On the joy (was it?) of becoming an ISACA Certified Information Security Manager (CISM)

The why and the how

The Why?

Let us start with the why – thank you Simon Sinek – why would a CTO need to sit for an ISACA CISM exam? The most important reason for me was perspective; understanding the not so exciting world of Governance, Risk and Compliance and becoming more familiar with various IS and Security Control frameworks. It was also great to review how a Security Strategy is developed and what resources should be used as inputs to the strategy.

The Why Not?

Well, there are a few reasons why some may not be interested in CISM. If you are after gaining some ‘technical’ knowledge, this is not the course for you. It is also not the cheapest undertaking. The exam costs, membership fees and application fees – all of which are in USD – add up to around $850 or so.

Any Prerequisites?

ISACA suggests having some “technical expertise”, but I found the entire content void of anything too technical. I would suggest you do not need to have hands-on security experience to start your CISM journey. What is perhaps more relevant is on-the-job experience in risk management, governance, familiarity with various frameworks and, of course, stakeholder management; in other words, business communication skills.

Studying for the exam is one thing, but getting the actual certification (assuming you pass the exam) is another. As per the ISACA guidelines, you must have the relevant full-time work experience in the CISM Job Practice Areas. The four practice areas are:

  1. Information Security Governance
  2. Information Risk Management
  3. Information Security Program development and Management
  4. Information Security Incident Management

What to Study?

I got my hands on the “All In One – CISM Certified Information Security Manager – Exam Guide”. It is 530 pages of not-the-most-exhilarating reading, and I found some sections were repeated. I also went through most of the 1,000 questions in the 9th Edition CISM Review Questions, Answers & Explanations Manual.

How Is the Exam?

A quick way to say goodbye to a lot of money is to do the exam.

The cost aside, it is a four-hour-long exam during which you are not allowed any breaks. I did mine using the online proctored method due to COVID-19, but when doing it online you cannot take bathroom breaks or have a glass of water. You also cannot look away to rest your eyes, as the proctors give you a warning to look at the screen.

The questions are all multiple choice with only a single correct answer. Most questions are worded reasonably well, but there are some which have been poorly written. I found the right answer to be generally obvious in most questions, but there were a few that made you think really hard. The key to passing the exam is to keep reminding yourself that you are not a security engineer. You are a business person in charge of managing risk, or of educating the business on the risks associated with activities, processes and so on, and letting the business decide how to handle the risk.

I believe I finished my exam in just a little over two hours. There is certainly no need to panic and rush through questions. You also have the option of marking a question and reviewing it at a later stage.

Overall, I give this exam a difficulty rating of five out of 10.

Passed the Exam?

Great! But you are not certified yet. You need to pay another USD 50, download some forms and prove that you have on-the-job experience in the four domains of CISM. This process took 7 weeks for me! Granted, the first 3 weeks were wasted as I had ticked the wrong check-box, but instead of being made aware in the first few days, it took ISACA 3 weeks to let me know. There were also certain standards based on which they accept signed PDF documents, and that process took a little time too. Overall, seven weeks before I had an email saying welcome to the club 🙂

And Now What?

Well, if you are still keen to do training, spend time on becoming CISSP certified. I hear it has a lot more technical content, which is something I do enjoy a lot.

Will I do it? I do not know yet. I think I will do another Azure exam before getting back into anything Security.