CISM Certification Requirement

leostar

Guys,

I need some help here for my CISM certification requirements. I am trying to appear CISM exam this June 2010 and have a question in mind. Senior guys please help me.

I have more than 14 years of experience in IT System Administrator/Support experience, Worked as a IT Manager for 3 years and System Admin as a more than 8 years. Question: Is my experience is sufficient to qualify for Certification if I sit on Exam in June 2010. Or do I need specific title in my job role to gain the certification.

Thanks,
LeoStar

astorrs

Requirements for CISM Certification

4) Work experience in the field of information security

Submit verified evidence of a minimum of five years of information security work experience, with a minimum of three years of information security management work experience in three or more of the job practice analysis areas. The work experience must be gained within the ten-year period preceding the application date for certification or within five years from the date of originally passing the exam.

Experience Substitutions

The following security-related certifications and information systems management experience can be used to satisfy the indicated amount of information security work experience.

• Two Years:
  • Certified Information Systems Auditor (CISA) in good standing
  • Certified Information Systems Security Professional (CISSP) in good standing
  • Post-graduate degree in information security or a related field (e.g., business administration, information systems, information assurance)
• One Year:
  • One full year of information systems management experience
  • One full year of general security management experience
  • Skill-based security certifications (e.g., SANS Global Information Assurance Certification (GIAC), Microsoft Certified Systems Engineer (MCSE), CompTIA Security +, Disaster Recovery Institute Certified Business Continuity Professional (CBCP), ESL IT Security Manager)
  • Completion of an information security management program at an institution aligned with the Model Curriculum

The experience substitutions will not satisfy any portion of the three-year information security management work experience requirement.

Have a look at the "job practice analysis areas" and confirm if you have 3 years experience in 3 or more of them in the last 10 years.

JDMurray

Based on the info on the CISM Requirements page the Andrew beat me to posting, I'd say you need to emphasize at least five years of InfoSec management-related work on your resume.

colemic

JDMurray wrote: »

Based on the info on the CISM Requirements page the Andrew beat me to posting, I'd say you need to emphasize at least five years of InfoSec management-related work on your resume.

OK, maybe I am being dense today, but I am not sure I understand what is meant by 'a minimum of three years of information security management work experience in three or more of the job practice analysis areas. Is it People Management? Risk Management? Incident Management? Doesn't seem very clear (to me at least) what kind of management it is looking for.


Then a little bit further down the list of requirements:

'The experience substitutions will not satisfy any portion of the three-year information security management work experience requirement.' -So I basically have to have an IAM title to qualify?

Exception: Two years as a full-time university instructor teaching the management of information security can be substituted for every one year of information security experience. -The way this is phrased, 'teaching management of information security' leads me to think that it is not referencing 'People Management,' or any instructor teaching an HR class would technically be qualified for the exception. What springs to mind, is the MIS (Management of Information Systems) Degree as being kind of what I am referring to, although after re-reading, I still don't think I am explaining it very well.


I am interested in pursuing this cert, but I am not sold on the fact that it is a requirement that I have people working under me to get it.

Ye Gum Noki

You don't have to manage people and I don't know what leads you to believe you do. Most InfoSec folks manage systems and unless you work for a large company, the InfoSec departement is going to be one deep, maybe two. So focus on YOUR experiences:

Have you done Information Security Governance, Risk Management, InfoSec Program Development or Management or Incident Management and/or Response? Have you managed any such programs?

It's really as simple as applying what you know and what you've done to the criteria. Focus on the five domains (that I paraphrased above) and your experiences. For example, if you've managed your company's firewalls and IPSs and developed policies for those, that counts. Managing a help desk with four techs, doesn't.

Don't get too wrapped around degree programs or being a supervisor. Those things may help, but are by no means required.

Good luck with this and on the exam should you decide to go forward,

Mr. Ye

colemic

Good grief, even I don't understand what I asking, now that I re-read it, LOL!