Information security today is one of the most pressing problems of the IT industry, and most company leaders sooner or later realize that the main issue is not the availability of particular technologies, let alone products, but the professional level of the relevant specialists. To avoid a mistake in choosing a future employee, an employer should first of all pay attention to whether the candidate holds a certification in information security. Although the debate about how well certification reflects a specialist's real ability to solve assigned tasks continues to this day, there is still no better mechanism for assessing those capabilities. Moreover, practical experience, sometimes contrasted with the formal passing of certification exams, has long been a requirement for any outstanding certification.
The CISM (Certified Information Security Manager) certificate is awarded by the Information Systems Audit and Control Association (ISACA), known as the leading professional organization of specialists in the control, audit, and security of information systems. The association, founded in 1967, has dozens of national chapters and is engaged in research, subject-matter standards, and the professional certification of specialists ("How to Become CISM Certified"). The main accreditation for ISACA members is the CISA (Certified Information Systems Auditor) certification, held by more than 35 thousand specialists, whereas about 5 thousand specialists currently hold CISM (Schreider 97). CISM certification is aimed at experienced managers of information security systems or structures. The certificate confirms that the specialist has the appropriate knowledge and experience and is able to effectively manage the protection of information in an organization or to advise on management issues in this area. It is fair to say that CISM is primarily a management certification in a specific subject area, focused on the risk management of information systems, although a certified specialist also knows the principles and methods of protecting an information system at a conceptual level.
For CISM certification, an individual must pass an exam, sign the ISACA Code of Professional Ethics, and confirm relevant work experience in the subject area. The exam is held once a year on the same day around the world and consists of 200 written questions ("How to Become CISM Certified"). This paper-based format is a characteristic feature of higher certifications, since it allows the organizers to protect the exam material from compromise as much as possible. The exam lasts 4 hours, and the fee is 450-500 dollars. The exam covers the following subjects: regulation in information security (21%), risk management (21%), information security program management (21%), information security management (24%), and response management (13%) ("How to Become CISM Certified"). Certification requires at least five years of experience in the field of information security and at least three years of security management in the areas listed as exam topics. Other certificates (Security+, SANS GIAC, CISA, etc.) can be counted toward 1-2 years of general experience in information security, but this does not waive the 3-year requirement for security management work. Certification must be maintained through ongoing professional training (at least 120 hours of training every three years and at least 20 hours per year) under ISACA-approved programs (Schreider 128). To prepare for the exam, ISACA holds courses during its conferences and in the association's offices. Overall, CISM certification is rated as one of the best for managers working in the field of information security.
"How to Become CISM Certified." ISACA, 2019. Web.
Schreider, Tari. Building Effective Cybersecurity Programs: A Security Manager's Handbook. Rothstein Publishing, 2017.