Exam Profile: Certified Information Security Manager (CISM)

Date: Jul 13, 2011

Return to the article

The Certified Information Security Manager exam requires a broad understanding of 5 content areas. The exam blends hand-on knowledge with a strategic level awareness of management. The exam is quite challenging to most who tackle it, but achieving it can open up career opportunities unlike any other certification. This article gives an overview of the exam, covers “pain points,” and offers practical tips on preparation you can use today to pass this difficult exam.

The CISM certification is less than 10 years old. The Information Systems Audit and Control Association (ISACA) created it to satisfy a demand for experienced information security managers. The exam requires a strong understanding of and years’ experience in risk management, governance, and information security program management.

Over a relatively short lifespan, the CISM is being adopted at a respectable pace. Today, there are already about 16,000 candidates worldwide who have successfully passed the CISM. The typical successful candidate is moderately experienced. Over a quarter of CISM holders are senior managers, 20% of which hold executive (CEO, CIO, CISO, CTO, CSO, etc) positions. Due to the somewhat senior demographic, the CISM is repeatedly recognized as one of the most highly paid certifications.

Respect for the CISM is consistent through all regions worldwide, unlike other certifications such as CompTIA’s Security+, which is fairly “US-heavy.” In the United States, the CISM is distinguished by the US Department of Defense as one of the few formally recognized certifications by the DoD.

CISM versus CISA

Just so there is no confusion, here are a few facts differentiating CISM from CISA:

As you compare the two certifications, bear in mind as the CISM nears its 10-year birthday, the CISA will be 35 years old. The demands in the workforce are always changing and information security technologies are changing more rapidly. However, one constant is the need for established information security management.

For much more on how the CISA differs from the CISM, see the Pearson IT article Comparing CISA and CISM in the Real World.

Earning the CISM Certification

Passing the exam is one of two requirements for gaining the CISM designation. The second is meeting the required amount of work experience. The most straightforward way to complete the requirement is to have 5 years of information security management experience, but several variants of exceptions and substitutions exist, e.g. having an advanced degree in IT.

While a candidate could pass the CISM exam before gaining the work experience, it wouldn’t be easy. That said, ISACA encourages candidates to study for and try the exam at any time, but the certification will be awarded only after a candidate meets the experience requirement. A candidate has 5 years after their exam to meet this requirement and apply for the certification.

There are other agreements for a candidate regarding ethics and continued education to obtain the CISM. But this article is about the exam, so consult the ISACA website for more details on gaining the certification.

Exam Details

Trouble Spots

Trouble Spots

The first trouble spot for exam candidates is the sheer scope of material. Without actually knowing the scope, someone may shrug off the exam as simply a non-technical, IT auditing exam. But after a few minutes reviewing the scope, that opinion may change to overwhelm they read through the exam’s 5 content areas and grasps the depth of each area.

After a review of all five content areas, or domains, the structure and pattern takes shape. In time, a candidate can associate their own strengths and gaps against them. So, what may appear overwhelming at first will fast create a list of priority areas to study.

The CISM exam covers 5 domains. Those domains are as follows:

Experience Pays Off

With ISACA being an auditing-centric association, you might fear the CISM is loaded with auditing related questions. Not true. Instead, the exam has a large base of information risk management. This gives anyone with experience in information risk a strong advantage. Almost equally so, anyone with experience in information security program management will also have an easier time.

To possess an introductory level across a few of the 5 domains requires a few years of relevant experience. Let’s say, for example, you have 3 years experience in information risk management and 2 years with incident response, and then you will have enough hands-on knowledge to be quite familiar with 2 of the 5 domains. Any experience in information security program development and management should raise your confidence even higher. Confidence in the material will increase motivation to study more unfamiliar areas. So experience definitely pays off in time and motivation during your study.

