
CISSP, CISA, CISM certifications: how to get them, and is the game worth the candle?

Why do you have KISA on your business card?
You seem to be a serious person ...
(from a conversation with a friend)

We all know that people are greeted by their clothes, but we rarely think about what exactly stands behind the word "clothes". "Clothes" are our attributes, which let other people easily fit us into their picture of the world or, more simply, hang a label on us. Accordingly, by controlling our attributes we control how other people perceive us. In the information security community, the well-established attributes that let others rank you as a serious information security specialist are statuses such as CISSP, CISA and CISM.

This article looks in detail at what stands behind these certifications, how to prepare for the corresponding exams, and whether they are worth obtaining.




What are these certifications?


First let's spell out the abbreviations and translate them, not literally but by meaning.

CISSP (Certified Information Systems Security Professional) is a certified information security specialist.

CISA (Certified Information Systems Auditor) is a certified IT auditor.

CISM (Certified Information Security Manager) is a certified information security manager.

This particular set of certifications was chosen for consideration because their subject areas (domains) are close to one another and, of course, because of the author's experience running preparation courses for these exams.

We summarize the exam information in the following table (the figures are those current at the time of writing; exam formats and fees change, so check the associations' sites before registering):

Domains

  CISSP:
    1. Security and Risk Management
    2. Asset Security
    3. Security Engineering
    4. Communication and Network Security
    5. Identity and Access Management
    6. Security Assessment and Testing
    7. Security Operations
    8. Software Development Security

  CISA:
    1. The Process of Auditing Information Systems
    2. Governance and Management of IT
    3. Information Systems Acquisition, Development and Implementation
    4. Information Systems Operations, Maintenance and Service Management
    5. Protection of Information Assets

  CISM:
    1. Information Security Governance
    2. Information Risk Management
    3. Information Security Program Development and Management
    4. Information Security Incident Management

                        CISSP                CISA                                 CISM
Duration                6 hours              4 hours                              4 hours
Number of questions     250                  150                                  150
Passing score           700 of 1000 points   450 of 800 points                    450 of 800 points
Experience required     5 years              5 years                              5 years
Organization            ISC2                 ISACA                                ISACA
Exam cost               599 USD              760 USD (575 USD for ISACA members)  760 USD (575 USD for ISACA members)
Annual renewal fee      85 USD               85 USD (45 USD for ISACA members)    85 USD (45 USD for ISACA members)


What do you need to know and understand?


I really don't want to recite the body of knowledge behind each of the domains (it is described very well in the exam guides), so instead we'll take a brief look at the portrait of the ideal holder of each of the three certificates.

CISSP


A true CISSP holder should be well oriented in all modern trends in information security, and above all in information security management. The candidate must be able to think in the categories of "vulnerability", "risk" and "countermeasure". Experience administering security tools or hacking computer networks (ethically, of course) will undoubtedly help, but the exam will not require anyone to remember a particular setting or command of any particular system, since the certification is vendor-neutral. You need to understand what stands behind abbreviations such as RFID, NIPS, RBAC, DIAMETER, IKE, ESP, LLC, MTPD, IDM and XSS, what is used for encryption, hashing, and so on.

In my opinion, the CISSP body of knowledge corresponds to that of a young specialist who graduated with good grades from a specialized department and has a couple of years of real information security experience in a serious organization.

CISA


A CISA holder should be well versed not only in information security but also in IT management, the information systems life cycle, and how to check all of this for compliance with international best practice. Ideally, a candidate for this certificate has gone through the school of life at one of the Big Four firms (EY, PwC, KPMG, Deloitte) or at a large company with a full-fledged IT audit group or department.

CISM


If a CISSP can be a recent university graduate who works with hardware and software and has only a rough idea of what management is, CISM is for people who have been doing information security management for more than a year. CISM has fewer domains than CISSP, and someone who has already passed CISSP will have no trouble passing it.

What might be difficult?


Let's discuss some pitfalls to keep in mind when preparing for the exams.

Paper Security


Many technical specialists love technology but have no interest at all in business processes; accordingly, corporate policies, procedures and standards are perceived as useless pieces of paper. From the management standpoint such documents are very important: they formulate the information security requirements, which are in turn implemented through technology and the competent actions of employees. A CISSP, CISA or CISM candidate needs to learn to think like a manager and to love the process approach to management with all their heart.

In case of fire, who gets carried out first?


If a question asks you to prioritize which assets to save and human life is on the list, it always has priority number one. Safes with money and documents can safely be left to the mercy of the elements.

