CISM preparation time
hk_engineer
Member Posts: 11 ■□□□□□□□□□
in CISM
Hi, I want to appear for the September 2013 CISM exam. Currently, I have studied for CISSP, but haven't appeared for the exams. I was originally planning for the December exams, but due to family commitments, I need to appear in the September one. Can you guide me as to how to start and nail the exam? I have around months remaining for the exam, considering I have got good experience in IT Networks and Security, but not in Security management. It would be like starting from scratch for me.
Please guys help me with your valuable views. I have been told REVIEW MANUAL and DATABASE CD can cross me the border.
URGENT HELP NEEDED!!!
Comments
paul78 Member Posts: 3,016 ■■■■■■■■■■
Welcome to the TE. The Review Manual and Q&A is definitely the way to go. If you have the requisite background, you should have plenty of time. If you don't have security management experience, I do not believe that you meet the minimum requirements to earn the CISM designation. But you can certainly still write the exam.
My own preparation was about 35 hours in total. The bulk of the preparation was in the week leading up to the exam - about 24 hours.
Generally, I find ISACA exams to be very relevant and fair. I think others disagree with my viewpoint but again I think it boils down to individual experience and background.
Good luck on your studies.
hk_engineer Member Posts: 11 ■□□□□□□□□□
Thanks for the help Paul. I am doing a mix of roles in IT assurance management at the moment. My plan is to move to a full-fledged Security management role and I guess CISM should help me get that. Also, I have 5 years to go about it so that should be enough, considering I need 3 years, as my degree in IT should be sufficient for a 2-year waiver.
I am planning to buy the Review Manual and Database questions. Apart from that, I have a 1-month membership with CBT Nuggets, so I will take their video tutorial for CISM for a better idea of Security Management. Do you think I need anything else to cross the victory border?
paul78 Member Posts: 3,016 ■■■■■■■■■■
Depending on your confidence level, perhaps the only other thing you could do is to look at some of the other materials on the ISACA web site. It could give you some additional insight into the nomenclature used by information security managers. Look at the topics related to RiskIT and BMIS here - Information Technology - Professional Networking - Knowledge Center | ISACA
I have never looked at other materials other than the ISACA provided books so I can't really comment on CBT Nuggets or external vendors. The ISACA review manuals are extremely dry to read so if you have another set of materials, it could be helpful.
I probably should have mentioned that I have about 25 years of management experience in IT and Security when I took the exam. So most of the topics were already very familiar to me. I'm not sure if my own preparation style would necessarily be relevant.
hk_engineer Member Posts: 11 ■□□□□□□□□□
Thanks Paul, I will have a look at that as well. I understand what you mean by experience. I have got around 6 years of experience working in different areas of networks. My idea in using CBT Nuggets is that they are like live instructor-led classes and will give me more insight than reading only the review manual, which according to many is very dry.
Thanks for your input, and do share your experience and the things you think need extreme focus so that I make sure I don't miss them.
Experienced valuable opinion is always sacred.
Just for info, can you tell me what the day-to-day work is for a CISM? I am asking in real-world terms, not according to ISACA, as I have read the job practice section as well. But from someone experienced like you it would be really good.
paul78 Member Posts: 3,016 ■■■■■■■■■■
For the CISM, make sure you focus on what an actual information security manager would do. The CISM, unlike the CISSP which you were studying for, is not about practical knowledge but more about judgmental behavior. I think that is one of the reasons why people sometimes do not like ISACA exams; the questions can seem irrelevant because it's extremely difficult to write exam questions which test for management decision-making abilities.
As for my day-to-day, I work at a line-of-business for a Fortune 500 company. I'm actually a fairly senior-ranking manager so my day-to-day job varies tremendously. I often joke that my main job description is "other activities as required". Among my peers in the company and similar companies, someone that holds a CISM or performs similar work as a CISM is primarily responsible for governance, security, and risk in their area of responsibility.