Covering Both Operational and Policy Levels

Another trouble spot is the combination of both low-level and high-level understanding of the domains required of the candidate. Be aware, a candidate having a few years of experience in a domain does not guarantee they know the entire domain. Each domain covers job duties and knowledge that spans multiple levels of a job. For example, let’s consider Domain 4, covering systems maintenance. On an operational level of systems maintenance, a candidate will be more familiar with questions about procedures and implementation. On a higher, more management level of systems maintenance, the candidate is more familiar with policies and standards. Domain 4 spans both levels and much more.

No person is expected to know all areas solely based on experience. This means you must study and should not rely on experience alone for any domain.

Preparation Hints

Preparation Hints

Your best approach to preparation is to break down your studying according to the 5 domains listed above.

On the ISACA website, under the CISM exam section, click on the link titled “Prepare for the Exam.” There will be a helpful guide called “The Candidate's Guide to the CISM Exam” available for free.

Proportion of Domains Per Exam

I mentioned earlier that the 5 domains are not covered equally in the CISM exam. The domain distribution is as follows:

This distribution is called the Job Practice for the exam, as ISACA developed this using industry practitioners and subject matter experts.

In a figure taken from the ISACA website, they illustrate this distribution like this:

Figure 1

Use this distribution for studying. In other words, don’t invest equal study time for Domain 4 (24% of the exam) on Domain 5 (only 14% of the exam). A more reasonable strategy is to use study time in a similar proportion per domain.

Important: Because ISACA routinely updates the job practice areas, they already disclosed that the December 10th 2011 exam is the last CISM exam date that uses this exact distribution listed above.

Task and Knowledge Statements

“The Candidate's Guide to the CISM Exam” lists the several task statements and knowledge statements per domain. Task statements specify a job objective, while knowledge statements declare some specific awareness about an area. Between all domains, the CISM exam covers 45 task statements and 93 knowledge statements.

An example of a task statement would be “Ensure that threat and vulnerability evaluations are performed on an ongoing basis.” That’s task statement #4 of Domain 2: Information Risk Management. An example of a knowledge statement would be “Knowledge of risk assessment and analysis methodologies (including measurability, repeatability and documentation).” That’s statement #5 of the same Domain 2.

I strongly recommend you to read through these task and knowledge statements. To see them all, visit the ISACA website, go to the CISM section, under Prepare for the Exam / Job Practice Areas. Consider the task and knowledge statements as your recipe for mastering the CISM exam.

Study with Structure

Armed with the task and knowledge statements, you have a structured framework for studying. Depending on your preference, you may wish to check off the topics you feel already comfortable with, prioritizing the most unfamiliar areas to concentrate on. Or you may wish to briefly visit the most well-known areas, which may provide you more insight on the detail level expected across all areas. In any case, use the domain breakdown to your advantage, as a checklist and path to covering all required of you.

Important: ultimately, your strategy for studying should reflect both this domain proportion and your prior experience. And you can execute this strategy with a definite structure.

Study What Counts the MOST or What Comes FIRST

Know that CISM exam questions frequently use superlatives to distinguish the right answer. Superlatives like “best,” “most,” and “greatest” are common. In other words, from the four answers available there might be many correct answers, but there’s only one BEST answer.

Another common question type is to ask about priority or order. You’ll read questions asking for the primary goal or role. And it’s common to pose a situation, and then you are asked what would be the first step in a series of tasks.

So, just recognizing what steps are necessary is not good enough; know what order the steps should follow.

Recommended Pace for Taking the CISM Exam

Recommended Pace for Taking the CISM Exam

You are given 4 hours to answer the 200 questions. That may seem like a lot, but it’s not. Sure, some people are out early, but this could be their second or third time. Let’s talk more about a smart pace.

