Exam Profile: Certified Information Security Manager (CISM)
Date: Jul 13, 2011
The CISM certification is less than 10 years old. The Information Systems Audit and Control Association (ISACA) created it to satisfy a demand for experienced information security managers. The exam requires a strong understanding of and years’ experience in risk management, governance, and information security program management.
Over a relatively short lifespan, the CISM has been adopted at a respectable pace. Today, about 16,000 candidates worldwide have successfully passed the CISM. The typical successful candidate is moderately experienced. Over a quarter of CISM holders are senior managers, 20% of whom hold executive (CEO, CIO, CISO, CTO, CSO, etc.) positions. Due to this somewhat senior demographic, the CISM is repeatedly recognized as one of the most highly paid certifications.
Respect for the CISM is consistent through all regions worldwide, unlike other certifications such as CompTIA’s Security+, which is fairly “US-heavy.” In the United States, the CISM is distinguished by the US Department of Defense as one of the few formally recognized certifications by the DoD.
CISM versus CISA
Just so there is no confusion, here are a few facts differentiating CISM from CISA:
- In 2010, over 21,000 candidates registered for the CISA, compared to just 4,900 for the CISM.
- CISA retention hovers near 90 percent, while CISM retention is over 93%.
- A 2008 Foote Partners study found the CISM to be the highest paid certification.
- There are 85,000 CISA holders, while CISMs number around 16,000.
As you compare the two certifications, bear in mind that as the CISM nears its 10th birthday, the CISA will be 35 years old. The demands of the workforce are always changing, and information security technologies are changing even more rapidly. However, one constant is the need for established information security management.
For much more on how the CISA differs from the CISM, see the Pearson IT article Comparing CISA and CISM in the Real World.
Earning the CISM Certification
Passing the exam is one of two requirements for gaining the CISM designation. The second is meeting the required amount of work experience. The most straightforward way to complete the requirement is to have 5 years of information security management experience, but several variants of exceptions and substitutions exist, e.g. having an advanced degree in IT.
While a candidate could pass the CISM exam before gaining the work experience, it wouldn’t be easy. That said, ISACA encourages candidates to study for and try the exam at any time, but the certification will be awarded only after a candidate meets the experience requirement. A candidate has 5 years after their exam to meet this requirement and apply for the certification.
There are other agreements for a candidate regarding ethics and continued education to obtain the CISM. But this article is about the exam, so consult the ISACA website for more details on gaining the certification.
Exam Details
- Number of questions: 200
- Types of questions: multiple choice
- Passing score: 450 on a scale from 200 (lowest possible) to 800 (perfect)
- Time limit: 4 hours (works out to just over 1 minute per question)
- How to Register: You may register for the CISM exam, next available on 10 December 2011, by visiting the ISACA website.
The exam is open to anyone interested in information security management, risk management and incident response. Obtaining the CISM certification requires passing the exam, work experience and submitting the application.
The exam is offered twice a year, administered worldwide on the same day. For the 2011 exam, you may select from over 100 countries. In the US alone, it’s available in 77 cities across 22 states.
Before registering for the exam, you will create an ISACA account (name and e-mail). Then, to register, you provide more demographic information, choose a test site and pay the registration fee. The fee depends on whether or not you are an ISACA member; the amount is shown to you during registration.
Trouble Spots
The first trouble spot for exam candidates is the sheer scope of material. Without actually knowing the scope, someone may shrug off the exam as simply a non-technical, IT auditing exam. But after a few minutes reviewing the scope, that opinion may change to a feeling of being overwhelmed as they read through the exam’s 5 content areas and grasp the depth of each area.
After a review of all five content areas, or domains, the structure and pattern take shape. In time, a candidate can map their own strengths and gaps against them. So, what may appear overwhelming at first will quickly turn into a list of priority areas to study.
The CISM exam covers 5 domains. Those domains are as follows:
- Information Security Governance
- Information Risk Management
- Information Security Program Development
- Information Security Program Management
- Incident Management and Response
Experience Pays Off
With ISACA being an auditing-centric association, you might fear the CISM is loaded with auditing related questions. Not true. Instead, the exam has a large base of information risk management. This gives anyone with experience in information risk a strong advantage. Almost equally so, anyone with experience in information security program management will also have an easier time.
To possess an introductory level across a few of the 5 domains requires a few years of relevant experience. Let’s say, for example, you have 3 years’ experience in information risk management and 2 years with incident response; then you will have enough hands-on knowledge to be quite familiar with 2 of the 5 domains. Any experience in information security program development and management should raise your confidence even higher. Confidence in the material will increase motivation to study the more unfamiliar areas. So experience definitely pays off in time and motivation during your study.
Covering Both Operational and Policy Levels
Another trouble spot is the combination of both low-level and high-level understanding of the domains required of the candidate. Be aware that a candidate having a few years of experience in a domain does not guarantee they know the entire domain. Each domain covers job duties and knowledge that span multiple levels of a job. For example, let’s consider Domain 4, covering systems maintenance. On an operational level of systems maintenance, a candidate will be more familiar with questions about procedures and implementation. On a higher, more management-oriented level of systems maintenance, the candidate is more familiar with policies and standards. Domain 4 spans both levels and much more.
No person is expected to know all areas solely based on experience. This means you must study and should not rely on experience alone for any domain.
Preparation Hints
Your best approach to preparation is to break down your studying according to the 5 domains listed above.
On the ISACA website, under the CISM exam section, click on the link titled “Prepare for the Exam.” There will be a helpful guide called “The Candidate's Guide to the CISM Exam” available for free.
