The Information Security Management Systems Certification (ISO 27001:2013) helps organizations prove they are managing the security of clients’ and stakeholders’ information, and can generate the need for three types of vendors: certification body, internal audit and implementation.
The certification body (CB) is an organization accredited by a recognized accrediting body (UKAS, ANAB, etc.) for its competence to audit and issue certification confirming that an organization’s processes meet the requirements of the ISO 27001:2013 standard. The certification is valid for three years, subject to a successful annual surveillance audit and no major non-conformance for the duration of the certification. Organizations proceeding with certification for the first time have to undergo Stage I and Stage II audits by a certification body. The Stage I audit is a preliminary documentation audit in which policies, procedures, risks, objectives, etc., are audited against the standard and readiness for Stage II is assessed. In the Stage II audit, the implementation of the ISMS and its effectiveness are evaluated. Certification cannot be done in-house, so the CB vendor needs to be on-boarded. Apart from cost and business requirements, the organization has to ensure that it gets certified by an accredited CB.
Internal audits are conducted against the ISO 27001 standard prior to the external audit (the certification body’s Stage I and Stage II audits). Internal audits can be done by in-house personnel or by a vendor. If organizations deploy in-house personnel, they have to ensure that internal audits are done independently and impartially (i.e., the auditor shall not audit his or her own work). Selected internal auditors should be competent, holding an ISO 27001 Lead Auditor certification, preferably from the International Register of Certificated Auditors (IRCA), along with a CISA or similar certification. The auditor should have at least three years of experience. A CV and project sign-off statements from previous clients can help evaluate competency.
Implementation then involves doing a risk assessment, training, formulating policies and procedures, creating awareness training, analyzing metrics, conducting a management review meeting, etc. This activity can be performed either by in-house personnel or by a vendor. The implementation should be done by a competent ISO 27001 Lead Implementer/Lead Auditor, preferably IRCA-certified, with three years of post-certification experience and a CISA, CISM, CISSP or similar certification. Again, a CV and project sign-off statements from the implementer’s previous clients can be helpful.
The time required for these three activities varies, but generally the assignment would be for three years. A point of contact who has knowledge of the entire certification cycle is recommended. Activities of the certification body and internal auditor involve preparing the audit schedule, conducting audits, audit reporting and approving a Corrective Action Plan (CAP). The CAP is the plan submitted to the auditor describing how the gaps identified during the audit will be closed. The duration of the audit depends on the number of people, number of locations, number of processes/departments involved, etc.
Implementation is generally of a much longer duration than the audits, as it involves multiple activities being performed in parallel. Inputs from the implementer are important during audits, and the implementer needs to be deployed in the organization for a few months to complete the certification process. For an organization that has a single location and about 100 people, the certification process would typically take three to six months to complete.
Part of growing as a young professional is being willing to continually learn and knowing your education should never stop. To continue your education and customize it to your career goals, certifications can be helpful. Obtaining a certification can provide internal and external validation of expertise, and demonstrate you have a certain skillset with the test results to prove it. Certifications demonstrate your expertise to peers, superiors, business partners and clients.
Certifications should not just check a box
Do not get a certification merely to meet the criteria of a particular job. Think proactively about what a certification can do for you. Does it open you up to a new opportunity? Will training for the certification be a valuable learning opportunity? Obtaining certifications should be part of your personal and professional development plans – those that are formally documented at your job and those that excite you to get out of bed each day.
Ask others for advice
If you are unsure about what certification is right for you or want some additional validation, ask a mentor, sponsor or manager for recommendations on what certifications might be right for you based on your goals. While you may have a certification in mind, it does not hurt to have an outside, experienced perspective to consider before you commit. Also, reach out to individuals at your company who have a certification you are interested in pursuing to find out what value it has provided for them, plus any tips they have.
