Introduction

If you're preparing to take the Certified Information Security Manager (CISM) exam, you'll undoubtedly want to find as much information as you can about information security and the art of leading and managing security teams. The more information you have at your disposal, the better off you'll be when taking the exam. This study guide was written with that in mind. The goal was to provide enough information to prepare you for the test, but not so much that you'll be overloaded with information that's outside the scope of the exam.

This book presents the material at an intermediate technical level. Experience with and knowledge of security concepts, operating systems, and application systems will help you get a full understanding of the challenges you'll face as a security manager.

I've included review questions at the end of each chapter to give you a taste of what it's like to take the exam. I recommend that you check out these questions first to gauge your level of expertise. You can then use the book mainly to fill in the gaps in your current knowledge. This study guide will help you round out your knowledge base before tackling the exam.

If you can answer 90 percent or more of the review questions correctly for a given chapter, you can feel safe moving on to the next chapter. If you're unable to answer that many correctly, reread the chapter and try the questions again. Your score should improve.

Don't just study the questions and answers! The questions on the actual exam will be different from the practice questions included in this book. The exam is designed to test your knowledge of a concept or objective, so use this book to learn the objectives behind the questions.

The CISM Exam

The CISM exam is designed to be a vendor-neutral certification for cybersecurity managers. ISACA recommends this certification for those who already have technical experience in the information security field and are either already serving in management roles or who want to shift from being an individual contributor into a management role.

The exam covers four major domains:

1. Information Security Governance
2. Information Security Risk Management
3. Information Security Program
4. Incident Management

These four areas include a range of topics, from enterprise risk management to responding to cybersecurity incidents. They focus heavily on scenario-based learning and the role of the information security manager in various scenarios. There's a lot of information that you'll need to learn, but you'll be well rewarded for possessing this credential. ISACA reports that the average salary of CISM credential holders is over $118,000.

The CISM exam includes only standard multiple-choice questions. Each question has four possible answer choices and only one of those answer choices is the correct answer. When you're taking the test, you'll likely find some questions where you think multiple answers might be correct. In those cases, remember that you're looking for the best possible answer to the question!

The exam costs $575 for ISACA members and $760 for nonmembers. More details about the CISM exam and how to take it can be found at:

www.isaca.org/credentialing/cism

You'll have four hours to take the exam and will be asked to answer 150 questions during that time period. Your exam will be scored on a scale ranging from 200 to 800, with a passing score of 450.

ISACA frequently does what is called item seeding, which is the practice of including unscored questions on exams. It does so to gather psychometric data, which is then used when developing new versions of the exam. Before you take the exam, you will be told that your exam may include these unscored questions. So, if you come across a question that does not appear to map to any of the exam objectives-or for that matter, does not appear to belong in the exam-it is likely a seeded question. You never really know whether or not a question is seeded, however, so always make your best effort to answer every question.

Taking the Exam

Once you are fully prepared to take the exam, you can visit the ISACA website to register. Currently, ISACA offers two options for taking the exam: an in-person exam at a testing center and an at-home exam that you take on your own computer through a remote proctoring service.

In-Person Exams

ISACA partners with PSI Exams testing centers, so your next step will be to locate a testing center near you. In the United States, you can do this based on your address or your ZIP code, while non-U.S. test takers may find it easier to enter their city and country. You can search for a test center near you at the PSI Exams website:

https://isacaavailability.psiexams.com

Now that you know where you'd like to take the exam, simply set up a PSI testing account and schedule an exam on their site.

On the day of the test, bring a government-issued identification card or passport that contains your full name (exactly matching the name on your exam registration), your signature, and your photograph. Make sure to show up with plenty of time before the exam starts. Remember that you will not be able to take your notes, electronic devices (including smartphones and watches), or other materials in with you.

At-Home Exams

ISACA began offering online exam proctoring in 2020 in response to the coronavirus pandemic. When this book went to press, the at-home testing option was still available and appears likely to continue. Candidates using this approach will take the exam at their home or office and be proctored over a webcam by a remote proctor.

Due to the rapidly changing nature of the at-home testing experience, candidates wishing to pursue this option should check the ISACA website for the latest details. In fact, checking the ISACA website for exam policy changes is a good idea for all test takers.

After the CISM Exam

Once you have taken the exam, you will be notified of your score immediately, so you'll know if you passed the test right away. You should keep track of your score report with your exam registration records and the email address you used to register for the exam.

Meeting the Experience Requirement

The CISM program is designed to demonstrate that an individual is a qualified information security manager. That requires more than just passing a test-it also requires real hands-on work experience managing cybersecurity teams.

The CISM work experience requirement has two different components:

• You must have five years of information security work experience.
• You must have at least three years of information security management work experience. That work experience must come from at least three of the four CISM domains.

If you're a current information security manager, you may find it easy to meet these requirements. If you've been in the field for five years and have been a manager for at least three of those years, you're probably good to go because your time as an information security manager also counts toward your general information security experience requirement.

There are some waivers available that can knock one or two years off your experience requirement. All of these waivers apply only to the general information security work experience requirement, not the management requirement.

If you hold any of the following credentials, you qualify for a two-year reduction in the experience requirement:

• Certified Information Systems Security Professional (CISSP)
• Certified Information Systems Auditor (CISA)
• Master of Business Administration (MBA) degree
• Master's degree in information security or a related field

One year experience requirement waivers are available for holders of:

• Skill-based or general security certifications (such as the CompTIA Security+ credential)
• Bachelor's degree in information security or a related field
• One full year of general information systems management experience
• One full year of general security management experience

You must have earned all of the experience used toward your requirement within the 10 years preceding your application or within 5 years of the date you pass the exam.

Maintaining Your Certification

Information security is a constantly evolving field with new threats and controls arising regularly. All CISM holders must complete continuing professional education on an annual basis to keep their knowledge current and their skills sharp. The guidelines around continuing professional education are somewhat complicated, but they boil down to two main requirements:

• You must complete 120 hours of credit every three years to remain certified.
• You must have a minimum of 20 hours of credit every year during that cycle.

You must meet both of these requirements. For example, if you earn 120 credit hours during the first year of your certification cycle, you still must earn 20 additional credits in each of the next two years.

Continuing education requirements follow calendar years, and your clock will begin ticking on January 1 of the year after you earn your certification. You are allowed to begin earning credits immediately after you're certified. They'll just...