Cism/cisa/cissp

Hi, which one is hardest from that certs? CISM->CISA->CISSP?

Find more posts tagged with

Comments

CISSP & CISA are both very very broad in terms of the overall body of knowledge.

CISSP is more management and ideology focused.

CISA is very bulletpoint audit this audit that in this way.

CISM is broad but not nearly as broad as the others.

I can't really give you pointers as to which is which since I took all of them very far apart in my career. CISSP was early on and I found it very difficult. From talking to others I actually think it's easier now than it was a bit back when I took it, but people still find it challenging, esp. people who haven't lived and breathed security for the requisite number of years.

CISM I found relatively painless, but I've lived and breathed in this space for a long time.

CISA is a different focus since it's audit-based, but I still don't think it's too bad.

Maybe others who took all three close to back-to-back can help you out better. Do you meet the prereqs for each?

TeKniques

I've taken and passed the CISSP and CISA within 6 months of each other. For me, the CISA was harder because the study material was super dry and the questions were a lot more open ended then the CISSP was. I have not taken the CISM, but I would bet it's close to the CISA in terms of preparation and question quality.

steve.taylor

You probably shouldn't think in terms of which is the most difficult.

Anyway, the CISSP is easily the most difficult. From a technical perspective, it's more far difficult than the other two. You just need to look at the domains to see that.

The CISM exam isn't worth the paper on which it's written in my humble opinion. It was so easy that I walked out thinking that I hadn't even got a single answer wrong (and I pretty much hadn't). This isn't because of my individual brilliance but rather because the exam is just far too easy. I've mentored colleagues on passing the CISM exam, and they've all passed without even having any infosec experience.

CISA isn't that difficult once you learn to "think like an auditor". You just need to think as if you were an auditor first, business manger second, and an infosec bod third.

eth0

you know that is funny but most this theory exams are easy to pass for people without experience, when I am senion level penetration tester I would have problem with pass CEH because of stupid questions

ZzBloopzZ

steve.taylor wrote: »

The CISM exam isn't worth the paper on which it's written in my humble opinion. It was so easy that I walked out thinking that I hadn't even got a single answer wrong (and I pretty much hadn't). This isn't because of my individual brilliance but rather because the exam is just far too easy. I've mentored colleagues on passing the CISM exam, and they've all passed without even having any infosec experience.

Could you kindly mentor me or give some advice about it? I tried to PM you but since you don't have high enough post count the feature is disabled for some reason. :c(

beads

As an industry we still need a more difficult and rigorous exam than the CISSP, concentrations fall flat as well. As far as the ISACA exams (CISA and CISM) they are pretty much specialist exams and should be treated as such. If your a career auditor then the CISA is a must. If your title is Security Manager then I would expect to see the CISM. Though the exam material is pretty light and a better reflection of a "management" exam than the CISSP. Never saw a management question on the CISSP but perhaps others have seen such an animal when they sat for the exam.

People get a bit obnoxious with too many credentials after awhile, attempting to list 35 credentials after your name and you become a "cert *****" and rapidly loose any credibility other than having too many credentials and nothing to back any of it up.

Take and practice exams in your field of work to learn your craft not to line the pockets of certification bodies and testing centers. Know your craft and you've never be without gainful employment.

- b/eads

eth0

I just go into general IT security. I have professional experience in forensic/cert/pentesting and want go into mainly (but not only) red teaming. Still not sure what certificate will be good for me, because there is just no certificate for red teaming better that just OSCP

. Red teaming is like pentest 2.0, you do just real attack on company and only few people know about that, no just pentest on webapp and when you have sqli then you don't escalate it. It give so much satisfaction when you hack into production servers and got root on it

. Last time I got job as senior in big4 company, this was my first senior position (I have less that 30y old, even I don't work in IT for 5 years yet) and I don't have any problems in this job, I mean like lack of skills etc. So I just want still develop my mainly technical skills, because this is future for me (no any manager level, I am not good speaker/writer).

mbarrett

The only cert I know of for this is the SANS GPEN.

UnixGuy

None of those certs are technical nor necessary for 'red teaming'. Do the CISSP if you will, it seems to be industry standard. I personally think that you have enough certs

OSCE would be a good challenge for you. Maybe challenge the GPEN & GPXN.

GREM is a good one too. I know the course is expensive, so perhaps challenge the exam instead.

eth0

UnixGuy wrote: »

None of those certs are technical nor necessary for 'red teaming'. Do the CISSP if you will, it seems to be industry standard. I personally think that you have enough certs OSCE would be a good challenge for you. Maybe challenge the GPEN & GPXN.

GREM is a good one too. I know the course is expensive, so perhaps challenge the exam instead.

Thanks for opinion, from one side I think that OSCE is no needed because almost never I will use that skills at job and from other that this certificate is like must have, to have both OSC{P,E}.

SANS are only for 4 years and are very expensive, think about that like price *3-4 because with salary from my country is like that (and I have only 1.5k euro per year budget at work for all, conferences/tranings etc)...

CISSP maybe will be good idea but atm my English skills are too low for this freak exam questions, for example OSC{P,E} have basic/simple English

mokaz

eth0 wrote: »

CISSP maybe will be good idea but atm my English skills are too low for this freak exam questions, for example OSC{P,E} have basic/simple English .

CISSP=yes
OSCE=yes

the rest; if gun forced to do so then ask for a week abroad with hotel, champagne and free bar with all your friends.