Preparing for the CISSP-ISSEP Exam: Domains, Resources, and Strategies
Introduction
Though the CISSP-ISSEP certification may not be widely popular outside the US (or even beyond the Department of Defense), it is crucial for developing the skills, knowledge, and expertise required by a system security engineer. These professionals are responsible for capturing and refining security requirements, incorporating security into system architectures, and ensuring secure development and configuration throughout the system development life cycle (SDLC). However, as of this writing, (ISC)² no longer lists an official guide to the ISSEP CBK, though it still provides a self-paced training course, official flashcards, and CBK suggested references for this certification. With the lack of an official guide to the CBK, preparing for this exam can be quite challenging. This article will share the resources I utilized and my approach to preparing for the exam.
Exam Domains
The CISSP-ISSEP examination is divided into five domains, each covering specific topics and tasks:
- Domain 1: System Security Engineering Foundations: This domain focuses on applying system security engineering fundamentals, executing system security engineering processes, integrating with applicable system development methodologies, performing technical management, participating in the acquisition process, and designing Trusted Systems and Networks (TSN). Relevant NIST publications for this domain include NIST SP 800-160 Vol. 1 and NIST SP 800-160 Vol. 2.
- Domain 2: Risk Management: In this domain, candidates are required to apply security risk management principles, address risk to systems, and manage risk to operations. Relevant NIST publications for this domain include NIST SP 800-39, NIST SP 800-30 Rev. 1, NIST SP 800-37 Rev. 2, NIST SP 800-53 Rev. 5, NIST SP 800-53A Rev. 5, FIPS PUB 199, and NIST SP 800-161 Rev. 1.
- Domain 3: Security Planning and Design: This domain covers the analysis of organizational and operational environments, application of system security principles, development of system requirements, and creation of system security architecture and design. Relevant NIST publications for this domain include NIST SP 800-160 Vol. 1, NIST SP 800-53 Rev. 5, and NIST SP 800-47.
- Domain 4: System Implementation, Verification, and Validation: Candidates are required to implement, integrate and deploy security solutions, as well as verify and validate security solutions in this domain. Relevant NIST publications for this domain include NIST SP 800-160 Vol. 1, NIST SP 800-53 Rev. 5, NIST SP 800-53A Rev. 5, and NIST SP 800-115.
- Domain 5: Secure Operations, Change Management, and Disposal: This domain focuses on developing secure operation strategies, participating in secure operations, change management, and disposal processes. Relevant NIST publications for this domain include NIST SP 800-160 Vol. 1, NIST SP 800-34 Rev. 1, NIST SP 800-61 Rev. 2, NIST SP 800-88 Rev. 1, NIST SP 800-40 Rev. 4, NIST SP 800-128, and NIST SP 800-137.
Study Resources
- Official (ISC)² CISSP-ISSEP Flash Cards: A valuable resource to reinforce key concepts and definitions, helping you retain information more effectively.
- CBK Suggested References: (ISC)² provides a list of suggested references that cover the necessary topics for the CISSP-ISSEP exam. These references can be found on the (ISC)² website.
- The Official (ISC)² Guide to the CISSP-ISSEP CBK by Susan Hansche: This guide, though not currently listed as a self-study resource and somewhat outdated, can serve as a useful aid to comprehend the Information Assurance Technical Framework (IATF) version 3.1 (September 2002) Information System Security Engineering (ISSE) process. I made use of Chapters 1-7 to gain a grasp on the IATF ISSE process, substituting older references in the guide with updated versions of NIST SP documents. Additionally, Chapters 10-13 and 15 proved beneficial in supplementing my preparation for Domain 1, Domain 3, and Domain 4. Specifically, Chapter 10 on Technical Management provided insightful information on project management-related terms such as Statement of Work (SOW) and Work Breakdown Structure (WBS), which were instrumental for parts of Domain 1. I did, however, choose to skip Chapters 8, 9, and 14 due to their outdated nature.
- NIST Special Publications (SP): As mentioned in the Exam Domains section, several NIST SP documents are relevant to each domain. Studying these documents is crucial to gaining a comprehensive understanding of the material covered in the exam. In particular, NIST SP 800-160 Vol. 1 (System Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems) provides a solid foundation for the exam.
- Appendix E of the old Official (ISC)² Guide to the CISSP-ISSEP CBK: I utilized the sample questions in Appendix E to familiarize myself with the format and style of the exam questions.
Study Tips and Strategies
- Understand the System Development Life Cycle (SDLC) through NIST SP 800-64 Rev. 2 (NIST Basic SDLC), the IATF ISSE Process, and NIST SP 800-160 Vol. 1. The respective phases of these frameworks cover Domain 3, Domain 4, and Domain 5.
- Map the respective phases and processes of NIST Basic SDLC, IATF ISSE Process, Systems Security Engineering of SP 800-160, and NIST Risk Management Framework (RMF). This will help you see the relationships between these frameworks and better understand their applications in real-world scenarios.
- Understand inputs, outputs, roles, and responsibilities in each phase of the various frameworks mentioned above. This will help you grasp the connections between different phases and the overall process.
- Create a study schedule and stick to it. Allocate enough time to review each domain and NIST publication, and ensure you have ample time for revision and practice tests.
- Use flashcards and practice questions to reinforce your understanding of key concepts and test your knowledge.
Conclusion
Preparing for the CISSP-ISSEP exam may seem daunting due to the extensive material covered and the relative scarcity of official study guides. However, by utilizing the resources mentioned in this article, mapping the relationships between various frameworks, and following the study tips and strategies provided, you can confidently approach the exam and demonstrate your expertise as a system security engineer.
Chief Cyber Risk Officer at MTI | Advancing Cybersecurity and AI Through Constant Learning (8mo)
Cyber resiliency series on the body of knowledge in NIST SP 800-160, Volume 2, by Ron Ross: https://www.linkedin.com/posts/ronrossecure_nist800160vol2-cyberresiliency-systemsengineering-activity-7262654879951720448-LjCw?utm_source=share&utm_medium=member_desktop
Chief Cyber Risk Officer at MTI | Advancing Cybersecurity and AI Through Constant Learning (9mo)
Tutorial series on the security design principles in NIST SP 800-160, Volume 1, by Ron Ross: https://www.linkedin.com/posts/ronrossecure_nist800160vol1-securitydesignprinciples-sse-activity-7245668256806572032-HL0v?utm_source=share&utm_medium=member_ios
Chief Cyber Risk Officer at MTI | Advancing Cybersecurity and AI Through Constant Learning (10mo)
Ron Ross has been sharing valuable insights and concise explanations on security design principles summarized in NIST SP 800-160. Following his posts will undoubtedly deepen your understanding of system security engineering foundations and better prepare you for the ISSEP exam. https://www.linkedin.com/posts/ronrossecure_nist800160-assurance-designanalysis-activity-7234305404644528129-UR77?utm_source=share&utm_medium=member_desktop
Chief Cyber Risk Officer at MTI | Advancing Cybersecurity and AI Through Constant Learning (1y)
Free and excellent courses to help you better understand the NIST Risk Management Framework (NIST SP 800-37 Rev. 2), NIST SP 800-53, NIST SP 800-53A, and NIST SP 800-53B: https://csrc.nist.gov/projects/risk-management/rmf-course
Security Solutions Engineer | Security Solutions Architect | Product Security | Technical Presales | AI Enthusiast (1y)
Configured a model as a CISSP-ISSEP study teacher: https://chat.openai.com/g/g-wHE91ajU9-cissp-issep-study-teacher. Using it now.