Information Systems Security Engineering Professional (CISSP - ISSEP) Practice Exam

Information Systems Security Engineering Professional (CISSP - ISSEP) Practice Exam

The Information Systems Security Engineering Professional (ISSEP) is a security expert who specializes in applying systems engineering principles and processes to develop secure systems practically. ISSEP professionals analyze organizational needs, define security requirements, design security architectures, develop secure designs, implement system security, and provide support for system security assessment and authorization for both government and industry sectors.

Exam Experience Requirements:

To qualify for the ISSEP certification, candidates must meet the following criteria:

• Hold a CISSP certification in good standing and possess at least two years of cumulative, full-time experience in one or more of the five domains outlined in the ISSEP curriculum, or
• Have a minimum of seven years of cumulative, full-time experience in two or more of the domains outlined in the ISSEP curriculum. Additionally, obtaining a post-secondary degree (bachelor's or master's) in computer science, information technology (IT), or related fields, or acquiring an additional credential from the ISC2 approved list, may fulfill one year of the required experience. Part-time employment and internships may also contribute to meeting the experience requirement.

Who should take the exam?

The ISSEP is ideal for those working in roles such as:

• Senior Systems Engineer
• Information Assurance Systems Engineer
• Information Assurance Officer
• Information Assurance Analyst
• Senior Security Analyst

Exam Details

• Exam Code: CISSP - ISSEP
• Exam Name: Information Systems Security Engineering Professional
• Exam Languages: English
• Exam Questions: 125 Multiple choice and advanced items
• Time: 3 hours
• Passing Score: 700 out of 1000 points

 

Exam Course Outline 

The Exam covers the given topics  - 

Domain 1: Systems Security Engineering Foundations

1.1 Apply systems security engineering fundamentals

• Systems security engineering trust concepts and hierarchies
• Relationships between systems and security engineering processes
• Structural security design principles (e.g., National Institute of Standards and Technology (NIST) engineering framework, International Organization for Standardization (IS0) 27001)

1.2 Execute systems security engineering processes (e.g., hardware, software, data)

• Organizational security authorities (e.g., internal, external)
• System security governance and compliance (e.g., laws, regulations, standards)
• Design concepts (e.g., open, proprietary, modular)

1.3 Integrate with system development methodology

• Security tasks and activities
• Security requirements verification throughout the process
• Assurance methods (e.g., software, hardware, virtual, cloud)
• Models (e.g., System Development Life Cycle (SDLC), International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 24641:2023, Model based systems engineering)

1.4 Perform technical management

• Project management processes participation
• Configuration management (CM) processes
• Information management processes
• Measurement processes
• Quality assurance (QA) processes
• Security process automation solution evaluations

1.5 Participate in the technology procurement management

• Security requirements for acquisitions
• Selection process
• Supply chain risk management (SCRM)
• Review security related contractual deliverables (e.g., hardware, software, services, documentation)

1.6 Resource Analysis (e.g., Cost estimation, personnel costs, probabilities and statistics (Monte Carlo))

• Cost estimation
• Personnel costs
• Probabilities and statistics (Monte Carlo method, mean time between failures (MTBF), Maximum Tolerable Downtime (MTD), mean time to failure (MTTF), mean time to repair (MTTR), mean time to recovery (MTTR))

Domain 2: Risk Management

2.1 Apply security risk management principles

• Security risk management alignment with enterprise risk management
• Risk management integration throughout the lifecycle

2.2 Manage risk to the system

• Establish risk context 
• Identify system security risks (e.g., threats, events, vulnerabilities, impact) 
• Perform inherent risk analysis 
• Perform risk evaluation 
• Monitoring and evaluate changes to risk posture (e.g., residual, changed, new) 
• Documenting risk posture (e.g., findings, decisions)

2.3 Manage risk to operations

• Establish risk context 
• Identify system security risks (e.g., threats, events, vulnerabilities, impact) 
• Perform inherent risk analysis 
• Perform risk evaluation 
• Monitoring and evaluate changes to risk posture (e.g., residual, changed, new) 
• Documenting risk posture (e.g., findings, decisions)

Domain 3: Security Planning and Design

3.1 Analyze organizational and operational environment

• Capture stakeholder requirements
• Identify roles and responsibilities
• Identify relevant constraints and assumptions
• Prepare security validation plan

3.2 Apply system security principles

• Resiliency methods (e.g., redundancy, component diversity/disparity)
• Layered security concepts (e.g., defense-in-depth, Zero Trust, secure-by-default)
• Fail-safe defaults (e.g., fail open, fail secure, fail closed)
• Single points of failure
• Least privilege
• Economy of mechanism
• Separation of interfaces, functions, services, and roles
• Automation (e.g., threat response, SecDevOps, emerging technologies)
• Software assurance
• Data security

3.3 Develop system requirements

• Develop system security context
• Identify functions within the system and security concept of operations
• Document system security requirements baseline
• Analyze system security requirements

3.4 Create system security design

• Develop functional analysis and allocation
• Develop system security design components
• Maintain traceability between specified design and system requirements
• Perform trade-off studies
• Validate design

Domain 4: Systems Implementation, Verification and Validation

4.1 Implement and integrate security solutions

• Perform system security implementation and integration
• Support on-going system security activities (e.g., Continuous Integration and Continuous Delivery (CI/CD), DevSecOps) 

4.2 Verify successful implementation

• Develop security test plans
• Support system security verification
• Review and update risk analysis
• Document stakeholder acceptance in system implementation

Domain 5: Secure Operations, Change Management and Disposal

5.1 Develop secure operations plan

• Identify roles, responsibilities, and requirements for system security personnel conducting operations
• Specify requirements for security related event reporting

5.2 Support secure operations

• Design continuous monitoring functionality (e.g., personnel, processes, technology)
• Support the incident response process
• Develop secure maintenance procedures

5.3 Participate in change management

• Participate in change reviews
• Assess change impact
• Perform verification and validation of changes
• Update risk assessment documentation

5.4 Participate in the disposal process

• Identify disposal security requirements
• Develop secure disposal plan
• Develop decommissioning and disposal procedures
• Audit results of the decommissioning and disposal process
• Implement data retention policies