How I Passed CISM Material In The First Time

In this blog post, I'll show you how I passed the CISM (Certified Information Security Manager) exam on the first attempt: the learning materials and strategies I used, my exam experience, and tips for passing. There has never been a better time to get a security certification. Not only is there high demand in the market, but according to Gartner, the unemployment rate among cybersecurity professionals is zero. This means that there are more jobs than qualified candidates. Personally, I've spent a lot of time and effort getting both the CISM and CISSP certifications. These are the most respected certifications for cybersecurity executives and practitioners. However, getting certified is not easy, as it requires a significant investment of time and money.

Brief Introduction about Security Certifications

If you're trying to break into the world of security and become a security expert or manager, you already know that several bodies offer globally recognized security certifications. These institutions are independent non-profit organizations such as:

  • International Information System Security Certification Consortium (ISC)², which offers certifications like CISSP, one of the most recognized security certifications in the world.
  • EC-Council, which offers certifications like Certified Ethical Hacker (CEH).
  • ISACA, which provides certifications like CISM.

Many people start with the (ISC)² CISSP certification before obtaining other security certifications. CISSP is something of a de facto standard: it covers almost every aspect of information security and is a mandatory certification for many security positions, including those in government offices. However, the order in which you get them doesn't matter, so you can get the CISM first and then pursue the CISSP.

In my case, I got the CISSP certification in March 2019 and then the CISM certification in July of the same year. The two share many common themes, which made the CISM material easier to read and understand. Risk management, business continuity, disaster recovery, governance, and so on are common to both certifications. I felt like I already knew 25% of the CISM material, which made reading it much easier.

ISACA

ISACA is an independent, non-profit, global association formerly known as the Information Systems Audit and Control Association. Currently, ISACA serves 140,000 professionals in 180 countries.
ISACA is known for its COBIT Governance Framework and many information certifications, including:

Of the four certifications listed above, CISA and CISM are the most popular, and each of them covers a different professional role: CISM is intended for information security managers, and CISA is intended for auditors. There is also a great 90-minute YouTube video that explains both and shows how to score higher by understanding the certification requirements and the style of the questions.

Who Should Take CISM?

Unlike CISSP, which is an attractive option for professionals in many different disciplines, CISM targets more specific jobs. It is intended for individuals who lead information security teams within an organization and demonstrates a complete understanding of both the technical capabilities and the business goals related to data security. The emphasis is on the business-goal side.

Understanding the technical side of the story is not enough: part of your role as an information security manager is to understand your organization's business goals and align the goals of your security program with them. You need to be aware of this, and of how a manager thinks and reacts in day-to-day work across various situations.

If you are the CISO of your company, this is one of the reasons this exam can help you advance your career. As a CISO, you need to create a security program, manage risk as part of it, define security strategies, present business cases to management, and then report to senior management. All of these topics are explained in detail in this certification. Many IT professionals may be interested in CISSP, but, since CISM is a management-level certification, they may not be interested in it at all.

CISM Exam Domains

Unlike the 8 domains in CISSP, CISM only has four domains:

  • Information Security Governance
  • Information Risk Management
  • Information Security Program Development and Management
  • Information Security Incident Management

The four domains covered by the CISM exam are exactly the areas an information security manager needs to master to advance their career.

In the Information Security Governance domain, you learn how an information security strategy is aligned with your organization's goals and objectives, and you are tested on your ability to develop and supervise an information security governance framework that guides the activities supporting that strategy. In the Information Risk Management domain, you learn how to manage risk to an acceptable level according to your organization's risk appetite while still helping it achieve its goals and objectives. To do this, you need to classify your information assets so that the measures taken to protect them are proportional to their business value.

The Information Security Program Development and Management domain covers how to develop and maintain an information security program that identifies, manages, and protects an organization's assets in line with its business goals. Finally, the Information Security Incident Management domain teaches you how to plan, set up, and manage information security incident detection, investigation, response, and recovery in order to minimize the impact on your business.

My Study Materials

After taking the CISSP exam in March, I started preparing for the CISM exam. I used two main learning materials. The first was the CISM Certified Information Security Manager All-in-One Exam Guide, which is available from Amazon. Easy to read for any security professional, this 500-page book is half the length of the Sybex CISSP exam preparation guide. The other thing I did was to follow the CISM training video series on Pluralsight. The course consists of five sub-courses that target the four CISM domains, and it is high-quality training that helps you understand the key concepts and how security managers should think in different situations.

How I Passed CISM – Exam Experience

The CISM exam is only offered at certain times of the year, so schedule your exam in advance. With extensive experience in two of the CISM domains and having recently passed the CISSP exam, it took me a month to prepare for the exam. During that month, I studied for 3 hours every day except on weekends. My learning strategy was to read a chapter in the book and then watch the Pluralsight course covering that chapter. Helpfully, every chapter of the book and every Pluralsight course is mapped to a domain, which made my life easier.

After reading the entire book once and watching the accompanying Pluralsight course, I spent a week practicing and answering exam questions. The exam is difficult, or at least it requires a lot of attention, and the questions demand careful reading. Sometimes I'm 100% sure that both (a) and (b) are correct answers, but I know I have to choose only one of them. You really want to answer the questions in the spirit of a security manager. Always remember that your job is to align your security strategy and goals with your business goals.
