CISM and CISA

Which exam is more difficult, the CISA or the CISM? Which exam holds more weight if your goal is to work in information security management?

Find more posts tagged with

Comments

keatron

Hello.

CISA is more popular amongst insurance companies and large CPA firms (for example, a CPA/Auditor who's primary focus is now IT related audits, for things such as SOX, etc.).

CISM is closer to being parallel to CISSP and more geared towards security management.

JDMurray

Which security management cert is more industry-recognized, the ISACA CISM or the (ISC)² ISSMP? And how does the ISSMP expand/improve on the security management topics found in the CISSP?

keatron

Good question JD. Having recently been engaged in some study for the ISSMP and working with ISC2 on new exam content, I can tell you that it improves to the point of taking that so called mile wide inch deep description and making it 2 inches wide and a mile deep. It's a ton of mind twisting judgement call scenarios. The good thing about the official content (expected around the end of March 07 ssshhhh), is that it is full of scenarios, then answers to questions, then a break down of the likely outcome of each answer you're asked to choose from. So it really takes out most of the technical stuff and focuses almost exclusively on day to day security management decisions and issues. Disaster recovery responses, attack response, documentation, even how to deal with public disclosure. So I would definitely recommend anyone in or planning to be in a infosec management role to dive into ISSMP, whether you're certifying or not, the information is priceless.

seccie

CISA is a bit like CISSP. You don't have to know so many details like with CISSP to pass it.

The disadvantages are:
- a domain about auditing,
- short exam time (200 questions in 4 hours), and
- scenario-based questions (which steal your time).

I've heard a negative opinion about CISM to be a kind of "CISSP imitation for CISAs". Personally I didn't consider passing CISM because of the grandfathering-policy - a lot of people were allowed to literally buy the certificate, without passing the exam. That was why I went for CISSP

kmcnees

dcooper24 wrote:

Which exam is more difficult, the CISA or the CISM? Which exam holds more weight if your goal is to work in information security management?

Wow, really good question. I would probably say that the CISA is a bit more difficult than the CISM.

If your goal is to work in information security management, then the CISM would carry more weight I think.

drakhan2002

Do you need to have the CISA before the CISM or can you jump directly to the CISM?

keatron

drakhan2002 wrote:

Do you need to have the CISA before the CISM or can you jump directly to the CISM?

No, you don't need CISA to earn CISM.

lopezco

keatron wrote:

So I would definitely recommend anyone in or planning to be in a infosec management role to dive into ISSMP, whether you're certifying or not, the information is priceless.

How much time do you think (at least) would be needed to prepare for this Certification, and how many years of experience?

keatron

If you're still fresh from your CISSP prep, I would recommend another 3 to 4 months. If not, then 4 to 6. This is assuming you have about 2 hour per day for reading and research.

JDMurray

seccie wrote:

Personally I didn't consider passing CISM because of the grandfathering-policy - a lot of people were allowed to literally buy the certificate, without passing the exam. That was why I went for CISSP

I have a friend who ended up collecting several security and auditing certifications by the "grandfathering" method. At the time, he thought it was a great thing to just fill out some paper work and receive a cert based on his previous certs and documented work experience. However, he now claims to spend nearly $3000US each year just to maintain her collection of professional certifications (e.g., conferences, professional and cert organization fees, etc.). To hear him talk, it sounds as though grandfathering people into certifications is a revenue model for certification organizations to gain members and money. If this is true, it certainly does water-down the value of the grandfather-able certs.

How much you'll be paying for all those certifications versus what value you will get from them is something to seriously consider.

bah44

jdmurray wrote:

seccie wrote:

How much you'll be paying for all those certifications versus what value you will get from them is something to seriously consider.

Good point, however ... consider where the $$$ go for the certs. The biggest amount of the money required in maintaining a CISA or CISM is joining ISACA and the local chapter. The CISA and CISM each cost an additional $40 per year. The CPE requirements are close enough that anything used for one can be used for the other.

So ... since I already have me CISSP and CISA ... I'll be taking the CISM this December. It'll cost only an additional $40 per year to maintain.

Brady Hamilton
CISSP, CISA, CCNA

arlyn007

I just finshed up a CISM Class in which the instructor is a question writer for ISACA and ISC2. Im taking the CISA this June and I'm not taking it lightly though I have the CISSP cert. The instructor said that the CISM is graded on a curve and 45% is needed. I'm hoping the CISA is equvilent and I'm hopeing alot of dumbazz aretaking it the sametime as me... lol, I'm probably their leader.

BTW: I registered early to take the CISA exam to save on $$$ but I was able to get into a paid seat for a CISM course, I'll take it in Dec.

mivmann

dcooper24 wrote:

Which exam is more difficult, the CISA or the CISM? Which exam holds more weight if your goal is to work in information security management?

I'm working as a it-auditor and we are encouraged to take the CISA exam as it's it security from an auditors perspective (which i will right after CISSP). I would say thats its tough just too meet the requrements for the CISM as you have to have 2 years experience as a leader of a systems security section/department. Would be a nice one to have though

bugusmart

I would like to take the CISA exams in December. Can someone give me a link to get free CISA CBT and learning materials .

JDMurray

bugusmart wrote:

I would like to take the CISA exams in December. Can someone give me a link to get free CISA CBT and learning materials .

