
A few months ago I decided to take on the CISM. I would like to share my experience of preparing for and passing the exam.
What is CISM?
Certified Information Security Manager. A detailed description can be found at isaca.org.
In general, it is one of the most respected certifications in the field of information security. Here, for example, one well-known information security website included CISM among the top certifications for 2012.
Motivation
Personal motivation is a personal matter. As for employers in the CIS, they don't particularly expect it, so as a rule it all starts on your own initiative. Personally, I just told my manager about the benefits of certification: that it structures knowledge, will attract customers, and so on. And we included CISM in my development plan. Fortunately, I work in a large international IT company, so there were no particular misunderstandings on this point.
The preparation and study process
1) ISACA membership
First of all, you should consider becoming an ISACA member. This saves money on the exam and on the literature to prepare for it. It also gives access to extensive materials and to the community.
2) Sources of preparation
Two important ones: the CISM Review Manual and the CD with practice questions. On some topics, of course, Google helped. It's also nice to join various groups; I subscribed to several groups on LinkedIn. A little help, at least it keeps you in shape.
3) Time and practice
I consider it ideal to start 4 months before the exam in order to:
- read the manual fully 2 times
The manual is quite complicated. By the time I had read it once, I had already forgotten the first chapter. But the second time it read faster, and it really did settle in my head.
- complete all the questions in the database
The questions in the final exam will be completely different. But having gone through all the questions in the test database, you soak up ISACA's spirit and logic, and this is absolutely necessary for passing the exam.
It is recommended to reach at least 80% in all 5 domains.
For some reason, in my first round I couldn't get above 70%. Probably my "common wrong" sense was fighting ISACA's conceptual traps.
For me, for example, cryptography was a new area. In general, many technical terms had to be taken apart for the first time: DMZ (well, I didn't know what that was), types of attacks, Internet protocols.
In the exam preparation groups, people wrote that they spent 4 hours a day for 2-3 months. That seems too much to me. When do you live (and work)?
So it would be good to set aside an hour 2-3 times a week for study.
At one point I couldn't keep up the rhythm, and 2 weeks before the exam I realized I was running out of time. So I took a vacation, sent my wife and children to relatives, and for more than a week did nothing but prepare. That's how people sometimes go crazy; the line between madness and reason is illusory.
More practice
- When reading the manual, pay close attention to places in the text with superlative forms, such as most, least, biggest, and so on.
The fact is that probably half of all exam questions contain these words in their wording. For example, what is the most practical approach to building a security strategy, and so on. So whenever you meet a "most" in the manual, it's worth figuring out what ISACA is highlighting.
- The manual is compiled by many people, which explains its diversity.
Often the same thing is explained in different chapters in different ways. I had to read and reread and bring in Google. And I still cannot explain the detailed relationship between BIA (Business Impact Analysis) and Risk Management from the ISACA point of view, because each section describes it in its own way, which wore me out :-\
- CISM is a certification for managers.
Therefore all questions (well, except the most technical ones) should be considered from the position of management and the business.
For example:
Accountability by business process can be obtained through:
A. periodic reminder memorandums.
B. strict enforcement of policies.
C. policies signed by IT management.
D. education and awareness meetings. - the correct one, because that is the only way a healthy business works.
Another example:
Security program should not be sponsored by:
A. infrastructure management.
B. the corporate legal department.
C. key business process owners. - the correct one, because he who pays the piper calls the tune.
D. quality assurance management.
The examples are taken from the official self-assessment test on isaca.org. By the way, I recommend taking it; the questions are typical of the exam.
Another obvious one: mind maps. They structure your thinking. I used FreeMind.
Exam
4 hours, 200 questions. The maximum score is 800 points; the pass threshold is 450 points. I couldn't find the scheme by which these points are calculated. But it seems that every question has a certain weight; summing these gives a score per domain, which is then scaled into an overall score. There are also pilot questions in the exam whose answers are not counted. In short, a long story.
The exam itself is organized quite clearly.
You arrive, they register you and assign you to the right room, where the desks are already numbered. You find your place, get a few pencils, an eraser and an admission ticket, and wait for instructions.
I think cheating is almost impossible.
In the brief pauses I took during the exam, my brain tried to hack their system. But I couldn't think of anything funnier than installing a video camera in the lamp above my head (before the exam), which naturally nobody needs :)
It makes sense to think in advance about resting before the exam, and also about the route there (especially from other cities). I travelled to Moscow from Minsk. A night on the train, at the station from 6 am: none of this made my mind any fresher. Next time I would do it differently, perhaps arrive a day early and spend the night in a hotel.
A cunning nuance: you have 4 hours for the exam, but in reality only 3:30.
The fact is that you first answer in a special exam booklet (you can make notes there, write whatever you want, etc.), and then transfer the answers to the final answer sheet, i.e. literally fill in the bubble next to the chosen answer.
Since a bubble is about 4 mm in diameter, filling it in cleanly takes 2-4 seconds; multiply by 200 and you get about 800 seconds, or 13 minutes, just to mechanically and feverishly copy over your answers. And about the same amount of time again should be added for checking, so as not to make a mistake.
At the end I saw some people frantically filling in bubbles after the final whistle, so that the proctors had to threaten them with expulsion.
In general, time is tight. For myself I chose a rhythm tactic: answer 25 questions, then pause for a few minutes. In the middle I went out for a walk; it's allowed, but strictly one person at a time.
The exam takes place on the same day around the world, December 10 in my case.
Epilogue
After writing the exam I had great doubts whether I would get a passing grade. It felt like the chances were somewhere around 50-60%. But a couple of months passed, and the answer came recently: passed. With a score of 552 out of 800. Maybe not brilliant, but the threshold of 450 is passed.
Now I will need to provide verified evidence of my 5 years of experience in the field of information security in order to be officially called a CISM. But that is another story.
Whether this CISM thing is necessary, let everyone answer for themselves. But one thing I can say: it's almost impossible to get it for free, which means that people with the CISM label know something about information security.
upd:
On the question of cost:
- ISACA membership $155
- exam $425 (this is the lowest possible price, thanks to early registration and membership)
- CISM Review Manual $85 (discounted price)
- CISM Practice Question Database (CD-ROM) $120 (discounted)
- getting from Minsk to Moscow, plus various small things such as literature delivery $300
Total $1085
Link to detailed instructions on what counts toward the 5 years of required experience:
Requirements to Be a Certified Information Security Manager
upd2: continued, about how to apply:
CISM application