Be ready to invest in yourself
Certifications can be costly, especially those that are highly technical and specialized. Make sure you are ready to make the monetary and time investment necessary to make the expense worthwhile. See if your company sponsors certifications/training and be ready to provide business justification if you are asking for reimbursement for your training.
Prepare for certification maintenance
Keep in mind the ongoing obligations that come with certain professional certifications. Some require ongoing continuing education, annual fees and other efforts on your part to show the maintenance of your certification. Make sure when you seek the initial certification that you are prepared for the later requirements that may follow.
Keep learning your whole career
Getting certified should not be a one-time event, but instead should be part of your lifelong learning plan that evolves with your career. Set a schedule for yourself to review your certifications and look for new opportunities as your career path winds. Setting goals that include learning as a key element will help you remain satisfied in your career and prove to partners and clients that you are invested in personal growth.
Editor’s note: For more resources for young professionals, visit www.isaca.org/young-professionals. For information on ISACA’s certifications, visit www.isaca.org/certification.
Earlier this year, when I earned the last one of the Fab 4 of ISACA certifications – CISM, CISA, CRISC and CGEIT – I decided to write a post about my experience and the lessons I learned along the way. I hope this will be useful for anyone preparing to obtain these industry-recognized credentials.
1. The disclaimer.
2. The motivation.
Several people have asked me why I did it and if there is any value to getting all four of these certifications. I would say that for many in jobs focusing on siloed aspects of information security, the answer is “No” – they would be better served by getting the one or two certifications most relevant to them. But, for an information security and risk consultant like me whose work encompasses a wider universe, there’s definite value in preparing for and getting all of these certifications. At the same time, I believe anyone desirous of expanding his or her overall knowledge in this area will find them useful.
On a more personal note, there’s also a sense of personal achievement tied to this. Balancing client, firm and family commitments in order to study and take these exams was a major motivator.
3. The preparation.
To my mind, the best preparation for getting the ISACA certifications is getting experience in the field. The second best would be to get the CISSP. I believe the CISSP covers a much broader area than any individual ISACA exam and puts one in good stead to ace ISACA’s certification exams later. However, none of these are deal-breakers – you can definitely succeed at the ISACA exams without the CISSP or 12-plus years of experience (like me).
As for the materials I used, I confess that I found the official manuals to be dry. I focused on Questions & Answers databases after going through the free training videos available at Cybrary.it. I would extensively take notes while watching the videos and when reviewing my answers on practice tests using the databases. When reviewing before the exams, I would refer only to my notes.
As many before me have surmised, there IS an ISACA way. Don’t be alarmed; it’s not completely at odds with your knowledge gained from experience, but there may be subtle variations. The best way to understand it is to analyze, with a fine-toothed comb, the answers to the database questions. The wrong answers should also be part of your analysis, as they clearly explain why they are NOT right for a particular question but can be for a different one.
Rule of thumb: if you’re consistently scoring 75 percent in the database Q&A for a particular test, you’re ready for the actual one!
4. The key takeaways.
- IT exists to serve business. Business exists to serve stakeholders’ interests.
- People are the most valuable asset; people are also the weakest link in security.
- Governance is “doing the right things”; management is “doing things right.”
- Security and audit decisions should be risk-based and meet business requirements. Organizational structure and culture are key decision factors.
- The first step before implementing change is to understand the current state.
- Understand the composition and responsibilities of the board, senior management, operational management, IT Strategy Committee, IT Steering Committee and IT Architecture Review Board.
- Understand the composition of the IT Strategic Plan, IT Investment Portfolio, IT Operational Plan, IT Acquisition Plan, IT Implementation Plan, IT Outsourcing Plan, IT Risk Register, Enterprise Architecture, IT Balanced Scorecard, policies, standards and procedures, etc.
- Realize that accountability and responsibility are different things. Usually, the board or senior management are held accountable for security-related decisions. The term “ultimate responsibility” refers to accountability.
- IT strategy should be an extension of enterprise strategy. Enterprise architecture aligns IT strategy with enterprise strategy.
