CISA is more popular amongst insurance companies and large CPA firms (for example, a CPA/Auditor whose primary focus is now IT-related audits, for things such as SOX, etc.).
CISM is closer to being parallel to CISSP and more geared towards security management.
Which security management cert is more industry-recognized, the ISACA CISM or the (ISC)² ISSMP? And how does the ISSMP expand/improve on the security management topics found in the CISSP?
Good question JD. Having recently been engaged in some study for the ISSMP and working with ISC2 on new exam content, I can tell you that it improves to the point of taking that so-called mile wide inch deep description and making it 2 inches wide and a mile deep. It's a ton of mind twisting judgement call scenarios. The good thing about the official content (expected around the end of March 07 ssshhhh), is that it is full of scenarios, then answers to questions, then a break down of the likely outcome of each answer you're asked to choose from. So it really takes out most of the technical stuff and focuses almost exclusively on day to day security management decisions and issues. Disaster recovery responses, attack response, documentation, even how to deal with public disclosure. So I would definitely recommend anyone in or planning to be in an infosec management role to dive into ISSMP, whether you're certifying or not, the information is priceless.
CISA is a bit like CISSP. You don't have to know as many details as with CISSP to pass it.
The disadvantages are:
- a domain about auditing,
- short exam time (200 questions in 4 hours), and
- scenario-based questions (which steal your time).
I've heard a negative opinion about CISM being a kind of "CISSP imitation for CISAs". Personally I didn't consider passing CISM because of the grandfathering policy - a lot of people were allowed to literally buy the certificate, without passing the exam. That was why I went for CISSP.
> So I would definitely recommend anyone in or planning to be in an infosec management role to dive into ISSMP, whether you're certifying or not, the information is priceless.
How much time do you think (at least) would be needed to prepare for this Certification, and how many years of experience?
DAL
"If you reveal your secrets to the wind, you should not blame the wind for revealing them to the trees." — Kahlil Gibran
If you're still fresh from your CISSP prep, I would recommend another 3 to 4 months. If not, then 4 to 6. This is assuming you have about 2 hours per day for reading and research.
> Personally I didn't consider passing CISM because of the grandfathering policy - a lot of people were allowed to literally buy the certificate, without passing the exam. That was why I went for CISSP.
I have a friend who ended up collecting several security and auditing certifications by the "grandfathering" method. At the time, he thought it was a great thing to just fill out some paperwork and receive a cert based on his previous certs and documented work experience. However, he now claims to spend nearly $3000US each year just to maintain his collection of professional certifications (e.g., conferences, professional and cert organization fees, etc.). To hear him talk, it sounds as though grandfathering people into certifications is a revenue model for certification organizations to gain members and money. If this is true, it certainly does water down the value of the grandfather-able certs.
How much you'll be paying for all those certifications versus what value you will get from them is something to seriously consider.
> How much you'll be paying for all those certifications versus what value you will get from them is something to seriously consider.
Good point, however ... consider where the $$$ go for the certs. The biggest amount of the money required in maintaining a CISA or CISM is joining ISACA and the local chapter. The CISA and CISM each cost an additional $40 per year. The CPE requirements are close enough that anything used for one can be used for the other.
So ... since I already have my CISSP and CISA ... I'll be taking the CISM this December. It'll cost only an additional $40 per year to maintain.
I just finished up a CISM class in which the instructor is a question writer for ISACA and ISC2. I'm taking the CISA this June and I'm not taking it lightly, though I have the CISSP cert. The instructor said that the CISM is graded on a curve and 45% is needed. I'm hoping the CISA is equivalent and I'm hoping a lot of dumbazz are taking it the same time as me... lol, I'm probably their leader.
BTW: I registered early to take the CISA exam to save on $$$ but I was able to get into a paid seat for a CISM course, I'll take it in Dec.
Which exam is more difficult, the CISA or the CISM? Which exam holds more weight if your goal is to work in information security management?
I'm working as an IT auditor and we are encouraged to take the CISA exam as it's IT security from an auditor's perspective (which I will do right after CISSP). I would say that it's tough just to meet the requirements for the CISM, as you have to have 2 years' experience as a leader of a systems security section/department. Would be a nice one to have though.
Is it worth taking for a person without any accounting background? And generally, which industries give preference to CISAs, other than big auditing, banking and insurance firms?
> Is it worth taking for a person without any accounting background?
Searching for the keyword "CISA" on dice.com shows some of the non-accounting positions favor CISA certification:
IT Auditor
IT Security Analyst
Systems Development Audit Supervisor
Network Security Analyst
Information Security Auditor
Information Security Engineer
Security Audit Engineer
Compliance Analyst
Risk Analyst
etc.
