Official ISC2 ISSAP Online Self-Paced Training

Course Description

Course Summary

This course is designed for the chief security architect or analyst. Drawing from the comprehensive Information Systems Security Architecture Professional (ISSAP) Common Body of Knowledge (CBK®), the course provides a deep understanding of the broad spectrum of topics included in the CBK® and addresses new threats, technologies, regulations, standards and practices. This self-paced training covers the following six domains of the CISSP-ISSAP CBK®:

  • Domain 1: Architect for Governance, Compliance and Risk Management
  • Domain 2: Security Architecture Modeling
  • Domain 3: Infrastructure Security Architecture
  • Domain 4: Identity and Access Management (IAM) Architecture
  • Domain 5: Architect for Application Security
  • Domain 6: Security Operations Architecture

Course Learning Objectives

At the end of this course, learners will be able to:

  • Create an Information Security Architecture that meets the requirements of governance, compliance and risk management.
  • Evaluate security architecture models and frameworks.
  • Develop an infrastructure security program.
  • Produce an identity and access management architecture.
  • Integrate security principles into applications development.
  • Design a security operations architecture.

Note: Chapter learning objectives provided below.

How this Course Works

This is an interactive online self-paced course offering the learner the flexibility to work through the content and activities at their own pace over a 180-day period. Estimated time to complete the course is 40 hours.

Content will be taught using a series of lecture-based videos, audio presentations, interactive exercises, readings and assessments. In addition to viewing audio and video lectures, learners will be asked to work through and complete the following activities:

  • Approximately 14 hours of multimedia learning resources (videos, narrated PowerPoints, scenarios, etc.)
  • 15 applied scenarios demonstrating a real-world application of concepts taught in the course.
  • 40 content-specific activities (including knowledge checks and other interactive exercises).
  • 6 end-of-chapter quizzes with answer explanations to assess comprehension.
  • 126-question post-course assessment with answer explanations highlighting areas for further study.
  • Flashcards

All materials are included in the course.

Requirements for Completion

In order to complete the course, receive a certificate of completion and earn ISC2 continuing professional education (CPE) credits, learners must:

  • Complete all learning activities within the course.
  • Complete a course evaluation.
  • Score 70% or higher on the end-of-chapter quizzes and final assessment.

Course content is offered in English.

Course Type:

Self-Paced: online, go-at-your-own-pace training with interactive study materials, no instructor, and available 24/7.

CPE Credits:

40 CPE Credits


Pricing available at checkout.


This course covers the following chapters:

Chapter 1: Architect for Governance, Compliance and Risk Management

Learning Objectives:

