CISM without enough experience

mathiasm (Posts: 4, Registered User)
Hi there,

I recently passed the CISSP certification and endorsement process, and am now looking towards the next certification step.

I would like to work in security management, so the CISM and CISA are interesting for me. Of course I've got the 5 years of experience in the IT security field (since I passed the CISSP endorsement), but I don't have any management experience.

I guess I could take the exam anyway, but I won't be able to get the certificate, and how good is it without that anyway?

I've tried to find information on the ISACA site regarding which experience counts. Does it have to be full-time professional management, or can I try to find a volunteer job?

If I take the exam without any experience and without any prerequisites for starting to get some experience, I guess I only have 5 years to get the necessary experience, or I'll have to retake the exam?

Is it the same thing with the CISA?

Are there any other certs you could recommend I take, that would bring me in the management direction and that I can take without management experience?

I was also thinking of taking a diploma in leadership, to cover the management part of the job...

Best regards

Mathias

Comments

  • colemic (Posts: 1,568, Member)
    Don't confuse security management with being a 'manager'. All you need is verifiable work experience from three of the five domains.

    Domain 1—Information Security Governance
    Domain 2—Information Risk Management
    Domain 3—Information Security Program Development
    Domain 4—Information Security Program Management
    Domain 5—Incident Management & Response

    For the Work Experience Requirement: (directly from How to Become CISM Certified)

    Submit verified evidence of a minimum of five years of information security work experience, with a minimum of three years of information security management work experience in three or more of the job practice analysis areas. The work experience must be gained within the ten-year period preceding the application date for certification or within five years from the date of originally passing the exam.
    Experience Substitutions
    The following security-related certifications and information systems management experience can be used to satisfy the indicated amount of information security work experience.

    Two Years:
    • Certified Information Systems Auditor (CISA) in good standing
    • Certified Information Systems Security Professional (CISSP) in good standing
    • Post-graduate degree in information security or a related field (e.g., business administration, information systems, information assurance)
    One Year:
    • One full year of information systems management experience
    • One full year of general security management experience
    • Skill-based security certifications (e.g., SANS Global Information Assurance Certification (GIAC), Microsoft Certified Systems Engineer (MCSE), CompTIA Security +, Disaster Recovery Institute Certified Business Continuity Professional (CBCP), ESL IT Security Manager)
    • Completion of an information security management program at an institution aligned with the Model Curriculum
    The experience substitutions will not satisfy any portion of the three-year information security management work experience requirement.

    Some of my coworkers hold the CISM cert, and they say it is more off-the-wall than the CISA (which has slightly different experience requirements). And I say the CISA is, to put it quite delicately, bat-**** crazy and ridiculous and hairsplitting (I am currently studying for the exam in June). I just can't see the benefit for me of pursuing the CISM; I value my sanity too much.

    I would think that if you could pass the CISSP endorsement process, that you would not have any issue with the CISM/CISA work experience requirement.
    Working on: CCSP, definitely, maybe. On the twitters: @mcole1008
  • mathiasm (Posts: 4, Registered User)
    colemic wrote: »
    Don't confuse security management with being a 'manager'. All you need is verifiable work experience from three of the five domains.

    Domain 1—Information Security Governance
    Domain 2—Information Risk Management
    Domain 3—Information Security Program Development
    Domain 4—Information Security Program Management
    Domain 5—Incident Management & Response

    For the Work Experience Requirement: (directly from How to Become CISM Certified)

    Submit verified evidence of a minimum of five years of information security work experience, with a minimum of three years of information security management work experience in three or more of the job practice analysis areas. The work experience must be gained within the ten-year period preceding the application date for certification or within five years from the date of originally passing the exam.
    Experience Substitutions
    The following security-related certifications and information systems management experience can be used to satisfy the indicated amount of information security work experience.

    Two Years:
    • Certified Information Systems Auditor (CISA) in good standing
    • Certified Information Systems Security Professional (CISSP) in good standing
    • Post-graduate degree in information security or a related field (e.g., business administration, information systems, information assurance)
    One Year:
    • One full year of information systems management experience
    • One full year of general security management experience
    • Skill-based security certifications (e.g., SANS Global Information Assurance Certification (GIAC), Microsoft Certified Systems Engineer (MCSE), CompTIA Security +, Disaster Recovery Institute Certified Business Continuity Professional (CBCP), ESL IT Security Manager)
    • Completion of an information security management program at an institution aligned with the Model Curriculum
    The experience substitutions will not satisfy any portion of the three-year information security management work experience requirement.

    Some of my coworkers hold the CISM cert, and they say it is more off-the-wall than the CISA (which has slightly different experience requirements). And I say the CISA is, to put it quite delicately, bat-**** crazy and ridiculous and hairsplitting (I am currently studying for the exam in June). I just can't see the benefit for me of pursuing the CISM; I value my sanity too much.

    I would think that if you could pass the CISSP endorsement process, that you would not have any issue with the CISM/CISA work experience requirement.

    I have read that on the site, but maybe it's because of my poor English, but I can't see whether they require professional experience (a full-time paid job) or whether volunteer jobs satisfy the management experience requirement?

    Well, the CISSP domains that I have worked in are primarily the technical ones (crypto, app security design, security architecture and design, etc.), and they are quite different from the 5 domains in CISM, so I guess that I won't have any qualifying work experience?
  • colemic (Posts: 1,568, Member)
    It doesn't specify, but I would imagine they are saying that if not full-time, then the equivalent (2,080 hours per year for volunteer work).

    Domain 4, Task Statement 1: 4.1 Manage internal and external resources (e.g., finances, people, equipment, systems) required to execute the information security program. -- I'd say that easily covers security architecture and design.
    Working on: CCSP, definitely, maybe. On the twitters: @mcole1008
  • mathiasm (Posts: 4, Registered User)
    Thank you very much. Maybe I should try reading the domains/tasks and see if my work fits 3 domains or more :)