So, I recently received confirmation from the ISC2 (International Information Systems Security Certification Consortium) that I passed the ISSAP exam. This is a secure architecture concentration in addition to the CISSP (Certified Information Systems Security Professional) certification.
I believe this should be a worthwhile addition to my CISSP and of course my CV, while also helping progress my current role, so I felt I should write a post about my preparation for the exam.
As with the CISSP (Certified Information Systems Security Professional), the best way to be prepared is to have a solid grounding in the subject matter – e.g. IT security and technical / solutions architecture. Indeed, several years of industry experience is a prerequisite for obtaining these certifications.
Also, as with the CISSP, I chose to cover off the bulk of the revision by using the ISC2-recommended course text. With the CISSP I used the well-regarded Shon Harris ‘CISSP all in one guide’, which was well written and very comprehensive.
For the ISSAP I used the ISC2 Official study guide to the CISSP-ISSAP. Currently this is the only book specifically for the ISSAP exam that claims to cover all aspects of the exam. Personally, I found this book to be very badly written and hard to read. The first chapter must have used the phrase ‘Confidentiality Integrity Availability’ in almost every sentence. Yes, we all know that CIA is important and what we are aiming for, but there is no need to repeat it so often.
Other sections of the book only skimmed over areas that were quite heavily covered in the exam.
In short, if you did not already have a very solid grounding and experience in the areas covered by the exam, this official guide would not be anywhere near enough to pass the exam. Obviously, the ISC2 may argue that you are supposed to have industry experience, but this does not necessarily include all the areas covered in the exam, such as specific components of the Common Body of Knowledge or other specific standards.
If you are a CISSP involved in designing secure architectures, then this certainly seems like a worthwhile certification to go for. I would advise doing some supplementary reading covering the Common Body of Knowledge and something like ‘Enterprise Security Architecture’, along with, of course, a solid background in both security and architecture.
As an aside, I am a firm believer that study and / or involvement in IT-related work such as creating white papers, contributing to open source etc. is not only a great way to improve your skills and knowledge, but also essential to show current and future employers that you are genuinely passionate about what you do rather than it just being a job.