
Domain Refresh

Effective Date: October 14, 2020

Please note: The CISSP-ISSAP Exam Outline is the official document outlining the domains, weights and subdomains of the certification exam. This document is intended as a supplementary resource only.

CISSP-ISSAP Domain Refresh
On October 14, 2020, the domains for the (ISC)2 CISSP-ISSAP® credential exam will be refreshed, and the current CISSP-ISSAP is available on our website.

The content of the CISSP-ISSAP has been refreshed to reflect the most pertinent issues that
cybersecurity architecture professionals currently face. Some topics have been updated
while others have been realigned. The result is an exam that most accurately reflects best
practices for developing, designing and analyzing security solutions.

As a result of the content refresh, the domain and subdomain names have been updated to
describe the topics accurately. The weights for the domains have also changed. Please see
the comparison table on the next page.



Domain Comparison

July 2017 – October 13, 2020
Domain 1: Identity and Access Management Architecture
• Design Identity Management and Lifecycle
• Design Access Control Management and Lifecycle
Exam Weight: 19%

Effective October 14, 2020
Domain 1: Architect for Governance, Compliance, and Risk Management
• Determine legal, regulatory, organizational, and industry requirements
• Manage risk
Exam Weight: 17%

July 2017 – October 13, 2020
Domain 2: Security Operations Architecture
• Determine Security Operation Capability Requirements and Strategy
• Design Continuous Security Monitoring (e.g., SIEM, insider threat, enterprise log management, cyber crime, advanced persistent threat)
• Design Continuity, Availability, and Recovery Solutions
• Define Security Operations (e.g., interoperability, scalability, availability, supportability)
• Integrate Physical Security Controls
• Design Incident Management Capabilities
• Secure Communications and Networks
Exam Weight: 17%

Effective October 14, 2020
Domain 2: Security Architecture Modeling
• Identify security architecture approach
• Verify and validate design (e.g., Functional Acceptance Testing (FAT), regression)
Exam Weight: 15%

July 2017 – October 13, 2020
Domain 3: Infrastructure Security
• Determine Infrastructure Security Capability Requirements and Strategy
• Design Layer 2/3 Architecture (e.g., access control segmentation, out-of-band management, OSI layers)
• Secure Common Services (e.g., wireless, e-mail, VoIP, unified communications)
• Architect Detective, Deterrent, Preventative, and Control Systems
• Architect Infrastructure Monitoring
• Design Integrated Cryptographic Solutions (e.g., Public Key Infrastructure (PKI), identity system integration)
Exam Weight: 19%

Effective October 14, 2020
Domain 3: Infrastructure Security Architecture
• Develop infrastructure security requirements
• Design defense-in-depth architecture
• Secure shared services (e.g., wireless, e-mail, Voice over Internet Protocol (VoIP), Unified Communications (UC), Domain Name System (DNS), Network Time Protocol (NTP))
• Integrate technical security controls
• Design and integrate infrastructure monitoring
• Design infrastructure cryptographic solutions
• Design secure network and communication infrastructure (e.g., Virtual Private Network (VPN), Internet Protocol Security (IPsec), Transport Layer Security (TLS))
• Evaluate physical and environmental security requirements
Exam Weight: 21%

July 2017 – October 13, 2020
Domain 4: Architect for Governance, Compliance, and Risk Management
• Architect for Governance and Compliance
• Design Threat and Risk Management Capabilities
• Architect Security Solutions for Off-Site Data Use and Storage
• Operating environment (e.g., virtualization, cloud computing)
Exam Weight: 16%

Effective October 14, 2020
Domain 4: Identity and Access Management (IAM) Architecture
• Design identity management and lifecycle
• Design access control management and lifecycle
• Design identity and access solutions
Exam Weight: 14%

July 2017 – October 13, 2020
Domain 5: Security Architecture Modeling
• Identify Security Architecture Approach (e.g., reference architectures, build guides, blueprints, patterns)
• Verify and Validate Design (e.g., POT, FAT, regression)
Exam Weight: 14%

Effective October 14, 2020
Domain 5: Architect for Application Security
• Integrate Software Development Life Cycle (SDLC) with application security architecture (e.g., Requirements Traceability Matrix (RTM), security architecture documentation, secure coding)
• Determine application security capability requirements and strategy (e.g., open source, Cloud Service Providers (CSP), Software as a Service (SaaS)/Infrastructure as a Service (IaaS)/Platform as a Service (PaaS) environments)
• Identify common proactive controls for applications (e.g., Open Web Application Security Project (OWASP))
Exam Weight: 13%

July 2017 – October 13, 2020
Domain 6: Architect for Application Security
• Review Software Development Life Cycle (SDLC) Integration of Application Security Architecture (e.g., requirements traceability matrix, security architecture documentation, secure coding)
• Review Application Security (e.g., custom, commercial off-the-shelf (COTS), in-house, cloud)
• Determine Application Security Capability Requirements and Strategy (e.g., open source, cloud service providers, SaaS/IaaS providers)
• Design Application Cryptographic Solutions (e.g., cryptographic API selection, PRNG selection, software-based key management)
• Evaluate Application Controls Against Existing Threats and Vulnerabilities
• Determine and establish application security approaches for all system components (mobile, web, and thick client applications; proxy, application, and database services)
Exam Weight: 15%

Effective October 14, 2020
Domain 6: Security Operations Architecture
• Gather security operations requirements (e.g., legal, compliance, organizational, and business requirements)
• Design information security monitoring (e.g., Security Information and Event Management (SIEM), insider threat, threat intelligence, user behavior analytics, Incident Response (IR) procedures)
• Design Business Continuity (BC) and resiliency solutions
• Validate Business Continuity Plan (BCP)/Disaster Recovery Plan (DRP) architecture
• Design Incident Response (IR) management
Exam Weight: 18%



Additional Examination Information
Supplementary References
Candidates are encouraged to supplement their education and experience by reviewing relevant resources that pertain to the CBK and identifying areas of study that may need additional attention.

View the full list of supplementary references at www.isc2.org/certifications/References.

Examination Policies and Procedures
(ISC)2 recommends that CISSP-ISSAP candidates review exam policies and procedures prior to registering for the examination. Read the comprehensive breakdown of this important information at www.isc2.org/Register-for-Exam.

Legal Info
For any questions related to (ISC)2's legal policies, please contact the (ISC)2 Legal Department at legal@isc2.org.

Any Questions?
(ISC)2 Americas
Tel: +1.866.331.ISC2 (4722)
Email: membersupport@isc2.org

(ISC)2 Asia-Pacific
Tel: +852.2850.6951
Email: membersupportapac@isc2.org

(ISC)2 EMEA
Tel: +44.203.960.7800
Email: membersupportemea@isc2.org

Feb 2020