- IT goals should align with enterprise goals. Any IT investment has to be supported by a business case.
- “You cannot manage what you cannot measure” – understand metrics (KPIs and KRIs), how they are selected and measured, and what kind of information they can provide.
5. The D-Day experience.
The best preparation is of little use unless put into practice. Here are some tips around exam day:
- Try to schedule practice tests and the actual exam at the same time of the day. I can’t quote any scientific studies to support this, but I believe the body and mind acclimatize themselves for peak performance during the time you practice most.
- Read the question carefully to understand your role – are you the advisor, auditor or implementer? Your role will determine the answer you should choose.
- For multiple choice questions, it’s usually easier to eliminate two of the four options; selecting the right option from the remaining two is where the difficulty lies.
- The questions often mention “first” or “best”; this is very important when choosing the answer. Multiple options may be right, but only one will be “first” or “best.”
- If “first” is not explicitly mentioned, choose the option that is the root cause. For example, if option A leads to option B and both are correct answers to the question, choose option A.
- If you’re stuck on one question, mark it for review and move on. There’s enough time for you to revisit it later.
- Take frequent breaks. Four hours should be enough to answer all 150 questions and review them. Use the time wisely to pace yourself. I personally took a break after every 50 questions.
- Ensure you answer all questions. There are no negative points for wrong answers, and even a completely random choice has a 25 percent chance of success. Best of luck!
My motivation to pursue ISACA’s CRISC certification was to improve my skills, knowledge and understanding of enterprise and IT risk management.
The CRISC exam is the most rigorous assessment available to evaluate the risk management proficiency of IT professionals, and CRISC is among the leading GRC certifications, according to CIO magazine.
During my career, I have worked at different enterprises in IT/IS at various functional levels. I hold PMP and GCIH, which I consider to be significant factors in passing this exam.
Despite the fact that my preparation time for the CRISC exam was relatively short, I strongly believe in proper planning, execution and monitoring to succeed in any endeavor, no matter the amount of time you have. I am delighted to share with you some tips and advice of how I prepared for the exam:
- Do your own research about the certification that you are interested in. One of the best starting points is to check the ISACA website; all the information that you need should be available there. Then, speak with your trainer, or with others who are certified, and ask for some assistance.
- To get all ISACA benefits and discounts on certification exams, including CRISC, become a member.
- Start with the official CRISC study materials (Review Manual, Questions, Answers and Explanations), and make sure to get the latest editions. Reading the review manual at least twice cover-to-cover was a great help for me, as well as practicing QAEs as much as possible before the exam. It is important to grasp the underlying logic behind all concepts across all domains.
- For more understanding and practice, enroll in a CRISC training course, or you can choose to self-study.
- Continuously evaluate your understanding level, and challenge yourself with questions to bridge any knowledge gaps and weaknesses. Remember: practice makes perfect!
- Don’t stop researching and reading while you study from various sources. Risk management is full of abstract concepts. I found these resources valuable for preparation: The Risk IT Framework, Measuring and Managing Information Risk: A FAIR Approach, and other ISACA publications.
- Go to the exam with a reasonable confidence level and an understanding of the risk management process cycle. Remember: confidence can make or break any exam!
CRISC is an important journey in my professional life, and I appreciate it much more than before having gone through the process. I posted more tips here after I passed the exam.
I wish you much luck with your CRISC journey!
New highly validated data from 3,305 employers reveals that the average cash market value for hundreds of tech certifications is at its lowest point in four years. Meanwhile, pay premiums for non-certified skills in the same period have gained 6 percent in value on average. What gives?
There’s always been a tug of war within employers about hiring tech people with skill certifications versus those who have learned by experience on the job. Eventually the question of comparable pay arises, shining a light on whether certification is a valid factor when measuring a worker’s value or potential on the job. And if it isn’t, then how should employers be assessing skills competence?
