<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Riskmonkey.net</title>
	<atom:link href="http://www.riskmonkey.net/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.riskmonkey.net</link>
	<description>Making sense of IT Audit, Security &#38; Information Risk</description>
	<lastBuildDate>Sun, 11 Jul 2010 19:25:54 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0</generator>
		<item>
		<title>Should I get CISSP certified?</title>
		<link>http://www.riskmonkey.net/2010/07/should-i-get-cissp-certified/</link>
		<comments>http://www.riskmonkey.net/2010/07/should-i-get-cissp-certified/#comments</comments>
		<pubDate>Thu, 08 Jul 2010 21:32:37 +0000</pubDate>
		<dc:creator>riskmonkey</dc:creator>
				<category><![CDATA[Monkey Say, Monkey Do]]></category>
		<category><![CDATA[CISSP]]></category>
		<category><![CDATA[education]]></category>
		<category><![CDATA[ISC2]]></category>
		<category><![CDATA[jobs and careers]]></category>
		<category><![CDATA[qualifications]]></category>
		<category><![CDATA[recruitment]]></category>

		<guid isPermaLink="false">http://www.riskmonkey.net/?p=409</guid>
		<description><![CDATA[The focus of CISSP is purely Information Security. Having said that, it&#8217;s a big field. However, it is not an auditor-specific qualification so it is complementary to CISA rather than an alternative to it. It&#8217;s a demanding, well thought out, and well managed certification that commands considerable respect, more so than CISA and CISM, and [...]]]></description>
			<content:encoded><![CDATA[<p style="float:right; margin:0 0 10px 15px; width:240px;">
		<img src="http://www.riskmonkey.net/wp-content/uploads/2010/07/3030689_m_6201.jpg" width="240" />
		</p><p><span style="color: #000000;">The focus of CISSP is purely Information Security. Having said that, it&#8217;s a big field. However, it is not an auditor-specific qualification so it is complementary to CISA rather than an alternative to it. It&#8217;s a demanding, well thought out, and well managed certification that commands considerable respect, more so than CISA and CISM, and if you see it as a learning experience rather than a rubber stamp, you&#8217;ll get a huge amount out of it.<br />
</span></p>
<h3><span style="color: #000000;">How can I obtain a CISSP qualification?</span></h3>
<p><span style="color: #000000;">You need to pass an exam and evidence 5 years of relevant experience, then get an endorsement. Sounds straightforward? Perhaps, but the exam is a six-hour marathon consisting of a vast array of intentionally confusing questions covering everything from the obvious to the extremely obscure. The field it covers &#8211; review the CBK or &#8216;common body of knowledge&#8217; maintained by ISC2 &#8211; is vast and detailed.</span></p>
<p><span style="color: #000000;">There are lots of reasons not to do this exam. You can study for ages, but not know whether you know enough to pass. You can know everything, but not like their take on multiple choice questions &#8211; or you can just be a bit too slow. For some, the biggest reason not to do it is the frequently missing sandwiches and water (one distinctly odd and unreasonable requirement is that you are not allowed to bring a bottle of water or snacks into the exam &#8211; so whatever you do, don&#8217;t be diabetic). For others, it&#8217;s the fact that good people do fail.</span></p>
<p><span style="color: #000000;">ISC2 really should look at splitting the syllabus into several 3 hour exams to do it justice. They should also review some of the slightly more unreasonable rules, which add nothing to its integrity.</span></p>
<p><span style="color: #000000;">All in all though, once you&#8217;ve done it you haven&#8217;t proved you&#8217;re a good IT auditor or Information Security practitioner, but you&#8217;ve proved you know your stuff.</span></p>
<p><span style="color: #000000;">The exam is not impossible or unreasonable &#8211; if you know the material you could even say it&#8217;s not particularly difficult &#8211; it just requires you to understand what you&#8217;re doing, as well as know what you&#8217;re doing. As it should, after all.</span></p>
<p><span style="color: #000000;">The experience is easier, if it takes a little longer &#8211; 5 years experience in information security, with 1 year off for a degree. There are no extra years off for other qualifications, but really &#8211; don&#8217;t bother unless you&#8217;ve been doing something relevant for the last five years as you probably won&#8217;t pass the exam anyway.</span></p>
<h4><span style="color: #000000;">What does CISSP cover?</span></h4>
<p><span style="color: #000000;">The syllabus is governed by the ISC2 CISSP CBK &#8211; it&#8217;s a lot of letters to describe a lot of content, and pretty comprehensive. If you&#8217;re a business policy wonk, be prepared to understand the underlying principles of networking and cryptography. If you&#8217;re a network monkey, be prepared to understand business, governance and risk.<br />
</span></p>
<p><span style="color: #000000;">The areas covered are:</span></p>
<ul>
<li><span style="color: #000000;">Access Control</span></li>
<li><span style="color: #000000;">Application Development Security</span></li>
<li><span style="color: #000000;">Business Continuity and Disaster Recovery Planning</span></li>
<li><span style="color: #000000;">Cryptography</span></li>
<li><span style="color: #000000;">Information Security Governance and Risk Management</span></li>
