
The Beginning
Sometime in 2020, I decided to pursue the CISM certification. As written in a previous blog, my employer covered three exam attempts due to a job requirement. After two CISSP failures, I began to research the CISM. According to the ISACA web page, “the Certified Information Security Manager® (CISM®) affirms your ability to assess risks, implement effective governance, and proactively respond to incidents.”
Who should take it?
As the name implies, this is a managerial certification. Similar to ISC2, ISACA requires at least five years' experience in at least three of the four domains. The CISM domains are as follows:
- Information Security Governance
- Information Security Risk Management
- Information Security Program
- Incident Management
https://www.isaca.org/credentialing/cism/cism-exam-content-outline
Honestly, I would recommend 2-3 years of solid IT work at a minimum to start thinking about this one, possibly longer. You should ALSO have the strong desire to manage, now and into the future. It helps to have a very strong background in cybersecurity project management, as well as interfacing with senior management regularly over the course of multiple years. If you have the foundation mentioned above, the study material will make sense to you.
I want to be clear about something. This certification isn’t for everyone and my career has been extremely unconventional. Although I had great success with this one, ISACA certifications such as Certified Information Systems Auditor (CISA) or Certified in Risk and Information Systems Control (CRISC) may be better for you. It all depends on your line of work and future goals. Everyone is different.
As a professional in the Risk Management field, it seemed to fit the bill. I was legitimately interested in the material as well. I even crack the book open from time to time today, in 2024. After only a bit of research, it was time to start studying.
The Studying

For the CISM, studying consisted of the All-In-One guide, along with the official ISACA Questions and Explanations (QAE) bank.
The latest guide can be found here:
As of today, the QAE bank is $299 USD for members and $399 USD for non-members. I highly recommend paying for the ISACA membership first ($145 USD), at least for year one. You can find out more here:
https://store.isaca.org/s/store#/store/browse/cat/a2D4w00000Ac6NNEAZ/tiles
With the ISACA membership, you get discounts on most products, including exam fees and renewals. You also get access to free webinars, local ISACA chapter events, and other CPE-earning opportunities at low or no fee.
There are sample questions for free and other “pay to play” material via ISACA and other means. However, my best advice is to always keep things simple.
When I received the book, I dove right in. Over a couple of months, I read the entire thing and performed each set of practice questions at the end of the chapters. At the time, I was a Reservist in the Navy, which meant a lot of downtime. I was able to handle a huge chunk of these studies during drill weekends. Looking back, I don’t know if I’ll ever swear by reading an entire study guide cover-to-cover, but here we are. I called them “intentional reading sessions”.
If you’ve read my CISSP synopsis, there are a lot of similarities here, but there was no battle. There was no fight. There was no lack of understanding.
After reading the full study guide, I entered a “drill and kill” mode in the QAE bank, doing reps of 10-20 questions until I was comfortable. I would study during lunch and in the evenings, mostly. Full disclosure: I was actually doing quite poorly at first, but “reset” the QAE bank about midway and my scores improved.
After being exposed to all 800 or more questions (it is now over 1,000), I was scoring well above 80 percent on the practice exams. I would go back into the book and re-read the topics of contention, and then I scheduled my exam.
The Exam
The exam itself is timed for four hours and 150 questions. Unlike the CISSP, it is NOT a Computer Adaptive Test (CAT) format. Basically, what you see is what you get. Everyone has four hours and 150 questions, no matter what. It does not shift scope based on your answers, while the CISSP adapts to what you are getting wrong and homes in on that topic. The exam will not end early. You will see the full 150 questions.
Going into the exam, I was confident. Granted, it was years ago, but I don’t remember too many questions that threw me for a loop. Nothing was surprising. It was still a long, challenging exam, however. I do not recall how long it took me, likely around two hours or less. I did not come close to the time limit whatsoever.
This is a bit anticlimactic, but I passed. I was both proud and grateful to be done, meeting the requirements to keep my job in the DoD (yes, seriously). I also learned some valuable stuff that I still use today. Bonus: ISACA is even kind enough to share your actual score. I shattered the minimum.
Summary
I’d like to reiterate that my career has been very, very unconventional. I’ve been a “jack of all trades” administrator on a submarine, who basically fell into Governance, Risk, and Compliance (GRC) after applying for positions out of the military. Everyone’s journey is different.
If your journey lies in GRC, management, or another non-technical facet of Cybersecurity, the CISM could be the right path. I wouldn’t say it’s easy, not by a long shot. It takes months of preparation and heavy reading.
Additionally, it is pricey ($575-$760 USD), so only do it if you are truly ready to invest in yourself. If you have an employer cover the costs, definitely take the opportunity to explore an ISACA certification. I learned a lot on the way, and will continue to learn. Overall, the answer to the title is a resounding “Yes”. It was worth it and I will continue to hold the certification. In my studies, I became more confident in communicating and assessing cyber risk to multiple audiences. You can too.
In the future, I look forward to writing more, and diving into multiple topics. Feel free to reach out anytime.
- Mark E.