CISSP concentrations: ISSAP, ISSEP, ISSMP

Once you hold the CISSP, ISC2 offers three concentrations to deepen one track: architecture, engineering or management. Here is who they are for and how to choose.

The three concentrations

ConcentrationTrackTarget profile
ISSAPSecurity architectureSecurity architect
ISSEPSecurity engineeringSecurity engineer, critical systems
ISSMPSecurity managementCISO, program manager

The shared prerequisite: already being a CISSP

Concentrations cannot be taken on their own: you must hold the CISSP in good standing (active certification) and have about 2 years of experience in the concentration's area. Each concentration has its own exam.

ISSAP — the architect

The ISSAP (Information Systems Security Architecture Professional) targets those who design security architectures: trust models, applied cryptography, infrastructure and access security. It's the natural next step for an architect.

ISSEP — the engineer

The ISSEP (Engineering) is for security engineering of systems, often in demanding contexts (public sector, critical systems), with a lifecycle and security-integration approach.

ISSMP — the manager

The ISSMP (Management) deepens steering: governance, security program management, crisis management and compliance. Relevant for a CISO or program lead.

Do you need a concentration?

For most candidates, the CISSP alone is enough and remains the most requested. A concentration makes sense if you want to signal a strong specialty (architecture, engineering, management) and your career clearly heads that way. Otherwise, consolidate the CISSP and aim for complementary certifications (cloud, audit).

Frequently asked questions

What are the CISSP specializations?

ISSAP (architecture), ISSEP (engineering), ISSMP (management).

Do you need the CISSP to take the ISSAP?

Yes, hold the CISSP in good standing + about 2 years of experience in the concentration.

First, earn the CISSP

The gateway to all concentrations.

How to pass the CISSP

See also: CISSP vs CISM and maintenance (CPE). CISSP®, ISSAP®, ISSEP®, ISSMP® are marks of (ISC)².