Sunday 6 May 2012

CISSP, CISA & CISM

I am currently working this month on delivering CISSP and CISA training as well as sitting the CISM exam, and I thought that as I go through the month I would talk about the courses and how I feel they compare and relate to the Information Security Professional.

Top security certifications

Some of the top information security certifications are offered by the International Information Systems Security Certification Consortium ((ISC)2) and ISACA (previously known as the Information Systems Audit and Control Association, but now using just the acronym).

There is also a very good set of certifications offered by Global Information Assurance Certification (GIAC). They are not described here, but I hope to discuss them in future; I currently don't have first-hand experience of GIAC and the certifications it offers.

Summary of the certifications

CISSP, offered by (ISC)2
The Certified Information Systems Security Professional (CISSP) qualification was created in 1989. It is one of the most popular and well-known security certifications. The CISSP study programme gives a broad overview of information security. Certification is by way of a multiple choice examination that covers 10 subject areas, including 'Cryptology' and 'Law, Investigation and Ethics'.

CISM, offered by ISACA
The Certified Information Security Manager (CISM) programme is intended to recognise those with the technical and managerial abilities to oversee an enterprise-wide information security system. Individuals in such a role require an understanding of business goals and IT strategies, as well as the ability to define sensible security policies, acceptable usage policies for the use of email and the Internet, and the configuration of the organisation's firewall.
The CISM certification is for the individual who manages, designs, oversees and/or assesses an enterprise's information security (IS). The CISM certification promotes international practices and provides executive management with assurance that those earning the designation have the required experience and knowledge to provide effective security management and consulting services.

CISA, offered by ISACA
The Certified Information Systems Auditor (CISA) is recognised as the standard of achievement for those who audit, control, monitor and assess an organisation's information technology and business systems.
With a growing demand for professionals possessing IS audit and control skills, CISA has become a preferred certification programme for individuals and organisations around the world. CISA certification signifies commitment to serving an organisation and the IS audit and control industry.

Although the certifications overlap on some content, they have different focuses. The most obvious is CISA and its focus on auditing; this is a good certification not only for auditors but for those who deal with auditors.

The Venn diagram shows how the certifications complement each other with different focuses on auditing, or strategic, or tactical functions.

ISACA say that earning the CISSP and/or the CISA credential is complementary to the attainment of the CISM credential and is encouraged.

Accreditation

CISSP, CISA and CISM are accredited under ANSI ISO/IEC Standard 17024:2003, an international standard which sets out criteria for an organisation's certification programme for individual persons.
The issues that ISO 17024 tackles can be summarised as:
  • Defining what it is you examine (the competencies)
  • Knowledge, skills and personal attributes
  • Examination must be independent
  • Examination must be a valid test of competence

Where competency is typically described as:
"The demonstrated ability to apply knowledge, skills and attributes"
The fact that all these certifications have been accredited shows the effort the organisations put into maintaining the certifications against the standard, and that they believe these are important certifications for a professional to hold.
Certification Content

Each of the certifications divides its content into domains of knowledge; the current domain structure of each certification is shown below. I will be looking at the certifications and the content of the domains in more detail later this month.
CISA domains (2011)

Domain 1: The Process of Auditing Information Systems
Domain 2: Governance and Management of IT
Domain 3: Information Systems Acquisition, Development and Implementation
Domain 4: Information Systems Operations, Maintenance and Support
Domain 5: Protection of Information Assets

CISM domains (2011)

Domain 1: Information Security Governance
Domain 2: Information Risk Management and Compliance
Domain 3: Information Security Program Development and Management
Domain 4: Information Security Incident Management

CISSP domains (2012 Candidate Information Bulletin)

Domain 1: Access Control
Domain 2: Telecommunications and Network Security
Domain 3: Information Security Governance and Risk Management
Domain 4: Software Development Security
Domain 5: Cryptography
Domain 6: Security Architecture and Design
Domain 7: Operations Security
Domain 8: Business Continuity and Disaster Recovery Planning
Domain 9: Legal Regulations, Investigations, and Compliance
Domain 10: Physical and Environmental Security

Exam comparison

Exam  | Length (hours) | No. of questions | Pass score (scaled) | Max score (scaled) | Frequency
------|----------------|------------------|---------------------|--------------------|-------------
CISA  | 4              | 200              | 450                 | 800                | twice a year
CISM  | 4              | 200              | 440                 | 800                | twice a year
CISSP | 6              | 250 *            | 700                 | 1000               | frequently

* 25 questions are experimental and not graded

1 comment:

  1. Thanks for sharing this post. This is really helpful information for me and also for those who are interested in CISA and CISM. Apart from this, if you want more information about this, visit this link: CISA Training Course