Proportion of Domains Per Exam
I mentioned earlier that the 5 domains are not covered equally in the CISM exam. The domain distribution is as follows:
- Domain 1, Information Security Governance: 23%
- Domain 2, Information Risk Management: 22%
- Domain 3, Information Security Program Development: 17%
- Domain 4, Information Security Program Management: 24%
- Domain 5, Incident Management and Response: 14%
This distribution is called the Job Practice for the exam, as ISACA developed this using industry practitioners and subject matter experts.
In a figure taken from the ISACA website, they illustrate this distribution like this:
Use this distribution for studying. In other words, don’t invest equal study time in Domain 4 (24% of the exam) and Domain 5 (only 14% of the exam). A more reasonable strategy is to allocate study time in a similar proportion per domain.
Important: Because ISACA routinely updates the job practice areas, it has already disclosed that the December 10th 2011 exam is the last CISM exam date that uses the exact distribution listed above.
Task and Knowledge Statements
“The Candidate's Guide to the CISM Exam” lists the several task statements and knowledge statements per domain. Task statements specify a job objective, while knowledge statements declare some specific awareness about an area. Between all domains, the CISM exam covers 45 task statements and 93 knowledge statements.
An example of a task statement would be “Ensure that threat and vulnerability evaluations are performed on an ongoing basis.” That’s task statement #4 of Domain 2: Information Risk Management. An example of a knowledge statement would be “Knowledge of risk assessment and analysis methodologies (including measurability, repeatability and documentation).” That’s statement #5 of the same Domain 2.
I strongly recommend that you read through these task and knowledge statements. To see them all, visit the ISACA website, go to the CISM section, then Prepare for the Exam / Job Practice Areas. Consider the task and knowledge statements as your recipe for mastering the CISM exam.
Study with Structure
Armed with the task and knowledge statements, you have a structured framework for studying. Depending on your preference, you may wish to check off the topics you already feel comfortable with, prioritizing the most unfamiliar areas to concentrate on. Or you may wish to briefly revisit the areas you know best, which may give you more insight into the level of detail expected across all areas. In any case, use the domain breakdown to your advantage, as a checklist and path to covering everything required of you.
Important: ultimately, your strategy for studying should reflect both this domain proportion and your prior experience. And you can execute this strategy with a definite structure.
Study What Counts the MOST or What Comes FIRST
Know that CISM exam questions frequently use superlatives to distinguish the right answer. Superlatives like “best,” “most,” and “greatest” are common. In other words, from the four answers available there might be many correct answers, but there’s only one BEST answer.
Another common question type is to ask about priority or order. You’ll read questions asking for the primary goal or role. And it’s common to pose a situation, and then you are asked what would be the first step in a series of tasks.
So, just recognizing what steps are necessary is not good enough; know what order the steps should follow.
Recommended Pace for Taking the CISM Exam
You are given 4 hours to answer the 200 questions. That may seem like a lot, but it’s not. Sure, some people are out early, but this could be their second or third time. Let’s talk more about a smart pace.
Four hours is 240 minutes, or one minute and twelve seconds per question. Even the most studious candidate shouldn’t try to concentrate for 4 hours straight. Instead, a candidate should take a break or two to refresh and reenergize. If a candidate takes two short breaks of 5-10 minutes each, that leaves 220-230 minutes for the exam. Also consider that in any exam, it’s wise to allot time at the end to briefly scan your answer sheet for obvious mistakes (skipped or double-answered questions). A safe allotment would be 10%, or 20 minutes in this case. That leaves 200 minutes for 200 questions. With a break or two and some buffer time at the end, this gives a plain “one question per minute” pace. This pace is especially helpful as you work through the exam, since you can confidently check your progress against the time spent and your current question number.
Recommended Study Resources
Job experience helps, but can only get you so far. Preparation requires studying. Take advantage of study material and make the best use of your valuable time.
On the ISACA website you will find a variety of resources, such as study guides and virtual review courses through their “eLearning Campus.” Depending on your location, you may also find an instructor-led course available in your area. Which you choose is a personal preference, but all of these come at a price.
A “CISM Exam Preparation Community” is also expected to become accessible through the ISACA website. At the time of writing, the community is not yet available, with ISACA stating, “Exam preparation communities will open later this year.” However, given that the next exam is December 10th, there is no guarantee the community will open long before the exam itself.
Study guides are not restricted to ISACA. Proven guides are available from online book outlets, e.g. Amazon, and from independent education providers. It is possible to get freely available, downloadable study guides and practice exams. However, be aware that these are often provided to help generate leads for retail exams.
Where to Go from Here
If you can feasibly prepare for the exam before the exam date, you should immediately register for the exam. This obligation will help you to commit to a study and training regimen.
- Familiarize yourself with the five domains.
- Familiarize yourself with the Job Practice Areas, available on the ISACA website under the CISM exam section. The Job Practice Areas are the five domains or content sections of the exam. Each area includes several task and knowledge statements.
- As I said earlier, the Job Practice Areas also show the proportion of each domain in the exam. For example, Domain 4 (“Information Security Program Management”) comprises 24% of the exam, while Domain 5 (“Incident Management and Response”) covers only 14%. Study accordingly.
- Also in the Job Practice Areas section or the Candidate’s Guide, use the full list of statements as a structured checklist.
- Study with structure, invest your time smartly and know the BEST answers.
- Once you feel relatively confident, try the CISM Sample Question Challenge (available on ISACA website, CISM section, then “Prepare for CISM”).
- You may opt to take other practice exams or purchase preparation materials to fill in gaps left before taking the actual exam.
- Remember during the exam to pace yourself, relying on the question/minute rate.