Pay disparities between certified and non-certified tech skills
While the performance of ISACA certifications in the compensation landscape has been mixed, as a group they are earning the equivalent of 12.4 percent of base salary in average pay premium, with CGEIT and CRISC earning the most. Compare this to the 7.5 percent average premium across all 466 certs reported in Foote Partners’ quarterly updated IT Skills and Certifications Pay Index™ (ITSCPI).
The fact is, employers have been perfectly willing to throw cash at both certified and non-certified skills for many years, typically in the form of premiums above and beyond base salary. Foote Partners has been capturing and reporting these cash premiums since 2000. Until 2007, certified skills were earning more on average than non-certified skills, but beginning in mid-2007 this trend reversed. Since then, the gap in pay premiums between the two has widened, with 551 non-certified skills now earning, on average, the equivalent of nearly 2 percent of base salary more than the more than 466 tech certifications tracked at more than 3,300 employers.
Certifications had a long run of consistently losing overall value from late 2006 to 2012. These were dark years marked by charges of fraud in the certifications-testing business and a prevailing opinion by many that certifications were simply too easy to attain, in particular those being offered by vendors to support their product lines. Technology vendors and vendor-independent certifying organizations fought back by adding prerequisites to sit for exams, real-time labs and peer-review panels.
It seemed to work, as certifications pay began to rise, although not nearly to the level of non-certified skills premiums, often for the same technologies. More and more management, process, and methodology skills and certifications gained popularity in the growth years for both intermediate and advanced skill levels, and pay continued to rise for both segments until about two years ago.
Average pay premiums for tech certifications recorded in the ITSCPI have most recently decreased in the last quarter of 2018, down 1.8 percent overall. They lost 2.4 percent of their value in calendar year 2018 and nearly 3 percent over the last two years. In the last three months of 2018, 57 certifications recorded cash pay premium losses against 17 gaining value.
Meanwhile cash pay premiums for non-certified skills increased 0.6 percent overall in October-November-December with 87 of these skills recording pay premium gains and 72 losing market value. Pay gains have been consistently higher in most quarters in each of the past three years.
Declines in certification market value can be misleading
Certification values decline in the marketplace for a number of obvious and not-so-obvious reasons.
Pay premiums diminish as certifications expire, are retired, or as technology evolves and they are replaced with more appropriate certifications. Since certifications have traditionally been attached to infrastructure tech (networking, systems, security), they have natural market pay volatility: nearly 17 percent per calendar quarter in the past four years. Volatility measures the percentage of total certifications whose value changed in each three-month period.
There also are certifications for architecture and for processes such as project management, frameworks and methodologies; as a group, they earn the highest average premiums among all categories reported, but they have their non-certified skill counterparts. This subjects them to pay erosion as employers feel more confident measuring talent in these disciplines based on work experience, especially at intermediate and advanced certification levels.
Non-certified skills can be found in far greater numbers than certifications in other segments such as programming and applications development, web, and database. Again, employers devise their own ways to judge proficiency in these areas; for example, coding tests, evaluating past work experience, references, and trial-to-hire employment. They drive down certification values by building their own robust internal training and development program, in effect devising their own certification programs.
There also remains a lingering bias that passing a proctored exam does not necessarily confer onto the test-taker an expertise in a subject, especially in cases when the pass rate entails getting only 70 percent of answers correct. Adding a laboratory requirement only works if the lab is a sufficient test of a candidate’s capabilities in the real world.
But, in a counterintuitive twist, cash market value can be a victim of a certification’s success. As interest in a certification escalates and more people attain the certification, the gap between supply and demand for the certification narrows, driving down its price as the laws of scarcity would dictate. This has been documented in the case of hundreds of certifications over the almost two decades of Foote Partners tracking and reporting cash pay premiums. The media rarely recognizes this contradiction in its reporting.
Perhaps the most common reason for certification values falling is a fundamental weakness that persists in the certification industry: a vast number of popular tech skills simply do not have a certification associated with them. No single vendor owns the particular technology, so there is no product line whose sales and upgrade investments a supporting certification program would be needed to protect.
