CISM Certification Experience


A few months ago I decided to go for the CISM. I would like to share my experience of preparing for and passing the exam.

What is CISM?


Certified Information Security Manager. A detailed description can be found at isaca.org.

In general, it is one of the most respected certifications in the field of information security. For example, one well-known infosec site included CISM in its list of top certifications for 2012.

Motivation


Personal motivation is a personal matter. As for motivation from employers in the CIS, you should not expect much, so as a rule it all starts with your own initiative. Personally, I simply told my manager about the benefits of certification: it structures your knowledge, attracts customers, and so on. And we included CISM in my development plan. Fortunately, I work in a large international IT company, so there were no particular misunderstandings on this point.

The preparation / training process


1) ISACA membership

The first thing to consider is becoming an ISACA member.
This lowers the cost of the exam itself and of the literature for preparing for it. It also gives access to extensive materials and to the community.

2) Sources of training

The two most important: the CISM Review Manual and the CD with practice questions. On some topics Google naturally helped. It is also nice to join various groups; I signed up for several LinkedIn groups. They help a little, and at least keep you in shape.

3) Time and practice

I think it is ideal to start 4 months before the exam, so that you can:
  • read the manual fully twice
The manual is quite complicated.
By the time I had read the manual once, I had already forgotten the first chapter. But the second time it read faster and really settled in my head.
  • go through all the questions in the database
The questions in the actual exam will be completely different. But having gone through all the questions in the test database, you will be imbued with the ISACA spirit and logic, and that is absolutely necessary for passing the exam.
It is recommended to achieve at least 80% in all 5 domains.
For some reason, in my first round I couldn't get above 70%. Probably my "common wrong" sense was fighting with ISACA's conceptual traps.
  • deal with new areas
For me, for example, cryptography was a new area. And indeed, many technical terms had to be taken apart for the first time: for example DMZ (well, I didn't know what it was), types of attacks, Internet protocols.

In the exam preparation groups, people wrote that they spend 4 hours a day for 2-3 months. I think this is too much. When would you live (and work)?
So it would be fine to allocate one hour 2-3 times a week for training.
At some point I couldn't keep up the rhythm, and 2 weeks before the exam I realized that I didn't have enough time. So I took a vacation. I sent my wife and children to relatives and spent more than a week doing nothing but preparing. That's how people sometimes go crazy; the line between madness and reason is illusory.

Another practice


  • when reading the manual, you should pay close attention to places in the text that have superlative forms, such as most, least, biggest, etc.
The fact is that probably half of all questions on the exam contain these words in their wording. For example: what is the MOST practical approach for an information security manager to start with when building a security strategy? And so on. Therefore, if you encounter a "most" somewhere in the manual, you should figure out what ISACA is highlighting.
  • The manual is written by many people, which explains its diversity.
Often the same thing is explained in different chapters in different ways. I had to read and re-read, and bring in Google. And what the detailed relationship between BIA (Business Impact Analysis) and risk management is from ISACA's point of view, I still cannot explain. Because they do not hesitate to describe it in each section in their own way :-\
  • CISM is a certification for managers.
Therefore, all questions (well, except the most technical ones) should be considered from the perspective of management and business.
For example:
Accountability by business process owners can BEST be obtained through:
A. periodic reminder memorandums.
B. strict enforcement of policies.
C. policies signed by IT management.
D. education and awareness meetings. - this one is right, because it is the only way a sound business works.

Another example:
An information security program should be sponsored by:
A. infrastructure management.
B. the corporate legal department.
C. key business process owners. - this one is right, because whoever has the money calls the tune.
D. quality assurance management.
The examples are taken from the official self-assessment test at isaca.org. By the way, I recommend taking it; the questions are typical of the exam.
  • note taking
Obvious as it seems. It structures your mind.
I used a mind-map tool, FreeMind.

Exam


4 hours, 200 questions. The maximum you can score is 800 points. The passing threshold is 450 points. I have not found the scheme by which these points are calculated. But it seems that all questions carry some weight; summing them up gives a score for each domain, which is then approximated to an overall score. And the exam contains pilot questions whose answers are not counted. A real Santa Barbara, in short.

The exam itself is organized quite clearly.
You come, they register you and take you to the right room, where the desks are already numbered. You find your place, get a few pencils, an eraser and an admission ticket, and wait for instructions.

I think it is almost impossible to cheat.

In the brief pauses I took during the exam, my brain tried to crack their system. But I didn't come up with anything more fun than installing a video camera in the lamp above my head (before the exam); well, naturally, nobody needs that :)

It makes sense to think ahead about the rest period before the exam, and also about the journey (especially from other cities). I traveled to Moscow from Minsk. A night on the train, at the station from 6 in the morning; none of this gave freshness to the mind. Another time I would try to do it differently, for example arrive a day earlier and spend the night in a hotel.

A tricky nuance: you have 4 hours for the exam, but in reality it is only 3:30.
The fact is that at first you answer in a special examination booklet (you can make notes there, write whatever you want, etc.), and then transfer the answers to the final answer sheet.
That is, you literally fill in a bubble next to the desired question.
Since the bubble is about 4 mm in diameter, filling it in cleanly takes 2-4 seconds; multiply by 200 and we get about 800 seconds, or 13 minutes, just to frantically copy your answers. Plus you need to add about as much time again for checking, so as not to make a mistake.
I saw how some people at the end were furiously filling in bubbles after the final whistle, so the proctors had to threaten them with expulsion.

In general, time is tight. I chose a rhythm tactic for myself: answer 25 questions, then a pause of a few minutes. In the middle I went out for a walk; this is allowed, but only in turn, strictly one person at a time.

The exam takes place on the same day around the world; December 10 in my case.

Epilogue


After writing the exam, I had great doubts about whether I would get a passing score. It felt like the chances were somewhere around 50-60%. But a couple of months passed, and recently the answer came: the exam was passed, with a score of 552 out of 800. It may not shine, but the threshold of 450 was passed.

Now I will need to provide verified evidence of my 5 years of experience in the field of information security in order to be officially called a CISM. But that is a separate story.

Is this CISM necessary? Let everyone answer for themselves. But one thing I can say: it's almost impossible to get it for free, which means that people with the CISM label know something about information security.

upd:
On the question of cost:
- ISACA membership: $155
- exam: $425 (this is the lowest possible price, thanks to early registration and membership)
- CISM Review Manual: $85 (discount price)
- CISM Practice Question Database (CD-ROM): $120 (discount)
- getting from Minsk to Moscow, plus various other things such as literature delivery: $300
Total: $1085

A link to detailed instructions about what counts towards the 5 years of required experience: Requirements to Become a Certified Information Security Manager

upd2: a follow-up about how the application went: CISM application