<li><span style="color: #000000;">Legal, Regulations, Investigations and Compliance</span></li>
<li><span style="color: #000000;">Operations Security</span></li>
<li><span style="color: #000000;">Physical (Environmental) Security</span></li>
<li><span style="color: #000000;">Security Architecture and Design</span></li>
<li><span style="color: #000000;">Telecommunications and Network Security</span></li>
</ul>
<h4><span style="color: #000000;">What does CISSP cost?</span></h4>
<p><span style="color: #000000;">The exam is around $400 (assuming you enrol well in advance), but the main cost is training. Unless you&#8217;re supremely confident (or just enjoy resitting exams) it&#8217;s definitely worth investing in a training course. Don&#8217;t accept anything under 5 days, and be sure to do the homework &#8211; a course that long can&#8217;t possibly teach you everything you need to know, so see it as a revision course and read around the syllabus in your weaker areas beforehand.</span></p>
<p><span style="color: #000000;">Be prepared also for travel costs unless you live in a capital city or US state capital, and keep an eye on exam dates as they often get booked up well in advance. You could do a lot worse than to sign up for a course that ends with the exam &#8211; the knowledge will be fresh, even if you might be tired! As for the cost of the course &#8211; expect to pay between £200 ($300) and £400 ($600) a day in fees for most courses, plus VAT or sales tax, along with accommodation and travel costs. To a large extent you get what you pay for, but do your research and ask for referrals from friends or colleagues for course providers and specific tutors &#8211; it makes a big difference to how much you learn.</span></p>
<h4><span style="color: #000000;">How long will CISSP take?</span></h4>
<p><span style="color: #000000;">It varies depending on you and the time you have, but allow at least 3 months from registration to sitting the exam and allocate some time each week to go through each area of the syllabus. If you have IT audit experience, good IT knowledge and a strong background in business, a one week training course followed by the exam may be enough &#8211; but you&#8217;ll be lucky. If there are gaps in your knowledge or you&#8217;re relatively new to the profession (less than 5 years proper experience leading audits or managing an Information security team), you will need more time and might want to consider doing something like CISA or CISM first. You will want to take relevant courses, read up in weak areas, and spend a few months preparing for the exam. If you&#8217;re weaker in one area, as Riskmonkey is (no, I&#8217;m not telling which!) it might be worth doing a course in that area first, or trying to get some on the job experience that covers it to make it easier to understand where the examiners are coming from.</span></p>
<p><span style="color: #000000;">Add several months if you have to resit. If you&#8217;ve done a six hour exam once, you definitely won&#8217;t want to do it three times.</span></p>
<h4><span style="color: #000000;">Do I get letters after my name?</span></h4>
<p><span style="color: #000000;">Yes, you can use the letters CISSP, as long as you keep your certification up to date. The letters are worth a fair bit on the recruitment market, particularly combined with CISA for auditors, or good technical or business qualifications.</span></p>
<h4><span style="color: #000000;">Do I need to do CPD to retain my CISSP qualification?</span></h4>
<p><span style="color: #000000;">Yes. You need 120 CPD points over three years, and at least 20 each year. It&#8217;s quite a lot, and for the privilege of doing this you get to pay an annual $85 fee. However as the alternative is to resit the exam, Riskmonkey recommends the CPD option &#8211; strongly.</span></p>
<h4><span style="color: #000000;">Is CISSP appropriate for me?</span></h4>
<p><span style="color: #000000;">Yes, if you&#8217;re an experienced professional looking to demonstrate confidence and plug any gaps in your knowledge  &#8211;  CISSP is the one &#8216;must have&#8217; IT security qualification, and everyone will learn something be doing it. </span></p>
<p><span style="color: #000000;">No, though, if you&#8217;re new to IT audit or Information Security, even if you already have some IT experience. It&#8217;s the closest there is to a gold standard, but it&#8217;s not easy for beginners. If you&#8217;re new  to Information Security or IT audit or looking to move in that direction  from a relevant IT or operational audit field, forget CISSP for now and  look at CISA or CISM as a qualification you can do straight away. CISSP  just doesn&#8217;t make sense without experience.</span></p>
<h3>How do I get started with a CISSP certification?</h3>
<p>Visit the <a href="https://www.isc2.org/cissp/default.aspx">CISSP pages on the ISC2 web site</a> and enrol.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.riskmonkey.net/2010/07/should-i-get-cissp-certified/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Good auditor or bad auditor &#8211; which are you?</title>
		<link>http://www.riskmonkey.net/2010/07/why-do-we-have-auditors/</link>
		<comments>http://www.riskmonkey.net/2010/07/why-do-we-have-auditors/#comments</comments>
		<pubDate>Mon, 05 Jul 2010 06:04:46 +0000</pubDate>
		<dc:creator>riskmonkey</dc:creator>
				<category><![CDATA[Monkey Say, Monkey Do]]></category>
		<category><![CDATA[jobs and careers]]></category>
		<category><![CDATA[principles of audit]]></category>