And what about so-called soft skills? Employers often are just as willing to recognize their value with pay premiums both inside and outside of salary, especially if they are combined with hard tech skills and industry, domain, or customer knowledge and experience.
Author’s note: For more information on certification market value in 2018, view this news release summarizing our latest IT Skills Demand and Pay Trends Report.
Editor’s note: The ISACA Now blog occasionally highlights the impact ISACA certifications have in the evolving business landscape, as well as how certifications have impacted individual members of the ISACA professional community. Today, we profile Marco Schulz, CISM, CISA, CGEIT, CEO at marconcert GmbH (Germany). For more information on ISACA certifications, visit www.isaca.org/certification.
ISACA Now: What motivated you to pursue your CISA certification?
As a CISO, I was subject to internal and external reviews for many years and impressed by the instincts of some natural-born auditors. When I took a new supervisory role, I had to conduct on-site audits of subsidiaries around the globe and I suspected I needed to learn some basics before comfortably leading bigger audit engagements. Oh, and there was still some space left next to the CISM on my business card.
ISACA Now: What was your biggest key to success in passing the exam?
Undoubtedly it was my professional experience. When I took the CISA exam in 2008, I had already worked in information security for 12-plus years. From the CISM exam the year before, I was already familiar with the line of questioning and – I should probably not confess – went to the exam with only very little preparation.
ISACA Now: How does the knowledge you gained through CISA fit in with the current technology landscape?
In my view the general IT audit principles have not changed much over the decades. In the meantime, the complexity of technology and its business relevance have gone through the roof. More than ever, a risk-based approach and continuous compliance monitoring are needed to manage IT compliance in a cost-effective manner. The CISA knowledge domains support these objectives and are regularly updated to incorporate major business changes.
ISACA Now: How has the CISA helped advance your professional development and career objectives?
The CISA designation helped me to demonstrate IT audit competencies. It was also a formal prerequisite for some client engagements.
ISACA Now: What does it mean to be part of a global network of ISACA-certified professionals?
Even though I enjoyed speaking at ISACA conferences at times, I had been a rather passive member for many years. But in November 2018 I decided to engage in the German chapter and started to manage our social media accounts on Twitter, LinkedIn and a closed member group on XING. Today I am working from the German chapter office in Berlin, where recently I was dining with the president and the CEO of our Kenyan chapter. I like the professional and personal exchanges in our community and call some ISACA members my friends.
Anyone can succeed with the right information and tools. One of the best ways for information systems professionals to ensure career success with all its attendant benefits is to earn ISACA's CISA certification. The CISA certification has made a tremendous difference in the lives of thousands of people across the globe. In fact, it is one of the certifications that will retain its relevance because of several drivers discussed below.
Increasing criticality of information. Decades ago, traditional assets like land, buildings, oil wells, gold and cash used to be the main considerations for businesses. In this century, it is possible to run a multi-million dollar business with a single laptop and internet connection. Data life cycle management has become extremely critical to the survival of businesses. For organizations regardless of size or geography, information is the business. Because of their expertise in the areas of IS audit, controls, assurance and security, CISA certification-holders will continue to be in demand, as they have been for the past 40 years.
Increased sophistication of cyberattacks. Denial of service, ransomware, phishing, spam, zero-day attacks and other threats are becoming rampant, causing extensive losses to individuals and businesses. Research has shown that businesses lose up to 5 percent of their annual revenue to fraud and irregularities. This reality is prompting many businesses to implement preventive controls by hiring CISA certification-holders to provide assurance on information security and risk management.
Improved governance awareness from boards of directors. ISACA frameworks such as COBIT, Val IT and Risk IT have yielded considerable fruits as business leaders have become more open to the alignment of IT and the business. This commitment from boards of directors is making approval of funds and setup of assurance functions easier than before for many organizations.
