Passed - Information Security Management Advanced based on ISO/IEC 27002

I took this exam this morning.

It was 30 multiple choice questions, with 1.5 hours allowed.

I passed with a 77%, which is much lower than I would have liked, but honestly, I was happy to have passed it.

This was a really tough exam. I debated over several questions. They were asking very specific things about the standard from almost a pure implementation standpoint. I think there were only 1 or 2 questions that were asking me a specific fact. Instead every question was scenario based and there were pretty much always 2 answers that would have possibly worked.

This was much more difficult than the Foundation exam that I took last week. I really feel that with a bit of reading anyone could pass the Foundation exam, however, to get through the Advanced one would require some hands-on work with ISO/IEC standards. This exam was probably as tough or tougher than any of the ITIL v3 Intermediate exams, and just beneath my experience from several years ago with the ISO/IEC 20000 Consultant's Certification, which was the absolute toughest exam I've ever taken.

I used the actual 27k* standards and specifications as study material, as well as Alan Calder's book Implementing Information Security based on ISO 27001/ISO 27002 (Best Practice) (ISBN 9789087535414). I don't think that the book was really all that helpful in this case. What helped me the most was exposure in the past to ISO/IEC 20000 implementations as well as some exposure to ISO/IEC 27K implementations.

MS

Comments

  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    Congrats. How would you rate this exam vs an exam like the security+? Is it more like ITIL meets Security+ or is it something entirely different? Oh and what's up next? CBAP? I think you were talking about doing that right?
  • eMeS Member Posts: 1,875
    Congrats. How would you rate this exam vs an exam like the security+? Is it more like ITIL meets Security+ or is it something entirely different? Oh and what's up next? CBAP? I think you were talking about doing that right?

    Much much tougher than Sec+. I took that one several years ago. Security+ is mostly trivial/factually oriented and is easy to study for and pass, IMO. This exam was a different beast altogether.

    I wouldn't bring ITIL specifically into this mix, as ITIL doesn't really say too much about security. I would say this is more about thinking like the people that write the ISO/IEC standards do...if that makes sense. Thinking as they do and then applying that thinking to the situation you're given.

    I don't see myself ever doing the CBAP. My business partner did it a while back, and honestly that's more her line of work than it is mine. If there were ever significant market demand for it then I might do it.

    The next thing for me is likely to be ITIL Master http://www.itil-officialsite.com/Qualifications/ITILV3QualificationLevels/ITILV3MasterQualification.asp, if they ever get around to releasing the requirements for it. Possibly I will be asked to do some more of the APMG Complementary Qualifications as they are released, but that remains to be seen.

    MS
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    eMeS wrote: »
    Much much tougher than Sec+. I took that one several years ago. Security+ is mostly trivial/factually oriented and is easy to study for and pass, IMO. This exam was a different beast altogether.

    I wouldn't bring ITIL specifically into this mix, as ITIL doesn't really say too much about security. I would say this is more about thinking like the people that write the ISO/IEC standards do...if that makes sense. Thinking as they do and then applying that thinking to the situation you're given.

    So for Joe infosec admin who is trying to move into the next level (like network security analyst or something for the government) would it benefit him if he was looking to stay on the "tech" side of infosec or more of the "CA" and management side of infosec?


    eMeS wrote: »
    The next thing for me is likely to be ITIL Master http://www.itil-officialsite.com/Qualifications/ITILV3QualificationLevels/ITILV3MasterQualification.asp, if they ever get around to releasing the requirements for it. Possibly I will be asked to do some more of the APMG Complementary Qualifications as they are released, but that remains to be seen.

    MS

    If I may ask (without getting too specific) what do you do? I mean I know you are a consultant but do you optimize business structure (and that's why you do a bunch of ITIL) or is it mostly for the training side of the business?
  • eMeS Member Posts: 1,875
    So for Joe infosec admin who is trying to move into the next level (like network security analyst or something for the government) would it benefit him if he was looking to stay on the "tech" side of infosec or more of the "CA" and management side of infosec?

    I would say that the audience for this is definitely more management/consulting oriented.
    If I may ask (without getting too specific) what do you do? I mean I know you are a consultant but do you optimize business structure (and that's why you do a bunch of ITIL) or is it mostly for the training side of the business?

    I, with a partner, own a company that delivers consulting and training. We do everything from ITIL, Six Sigma, project management to managing direct technology implementations. Most of our direct technology work is with a couple of IBM's product lines. We also occasionally get involved in some mainframe-related work and some BCP activities. Honestly we do a little of everything, but tend to see most of our work in a few areas...Gap Analyses are big right now, as well as the work done with various organizations on improving their supplier management activities.

    I currently hold all available ITIL credentials. I held expert pretty much upon release in 2007, from bridging from v2. Once they released all of the intermediate certifications I went back and completed them. Really the only reason for this is that in order to deliver any of those classes the instructor also has to hold the certification.

    I would say that I spend about 50% of my time working on consulting projects, another 50% delivering training. The other 100% of my time I spend doing sales-related activities! I'm looking to over the next few years step back from the direct work and devote 100% of my time to purely sales/business development.

    MS
  • jimmyhooh Registered Users Posts: 4
    Greetings eMeS
    Need your help? Do you have any
    Foundations of Information Security – Based on ISO27001 and
    ISO27002 reading manual as well as Sample Papers ISO27002? I'm going to study on my own.

    Cheers

    Jimmy [email removed]
  • eMeS Member Posts: 1,875
    jimmyhooh wrote: »
    Greetings eMeS
    Need your help? Do you have any
    Foundations of Information Security – Based on ISO27001 and
    ISO27002 reading manual as well as Sample Papers ISO27002? I'm going to study on my own.

    Cheers

    Jimmy [email removed]

    No.

    MS
  • -Foxer- Member Posts: 151
    I wonder how this compares to the GIAC G2700. I'm studying for that right now and will hopefully be taking it in the next month or so.
  • eMeS Member Posts: 1,875
    -Foxer- wrote: »
    I wonder how this compares to the GIAC G2700. I'm studying for that right now and will hopefully be taking it in the next month or so.

    I have no idea how it compares content-wise, but I am glad to see that they finally updated the name from 17799.

    One way it compares is that to challenge the G2700 costs about 4 times what this exam costs; I have serious doubts that it provides 4 times the value...

    MS
  • -Foxer- Member Posts: 151
    I'm taking the class as part of the WGU MS:ISA program, so I didn't have a lot of choice in the matter.

    Also, congratulations on passing.