		<category><![CDATA[risk]]></category>

		<guid isPermaLink="false">http://www.riskmonkey.net/?p=364</guid>
		<description><![CDATA[All auditors expect clients to question their usefulness. Many auditors question their usefulness. Most would accept that their impact on an organisation is generally quiet and incremental, rather than dramatic. Most of all, when you&#8217;ve been doing &#8211; or putting up with &#8211; a lengthy audit only to find there are no recommendations that management [...]]]></description>
			<content:encoded><![CDATA[<p style="float:right; margin:0 0 10px 15px; width:240px;">
		<img src="http://www.riskmonkey.net/wp-content/uploads/2010/07/rightandwrong_6202.jpg" width="240" />
		</p><p>All auditors expect clients to question their usefulness. Many auditors question their usefulness. Most would accept that their impact on an organisation is generally quiet and incremental, rather than dramatic. Most of all, when you&#8217;ve been doing &#8211; or putting up with &#8211; a lengthy audit only to find there are no recommendations that management are not already aware of, you have to ask whether it&#8217;s time well spent.</p>
<p>Time then to remember what we&#8217;re here for:</p>
<ol>
<li>Ensure that risks are adequately managed to allow the organisation&#8217;s objectives to be achieved</li>
<li>Report to management and the board where risks are not adequately managed</li>
<li>Ensure actions agreed by management are appropriate, are implemented effectively, and actually address the risk</li>
<li>Demonstrate the value of audit and effective risk management</li>
<li>Provide solutions that support the achievement of organisational goals</li>
<li>Provide an independent view and challenge</li>
<li>Identify over-control or ineffective controls that offer an opportunity for improving efficiency</li>
<li>Identify objective, evidenced findings &#8211; and proportionate recommendations</li>
<li>Always say &#8220;what&#8217;s the risk&#8221; before doing anything</li>
<li>Enjoy work (no, seriously!)</li>
</ol>
<p>And what we&#8217;re not here for:</p>
<ol>
<li>Create tick-lists and go through them with interviewees</li>
<li>Tell management what they already know</li>
<li>Record findings &#8216;for the sake of it&#8217; or where the risk does not justify better control</li>
<li>Ignore risk areas because management don&#8217;t want them looked at</li>
<li>Come up with unworkable, inefficient or bureaucratic solutions</li>
<li>Make subjective decisions or &#8216;hold people to account&#8217;</li>
<li>Make life difficult for management</li>
<li>Waste people&#8217;s time with unnecessary queries</li>
<li>Ignore things because we don&#8217;t understand them</li>
<li>Be a policeman</li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://www.riskmonkey.net/2010/07/why-do-we-have-auditors/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Riskmonkey launches Audit Careers Guide</title>
		<link>http://www.riskmonkey.net/2010/07/riskmonkey-launches-audit-careers-guide/</link>
		<comments>http://www.riskmonkey.net/2010/07/riskmonkey-launches-audit-careers-guide/#comments</comments>
		<pubDate>Sun, 04 Jul 2010 22:45:03 +0000</pubDate>
		<dc:creator>riskmonkey</dc:creator>
				<category><![CDATA[Jobs and Careers]]></category>
		<category><![CDATA[News Clippings]]></category>
		<category><![CDATA[audit jobs]]></category>
		<category><![CDATA[jobs and careers]]></category>
		<category><![CDATA[principles of audit]]></category>
		<category><![CDATA[qualifications]]></category>
		<category><![CDATA[recruitment]]></category>

		<guid isPermaLink="false">http://www.riskmonkey.net/?p=391</guid>
		<description><![CDATA[Riskmonkey.net is proud to launch our new audit careers guide. This guide provides step by step advice and guidance for anyone considering a career in internal audit, IT audit, or related fields. The guide is the result of many weeks&#8217; work, compiling the views and experiences of auditors around the globe. Reflecting our focus on [...]]]></description>
			<content:encoded><![CDATA[<p style="float:right; margin:0 0 10px 15px; width:240px;">
		<img src="http://www.riskmonkey.net/wp-content/uploads/2010/07/3125054_m_620.jpg" width="240" />
		</p><p>Riskmonkey.net is proud to launch our new <a href="http://www.riskmonkey.net/information-technology-it-audit-computer-audit-careers-guide/">audit careers guide</a>. This guide provides step by step advice and guidance for anyone considering a career in internal audit, IT audit, or related fields.</p>
<p>The guide is the result of many weeks&#8217; work, compiling the views and experiences of auditors around the globe. Reflecting our focus on information risk, we cover IT audit careers as well as audit jobs and the role of auditors.</p>
<p>15 in-depth articles are brought together to provide an honest and open look at what it really means to be an auditor, and why it matters.</p>
<p>Enjoy the guide &#8211; and let us know what you think!</p>
<h4>Visit the Audit careers guide here:</h4>
<ul>
<li><a href="http://www.riskmonkey.net/information-technology-it-audit-computer-audit-careers-guide/">audit careers guide</a></li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.riskmonkey.net/2010/07/riskmonkey-launches-audit-careers-guide/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Understanding audit and risk</title>
		<link>http://www.riskmonkey.net/2010/07/understanding-audit-risk/</link>
		<comments>http://www.riskmonkey.net/2010/07/understanding-audit-risk/#comments</comments>
