CISM Experience requirement - clarification?
jonwinterburn
Member Posts: 161
in CISM
Hi all,
I've begun studying for the 2015 CISM exam, aiming to take it in September. However, I've hit a potential snag in the experience requirement which I need some clarification on.
On this page: How to Become CISM Certified it says "Submit verified evidence of a minimum of five years of information security work experience, with a minimum of three years of information security management work experience in three or more of the job practice analysis areas."
I have 15 years' experience in IT with several of those in InfoSec. My experience was enough for me to become certified as CISSP. In my current role, I perform InfoSec management, but my title is InfoSec Analyst. I am not a manager per se, as in I don't manage a team. But I do manage projects, including projects that are ordinarily managed at management level, like ISMS and policies. My goal is to move into actual InfoSec management of teams of analysts. Achieving CISM is part of this plan. However, I am concerned that the minimum 3 years "information security management" experience is specifically requiring me to be a manager in title. If so, then I am out of luck. I understand I can pass the exam and then become certified later - as long as I achieve the 3 years within 5 years of passing the exam. But what if I don't get an official management role in time? I'd have to take the exam all over again.
So you can see my quandary. Any ideas?
Thanks,
Jon
Comments
paul78 Member Posts: 3,016
You are overthinking it. "Management" doesn't refer to people management; it refers to process or function management. The folks at ISACA are also very nice and can answer your query if you give them a call or email.
Good luck on the exam.
cyberguypr Mod Posts: 6,928
This has been discussed before here. This has nothing to do with being a manager. You are fine. Same way as working in waste management just means you drive a garbage truck.