Four hours is 240 minutes, or one minute and twelve seconds per question. Even the most studious candidate shouldn’t try to concentrate for 4 hours straight. Instead, a candidate should take a break or two to refresh and reenergize. If a candidate takes two short breaks of 5-10 minutes each, that now leaves 220-230 minutes for the exam. Also consider that in any exam, it’s wise to allot time at the end to briefly scan your answer sheet for obvious mistakes (skipped or doubled-answered questions). A safe allotment of time would be 10%, or 20 minutes in this case. That leaves 200 minutes for 200 questions. With a break or two and some buffer time at the end, this gives a plain “one question per minute” pace. This pace is especially helpful as you work through the exam, since you can confidently check your pace against the spent time and your current question.

Recommended Study Resources

Recommended Study Resources

Job experience helps, but can only get you so far. Preparation requires studying. Take advantage of study material and make the best use of your valuable time.

You might find on the ISACA website a variety of resources, such as study guides and review courses (virtual) through their “eLearning Campus.” Depending on your location, you may also find an instructor-led course available in your area. It’s a personal preference, but all these are available at a price.

There is also expected a “CISM Exam Preparation Community” accessible through the ISACA website. At the time of writing, the community is not yet available, with ISACA stating, ”Exam preparation communities will open later this year.” However, given the next exam is December 10th, this doesn’t mean the community will be available long before (or earlier than) the exam itself.

Study guides are not restricted to ISACA. Proven guides are available by online book outlets, e.g. Amazon, and independent education providers. It is possible to get freely available, downloadable study guides and practice exams. However, be aware that these are often provided to help generate leads for retail exams.

Where to Go from Here

Where to Go from Here

If you can feasibly prepare for the exam before the exam date, you should immediately register for the exam. This obligation will help you to commit to a study and training regimen.

800 East 96th Street, Indianapolis, Indiana 46240

sale-70-410-exam    | Exam-200-125-pdf    | we-sale-70-410-exam    | hot-sale-70-410-exam    | Latest-exam-700-603-Dumps    | Dumps-98-363-exams-date    | Certs-200-125-date    | Dumps-300-075-exams-date    | hot-sale-book-C8010-726-book    | Hot-Sale-200-310-Exam    | Exam-Description-200-310-dumps?    | hot-sale-book-200-125-book    | Latest-Updated-300-209-Exam    | Dumps-210-260-exams-date    | Download-200-125-Exam-PDF    | Exam-Description-300-101-dumps    | Certs-300-101-date    | Hot-Sale-300-075-Exam    | Latest-exam-200-125-Dumps    | Exam-Description-200-125-dumps    | Latest-Updated-300-075-Exam    | hot-sale-book-210-260-book    | Dumps-200-901-exams-date    | Certs-200-901-date    | Latest-exam-1Z0-062-Dumps    | Hot-Sale-1Z0-062-Exam    | Certs-CSSLP-date    | 100%-Pass-70-383-Exams    | Latest-JN0-360-real-exam-questions    | 100%-Pass-4A0-100-Real-Exam-Questions    | Dumps-300-135-exams-date    | Passed-200-105-Tech-Exams    | Latest-Updated-200-310-Exam    | Download-300-070-Exam-PDF    | Hot-Sale-JN0-360-Exam    | 100%-Pass-JN0-360-Exams    | 100%-Pass-JN0-360-Real-Exam-Questions    | Dumps-JN0-360-exams-date    | Exam-Description-1Z0-876-dumps    | Latest-exam-1Z0-876-Dumps    | Dumps-HPE0-Y53-exams-date    | 2017-Latest-HPE0-Y53-Exam    | 100%-Pass-HPE0-Y53-Real-Exam-Questions    | Pass-4A0-100-Exam    | Latest-4A0-100-Questions    | Dumps-98-365-exams-date    | 2017-Latest-98-365-Exam    | 100%-Pass-VCS-254-Exams    | 2017-Latest-VCS-273-Exam    | Dumps-200-355-exams-date    | 2017-Latest-300-320-Exam    | Pass-300-101-Exam    | 100%-Pass-300-115-Exams    |
http://www.portvapes.co.uk/    | http://www.portvapes.co.uk/    |