  • Module 1: Determine Legal, Regulatory, Organizational and Industry Requirements.
    • Ensure that the security architect is aware of legal requirements and designs (builds-in) the ability to support audit and compliance functionality into information systems and the information security framework.
    • Ensure that the security architect is aware of the core privacy principles adopted by the OECD.
    • Understand the requirements of the General Data Protection Regulation (GDPR).
    • Understand the requirements of the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH).
    • Understand the requirements of the North American Electric Reliability Corporation – Critical Infrastructure Protection.
    • Understand the requirements of privacy and information security laws in the United Kingdom.
    • Understand the requirements of information security laws in the Asia Pacific region.
    • Understand the requirements of information security laws in Latin America.
    • Ensure that the security architect is aware of the requirements of the Electronic Communications Privacy Act (ECPA).
    • Understand the capabilities and techniques used to develop an enterprise security architecture based on common architectural frameworks.
    • Understand the requirements of information management laws: Gramm-Leach-Bliley Act (GLBA) and Sarbanes-Oxley Act.
  • Module 2: Determine Applicable Information Security Standards and Guidelines.
    • Understand the process of evaluating and selecting architectural standards.
    • Understand the requirements of the National Institute of Standards and Technology for information systems protection.
    • Understand the requirements of the Information Security Management System (ISMS) as documented in ISO/IEC 27001.
    • Understand the capabilities and techniques used to develop an enterprise security architecture based on common architectural frameworks.
    • Understand the requirements of the payment card industry for protection of payment cards.
    • Understand the requirements to support audit and compliance services and demonstrate the design, implementation and management of good security practices.
  • Module 3: Determine Applicable Sensitive/Personal Data Standards, Guidelines and Privacy Regulations.
    • Introduce the importance of compliance with privacy laws in the context of the real world.
  • Module 4: Designing Systems for Auditability
    • Understand the requirements to design systems to support audit and accountability standards.
    • Understand the process of Control Self-Assessment (CSA) and know how to design systems to support CSA.
    • Understand the requirements to design a system for auditability.
    • Understand the process of digital forensics and the examination of evidence.
    • Understand the requirements of working with external entities in the event of an incident.
    • Understand the process of architecting relationships with outsourcing suppliers and partners.
  • Module 5: Manage Risk
    • Review the importance of risk management in relation to the establishment of an information security program.
    • Understand the process of determining the relationship between assets and business mission.
    • Understand the Risk Management Framework and risk management process.
    • Understand the principles of risk assessment and risk treatment.
    • Be familiar with quantitative and qualitative risk assessment.
    • Understand the principles and practices of asset identification and classification.
    • Understand the process of determining asset value.
    • Understand the types of threat actors.
    • Understand the types of human threats, natural threats and supply chain risk.
    • Understand the risk related to technology.
    • Understand the process of determining risk.
    • Understand the process of risk reporting and the risk register.
  • Module 6: Overview of Risk Treatment
    • Review the principles of risk treatment and risk response.
    • Be familiar with the requirement to perform a cost–benefit analysis when considering control options.
  • Module 7: Risk Monitoring
    • Understand the principles of risk monitoring.
    • Understand the impact of emerging threats and vulnerabilities on the level of risk faced by the organization.
    • Understand the factors that can affect risk, such as changes to business processes.
    • Understand the importance of reporting current and emerging risk to management.
    • Be familiar with a risk register and how to use it.

Chapter 2: Security Architecture Modeling

Learning Objectives:

  • Module 1: Identify Security Architecture Approach
    • Understand the various architectural approaches and identify the impact upon security of each approach.
    • Understand new security challenges as the types of systems and networks evolve.
    • Understand the security needs as organizations move from systems architecture to enterprise architecture.
    • Be familiar with the security requirements that are unique to each of the common architectural models.
    • Be familiar with the concepts of Service-Oriented Architecture (SOA).
    • Understand the challenges that the Internet of Things (IoT) places on security architecture.
    • Review the security considerations associated with SCADA systems.
    • Review the fundamental security models and various forms of enterprise configurations.
    • Understand the value of benchmarks and baseline configurations.
    • Remember the benefits and types of network segmentation.
    • Be familiar with the evolution of networking and network technologies.
  • Module 2: Review Physical Security Requirements.
    • Understand the importance of physical security as related to information security.
    • Understand the methods used to validate physical security controls.
    • Understand the generally accepted data center design tiers.
    • Understand the various options to control physical access to data centers.
    • Understand the deployment of closed-circuit television (CCTV).
    • Review the principles of perimeter-based security.
    • Review the principles of fire management.
  • Module 3: Verify and Validate Design
    • Understand the process of testing and validating the project deliverables.
    • Understand the process of regression testing and avoiding single points of failure.
    • Understand the process of independent verification and validation of infrastructure and control design.

Chapter 3: Infrastructure Security Architecture

Learning Objectives:

  • Module 1: Develop Infrastructure Security Requirements.
    • Understand the process of developing infrastructure security requirements.
    • Understand the security requirements of various types of system deployments.
    • Understand the application of security in a cloud environment.
  • Module 2: Design Defense-in-Depth Architecture.
    • Understand the principles of defense in depth and be able to design a defense-in-depth solution for their organization.
    • Understand the role of management networks in protecting and monitoring information systems and system components.
    • Review the core security concepts in relation to infrastructure.
    • Understand the security of various system components.
    • Understand cloud security risk.
  • Module 3: Review Secure Shared Services
    • Understand the Network Time Protocol (NTP), Domain Name System (DNS), and Voice over Internet Protocol (VoIP).
  • Module 4: Design Boundary Protection with Enterprise Security Requirements Considered
    • Understand boundary protection.
    • Understand the security requirements when acquiring, deploying and managing various devices.
    • Understand the need for security of mobile devices.
    • Understand cloud virtualization and cloud virtual storage.
  • Module 5: Design Infrastructure Monitoring
    • Understand the design of monitoring systems.
    • Understand the methods of active and passive data collection.
    • Design the systems to monitor network traffic.
    • Understand security analytics.
  • Module 6: Review Introduction to Cryptographic Principles
    • Understand the legal requirements concerning the design, implementation and operation of cryptographic solutions.
  • Module 7: Design Infrastructure Cryptographic Solutions
    • Understand the design of infrastructure cryptographic solutions.
  • Module 8: Asymmetric Algorithms
    • Understand the principles of asymmetric encryption.
    • Understand the principles of RSA certificates.
    • Understand the process of elliptic curve cryptography.
    • Understand the composition and use of digital signatures.
    • Understand the process of certificate validation.
    • Review the processes of ensuring message integrity through the use of a hash function.
    • Review the SHA-3 algorithm.
    • Understand the use of a VPN using Diffie-Hellman.
    • Understand the ElGamal algorithm.
  • Module 9: Internet Protocol Security (IPSec)
    • Understand Internet Protocol Security (IPSec).
    • Review the operations of TLS using RSA+.

Chapter 4: Identity and Access Management (IAM) Architecture

Learning Objectives:

  • Module 1: Evaluate Enterprise Identity Management Requirements
    • Be able to identify and evaluate the requirements for identity management.
    • Understand the process of assigning identifiers to entities.
    • Understand the core principle of information security based on the use of multi-factor authentication to protect systems from unauthorized access.
    • Understand the principles of identification, authentication, authorization and accounting as they relate to identity management.
    • Understand the challenges of digital identities.
    • Be able to establish processes to identify personnel and facilitate trust relationships.
    • Be able to define multi-factor authentication.
    • Be able to design risk-based and location-based access controls.
    • Be able to design knowledge-based and object-based access controls.
    • Understand biometrics.
    • Be able to recognize authentication protocols and technology.
    • Understand Security Assertion Markup Language (SAML), RADIUS, and Kerberos.
  • Module 2: Access Control Concepts and Principles
    • Understand access control concepts and principles.
    • Be able to design access control management, including the access control management lifecycle.
  • Module 3: Design Identity and Access Solutions
    • Understand how to design an identity and access solution for an organization.
    • Understand various access control protocols and technologies.
    • Understand various credential management technologies.
    • Understand the advantages and disadvantages of centralized versus decentralized identity and access management systems.
    • Understand the different types of identity and access management implementations.
    • Understand the risk and requirements for managing privileged accounts.
    • Review the accounting or audit aspect of identity and access management.

Chapter 5: Architect for Application Security

Learning Objectives:

  • Module 1: Assess and Align Application Security with the Enterprise
    • Understand the process of assessing and aligning application security with the enterprise.
    • Understand how to use the SDLC to design resilient secure systems.
    • Understand how to address security in the SDLC.
    • Understand the requirements traceability matrix (RTM).
    • Understand the principles of secure software coding.
    • Review the principles of security architecture documentation.
  • Module 2: Assess Code Review Methodology and Testing
    • Understand the processes and methodologies used to assess software code.
    • Review the principles of static code testing.
    • Review the principles of dynamic code testing.
    • Review the principles of creating valid test data.
    • Review the security concerns associated with APIs.
    • Understand the principles of protecting systems through runtime application self-protection (RASP).
    • Review the principles of anti-malware tools.
    • Review the implementation of encryption in an application.
    • Determine appropriate cryptographic solution for applications.
    • Be familiar with the methodologies used to assess software code and implementations.
    • Understand the principles of a secure code repository.
    • Understand the value and process of version control.
  • Module 3: Determine Application Security Capability Requirements and Strategy
    • Understand the process to determine application security requirements.
    • Determine the security requirements for applications operating in a platform as a service (PaaS) deployment.
    • Understand the requirements to secure the infrastructure used in supporting applications.
    • Understand the role that network security plays in supporting secure operations of applications.
    • Understand the requirements to secure the endpoint devices and desktops that support applications.
    • Understand the requirements to secure data storage for an application.
    • Evaluate applicability of security controls for system components.
  • Module 4: Identify Common Proactive Controls for Applications
    • Understand some of the common controls used to protect applications.
    • Review the CIS critical security controls.

