CISM without enough experience

Hi there,

I recently passed the CISSP certification and endorsement process, and are now looking towards the next certification step.

I would like to work with security management, so the CISM CISA are interesting for me. Of course I've got the 5 years of experience in the it security field (since i passed the CISSP endorsement), but i don't have any management experience.

I guess i could take the exam anyways but i won't be able to get the certificate, and how good is it without anyway?

I've tried to find information at the isaca site regarding which experience that counts. Does it have to be full time professional management or can i try to find a volunteer job?

If i take the exam without any experience and without any prerequisites to starting getting some experience, i guess i only have 5 years to getting the necessary experience or i'll have to retake the exam?

Is it the same thing with the CISA?

Are there any other certs you could recommend me taking, that would bring me ind the management direction and that i can take without management experience?

I was also thinking of taking a diploma in leadership, to supply the management part of the job...

Best regards

Mathias

Find more posts tagged with

Comments

colemic

Don't confuse security management with being a 'manager'. All you need is verifiable work experience from three of the five domains.

Domain 1—Information Security Governance
Domain 2—Information Risk Management
Domain 3—Information Security Program Development
Domain 4—Information Security Program Management
Domain 5—Incident Management & Response

For the Work Experience Requirement: (directly from How to Become CISM Certified)

Submit verified evidence of a minimum of five years of information security work experience, with a minimum of three years of information security management work experience in three or more of the job practice analysis areas. The work experience must be gained within the ten-year period preceding the application date for certification or within five years from the date of originally passing the exam.
Experience Substitutions
The following security-related certifications and information systems management experience can be used to satisfy the indicated amount of information security work experience.

Two Years:

Certified Information Systems Auditor (CISA) in good standing
Certified Information Systems Security Professional (CISSP) in good standing
Post-graduate degree in information security or a related field (e.g., business administration, information systems, information assurance)

One Year:

One full year of information systems management experience
One full year of general security management experience
Skill-based security certifications (e.g., SANS Global Information Assurance Certification (GIAC), Microsoft Certified Systems Engineer (MCSE), CompTIA Security +, Disaster Recovery Institute Certified Business Continuity Professional (CBCP), ESL IT Security Manager)
Completion of an information security management program at an institution aligned with the Model Curriculum

The experience substitutions will not satisfy any portion of the three-year information security management work experience requirement.

Some of my coworkers hold the CISM cert, and they say it is more off-the-wall than the CISA (which has slightly different experience requirements.) And I say the CISA is, to put it quite delicately, bat-**** crazy and ridiculous and hairsplitting (I am currently sstudying for the exam in June.) I just can't see the benefit for me of pursuing the CISM, I value my sanity too much.

I would think that if you could pass the CISSP endorsement process, that you would not have any issue with the CISM/CISA work experience requirement.

mathiasm

colemic wrote: »

Don't confuse security management with being a 'manager'. All you need is verifiable work experience from three of the five domains.

Domain 1—Information Security Governance
Domain 2—Information Risk Management
Domain 3—Information Security Program Development
Domain 4—Information Security Program Management
Domain 5—Incident Management & Response

For the Work Experience Requirement: (directly from How to Become CISM Certified)

Submit verified evidence of a minimum of five years of information security work experience, with a minimum of three years of information security management work experience in three or more of the job practice analysis areas. The work experience must be gained within the ten-year period preceding the application date for certification or within five years from the date of originally passing the exam.
Experience Substitutions
The following security-related certifications and information systems management experience can be used to satisfy the indicated amount of information security work experience.

Two Years:
Certified Information Systems Auditor (CISA) in good standing

Certified Information Systems Security Professional (CISSP) in good standing

Post-graduate degree in information security or a related field (e.g., business administration, information systems, information assurance)

One Year:
One full year of information systems management experience

One full year of general security management experience

Skill-based security certifications (e.g., SANS Global Information Assurance Certification (GIAC), Microsoft Certified Systems Engineer (MCSE), CompTIA Security +, Disaster Recovery Institute Certified Business Continuity Professional (CBCP), ESL IT Security Manager)

Completion of an information security management program at an institution aligned with the Model Curriculum

The experience substitutions will not satisfy any portion of the three-year information security management work experience requirement.

Some of my coworkers hold the CISM cert, and they say it is more off-the-wall than the CISA (which has slightly different experience requirements.) And I say the CISA is, to put it quite delicately, bat-**** crazy and ridiculous and hairsplitting (I am currently sstudying for the exam in June.) I just can't see the benefit for me of pursuing the CISM, I value my sanity too much.

I would think that if you could pass the CISSP endorsement process, that you would not have any issue with the CISM/CISA work experience requirement.

I have read that on the site, but maybe its because of my poor English, but i can't see if they require professional experience (full timed paid job) or volunteer jobs satisfy for management experience?

Well the CISSP domains that i have worked in is primely the technical ones (crypto, app security design, security architecture and design etc.) and they are quite different from the 5 domains in CISM, so i guess that i won't have any work experience?

colemic

It doesn't specify, but I would imagine they are saying that if not fulltime, then the equivalent (2080 hours per year for volunteer work.)

Domain 4, Task Statement 1: 4.1 Manage internal and external resources (e.g., finances, people, equipment, systems) required to execute the information security program. --I'd say that easily covers security architecture and design.

mathiasm

Thank you very much, maybe i should try reading the domains/tasks and see if my work fits at 3 domains or more