CISSP-ISSAPISC2 certification

How ISSAP renewal works

Crucially, these come from the same CPE pool: an architecture-domain activity counts toward both the ISSAP's 60 and your CISSP's 120. You don't earn 180 — you earn your 120 for CISSP, of which at least 60 must qualify as architecture CPEs.

ISC2 charges a single annual maintenance fee per member that maintains the CISSP and its concentrations together (around $135/year in recent years — verify the current amount and structure in your ISC2 account). CPEs are logged in the same ISC2 portal, tagged to the ISSAP domains.

What counts as an architecture CPE

ISSAP's domains take the architect's view: identity and access management architecture, security operations architecture, infrastructure security, governance/risk/compliance, and the architecture of cryptography and network/communications security. A CPE needs to tie to one of these to count for the concentration.

High-leverage sources: enterprise security-architecture frameworks (SABSA, the security content in TOGAF / The Open Group), cloud security-architecture training (AWS/Azure/GCP reference architectures and well-architected security pillars), zero-trust design courses, and the architecture tracks at conferences (RSA, ISC2 Security Congress, vendor architecture summits).

As with the CISSP, 1 CPE = 1 hour of qualifying content, logged with provider, date, description, and a tie to an ISSAP domain. The ~5%/cycle audit rate and documentation expectations are the same as the base CISSP.

Why this is cheaper than “an extra 60 CPEs” sounds

The same-pool rule is the whole story. A practicing security architect generates architecture CPEs as a byproduct of normal professional development — and every one also counts toward the CISSP. If your work and learning already lean architectural, the ISSAP adds little marginal effort; you're mostly tagging CPEs you'd earn anyway.

The cost appears only if your CPEs skew away from architecture (you've been doing mostly hands-on or management content). Then you owe 60 specifically-architecture CPEs inside your 120, which constrains where the credits come from.

Practical plan: make at least 20 of your 40 annual CISSP CPEs architecture-qualifying. That satisfies the ISSAP automatically and leaves the other 20/year free for anything CISSP-relevant.

Common pitfalls (and how to avoid them)

Pitfall 1: Letting the CISSP lapse. A concentration cannot outlive its base cert — if the CISSP expires, the ISSAP goes with it. Maintain the CISSP first; the concentration rides on it.

Pitfall 2: Mis-tagging CPEs. ISC2 wants each ISSAP CPE tied to an architecture domain. A generic “security webinar” with no architecture angle counts toward the CISSP but not the ISSAP — and an audit will reject the concentration credit.

Pitfall 3: Assuming a separate fee or deadline. The concentration shares the CISSP's maintenance fee and cycle; there's no separate invoice or end-date. Confirm the bundling in your ISC2 account so a surprise doesn't lapse you.