For me, that includes (a) all IT capex budget and opex (excluding workforce) management for my line-of-business, (b) infosec governance, (c) vendor contracts as related to risk management, (d) escalation of security issues, (e) customer contract disputes, (f) compliance with corporate policies, (g) compliance with regulatory safeguards related to data protection and privacy. Those are the basic highlights. I don't actually do all the work associated with these items. My job is to make sure that other people get it done but I'm the one that is accountable for the satisfactory outcome.
hk_engineer Member Posts: 11 ■□□□□□□□□□
Paul, thanks for the prompt response. I have a similar position, obviously not as senior (but anything required), but it's mostly w.r.t. Network and Network Security and Deployment.
Thanks for the prompt response and I hope I am able to succeed in the exam. Thanks for being so wonderful.
Do share the information that I need in order to succeed.
Can you tell me your full name so I can add you on LinkedIn as well, if you prefer?
paul78 Member Posts: 3,016 ■■■■■■■■■■
Good luck on the exam. Regardless of whether you succeed or not, the actual exam preparation process in itself can be very valuable.
Unfortunately, I guard my real identity on this forum closely so I must respectfully decline your invitation. The anonymity on this forum allows me to share some of my experience if it's helpful to others. I am actually not permitted by my employer to participate in social networks. Whenever I post articles on the Internet in my real name or speak at a conference, I am obligated to seek approval from my employer and I am supposed to post a disclaimer which disavows connection to my employer.
hk_engineer Member Posts: 11 ■□□□□□□□□□
Hi Paul,
Thanks for the feedback, I really appreciate your efforts.
I am trying to transition from Network and Network Security to Security Management and wanting to do CISSP and CISM in order to get the desired jobs and get an understanding as to how it is working.
So helpful people like you really make life easy.
Do add any further advice if you have about it and anything related to CISM. I will really appreciate that.
hk_engineer Member Posts: 11 ■□□□□□□□□□
Hi Paul,
Thanks for your help previously. The exam is approaching and obviously I am quite nervous.
But I would say, whether I pass or not, I have a new brain installed after preparing for this exam. I did study for CISSP as well, but what I learned from this cert is extremely valuable.
I hope I pass.
I just have a small query which is basically for experienced people like you.
I am currently not directly in a Security Management environment.
Just wanted to know if you can provide me a sort of detail or tricks to align my experience relevant to Security Management, as no one would provide me an opportunity if I can't align my skills with it.
paul78 Member Posts: 3,016 ■■■■■■■■■■
Are you referring to the ISACA experience requirements to be awarded the CISM designation? If so, my suggestion is to pass the exam first. I know that's easier said. But you have several more years to get experience if you don't currently qualify. You probably don't want to be distracted before taking the exam. If you already passed and qualify for the CISSP, then you are likely to do just fine on the CISM. One note of caution, the CISM is paper based so if you are more used to computer based testing, you may want to simulate taking a paper based exam by using the ISACA exam Q&A review manual.
hk_engineer Member Posts: 11 ■□□□□□□□□□
Hi Paul,
Sorry for the late response. I am not talking about the certification. I want to know about the job prospects: how to make an employer understand I am going to be capable enough, considering I haven't been a security manager before, as I have worked in Networks and Network Security and I am a Network Manager at the moment, so I don't deal with Security management a lot. So, tips to align my resume for a Security Consultancy or management position.
Certification for CISM is a later stage; I need to get into the real role first.
paul78 Member Posts: 3,016 ■■■■■■■■■■
Ahh - I see what you mean. Getting into any functional area of IT in my opinion is the same regardless of whether it's security, network engineering, systems administration, etc. I was trying to think of any concrete tips but I admit that I was falling short of any specifics. There's really no magic bullet. However, if you live in the US and you work in an industry where you have specific domain expertise of some of the sectorial security nuances, it could be easier to land a role in security. For example, if you work in healthcare, and you have worked with PHI issues or if you work in financial services and had exposure to PCI or GLBA requirements. I hope that makes sense.
hk_engineer Member Posts: 11 ■□□□□□□□□□
Yup, thanks Paul. Let's see how it goes for me. The exam is done and I am waiting for the result now in order to plan accordingly for betterment.