Certified Information Systems Security Management Professional (ISSMP) Practice Exam
- Test Code: 1454-P
- Availability: In Stock
- Price: $7.99
- Ex Tax: $7.99
The Information Systems Security Management Professional (ISSMP) is an expert in security leadership, specializing in establishing, managing, and governing information security programs while demonstrating strong management and leadership capabilities. ISSMPs manage the alignment of security initiatives with the organization’s mission, goals, and strategies to fulfill enterprise financial and operational needs while maintaining the desired risk posture.
Who should take the exam?
To qualify, candidates must meet either of the following criteria:
- Hold a valid CISSP certification in good standing and possess a minimum of two years of cumulative, full-time experience in one or more of the six domains outlined in the current ISSMP framework.
OR
- Have a minimum of seven years of cumulative, full-time experience in two or more domains covered in the current ISSMP framework. Additionally, earning a post-secondary degree (bachelor's or master's) in computer science, information technology (IT), or related fields, or obtaining an additional credential from the ISC2 approved list, may substitute one year of the required experience. Part-time employment and internships may also contribute toward fulfilling the experience requirement.
Exam Details
- Exam Name: Certified Information Systems Security Management Professional (ISSMP)
- Length of exam: 3 hours
- Number of items: 125
- Item format: Multiple Choice
- Passing grade: 700 out of 1000 points
- Language: English
Course Outline
The exam covers the following topics:
Domain 1: Overview of Leadership and Business Management 20%
1.1 Establish security’s role in organizational culture, vision and mission
1.2 Align security program with organizational governance
1.3 Define and implement information security strategies
1.4 Define and maintain security policy framework; determine applicable external standards
1.5 Manage security requirements in contracts and agreements
1.6 Manage security awareness and training programs
1.7 Define, measure and report security metrics
1.8 Prepare, obtain and administer security budget
1.9 Manage security programs
1.10 Apply product development and project management principles
Domain 2: Understand Systems Lifecycle Management 18%
2.1 Manage integration of security into Systems Development Life Cycle (SDLC)
2.2 Integrate new business initiatives and emerging technologies into the security architecture
2.3 Define and oversee comprehensive vulnerability management programs (e.g., vulnerability scanning, penetration testing, threat analysis)
2.4 Manage security aspects of change control
Domain 3: Learn about Risk Management 19%
3.1 Develop and manage a risk management program
3.2 Conduct risk assessments
3.3 Manage security risks within the supply chain (e.g., supplier, vendor, third-party risk)
Domain 4: Learn Threat Intelligence and Incident Management 17%
4.1 Establish and maintain threat intelligence program
4.2 Establish and maintain incident handling and investigation program
Domain 5: Understand Contingency Management 15%
5.1 Facilitate development of contingency plans
5.2 Develop recovery strategies
5.3 Maintain contingency plan, Continuity of Operations Plan (COOP), business continuity plan (BCP) and disaster recovery plan (DRP)
5.4 Manage disaster response and recovery process
Domain 6: Learn about Law, Ethics and Security Compliance Management 11%
6.1 Identify the impact of laws and regulations that relate to information security
6.2 Adhere to the (ISC)2 Code of Ethics as related to management issues
6.3 Validate compliance in accordance with applicable laws, regulations and industry best practices
6.4 Coordinate with auditors and regulators in support of the internal and external audit processes
6.5 Document and manage compliance exceptions