With 11th June, 2016 approaching fast, I am sure many of our aspiring readers would be looking for information on Certified Information Security Manager (CISM) certification. Wouldn’t it be beneficial, in terms of time and effort, if you could get all your questions answered in one place? Wait! You’re at that place already.
Given the value that CISM Certification holds, I would like to share my experience (as much as I can without violating the NDA) . I hope that those of you who are currently preparing for it or wish to pursue it in future may find something to take away from this article. For the benefit of the readers who have just started their careers in or are planning to enter the Information Security field I’ll start with a brief introduction of the certification.
About the CISM Certification
Certified Information Security Manager (CISM), conducted by Information Systems Audit and Control Association (ISACA), is a must have for those who are responsible for managing Information Security of their organization. Given the nature of the field, it is easy for an Information Security (IS) manager to get lost in details when they are expected to deliver results on strict timelines. Another challenge face by IS managers is speaking in the language that senior management could understand. This is where the CISM certification comes into the picture. It provides detailed insights into the role IS managers are expected to play in their organizations. You can learn more about the certification from here.
What does it cover?
Curriculum for CISM is divided into following four job practices:
- Domain 1— Information Security Governance (24%)
- Domain 2—Information Risk Management and Compliance (33%)
- Domain 3—Information Security Program Development and Management (25%)
- Domain 4—Information Security Incident Management (18%)
The numbers in brackets indicate the weight-age given to each domain in the exam. The domains are further represented in terms of knowledge statements. While it’s important to understand the knowledge statements and the objective they serve, one doesn’t need to mug them.
How to prepare for the exam?
The only thing you need to pass the exam is ISACA’s CISM Review Manual (CRM). It’s around 288 pages priced at $105 (INR 6,615) for members and $135 (INR 8,505) for non-members. Compliment this with ISACA’s CISM Question Database for effective learning. It is essential to have a good understanding of concepts in order to clear the exam, mugging up won’t help. The question database is also available in book format.
Once you’re through CRM, start with the question database and keep practicing until you consistently get a score of above 90%. In addition to Question db, ISACA also provides a free self-assessment test containing 50 questions. This test will help candidates in gauging the level and type of questions asked in CISM examination.
What’s the exam like?
CISM is a paper based examination. 200 questions need to be answered in a duration of 4 hours. ISACA uses a 200-800 point scale with 450 as the passing mark for the exam. A scaled score is a conversion of the raw score on an exam to a common scale. Candidates won’t find any questions from CRM or question db. Questions are application based, therefore, candidates need to make sure that they are clear with the concepts.
The exam fee may vary from $440 (INR 27,720) to $750 (INR 47,250) based on whether or not you’re an ISACA member. You can start the exam registration process from here. Same goes with the cost of exam preparation material. Candidates can opt for ISACA Memebership prior to taking the exam. ISACA has a ton of wonderful material, all free to members. In the unfortunate event of failing the exam, you need to pay the exam fee again to retake it. You can read more about the examination process here.
Once you’ve given the CISM examination, you’ll have to wait for 5 weeks to know the results. I didn’t mind the wait except at the end of the fifth week.
What’s next after clearing the exam?
- 5 years of professional experience in at least two of the five domains
- Adherence to the ISACA Code of Professional Ethics
- Comply with the CISM Continuing Professional Education (CPE) Policy
Once you’ve cleared the exam, ISACA requires you to fill a CISM Application for Certification. In this application you’ll need to list at least five years of cumulative work experience in at least three CISM domains. Candidates who do not meet the experience requirements have five years, from the date of clearing the exam, to gain the relevant experience. You can read more about the certification process here.
In order to maintain the certification certification holders must earn and submit certain number of CPE points annually and every three years. In addition to CPEs, Annual Maintenance Fees also needs to paid annually. Learn more about the credential maintenance requirements here.
If I have left out anything or if readers have any additional queries please leave them in the comments below. Please note that questions regarding sharing and distribution of pre-owned material will not be entertained as it amounts to piracy.
Uday Mittal is a cybersecurity professional with rich working experience working with various industries including telecom, publishing, consulting and finance. He holds internationally recognized certifications such as CRTP, OSCE, OSCP, CISSP, CISA, CISM, CRISC among others. He speaks on cybersecurity awareness, offensive security research etc. and has authored various articles on topics related to cyber security and software development for a leading magazine on open source software.