		<pubDate>Sun, 04 Jul 2010 17:44:00 +0000</pubDate>
		<dc:creator>riskmonkey</dc:creator>
				<category><![CDATA[Monkey Say, Monkey Do]]></category>
		<category><![CDATA[features]]></category>
		<category><![CDATA[financial risk]]></category>
		<category><![CDATA[independence]]></category>
		<category><![CDATA[information risk]]></category>
		<category><![CDATA[jobs and careers]]></category>
		<category><![CDATA[operational risk]]></category>
		<category><![CDATA[principles of audit]]></category>
		<category><![CDATA[risk]]></category>

		<guid isPermaLink="false">http://www.riskmonkey.net/?p=363</guid>
		<description><![CDATA[Everything we do creates risk. Crossing the street, climbing a mountain, even breathing or drinking a glass of water. It is exactly the same for organisations. All your operations create risk. Your financing creates risk. You operate within a risky external environment. So when you say you make widgets, what you really mean is that [...]]]></description>
			<content:encoded><![CDATA[<p style="float:right; margin:0 0 10px 15px; width:240px;">
		<img src="http://www.riskmonkey.net/wp-content/uploads/2010/07/5014978_m_620.jpg" width="240" />
		</p><p>Everything we do creates risk. Crossing the street, climbing a mountain, even breathing or drinking a glass of water. It is exactly the same for organisations. All your operations create risk. Your financing creates risk. You operate within a risky external environment.</p>
<p>So when you say you make widgets, what you really mean is that you are part of a large unstable macro-economic system that contains a number of organisations like yours, none of which have any guarantee of survival (indeed, the others are out to get you). As part of this system, you put a lot of effort into trying to comply with its rules but you can never be completely sure that you are complying with everything. You borrow money from people, usually shareholders or banks, which you cannot guarantee you will be able to pay back. You buy materials from other companies to make your widgets, or dig them out of the ground. Either way, supply is uncertain and you often have to buy things in different currencies, which means the cost to you is constantly changing. You then have to make your widgets, without getting them wrong or accidentally killing anyone in the process. Even when you&#8217;ve made them, you have to store them, ship them all over the world, and sell them to people you don&#8217;t completely understand and whose desire to buy them also changes constantly. In doing so, you have to make sure you pay taxes and duties, market your product legally, and maintain your reputation and financial stability so your customers and suppliers have confidence in you. You also have to protect your staff, customer and business information from other people who would like to know all the things you need to know to do all this.</p>
<p>Most businesses traditionally focus on one risk in this process &#8211; the risk that you can&#8217;t sell your widgets for more than they cost you to make. This is the most critical risk whatever your industry. Financial Services businesses worry that they can&#8217;t charge their borrowers more than they pay their lenders, allowing for the cost of doing business. Governments worry (at least in theory!) that they can&#8217;t cover the cost of the services they provide through the taxes they collect.</p>
<p>However, as we&#8217;ve illustrated here, managing this risk is not enough. It&#8217;s no good making a widget for £1 and selling it for £2, if the cost of cleaning up that oil-spill, decommissioning that nuclear power plant, paying-out for the employee killed using your machinery, or compensating people for the loss of their data amounts to £1.50 per widget. You&#8217;ve managed the financial risk whilst making a profit, but your exposure to other types of risk has turned that profit into a loss.</p>
<p>So all organisations need to manage their exposure to all the risks that impact on their business. Audit is a part of this process.</p>
<p>The first question is to ask &#8220;What risks do we need to manage?&#8221;. In order to answer that, the organisation needs to know what risks matter, and that means understanding the business and what it is trying to achieve. You then need to manage any risks that might reduce your ability to achieve those objectives. If your aim is to double your profit every 12 months (for example a young consumer brand), you will be very focused on financial risk. If your aim is to reduce the cost of your product by not being subject to changing exchange rates that affect your competitors (such as an airline or oil company), you&#8217;ll focus more on exchange rate and market risk. If you process a lot of information and rely on the confidence of your customers and regulators (for example a bank or credit reference agency) you&#8217;ll need to address operational, security and reputational risk.</p>
<p>Once you know this, the organisation needs effective structures in place to ensure risk is managed. This takes the form of a system of internal control. This means establishing reliable, repeatable, transparent and affordable processes to operate the business that do not rely on trusting any one employee, or for that matter on any one control. Examples are everywhere &#8211; from staff security passes to bank reconciliations and system audit trails &#8211; all of which need implementing, documenting, managing, monitoring, verifying, reporting and updating to respond to a business in constant change.</p>