Increasing pressure from the regulatory authorities. For many businesses, it is no longer business as usual. Regulators are coming up with stringent rules with dire consequences in cases of non-compliance. The Sarbanes-Oxley Act (SOX) changed the face of corporate reporting in the US, with ripple effects felt globally. More recently, this year, the General Data Protection Regulation (GDPR) began affecting businesses that process personal data of European customers. In order to ensure compliance, businesses will need the services of CISA-certification holders for implementation and audit of the processes.
Increasing relevance of standards and IT frameworks. Certifications and frameworks by bodies such as the International Organization for Standardization (ISO) are fast becoming tools for competitive edge. Globalization is shifting the advantage to the customers, who can be more discerning in their purchase decisions. ISO 27001, ISO 22301, ISO 20000, ITIL, COBIT 5, PCI DSS and other frameworks are being implemented as a result of regulatory directives and as an agent of differentiation. This trend is creating opportunities for CISA certification-holders, who are hired to implement and audit the related considerations.
Increasing disruptive trends in computerization. A slowdown in the pace of digital change is nowhere in sight. We are now talking of smart cities, e-government, blockchain technology, mobile banking, and so on. Artificial intelligence and robotics engineering are taking over the manufacturing and aviation sectors. The increased dependence on technology will ensure that CISA certification-holders continue to be needed for assurance and security functions. The certification is being updated to keep pace with the changing technology environment.
With all these benefits for CISA certification-holders, you should consider taking the CISA exam. Here is some guidance on approaching the exam:
Attend an online or classroom lecture. I am an advocate of learning from CISA veterans who can share their own academic and field “war stories.” Their experience can position you to pass with ease.
Master the knowledge statements. Every domain has task and knowledge statements. The task statements contain tasks you should be able to carry out at the end of the study. The knowledge statements contain knowledge you are supposed to have at the end of the study. After reading through a domain, review the knowledge statements to determine if you understand the required concepts. In order to ensure that you have mastered the concepts, read through the CISA Review Manual at least twice (I did it thrice).
Realize that the database is non-negotiable. It is difficult (perhaps impossible) to pass the CISA exam without effectively using the database. Read through the database at least twice. Do not cram the answers. Focus on the detailed justifications made in determining the correct answers.
Choose your answers using the elimination method. The greatest challenge with the CISA exam is that there are similarities among the answer options. This is where many candidates make wrong decisions. Do not just pick an option that “jumps” at you. Analyze each option carefully and justify its correctness or incorrectness based on your knowledge of CISA concepts.
Get practical IS audit experience. Having practical IS audit experience will help you to pass the CISA exam with ease. Arrange for a relevant internship, part-time work or full-time work. If this is not possible, interact with professionals, attend ISACA local chapter meetings/conferences and read articles written by IS audit veterans.
In conclusion, the CISA certification will open doors for global opportunities. Thousands of CISA-certified professionals all over the world will confirm to you that CISA is an investment worth making – perhaps now more than ever.
Of all the certifications represented annually in the Global Knowledge IT Skills and Salary Report, ISACA is more prominent in our top-paying certifications list than any others. This year, ISACA occupies five spots in the top 20, including three in the top six worldwide.
ISACA is associated with two important truths for business technology professionals:
- Enhancing a wide range of careers
- High salaries
ISACA’s certifications in cybersecurity and governance produce the highest salaries. This is in line with our overall salary data, as governance ranks second and security fifth in average global salaries by category.
Here’s a list of the five top-paying ISACA certifications for 2018 (average salaries are for North America):
1. CGEIT: Certified in the Governance of Enterprise IT
Average salary: $117,544
CGEIT is the top-paying certification in the United States and ranks third worldwide ($92,821). Its North American salary is 34% higher than the average for all certified professionals. This certification is designed for individuals who manage, advise or provide assurance services around enterprise IT governance.
