Certification Overview

Duration: 180 min
Questions: 125
Passing: 70%
Level: Advanced

Build Your Mastery

887 practice questions across difficulty levels

281 Foundation
277 Development
329 Challenge

Information Systems Security Management Professional (ISSMP)

Assesses the ability to lead, govern and align enterprise information security programs with organizational objectives, risk posture and compliance obligations across lifecycle, operations and resilience activities.

Exam Content Breakdown

To prepare for the Information Systems Security Management Professional (ISSMP), you need to cover the following topics. LearnWell guides you carefully across each of them, ensuring comprehensive coverage of all exam domains and topics according to their importance.

About This Exam

The Information Systems Security Management Professional (ISSMP) examination evaluates a candidate’s ability to establish, direct, and govern enterprise information security programs that support organizational mission, strategy, and risk tolerance. The assessment is organized around six interrelated domains: leadership and organizational management; systems lifecycle management; risk management; security operations; contingency management; and law, ethics, and security compliance management. Successful candidates are expected to combine foundational technical knowledge of information security principles and lifecycle practices with managerial capabilities such as policy development, stakeholder engagement, budgeting, program metrics, and team accountability. Systems lifecycle topics emphasize integrating security decision points into design and configuration management, vulnerability identification and remediation, and secure change control. Risk management covers program development, risk assessment methodologies (qualitative and quantitative), supply chain and third-party risk oversight, control selection and evaluation, and cost–benefit analysis of treatment options. Security operations focuses on establishing and operating a security operations center, building threat intelligence and detection capabilities, incident management and investigation, and turning telemetry into actionable alerts and reports. Contingency management addresses business continuity, disaster recovery, resilience planning, crisis communications, third-party dependencies, plan testing, and lessons-learned processes. The compliance and ethics domain expects practitioners to interpret applicable laws and standards, select and validate compliance frameworks, coordinate audits and regulators, and manage documented exceptions while adhering to professional ethical obligations. 
Cross-cutting themes that run through the domains include governance and accountability, measurement through KPIs and KRIs, contractual and vendor security requirements, continuous monitoring and quality assurance of controls, and the practical trade-offs between risk reduction, cost, and operational impact. The credential targets experienced security leaders who typically hold the CISSP and possess management-level experience; the exam emphasizes program-level decision making, governance, and oversight rather than low-level engineering tasks, and assesses the ability to translate strategy into implementable controls, maintain program resiliency, and steward legal and regulatory compliance across the enterprise.

Why Train With Us?

Exam-Quality Questions

Carefully crafted by industry experts to match the exact difficulty and format of real certification exams

Detailed Explanations

Comprehensive explanations to help you understand not just the answer, but the underlying concepts

Flexible Learning Modes

Practice mode to learn at your own pace or mock exams with real-time scoring

Performance Insights

Track your progress by domain, identify weak areas, and focus your study efforts

LearnWell is an independent learning platform. Certification names are used for identification purposes only. LearnWell is not affiliated with, endorsed by, or sponsored by any certification provider unless explicitly stated.