<p>We can&#8217;t be sure any system or control will work perfectly all the time, so we also need an independent check that risk is managed properly. One that cannot be stamped on by management &#8211; one that provides assurance to shareholders and other stakeholders that risks are properly managed, without their having to rely on senior management to be an effective control. For this reason, we have Audit.</p>
<p>A simple model &#8211; the &#8216;3 lines of defence&#8217; model &#8211; helps explain this. Management controls should be effective &#8211; that&#8217;s the first line of control. In case they are not, there should be monitoring and verification processes, for example risk management and compliance functions &#8211; that&#8217;s the second line. Management should be able to rely on first line controls and the board should be able to rely on second line controls as a check on management. Together these controls should manage business risk. To make sure they do this effectively and consistently, you have Internal Audit who operate independently of management and report findings to the board or audit committee. There are then external auditors, normally focussed on financial risk, who are accountable directly to shareholders or other external stakeholders and therefore also (semi)independent of the board. They will also review the work of internal audit. Auditors therefore form the third line of control.</p>
<p>That&#8217;s why internal audit must be as independent as possible &#8211; it must be willing to say things that management find uncomfortable. Yet it is part of the organisation and must be sensitive to its objectives. After all, even auditors are there to help ensure these objectives are achieved.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.riskmonkey.net/2010/07/understanding-audit-risk/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What do auditors really do?</title>
		<link>http://www.riskmonkey.net/2010/07/what-do-auditors-do-all-day/</link>
		<comments>http://www.riskmonkey.net/2010/07/what-do-auditors-do-all-day/#comments</comments>
		<pubDate>Thu, 01 Jul 2010 13:11:06 +0000</pubDate>
		<dc:creator>riskmonkey</dc:creator>
				<category><![CDATA[Monkey Say, Monkey Do]]></category>
		<category><![CDATA[jobs and careers]]></category>
		<category><![CDATA[recruitment]]></category>

		<guid isPermaLink="false">http://www.riskmonkey.net/?p=357</guid>
		<description><![CDATA[If you&#8217;ve ever sat at your desk wondering what exactly the bunch of outsiders hanging out in the audit room find to do with their time, or if you&#8217;re thinking of a career in audit but just can&#8217;t figure out what you will actually be doing all day, this is the article for you. Here is [...]]]></description>
			<content:encoded><![CDATA[<p style="float:right; margin:0 0 10px 15px; width:240px;">
		<img src="http://www.riskmonkey.net/wp-content/uploads/2010/07/3920795_m_620.jpg" width="240" />
		</p><p>If you&#8217;ve ever sat at your desk wondering what exactly the bunch of outsiders hanging out in the audit room find to do with their time, or if you&#8217;re thinking of a career in audit but just can&#8217;t figure out what you will actually be doing all day, this is the article for you.</p>
<h4>Here is riskmonkey&#8217;s list of the top ten day-to-day tasks auditors undertake:</h4>
<ol>
<li>Planning audits. This means reviewing files, researching the company, reading board minutes, accounts, and news articles &#8211; trying to gain an understanding of where the company is at the time of the audit, and also so that during the audit you can assess its plans, direction and risks, and consider whether its IT infrastructure and strategy are fit for purpose.</li>
<li>Arranging meetings. Harder than it sounds, arranging audits, planning meetings, liaising with clients and management.</li>
<li>Holding meetings. For most operational staff being audited, this is the visible bit. Auditors hold meetings with relevant staff to understand systems, processes and controls and to obtain evidence to support their operation.</li>
<li>Writing notes. Everything must be documented. That means plenty of paperwork &#8211; at least 70% of the total time. Writing up meetings, writing up fieldwork and testing, referencing files, copying documentary evidence, writing audit reports, and preparing files for review.</li>
<li>Closing audits &#8211; holding &#8216;exit meetings&#8217; to go through findings with management, and dealing with audit file review points.</li>
<li>Interrogating systems and data analysis &#8211; interviews in other words, but with machines rather than people. This is generally IT auditors, or possibly general auditors using CAATs &#8211; Computer Assisted Audit Techniques.</li>
<li>Management &#8211; communicating with client, planning future audits, reviewing files and other such tasks.</li>
<li>Learning &#8211; undertaking training, either formal or informal. Also learning &#8216;on the job&#8217; with someone more experienced, or bringing a more junior colleague up to speed.</li>
<li>Reporting &#8211; the key deliverable for auditors is a report which normally goes to the board audit committee. First there is a draft report, for discussion with management. Responses from management, setting out what action they intend to take, are then incorporated into a final report.</li>