Business Continuity and Disaster Recovery Planning (BCP / DRP)


All of the exams under consideration include questions on BCP/DRP. Currently such projects are implemented only in fairly large organizations, so only a small percentage of specialists encounter these issues in practice. To study these topics, it is best to additionally read the publications of two specialized professional communities: the Business Continuity Institute and DRI International (the Disaster Recovery Institute).

How an IT auditor thinks


To pass the CISA exam you need to understand well how an IT auditor thinks. IT auditors check how the requirements of internal and external documents are fulfilled, and they think completely differently from IT specialists whose aim is "make it work, nothing else matters".

Let me explain with an example. At Romashka LLC, access to systems is granted on the basis of e-mail requests that pass through a certain chain of approvals. To an administrator, a processed request is useless junk that can be deleted on New Year's Eve by automatically clearing the archives; to an IT auditor, that request is important evidence that the procedure was followed, and it must be kept like gold.

To master the techniques real IT auditors use, it is very useful to become an ISACA member (there is an ISACA chapter in Moscow, by the way) and thereby gain access to a library of useful methodological documents. As the table already shows, ISACA membership gives substantial discounts both on the exams themselves and on renewal.

Cheating


We have often been rather lenient toward those who cheat on exams. In Western culture, cheating is considered a serious offense deserving appropriate punishment. Cheating is prohibited by the rules of the ISACA and ISC2 exams, the exam process is proctored, and violators are expelled in disgrace.

More about ethics


Both ISC2 and ISACA have a code of professional ethics; it is better to read it and remember it, since there will certainly be questions on ethics, and knowing it well will bring a few extra points.

How to prepare?


Based on my own experience of preparing for the exams and of running preparation courses at the Echelon Training Center, I propose the following algorithm.

Step 1. Where am I?


Find out what you are good at and what you are not. Look through questions on all the domains or take practice tests. Determine which domains are easy for you and which you need to work on.

Step 2. How is your English?


Assess whether your English is sufficient to understand the questions and the answer options; if not, include English in your training plan.

Step 3. Obtaining and studying the learning materials


Books


Without a couple of good books, preparation is simply impossible. It is best to look through everything you can get hold of and choose what suits you by style of presentation and currency of the material (prefer books published in the last 2-3 years). A list of specialized exam preparation guides is given at the end of the article. I am glad to report that the first Russian book covering the main exam domains appeared quite recently, "Seven Secure Information Technologies", another contribution by the Echelon group of companies to the development of information security in Russia.
By the way, on the Web you can find an unofficial Russian translation (by Dmitry Orlov) of an outdated edition of Shon Harris's CISSP exam guide; it does no harm to skim it at the very start of your studies. It is best to begin preparation with literature in Russian (to immerse yourself in the subject area) and to finish with massive practice on sample questions exclusively in English (see the question banks below).

Additional materials


For the areas where you feel unsure, read additional materials, which can usually be found on the specialized sites (isaca.org, isc2.org, thebci.org, drii.org).

Glossary of terms


Even if you assessed at Step 2 that your English is good enough for the exam, do not be lazy: browse the ISACA glossary. Note that exam questions often contain words whose translation into Russian is not unambiguous (for example, "control" can mean a countermeasure, a risk-reduction measure, a security tool, or a check).

Question banks


Question banks for exam preparation are easy to find and buy, both official ones from ISC2 and ISACA and those from third-party vendors. They come both as testing software and as books. This is very useful material that lets you continually assess your readiness for the exam. Just don't expect to see exactly the same questions on the exam itself, so memorizing questions and answers by heart is a waste of time.

Training courses


Are specialized courses worth attending? Yes, if you want to immerse yourself in the exam subject in just a couple of days and see the whole picture. Understand, however, that no course can replace independent reading of books and working through practice tests.

The duration of this preparation phase, if you have not passed such an exam before, is 3-4 months (averaging an hour a day); with a high level of existing preparation it can be shortened to a week (full immersion, of course).

Step 4. The last week before the exam


As a rule, preparation stretches over a long time, and by the end you may have forgotten some of what you studied at the beginning. It is therefore advisable to take a few days off before the exam to go through all your materials again. In any case, at the end of the preparation you will need to spend a couple of days cramming individual technical parameters.

A couple of life hacks


In this section I would like to share several ideas that can make preparing for and passing the exams easier.