Tenure is among the reasons CGEIT-certified professionals typically have higher salaries. To take the exam, an individual needs at least five years of experience in at least three of the five domains the certification covers, including at least one year in the IT governance framework area.
2. CRISC: Certified in Risk and Information Systems Control
Average salary: $107,968
CRISC ranks sixth in North America and second worldwide in average salary. Its average salary is 23% higher than the average for certified professionals. CRISC is a risk management and security credential designed for IT professionals, project managers and others whose job it is to identify and manage IT and business risks through information systems controls.
Globally, six security certifications made our top-20 list, with CRISC trailing only CISSP in average salary. Cybersecurity positions in general pay well, with the average among North American respondents at $101,083, which is more than $13,000 above the average.
Related training: CRISC - Certified in Risk and Information Systems Control Prep Course
3. CISM: Certified Information Security Manager
Average salary: $105,926
CISM ranks seventh in North American salary and sixth globally. It’s aimed at information security management professionals, focusing on security strategy and assessing the systems and policies in place. To take the exam, certification candidates are required to have at least five years of experience in IS, with at least three as a security manager.
It’s now common that many government agencies require their IS and IT professionals to have a CISM certification.
Related training: CISM - Certified Information Security Manager Prep Course
4. COBIT 5 Foundation
Average salary: $102,112
This premier governance credential has a North American salary that tops $100,000 and a worldwide salary that ranks 11th overall ($77,300). COBIT 5 provides a comprehensive framework that assists enterprises in achieving their objectives for the governance and management of enterprise IT.
ISACA’s governance credentials (COBIT 5 Foundation and CGEIT) are two main reasons why governance certifications have the second highest average salary globally ($84,420).
Related training: COBIT 5 Foundation
5. CISA: Certified Information Systems Auditor
Average salary: $97,117
CISA ranks 13th in the US and globally in average salary. It’s also the most popular certification amongst our survey respondents, with 1,923 CISA-certified professionals. The CISA is perfect for individuals whose job responsibilities include auditing, monitoring, controlling and assessing IT and business systems. The exam tests the ability to manage vulnerabilities.
Originating in 1978 and now in its 40th year, CISA is ISACA’s oldest certification. It requires at least five years of experience in information systems auditing, control or security.
Last year, I passed the Certified Information Security Manager (CISM) exam and, surprisingly to me, earned the top global score. It is a great achievement for me in my professional educational activities, and I was glad to be recognized at the 2018 EuroCACS conference in Edinburgh, Scotland. Below are some insights and guidance from my experience that I hope will be useful to other CISM candidates.
Why CISM certification is important for me
CISM is a worldwide-recognized certification and is of great benefit for me as an information security professional and for my organization. It helps me to advance my career and be recognized among other information security practitioners.
In my professional activities, CISM certification helps me to adapt and adopt best practices, standards and frameworks that best fit my organization and align our information security program with business objectives and regulatory requirements. In addition, it helps my organization get competitive advantages, provide our customers with professional expertise, secure products and put in place advanced security services that meet their demands.
If you decide to take the CISM exam and become certified, it would be a good incentive for your professional growth and great opportunity to advance your career.
I would like to share some tips for preparing for and passing the CISM exam that may be useful for you.
Before you start
I recommend identifying the study materials and additional resources you’ll need to prepare for the exam and accomplish your goal.
I used the following study materials:
The CISM Review Manual helps to refresh your existing knowledge in the field of information security and also get additional knowledge and relevant information. The CISM Review Questions, Answers and Explanations Database is a very useful resource during the preparation and before passing the exam. It helps you evaluate the level of knowledge in each CISM domain and test your readiness for an exam. It also helps to test yourself in conditions that mimic the actual CISM exam.
This might be enough if you already have a broad knowledge and work experience in the field of information security. If not, ISACA’s exam prep courses and additional resources may be useful. You may also join the CISM Exam Study Community to connect with other professionals who are on the path to CISM certification or have already successfully passed the CISM exam.