<li>Travelling &#8211; auditors often do more than most. Unless you work for a large centralised company, auditors often have to travel nationally and internationally to visit clients and conduct fieldwork.</li>
</ol>
<p>One thing underlies all this &#8211; it&#8217;s all about producing evidenced, objective findings and communicating them effectively and constructively to both audit management and the client.</p>
<p>There is something in audit for everyone, but no-one would pretend that every task will have you rooted to the edge of your seat. If you enjoy communicating, think before acting, and don&#8217;t mind being organised, there should be nothing in this list to surprise you.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.riskmonkey.net/2010/07/what-do-auditors-do-all-day/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Move on up: top tips for salary and career progression</title>
		<link>http://www.riskmonkey.net/2010/06/move-on-up-top-tips-for-salary-and-career-progression/</link>
		<comments>http://www.riskmonkey.net/2010/06/move-on-up-top-tips-for-salary-and-career-progression/#comments</comments>
		<pubDate>Tue, 29 Jun 2010 19:15:31 +0000</pubDate>
		<dc:creator>riskmonkey</dc:creator>
				<category><![CDATA[Monkey Say, Monkey Do]]></category>
		<category><![CDATA[jobs and careers]]></category>

		<guid isPermaLink="false">http://www.riskmonkey.net/?p=342</guid>
		<description><![CDATA[Riskmonkey is increasingly asked how to increase your salary as an IT auditor, information security expert or IT assurance professional. Here are some top tips: Increase your value to your current employer. Demonstrate your value (which is entirely different from just doing a good job). When were you last in the company newsletter? When [...]]]></description>
			<content:encoded><![CDATA[<p style="float:right; margin:0 0 10px 15px; width:240px;">
		<img src="http://www.riskmonkey.net/wp-content/uploads/2010/06/3115097_m.jpg" width="240" />
		</p><p>Riskmonkey is increasingly asked how to increase your salary as an IT auditor, information security expert or IT assurance professional.</p>
<p>Here are some top tips:</p>
<ul>
<li>Increase your value to your current employer.<br />
Demonstrate your value (which is entirely different from just doing a good job). When were you last in the company newsletter? When did your clients last tell your boss how good you are? When did you last bring a job in under-budget? When did you go out of your way to share your expertise with others in your team?</li>
<li>Increase your value to prospective employers.<br />
Get your employer to sponsor you to do relevant certifications, and if they won&#8217;t, dig into your wallet or collect coins from the street until you can do it yourself. Then tell your employer.</li>
<li>Build your reputation.<br />
Get well known. Write for industry publications, attend professional seminars, do presentations, be a name. Don&#8217;t write a blog, that&#8217;s stupid. Riskmonkey knows it doesn&#8217;t help at all.</li>
<li>Build your skills.<br />
Ask where you are seen to be weak and take on responsibilities that will help you improve. If you&#8217;re bad at firewall auditing, ask to do firewall reviews. If you&#8217;re bad at report writing, ask to write some as well. If you&#8217;re bad at presentations, do one on a topic you are confident in. If you don&#8217;t like that idea, do a training course.</li>
<li>Focus on career development, not salary.<br />
Riskmonkey&#8217;s company had no pay rises this year, but he&#8217;s been promoted twice, which increases salary and moves your career forward. Take up opportunities, and if you&#8217;re not sure, at least find out more. Who knows what move might be right?</li>
<li>Ask.<br />
It sounds obvious, but if you don&#8217;t ask, why should they offer? If they say no, don&#8217;t forget to ask why not; you might learn something useful about yourself, or about the company. Many people never ask.</li>
<li>Leave.<br />
Surprisingly, the average pay boost from changing employers is not much over 5%, so think carefully &#8211; it&#8217;s a big upheaval, but if you&#8217;re not valued and can do better elsewhere, maybe it&#8217;s time to knock out those tent pegs and move on?</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.riskmonkey.net/2010/06/move-on-up-top-tips-for-salary-and-career-progression/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Top qualities for a good IT auditor</title>
		<link>http://www.riskmonkey.net/2010/06/what-qualities-are-needed-to-be-a-good-it-auditor/</link>
		<comments>http://www.riskmonkey.net/2010/06/what-qualities-are-needed-to-be-a-good-it-auditor/#comments</comments>
		<pubDate>Tue, 29 Jun 2010 18:52:47 +0000</pubDate>
		<dc:creator>riskmonkey</dc:creator>
				<category><![CDATA[Monkey Say, Monkey Do]]></category>
		<category><![CDATA[jobs and careers]]></category>
		<category><![CDATA[recruitment]]></category>

		<guid isPermaLink="false">http://www.riskmonkey.net/?p=333</guid>
		<description><![CDATA[Training and experience are well and good, but the truth is some people are just not cut out for professional audit and security roles. Others take years to realise that it&#8217;s the perfect fit for them. Here riskmonkey looks at the top personality traits that help or hinder, and asks what auditors can do [...]]]></description>
			<content:encoded><![CDATA[<p style="float:right; margin:0 0 10px 15px; width:240px;">
		<img src="http://www.riskmonkey.net/wp-content/uploads/2010/06/259567_m_620.jpg" width="240" />