Discard the absurd option immediately and don't get stuck


The most common question format in all the exams under consideration is the MCQ (multiple choice question), the Western world's favorite, usually with four options. Before you start working through exam questions, try the inverse problem: compose such an MCQ on a topic you understand better than anyone. You will see that it is not so easy to come up with more or less plausible alternatives to the single correct answer, and you will almost certainly include one option that is essentially absurd. This means that when answering, you should immediately eliminate the obviously wrong option and look for the best of the remaining three; in most cases it is immediately visible. If it is not, it is better to choose at random and move on, and under no circumstances hang on one question for more than a minute.

Pay attention to FIRST, LAST, EXCEPT, NOT


Read the questions carefully and pay attention to the words that directly affect the choice of answer: choosing from a list the countermeasure that should be implemented first is one thing, choosing the one to implement last is quite another.

Is it worth becoming a certified specialist?



Supply and demand


Let's see how many professionals hold these certificates, who they are and where they work, by looking at social networks and the associations' pages. In the last article on Internet reconnaissance we already "looked up" a whole group of users using special tools; this time we limit ourselves to simply viewing search results.

On LinkedIn (access to which is now fairly restricted), one can find 539 accounts of Russian users with CISA certificates, 330 with CISSP and 129 with CISM.

Scrolling through the profiles of users who list these certificates, one can see that their holders, as a rule, hold management positions in large companies, and many work in consulting (Big Four, IT integrators, etc.).

According to the official statistics of ISC2 and ISACA, there are currently only 200 CISSP, 203 CISA and 60 CISM certificate holders in Russia (the CISA and CISM figures include only certified specialists who are also ISACA members).

To understand whether there is demand for such specialists, let's look at the vacancies open to people with these certificates and the salary levels employers are willing to offer them. We summarize the search results from the HH (HeadHunter) job site for our keywords (the certificate names) in the following table:

                                CISSP    CISA    CISM
Number of open vacancies        41       47      26

Distribution by region:
  CISSP: Russia 33 (Moscow 29, St. Petersburg 2, Altai Republic 1, Samara region 1); Ukraine 4 (Kiev 4); Belarus 2 (Minsk 2); Kazakhstan 1 (Astana 1); other countries 1 (USA 1)
  CISA:  Russia 34 (Moscow 33, Altai Republic 1); Ukraine 8 (Kiev 8); Belarus 3 (Minsk 3); Kazakhstan 2 (Astana 1, Almaty 1)
  CISM:  Russia 16 (Moscow 15, Altai Republic 1); Ukraine 5 (Kiev 5); Belarus 3 (Minsk 3); Kazakhstan 2 (Astana 1, Almaty 1)

Salary levels (vacancies that state a salary):
  CISSP: 8 stated; from 195,000 RUB - 3; from 310,000 RUB - 2; from 370,000 RUB - 1
  CISA:  4 stated; from 195,000 RUB - 1
  CISM:  2 stated; from 125,000 RUB - 1


It is obvious that such specialists are in demand mainly in large cities and especially in the capitals. The salary level is decent, but of course the salary is paid for the work, not for the certificate.

When analyzing this data, remember also that senior positions in large organizations are often filled without a published vacancy. The real demand for such specialists is therefore somewhat higher.

Questions to help you decide whether to become certified


Let's gather in one list the questions whose answers will allow an information security specialist to decide whether they need certification.

Here is the "audit" checklist I came up with:

  1. Do you have a higher technical education in IT with a grade point average of at least 4 (on the Russian five-point scale)?
  2. Do you work on projects covering most of the exam topics?
  3. Do you read English-language articles on professional topics without a dictionary?
  4. Do you want to move up the career ladder?
  5. Will you have time to prepare in the evenings and be able to take a few days off before the exam?
  6. Do you feel at least a little like a real manager?
  7. Are you ready to live and work in the capital?

If you answered yes to most of these questions, you should definitely get involved: prepare, pass the exam(s), and then constantly keep your knowledge at a decent level.

Exam preparation guides


  1. Seven Secure Information Technologies / ed. A.S. Markov. Moscow: DMK Press, 2017. 224 p. Book site: http://security-experts.ru/
  2. CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide, 7th Edition, by James M. Stewart, Mike Chapple, Darril Gibson
  3. CISSP Official (ISC)2 Practice Tests, by Mike Chapple, David Seidl
  4. CISA Review Manual, 26th Edition by ISACA
  5. CISA Review Questions, Answers & Explanations Manual, 11th Edition by ISACA
  6. CISM Review Manual, 15th Edition by ISACA
  7. CISM Review Questions, Answers & Explanations, 9th Edition by ISACA

Source: https://habr.com/ru/post/320748/
