An overview of CISSP

The proliferation of the ISC2 CISSPcertification on information security-related job postings is well documented. From entry-level to executive roles, including CIOs, CISOs, security consultants andsecurity analysts, CISSP continues to be an expectation.

Billing itself as being "an inch deep and a mile wide" in its body of knowledge, it expects exam candidates to be competent in a range of topics from cryptography to networking to common regulations across the following eight domains:

1. Security and Risk Management (16%) includes security governance principles; legal, regulatory and compliance issues; how todevelop, document and implement security policies, standards, procedures and guidelines; and more.
2. Asset Security (10%) includes how to identify and classify information and assets; managing the data lifecycle; asset retention; and more.
3. Security Architecture and Engineering (13%) includessecure design principles, security models, selecting controls, cryptographic attacks,physical security and more.
4. Communication and Network Security (13%) includes secure design principes in network architecture, secure network components and secure communication channels.
5. Identity and Access Management (IAM) (13%) includes physical and logical access control, identification and authentication strategies, federated identity and more.
6. Security Assessment and Testing (12%) includes security control testing, collecting security process data,security audits and more.
7. Security Operations (13%) includes logging and monitoring, configuration management, incident management and more.
8. Software Development Security (10%) includes security in the software development lifecycle, secure coding guidelines and standards, and more.

It requires knowledge of history to some extent as well. For example, ISC2 might ask, "What is The Orange Book more commonly known as, and in what year was it initially issued?" This is information most practitioners only need to recall to impress their peers at dinner parties -- or for as long as it takes them to get through the CISSP exam.

The three-hour exam, which consists of 125-150 multiple-choice questions, requires a 700/1,000 passing grade. Candidates must have at least five years of work experience in two or more of the eight domains. A bachelor's or master's degree in computer science, IT or a related field or an additional ISC2-approved credential satisfies up to one year of experience. Part-time work and internships can also count toward experience.

An overview of CISM

ISACA's CISM certifications, also a frequent flyer on job postings for CISOs, CTOs and directors of security and compliance, has occasionally been referred to as a "shadow of CISSP." It is identical in purpose but different in approach.

The CISMexam is transparent in its focus on the role of the information security manager (ISM), a title that translates seamlessly to real-world alternatives, including the coveted CISO position.

The CISM body of knowledge assumes familiarity of basic technology fundamentals, including networking and OS architecture, across the following four domains:

1. Information Security Governance (17%) includes organizational culture; legal, regulatory and contractual requirements; information security strategy development; strategic planning; and more.
2. Information Security Risk Management (20%) includesrisk assessment and analysis, risk and control ownership, risk monitoring and reporting, and more.
3. Information Security Program (33%) includes asset identification and classification; security policies, procedures and guidelines;security awareness and training; and more.
4. Incident Management (30%) includes incident containment methods, business impact analysis, incident eradication and recovery, and more.

CISM test questions rarely require the candidate to recall specific details, unlike CISSP, which is known for its memorization requirements. For example, CISSP might ask what different key sizes are available for AES; CISM does not. CISM success comes in mastering concepts and principles over specifications and details. CISM recognizes constraints, such as budget or resource issues, and focuses on the ideals and principles of how to address those issues.

The exam consists of 150 multiple-choice questions and has a passing grade of 450/800. Candidates must have a minimum of five years of experience within the CISM domains.

CISSP, CISM or both?

I've been teaching CISSP and CISM programs for years. I am asked time and again which credential a candidate should choose if choosing only one. As an advocate for training and education, my rebuttal is to ask, "Do you mean which to pursue first?"

The overlap between the two credentials is incidental; they're less competitive than complementary. CISSP makes agood information security leader in the eyes of the engineers, administrators and technologists who report to that leader; CISM makes a good information security leader in the eyes of executive leadership and the board.

The CISSP and CISM credentials have the following commonalities:

• Risk management focus.Both touch on a concept that those who are purely operational in focus sometimes miss or ignore: Information security programs are risk management programs. As such, the CISSP and CISM curricula view security objectives through the lens of operational and business risk.
• Prerequisites.Both have minimum industry experience requirements, and each requires attestation of competence on the part of others -- a member in good standing for CISSP and previous employer(s) for CISM.
• Benefits. Both are often associated withsix-figure salaries and strong job security. That said, professionals should always view any implications of guaranteed income and employment with healthy skepticism.
• Maintenance requirements. Credential maintenance for both requires a commitment to and documentation of 120 continuing professional education credits per three-year cycle.

The question of which credential to prioritize falls to job seekers and hiring managers. Only they can decide what they are looking for in their career paths and their employees.

For the technologist passionate about gaining deep information security expertise, CISSP might be more appealing. For business-focused professionals who want to be more visible -- and perhaps promotable -- as information security leaders, CISM might serve them well.

In the end, a well-rounded infosec leader would benefit from the knowledge that's represented in the curricula for both certifications.

Mike Pedrick is a vCISO and consultant, advisor, mentor and trainer. He has been on both sides of the IT, IS and GRC consulting/client table for more than 20 years.