		</p><p>Training and experience are well and good, but the truth is some people are just not cut out for professional audit and security roles. Others take years to realise that it&#8217;s the perfect fit for them. Here <a href="http://www.riskmonkey.net">riskmonkey</a> looks at the top personality traits that help or hinder, and asks what auditors can do to address them.</p>
<ol>
<li>An enquiring and observant mind.<br />
If you&#8217;re someone who asks &#8216;why&#8217; to everything, you have great potential. The key to good audit is not to take a checklist and tick it off, but to understand the environment in which the entity operates and ask enquiring questions, such as &#8216;what would happen if&#8230;&#8217; or &#8216;why didn&#8217;t they&#8230;&#8217;. That means asking questions about people as well as technology. If on the other hand your auditor never asks the key questions &#8211; how, why, who, when (and where&#8217;s the evidence!) &#8211; they will find only what management gives them to find. That&#8217;s not much use to anyone.</li>
<li>Attention to detail.<br />
It&#8217;s all well and good to understand the big picture, but you also need to be able to grind through the intricacies of firewall configurations or project technical specifications. It&#8217;s not always interesting, but you can&#8217;t afford to neglect the smallest detail until you understand it, and you&#8217;re happy there&#8217;s no risk exposure arising from it.</li>
<li>Business acumen.<br />
&#8216;You must be joking!&#8217; I hear you say. &#8216;Auditors don&#8217;t understand business, they try to stop it!&#8217;. Not true. Firstly, you need to have a real feel for the business in order to assess risks accurately and consider controls in the context of the environment in which they exist. Secondly.</li>
<li>Confidence.<br />
You&#8217;re only as good as your client thinks you are. If you don&#8217;t look, talk, and act like you know what you&#8217;re doing, you don&#8217;t know what you&#8217;re doing. Whether you&#8217;re interviewing operational staff or negotiating with your client&#8217;s Chief Executive, you need to have confidence &#8211; in your team, in your work, but mostly in yourself.</li>
<li>Optimism.<br />
Surprised? Don&#8217;t be. Do be a cynic, absolutely be sceptical, always be someone who says trust comes easily when you don&#8217;t need to rely on it, and with difficulty when you do. Just don&#8217;t be a pessimist, please. It does no good to go in assuming nothing will work, assuming controls will not be implemented, waiting for the worst and finding it everywhere. Be someone who looks objectively with an open mind &#8211; and comes up with a positive, optimistic solution that gives the client a push forward, not a push over the edge. Plus, who would you rather work with or have working for you &#8211; the auditor who says it&#8217;s going to rain, or the auditor who hopes for sun, but brings an umbrella just in case?</li>
<li>An interest in technology, as well as people.<br />
The five points above fit just as well for all assurance roles. An active interest in IT is the differentiator. If you just think financial or operational audit is boring, think IT audit is better paid, or have romantic dreams about <a href="http://www.imdb.com/title/tt0113243/">&#8216;hackers&#8217; and Angelina Jolie</a>, forget it today and try something easier, like operational management or grounds maintenance (depending what takes your fancy). IT assurance or security roles are not for you unless you&#8217;re actually interested in things with plugs that go &#8216;beep&#8217;.<br />
You don&#8217;t need to have been a teenage hacker, think online gaming is more fun than a trip to the pub, or count sheep in binary when you&#8217;re trying to go to sleep (admittedly Riskmonkey has had a passable go at all three, but then I&#8217;m geek enough to write this stuff in my spare time). However, if you&#8217;ve come this far and only gained a basic understanding of Microsoft Office, all the training in the world won&#8217;t make you interested enough. If on the other hand you can only converse with another human being in machine code and think B.O. is something that only affects people who are daft enough to wash, maybe it&#8217;s time to take more of an interest in the people side?</li>
</ol>
<p>This list is of course inherently subjective, and if you don&#8217;t have these qualities you may well have others that are worth just as much. Qualities you don&#8217;t have in abundance can always be worked on and improved. However, if you&#8217;re an uninterested, unfocussed pessimist with a low sense of self worth, audit might not be the career for you!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.riskmonkey.net/2010/06/what-qualities-are-needed-to-be-a-good-it-auditor/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>webmail: enterprise security disaster?</title>
		<link>http://www.riskmonkey.net/2010/06/webmail-enterprise-security-disaster/</link>
		<comments>http://www.riskmonkey.net/2010/06/webmail-enterprise-security-disaster/#comments</comments>
		<pubDate>Sun, 27 Jun 2010 18:06:00 +0000</pubDate>
		<dc:creator>riskmonkey</dc:creator>
				<category><![CDATA[Monkey Say, Monkey Do]]></category>
		<category><![CDATA[cloud computing]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[features]]></category>
		<category><![CDATA[Google Apps]]></category>
		<category><![CDATA[hosted apps]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Outlook Web Access]]></category>