It looks like any business or industry that cares about information security needs CISA-certified people.
Thank you so much for the freepracticetests.org reference!
I just began studying for the CISA, and I love how I can set the quiz to be generated into a platform that suits my current level of knowledge/studying.
It is alright if you have a problem with grandfathering but I do not think that applies solely to the CISM. I have got certifications from both ISACA and ISC2 (CISA & CISSP), and am also planning on my CISM...of course none of these through grandfathering...but that is a matter of choice for me. If others choose to go the grandfathering route, do they qualify? Has the body in question put procedures in place to see that this is verified? Whoever goes on to carry a load (maintenance fees) he/she cannot bear has no one to blame. It does not degrade the quality of the certification, which has strict eligibility criteria by the way. Arguments such as these have been there for a while and will go on even a bit more. I am gaining from them all and like I said above, it's a matter of choice. Remember it says CISM, SM for Security Management...that's why it allows for grandfathering. The target is for Security Managers. CISSP targets Security Administrators really.
> CISA is a bit like CISSP. You don't have to know as many details as with CISSP to pass it.
> The disadvantages are:
> - a domain about auditing,
> - short exam time (200 questions in 4 hours), and
> - scenario-based questions (which steal your time).
> I've heard a negative opinion about CISM being a kind of "CISSP imitation for CISAs". Personally I didn't consider passing CISM because of the grandfathering policy - a lot of people were allowed to literally buy the certificate, without passing the exam. That was why I went for CISSP.
My concern is after gaining CISA. As you all know, ISACA offers CISA certs to those who pass the test AND have a few years' experience in security. A candidate who earns the CISA cert but has no previous work experience in auditing, will he face difficulties in getting an auditing job? In other words, what will be the employer's perspective of him? What chance does he have to start a new dimension in his IT career?
I was thinking of starting a new thread but I think this question could be relevant here.
I've been thinking about studying for and obtaining the CISM certification. I already have a CISSP. After looking at the CISM study guide, I've noticed some material is similar and some is different (a little bit more management all-around).
Do you guys think this is a waste of time, or a good focus towards infosec management?
> I was thinking of starting a new thread but I think this question could be relevant here.
> I've been thinking about studying for and obtaining the CISM certification. I already have a CISSP. After looking at the CISM study guide, I've noticed some material is similar and some is different (a little bit more management all-around).
> Do you guys think this is a waste of time, or a good focus towards infosec management?
> Thanks.
There's some debate over the value of the ISACA certs, but putting all that aside, the CISM material is excellent.
That and the CISA are on-deck for me. If I can do the CISA in June, I'll probably take a stab at the CISM in December. Those might slip six months though (ISACA only offers one exam in June and another in December).
Hi All, I am appearing for CISA this time...Just wanted to have an idea as to whether CISA is a time battle during the exam...do I have to hurry up or are 4 hrs enough for 200 questions?
> There's some debate over the value of the ISACA certs, but putting all that aside, the CISM material is excellent.
> That and the CISA are on-deck for me. If I can do the CISA in June, I'll probably take a stab at the CISM in December. Those might slip six months though (ISACA only offers one exam in June and another in December).
> Hi All, I am appearing for CISA this time...Just wanted to have an idea as to whether CISA is a time battle during the exam...do I have to hurry up or are 4 hrs enough for 200 questions?
That actually depends on how easily you are able to answer the exam items. Are you using any CISA practice exams to improve your testing skills and increase your mental stamina?
> Hi All, I am appearing for CISA this time...Just wanted to have an idea as to whether CISA is a time battle during the exam...do I have to hurry up or are 4 hrs enough for 200 questions?
Depends on the person. Just watch your time as you're taking the exam and try not to spend too much time per question.
Hi, does anyone know if I can use my CISSP training as CPEs towards CISA?
I recently studied and passed the CISSP; it was 3 months of studying in domains overlapping with the CISA requirements.
It only makes sense that ISACA would allow/recognize some of that study time as CPE time.
You must have the CISA (or CISM) cert first before you can start claiming CPEs for it. Unless the rules have been changed, you cannot claim CPEs for educational events that occurred before you were awarded the CISA cert. Check on ISACA's Web site for the latest rules.
Comments
Wow, really good question. I would probably say that the CISA is a bit more difficult than the CISM.
If your goal is to work in information security management, then the CISM would carry more weight I think.
No, you don't need CISA to earn CISM.
Forum Admin at www.techexams.net
--
LinkedIn: www.linkedin.com/in/jamesdmurray
Twitter: www.twitter.com/jdmurray
Welcome to the forums, btw.