ISSAP Feedback

CISSP_architecture_logoDisclaimer: It is not my intention to violate the ISC2′ NDA. Please do not email me specific questions related to the content of the exam. A copy of NDA can be found here.


I passed!

In my opinion, it was the most difficult exam I’ve ever taken because of the following reasons:

  • I studied a lot, a lot more than when I took CISSP.
  • I covered the official book at least 5 times + list of materials below (see STUDY PLAN).
  • I practised on https://www.freepracticetests.org (total = 3000 questions answered, although the database has only around 1400, so some questions were seen 2/3 times).

Yet, the exam presented me with the content I have not come across during my studies. I guess this is the trickiest part of the exam. After seeing the first 10 questions, I realized that I had to step back from the “ISSAP study knowledge” and start thinking heavily based on my IT Sec experience.


  • Read the question, read the question again and then read the question again (you get the idea).
  • Go through all the questions answering the ones you fairly sure about (confidence 90%+). Those which you can’t answer, mark for the second round. Go through the marked questions and think hard. Don’t give up! I ended up with 50 marked questions after the first round.
  • Do your best on every single question. Every question counts!!!
  • Think as an Architect, use your experience!
  • Don’t underestimate it or relay on CISSP knowledge, as you will not pass it!


The chapters below refer to the book – Ross Anderson “Security Engineering”:  http://www.cl.cam.ac.uk/~rja14/book.html

So, I read the official book a few times plus the materials outlined below:

Chapter 4 Access Control
Chapter 8 Multilevel Security
Chapter 9 Multilateral Security
Chapter 10 Banking and Bookkeeping
Chapter 15 Biometrics

Chapter 3 Protocols
Chapter 19 Electronic and Information Warfare
Chapter 20 Telecom System Security
Chapter 21 Network Attack and Defence
* Read NIST 800-48 [Wireless]
* Read NIST 800-58 [VOIP]

Chapter 5 Cryptography

Chapter 6 Distributed Systems
Chapter 25 Managing the Development of Secure Systems
Chapter 26 System Evaluation and Assurance
* Read NIST 800-64 [SDLC]

* NIST 800-30 [Risk Assessment]

Chapter 11 Physical Protection
Chapter 12 Monitoring and Metering
Chapter 16 Physical Tamper Resistance
Chapter 17 Emission Security

Other materials:
NIST 800-30 [Risk Assessment]
NIST 800-48 [Wireless]
NIST 800-58 [VOIP]
NIST 800-64 [SDLC]
Common Criteria v2.3

Jake Eliasz

Jake is a Chartered Lead Security Consultant with over 15 years' experience in Information Technology. Jake has performed many consultative engagements for retail, banking and government sectors in the EMEA region. Jake is currently focused on designing security controls, PCI DSS, PA DSS, ethical hacking and security risk/compliance. Prior to working for NCC Group, Jake worked as a Lead Security Consultant - QSA (Ambersail), Security Specialist (CreditCall) and Security Analyst (Symantec), where he was designing, implementing and managing various security controls for large, distributed networks. Jake has graduated from the University of Plymouth with the MSc degree in Information Security.

One Comment

  1. I can’t agree more with you Jake for reference to Ross Anderson’s “Security Engineering”. One of the ultimate sources to prepare for ISSAP. Another book I would suggest is Enterprise Security Architecture from John Sherwood, Andrew Clard and David Lynas.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.