Preparing for the exam
During the preparation for the exam, I reviewed each domain in the CISM Manual and then answered relevant study questions in the Q&A Database after each domain. After the full preparation, it may be useful to dedicate additional time to:
- Go through the study materials one more time. You may spend several additional weeks, but it can have a good effect.
- Try to answer problem questions again (the Q&A Database provides this function) and make sure the underlying concepts and knowledge statements are clear to you.
- Make several attempts to pass a full CISM exam (150 questions) to determine if you need to adjust the time needed for answering the questions. Test yourself in conditions as close to the real certification exam as possible. It will help you to avoid time issues during the exam.
After the exam preparation, you should have a strong understanding of the underlying information security management principles, concepts, methodologies and frameworks. Try to map the study material to real-world tasks and scenarios to better understand the knowledge statements and how they can be applied to accomplish your work tasks. If you don’t have enough experience, you may contact other professionals and experts in your organization or in your professional community.
Taking the CISM exam
Before taking the exam, I recommend reviewing the exam information and recommendations regarding the exam process and time management contained in the CISM Review Manual.
During the exam:
- Try not to spend additional time on problem questions where the answer is not clear until you have completed the ones with which you are more confident.
- Bookmark problem questions so you can quickly return to them later to review your answers.
- If you have additional time after answering all the questions, review bookmarked questions and check your answers.
After passing the exam
If you successfully passed the CISM exam and became certified, do not forget about continuous professional educational activities. It is especially important in such rapidly changing business, regulatory and technology environments. In addition, ISACA conferences and online events may be beneficial for you.
I hope some of these tips are helpful on your path toward certification. Good luck!
The Certified Information Systems Auditor (CISA) certification has truly benefited my professional aspirations.
In 1997, when I transitioned from active duty as a Captain in the US Army, I had a 10-year-old computer science degree and not a great deal of experience in corporate America, particularly in the financial services industry. The extent of my background at that time was having an IRA. Fortunately, I was able to gain an entry level position as an IT Auditor at Prudential Insurance Company of America (now Prudential Financial) in Newark, New Jersey, through their junior military officer (JMO) hiring program.
It became very clear that on-the-job training was not going to be sufficient for me. During my first couple of months, I concluded that pursuing the CISA professional certification would give me the jump-start I needed to gain a baseline understanding of IT audit and risk management, IT general controls, and IT auditing—especially with regards to assessing applications and the technology environments they resided in. Studying for six months, two nights a week and a number of weekends, becoming a member of my local ISACA chapter, and taking full advantage of the available local chapter CISA preparation courses and materials enabled me to successfully pass the CISA examination and become a credentialed IT audit practitioner.
The professional payoff was immediate for my career development. Understanding IT risk management and associated controls to establish or maintain a well-controlled IT environment served to differentiate me from others in competing for positions and, honestly, just helped me be more successful in meeting or exceeding expectations. While these foundational audit and risk management skills helped to launch my IT audit career, more importantly, they also served to enhance what I had to offer in other risk management and project management roles.
As a result of increased threats to the digital processing environments and subsequent increased regulatory expectations, financial services companies gained an increased appreciation for employees who have the skills that the CISA certification fosters. Since my initial IT auditor role, I have continued to leverage the knowledge and experiences gained through not just the efforts required to gain the CISA certification, but also through completing required continuing education to stay abreast of emerging technologies and becoming a more active participant in ISACA-provided training (such as webinars, local chapter offerings, and attending or presenting at national conferences).
Whether managing IT or operational audit responsibilities at Wachovia, Wells Fargo, or TIAA, a mission-based company where I am fortunate to currently work, or performing project/risk management roles at previous employers such as Goldman Sachs and Ernst & Young, having an IT audit and risk management perspective has been a huge component of my personal success. I am grateful that for 40 years, ISACA has continued to provide the CISA certification, and I encourage all my employees and mentees to pursue the CISA to grow as professionals.