory mandates, and evolving threat landscapes across enterprise, cloud, and hybrid environments.

ISC2 ISSAP®: Information Systems Security Architecture Professional Benefits

Course Benefits

  • Align enterprise security architecture with governance, risk, and compliance requirements
  • Apply security architecture modeling frameworks, threat modeling, and validation techniques
  • Design secure infrastructure, system, and cryptographic architectures across hybrid environments
  • Architect scalable identity, authentication, authorization, and auditing solutions
  • Provide risk-informed architectural guidance to organizational leadership
  • Enhanced ability to design security into systems from the start

Prerequisites

Candidates must meet one of the following:

  • Hold an active CISSP in good standing and have two years of cumulative full-time experience in one or more ISSAP domains, OR
  • Possess seven years of cumulative full-time experience in two or more ISSAP domains

Experience Substitution:

  • A relevant bachelor’s or master’s degree or an approved ISC2 credential may substitute for one year of experience
  • Part-time work and internships may count toward experience requirements

ISSAP Security Architecture Certification Outline

Learning Objectives

Domain 1: Governance, Risk, and Compliance (GRC)

  • Legal, regulatory, organizational, and industry security requirements
  • Sensitive data protection and privacy regulations
  • Third-party and contractual obligations
  • Asset identification, stakeholder alignment, and business objectives
  • Monitoring, reporting, auditability, and forensic readiness
  • Risk assessment integration and treatment strategies

Domain 2: Security Architecture Modeling

  • Enterprise, cloud, network, and service-oriented architecture approaches
  • Frameworks such as TOGAF®, SABSA, and reference architectures
  • Threat modeling methods including STRIDE and CVSS
  • Design validation, testing, and peer review
  • Gap analysis, mitigations, and compensating controls
  • Code review and security analysis methodologies

Domain 3: Infrastructure and System Security Architecture

Security Requirements & Deployment Models

  • On-premises, cloud, and hybrid environments
  • IT, OT, and physical security considerations
  • Monitoring, cryptography, and secure application architecture

Architecture Design & Protection Controls

  • Platform, network, storage, and cloud security
  • Endpoint protection, shared services, and third-party integrations
  • Infrastructure and content monitoring
  • Business continuity, disaster recovery, and incident communications
  • Security control applicability across system components

Cryptographic Architecture

  • Design constraints, algorithms, and lifecycle considerations
  • Encryption in transit, at rest, and in use
  • Key generation, storage, distribution, and management

Domain 4: Identity and Access Management (IAM) Architecture

Identity Lifecycle Architecture

  • Identity establishment, verification, provisioning, and de-provisioning
  • Identity technologies and governance

Authentication Architecture

  • Single-factor, multi-factor, and risk-based authentication
  • Protocols such as SAML, RADIUS, Kerberos, and OAuth
  • Trust models and federation

Authorization Architecture

  • Least privilege, separation of duties, and authorization models
  • Role-, rule-, attribute-, and token-based access control
  • Privileged access management (PAM) and digital rights management

Accounting, Auditing, and Compliance

  • Audit logging, alerts, integrity, and retention
  • Log analysis, reporting, and forensic readiness
  • Compliance alignment with PCI DSS, FISMA, HIPAA, and GDPR