In this blog post, I want to share how I passed the CISM (Certified Information Security Manager) exam on my first attempt: my study materials and strategy, the exam experience, and some tips that helped me pass.
It is the perfect time to get a security certification. Not only are they in high demand in the market, but according to Gartner the unemployment rate for cybersecurity professionals is zero, meaning there are more jobs than qualified candidates.
I personally invested a lot of time and effort in obtaining both the CISM and CISSP certifications because they are the most highly regarded certifications for cybersecurity leaders and practitioners. However, getting them is not easy, as you need to invest a lot of time and money in the process.
Brief Introduction about Security Certifications
If you are trying to enter the security field and become a security professional or manager, then you most likely already know that there are several security institutions that provide globally recognized security certifications. These institutions are independent, vendor-neutral organizations such as:
- The International Information System Security Certification Consortium, or (ISC)², which provides certifications like CISSP, one of the most recognized security certifications in the world.
- EC-Council, which provides certifications like Certified Ethical Hacker (CEH).
- ISACA, which provides certifications like CISM.
Many people start with the CISSP from (ISC)² before pursuing other security certifications, as CISSP is the de facto standard that covers almost every aspect of information security, and it is a required certification for many security positions, including government positions. But the order in which you get them makes no difference, so you can take CISM first and then go for CISSP.
From my experience, I took the CISSP exam in March 2019 and the CISM exam in July of the same year. The two share many topics, which made it easier for me to read and understand the CISM material.
Risk management, business continuity, disaster recovery and governance are all covered by both certifications. I felt like I already knew about 25% of the CISM material, which made reading it much easier.
ISACA is an independent, nonprofit, global association that was previously known as the Information Systems Audit and Control Association. Today, ISACA serves 140,000 professionals in 180 countries.
ISACA is well known for its COBIT governance framework and for several certifications, such as:
- Certified Information Systems Auditor (CISA)
- Certified in Risk and Information Systems Control (CRISC)
- Certified Information Security Manager (CISM)
- Certified in the Governance of Enterprise IT (CGEIT)
Of these four certifications, CISA and CISM are the most popular, and each targets a different job role: CISM is for information security managers, while CISA is for auditors. Here is a great 90-minute YouTube video that discusses both and how to score higher by understanding the certification requirements and the style of the questions.
Who Should Take CISM?
Unlike CISSP, which is an interesting choice for professionals in many different specialties, CISM targets more specific job roles: those who manage enterprise information security teams. It shows that you have all-around technical competence and an understanding of the business objectives around data security. Please pay close attention to the business objectives part.
It is not enough to know the technical side of the story. You have to acknowledge that part of your role as an information security manager is to understand the business objectives of your organization, align the objectives of the security program you are about to run with them, and then respond to the different situations of your day-to-day work with a manager's mentality.
If you are a CISO in your company, this is one of the reasons taking this exam helps advance your career. As a CISO, you want to create a security program with risk management as part of it, define your security strategy, present business cases to management, and then report back to senior management. All of these topics are covered in great detail in this certification.
While many technical IT professionals might be interested in CISSP, they may not be interested in CISM at all, as it is a managerial-level certification.
CISM Exam Domains
Unlike the 8 domains in CISSP, CISM has only four domains:
- Information Security Governance
- Managing Information Risk
- Developing and Managing an Information Security Program
- Information Security Incident Management
As you can see, the four domains covered in the CISM exam are exactly what an information security manager needs to learn to advance their career.
In the Information Security Governance domain, the goal is to learn how the information security strategy should be aligned with organizational goals and objectives, and to test your ability to develop and oversee an information security governance framework that guides the activities supporting that strategy.
In the Managing Information Risk domain, you learn how to manage risk to an acceptable level in accordance with the organization's risk appetite, while facilitating the attainment of organizational goals and objectives. This requires classifying information assets so that the measures taken to protect them are proportional to their business value.
In the Developing and Managing an Information Security Program domain, you learn to develop and maintain an information security program that identifies, manages and protects the organization's assets while aligning with business goals.
Finally, in the Information Security Incident Management domain, you learn how to plan, establish and manage the detection, investigation, response and recovery from information security incidents in order to minimize business impact.
Here is the official document from ISACA that describes the CISM certification.
My Study Materials
I took my CISSP exam in March and then started preparing for my CISM exam. I used two main sources of study material:
First, the "CISM Certified Information Security Manager All-in-One Exam Guide" book, which you can get from Amazon here. It is an easy read for any security professional and is about 500 pages, half of what you need to read in the Sybex CISSP study guide.
The other thing I did was follow the CISM training video series on Pluralsight. It consists of five courses that cover the four CISM domains, and it is high-quality training that helps you understand the key concepts and how a security manager should think in different situations.
You can also register for a free 30-day trial that gives access to all Pluralsight courses, which is great.
How I Passed CISM – Exam Experience
Make sure you schedule the exam well ahead of time, as, to my knowledge, the CISM exam can only be taken during specific testing windows across the year. It took me one month to prepare, given that I have good working experience in two of the CISM domains and had recently passed the CISSP exam.
During that month, I dedicated three hours a day to studying, excluding weekends. My study plan was to read a chapter in the book and then watch the Pluralsight course related to that chapter. Each chapter in the book maps to one of the domains, and each Pluralsight course maps to one domain, which made this easy.
After reading the whole book once and watching the related Pluralsight courses, I spent one week practicing exam questions.
The exam is difficult, or at least it requires a lot of attention, and the questions are tricky. I sometimes felt 100% sure that both (a) and (b) were correct, but you have to choose only one. You really want to answer the questions with the mentality of a security manager and always keep in mind that your job is to align the security strategy and goals with the business goals.
After you pass the exam, which I did on my first attempt, you wait a couple of days and receive a detailed report of how you performed in each of the four CISM domains.
Next, to get certified, you have to submit the CISM application for certification; you can find more details about it right here.
I have published other blog posts about "How I Passed AWS Solutions Architect Associate Exam", "How I Passed AZ-500 Azure Security Engineer Exam", "How I Passed MS-500 Microsoft 365 Security Administration Exam" and also "How To Become Microsoft MVP – My Journey".
I also have a blog series on how I passed the CISSP exam, which I highly recommend, as I share my personal experience preparing for and taking the exam, along with extensive information about the new CISSP exam format (CAT).