Chapter 6: Security Operations Architecture

Learning Objectives:

  • Module 1: Gather Security Operations Requirements
    • Understand how to gather security operations requirements.
    • Understand the architect’s role in setting up monitoring and the benefits that an effective monitoring program will provide.
  • Module 2: Design Information Security Monitoring
    • Understand the techniques of monitoring and incident identification.
    • Understand the process of incident preparation.
    • Understand the process of incident detection.
    • Understand the process of incident response.
    • Review vulnerability assessments and penetration testing.
    • Work with and support audits, and benefit from the audit process.
  • Module 3: Design Business Continuity (BC) and Resiliency Solutions
    • Understand their role in designing business continuity and resiliency solutions.
    • Understand the basics of gathering resource requirements used to support business continuity (BC).
    • Understand their role in assisting in the creation of incident response and communications and training plans.
    • Understand the process of incident response management.
    • Understand the various response strategies that can be used.
    • Identify continuity and availability solutions.
  • Module 4: Validate Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) Architecture
    • Be able to participate in the validation of business continuity plans and disaster recovery plans.
Note: Throughout this course, exam domains may be covered in several chapters. Included in the course is a table indicating where the exam outline objectives are covered in this course. Unique icons are also used through the course materials to identify exam outline objectives.

Audience or Who Should Take this Course

This course is for individuals planning to pursue the CISSP-ISSAP certification. The CISSP-ISSAP is a CISSP who specializes in designing security solutions and providing management with risk-based guidance to meet organizational goals. ISSAPs facilitate the alignment of security solutions within the organizational context (e.g., vision, mission, strategy, policies, requirements, change, and external factors).

Experience Required

Prior to taking this course the learner should have the following experience, skills, or knowledge obtained while serving in the following roles:

  • System Architect
  • Chief Technology Officer
  • System and Network Designer
  • Business Analyst
  • Chief Security Officer

Learner Support

ISC2 Authorized Instructors are available via email to assist learners with content related questions as they work through the course. Additional details are provided in the course.

Technology Requirements

The following are system requirements needed to enhance your overall learning experience.

A stable and continuous internet connection is required. In order to record your completion of the online learning courses, please ensure you are connected to the internet at all times while taking the course.

Hardware Specifications

  • Processor 2 GHz +
  • RAM 4 GB +
  • Monitor minimum resolution (1024 x 768)
  • Video Card
  • Keyboard and Mouse or other assistive technology.

Computer Peripherals

  • Speakers/Headphones (noise-cancelling headset is recommended)
  • Microphone
  • Camera

Supported Operating Systems

  • Macintosh OS X 10.10 to present
  • Windows 10 to present

Supported Browsers

  • Google Chrome
  • Microsoft Edge
  • Mozilla Firefox

Access Certificate of Completion

An electronic Certificate of Completion will be provided once you have completed the course by meeting all the requirements. We recommend that you download and retain the certificate of completion as proof of credits earned.

To download a PDF version of the certificate, go to the "Awards" tab of ISC2 Learn (top menu), select the course and then "Generate Certificate".

CPE Reporting

CPE credits for ISC2 credentials must be self-reported by members and associates through the ISC2 CPE Portal, accessible using your member login credentials.

CPE credits earned for this course may be eligible for continuing professional education credits for non-ISC2 certifications. Please visit the continuing education requirements established by the credentialing organization for eligibility.

For specific questions related to your CPE credits or the CPE portal please contact member support -

If you are in North America and want to purchase this course on behalf of someone else, or are interested in quantity discounts, please contact:

ISC2 North America Regional Office - Email: or call Phone: +1-866-331-ISC2 (4722) ext. 2

Cancellation Policy

Refunds for any ISC2 courses will not be provided.

Access Period

Access to course content: 180 days.