There is a wide range of different security courses available, and a mind-boggling array of certification and acronyms which go with them. This article focusses on three of the most common, highlights the differences between them and provides guidance on how you choose one over the other.
CISMP has been developed by the British Computer Society (BCS), and is the Certificate in Information Security Management Principles. It is a well known and common entry-level qualification, which is typically attained by people who are looking to start their careers in information- or cyber- security. It covers, at a very high level, a wide range of topics and provides a good foundation level of understanding. It can be viewed as a preparatory course which you then build on, perhaps specialising in one area or another.
It covers the following topics, and typically these subject areas are covered over five days on a course, with a one hour multiple choice exam at the end:
Information security principles
Information security framework
Procedural and people security controls
Technical security controls
Software development and life cycle
Physical and environmental security
Disaster recovery and business continuity management
Other technical aspects
CISSP is the Certification Information Systems Security Professional from (ISC)2, and is one of the two most popular high level certifications (the other being CISM – more on that shortly). Of the two, CISSP is more focussed on technical skills and management, and is based on eight domains:
Security and Risk Management
Communications and Network Security
Identity and Access Management
Security Assessment and Testing
Software Development Security
In order to achieve certification, you must pass a six hour exam consisting of 250 multiple choice questions, and be able to evidence at least five years’ experience in at least two of the domains listed above. You also need to have an existing CISSP verify your claims of experience.
The Certified Information Security Manager (CISM) from ISACA is the other major certification which companies typically look for. It focusses more on governance and risk than technical skills, and is allied to the Certified Information Security Auditor (CISA) certification, also from ISACA. There are only four domains, namely:
Information Security Governance
Information Risk Management
Information Security Program Development and Management
Information Security Incident Management
Those applying for CISM need to be able to demonstrate at least five years’ experience in three or more of these domains, and also have to pass a 250 question multiple choice exam which lasts up to four hours. This is currently a paper based exam which is only available twice a year (all exams globally run at exactly the same time), though it is understood that this is moving to a computer based test in the near future.
For both CISSP and CISM, certification is maintained by completing and evidencing a minimum of 20 hours Continuing Personal Development / Continuing Professional Education each year over three years, with a minimum of 120 hours CPD / CPE required in that time. Activities which qualify include attending seminars and conferences, contributing to papers, presenting on one of the domain topics etc.
CISMP is a good foundation to start a cyber- or information- security career. Candidates cover the basics of the topics involved, and will have a sound understanding for each area covered, which will in turn help them decide which they want to pursue in order to further their career. CISMP has no ongoing CPD requirement.
It can also be seen from above that there is little difference in terms of qualification requirements between the CISSP and CISM: the former is more suited to those with a technical, more hands on, background while the latter is better for those who have spent more time on the policy, process and governance side of things. They both require 5 years’ experience in the industry and endorsement from an existing holder of the certification. The exams can be lengthy, but time allowed to complete them is plenty, and candidates should not find them too daunting.
(ISC)2 and ISACA are aiming to ensure that, because candidates must have experience as well as pass an exam, their qualifications have merit and are valuable for the individual and the company. The requirement for CPEs also helps to ensure that knowledge is being maintained and refreshed over the course of the certification.
Call us now to discuss your requirements with one of our consultants.
Want to stay updated on the latest cyber-security news that can affect your organisation? Sign up now to our Cyber Insight Weekly delivered 1st day of every month.