Sign up for a free account at www.cccure.org and have a look at their CISA discussion forum and study materials. You can take free CISA practice tests at www.freepracticetests.org/quiz/home.php. Also, check the booksellers on amazon.com for discounted CISA exam study books.

macwhizard

Another question about CISA.

Is it worth taking for a person without any accounting background ?. and generally which industries give preference to CISA's than big auditing, banking and insurance firms ?.

JDMurray

macwhizard wrote:

Is it worth taking for a person without any accounting background ?

Searching for the keyword "CISA" on dice.com shows some of the non-accounting positions favor CISA certification:

IT Auditor IT Security Analyst Systems Development Audit Supervisor Network Security Analyst Information Security Auditor Information Security Engineer Security Audit Engineer Compliance Analyst Risk Analyst etc. It looks like any business or industry that cares about information security needs CISA-certified people.

bayted

JDMurray:

Thank you so much for the freepracticetests.org reference!

I just began studying for the CISA, and I love how I can set the quiz to be generated into a platform that suits my current level of knowledge/studying.

JDMurray

Glad to help!

dcooper24

Thank you guys for all the information given.

Biakpara

It is alright if you have a problem with grandfathering but I do not think that applies solely to the CISM. I have got certifications from both ISACA and ISC2 (CISA & CISSP), am also planning on my CISM...of course none of these through grandfathering...but that is a matter of choice for me. If others choose to go the grandfathering route, do they qualify? Has the body in question put procedures in place to see that this is verified? Whoever goes on to carry a load (maintenance fees) he/she cannot bear, has no one to blame. It does not degrade the quality of the certification, which has strict eligibilty criteria by the way. Arguments such as these have been there for a while and will go on even a bit more. I am gaining from them all and like a said above, its a matter of choice. Remeber it says CISM, SM for Security Management...that's why it allows for grandfathering. The target is for Security Managers. CISSP targets Security Administrators really.

seccie wrote: »

CISA is a bit like CISSP. You don't have to know so many details like with CISSP to pass it.

The disadvantages are:
- a domain about auditing,
- short exam time (200 questions in 4 hours), and
- scenario-based questions (which steal your time).

I've heard a negative opinion about CISM to be a kind of "CISSP imitation for CISAs". Personally I didn't consider passing CISM because of the grandfathering-policy - a lot of people were allowed to literally buy the certificate, without passing the exam. That was why I went for CISSP

wasadeq

My concern is after gaining CISA. As u all know that ISACA offer CISA certs to whom who pass the test AND have few years experience in security. A candidate who earns CISA cert but have no previous work experience in auditing, will he face difficulties in getting an auditing job? In other words, what will be the employer perspective about him? What chances he has to start new dimension in his IT career?

BR,

shamizzle79

I was thinking of starting a new thread but I think this question could be relevant here.

I've been thinking about studying for and obtaining the CISM certification. I already have a CISSP. After looking at the CISM study guide, I've noticed some material is similar and some is different (little bit more management all-around).

Do you guys think this is a waste of time, or a good focus towards infosec management.

Thanks.

dynamik

shamizzle79 wrote: »

I was thinking of starting a new thread but I think this question could be relevant here.

I've been thinking about studying for and obtaining the CISM certification. I already have a CISSP. After looking at the CISM study guide, I've noticed some material is similar and some is different (little bit more management all-around).

Do you guys think this is a waste of time, or a good focus towards infosec management.

Thanks.

There's some debate over the value of the ISACA certs, but putting all that aside, the CISM material is excellent.

That and the CISA are on-deck for me. If I can do the CISA in June, I'll probably take a stab at the CISM in December. Those might slip six months though (ISACA only offers one exam in June and another in December).

Welcome to the forums, btw.

tpatt100

I am scheduling the CISA tomorrow for the June testing.

meghafnd

Hi All, I am appearing for CISA this time...Just wanted to have an idea as to is CISA a time battle during the exam...do i have to hurry up or is 4hrs are enogh for 200 questions?

dynamik wrote: »

There's some debate over the value of the ISACA certs, but putting all that aside, the CISM material is excellent.

That and the CISA are on-deck for me. If I can do the CISA in June, I'll probably take a stab at the CISM in December. Those might slip six months though (ISACA only offers one exam in June and another in December).

Welcome to the forums, btw.

JDMurray

meghafnd wrote: »

Hi All, I am appearing for CISA this time...Just wanted to have an idea as to is CISA a time battle during the exam...do i have to hurry up or is 4hrs are enogh for 200 questions?

That actually depends on how easily you are able to answer the exam items. Are you using any CISA practice exams to improve your testing skills and increase your mental stamina?

cabrillo24

meghafnd wrote: »

Hi All, I am appearing for CISA this time...Just wanted to have an idea as to is CISA a time battle during the exam...do i have to hurry up or is 4hrs are enogh for 200 questions?

Depends on the person. Just watch your time as you're taking the exam and try not to spend too much time per question.

notshai

hi does anyone know if i can use my CISSP training as CPEs towards CISA?
i recently studied and passed the CISSP, it was 3 months long of studying in domains overlapping with the CISA requirements.
it only makes sense ISACA would allow/recognize some of that study time as CPE time.

JDMurray

You must have the CISA (or CISM) cert first before you can start claiming CPEs for it. Unless the rules have been changed, you cannot claim CPEs for educational events that occurred before you were awarded the CISA cert. Check on ISACA's Web site for the latest rules.