		<guid isPermaLink="false">http://www.riskmonkey.net/?p=312</guid>
		<description><![CDATA[Hosted applications are revolutionising the world. The way forward is remotely hosted applications, accessible from anywhere. Or even locally hosted applications accessible from anywhere. There is a touch of hyperbole (and perhaps a bit of bandwagon-jumping) to this statement, although on balance Riskmonkey agrees. Riskmonkey.net is a devotee of Google Apps, web hosting in shared [...]]]></description>
			<content:encoded><![CDATA[<p style="float:right; margin:0 0 10px 15px; width:240px;">
		<img src="http://www.riskmonkey.net/wp-content/uploads/2010/06/4117016_m_620.jpg" width="240" />
		</p><p>Hosted applications are revolutionising the world. The way forward is remotely hosted applications, accessible from anywhere. Or even locally hosted applications accessible from anywhere. There is a touch of hyperbole (and perhaps a bit of bandwagon-jumping) to this statement, although on balance Riskmonkey agrees.</p>
<p><a href="http://www.riskmonkey.net">Riskmonkey.net</a> is a devotee of Google Apps, web hosting in shared data centres, and yes &#8211; you&#8217;ve guessed it &#8211; <a href="http://wordpress.org/">wordpress</a>. The bottom line is, there is no point doing something yourself if someone else can do it (or has already done it) much better and at a lower cost. RM is sat in a coffee shop on a Sunday afternoon typing into a web site hosted in Sheffield and using email hosted in the United States, using 3G provided by a German company&#8217;s British subsidiary. Putting to one side for now the data protection issues (perhaps a subject for a future post), the security problem here is the word &#8216;anywhere&#8217;.</p>
<p>My email, my web site, my documents &#8211; all accessible from any computer or mobile device anywhere in the world. Public library computer, airport lounge terminal, railway station hot-spot, android mobile or iPhone, hotel reception or space station(1) &#8211; no problem. Therein lies the problem.</p>
<div id="attachment_321" class="wp-caption alignright" style="width: 276px"><a href="http://www.riskmonkey.net/wp-content/uploads/2010/06/669411_s.jpg"><img class="size-full wp-image-321" title="man using laptop in cafe" src="http://www.riskmonkey.net/wp-content/uploads/2010/06/669411_s.jpg" alt="man using webmail in cafe" width="266" height="400" /></a><p class="wp-caption-text">Catching up on urgent emails.... or downloading 10,000 confidential customer records?</p></div>
<p>When applications are available anywhere so is data, and the main culprit in most organisations is email. Specifically tools such as the rightly maligned Microsoft Outlook Web Access, but Google Apps carries exactly the same risk: as you no longer control the access device, any data accessed may be cached or downloaded to the local machine. Once there, you have no way of detecting it, controlling it, or removing it.</p>
<p>What can you do about it? Unfortunately, the answer is often: not as much as you would need to in order to address the risk adequately. High risk organisations &#8211; those with lots of personal data in circulation &#8211; should simply ban it outright or restrict it to use over a corporate VPN.</p>
<p>For others, assuming you are satisfied with the security of the application itself and the data in transit between the webmail interface and the supporting Microsoft Exchange server or mail server (and if you&#8217;ve implemented it, you ought to be!):</p>
<h4>Here are our top 12 actions you <em>can</em> take to limit the risk of data being transferred to an uncontrolled local machine or network via your web based email solution:</h4>
<ol>
<li>Restrict by IP address. If you know where people need access (and there is a static IP address for those locations) tie down access to pre-approved IP addresses</li>
<li>Prohibit file download via webmail to any client not on the corporate network (if your solution allows for this)</li>
<li>Provide staff with privacy screens that narrow the viewing angle of a laptop monitor, so data on screen cannot be read from the side</li>
<li>Prohibit access via known public access points (such as BT Openzone) and unsecured wifi connections</li>
<li>Restrict access from abroad using IP address &#8211; not perfect, but if your staff never go further abroad than the next county, they don&#8217;t need access from Thailand or India.</li>
<li>Provide preferred alternatives, such as controlled Blackberry devices</li>
<li>Subject webmail to higher levels of monitoring and lower attachment size limits</li>
<li>Restrict access to webmail to users with a requirement for it. Outlook Web Access, for example, can be granted on an individual or AD-group basis.</li>
<li>Establish a documented approval process for staff requesting access, including a requirement for staff to sign to say they understand they are responsible for how they use the service</li>
<li>Introduce mandatory training, for example computer-based training (CBT), for staff using webmail. This could include all aspects of security &#8211; access in public areas, avoiding CCTV, risks of shoulder-surfing, not storing emails or attachments on the local machine, and not uploading files from the local machine.</li>
<li>Keep detailed logs, including attempts to download files or large volumes of email, and let staff know logs and usage are closely monitored</li>
<li>Remove access promptly when no longer required, and audit usage every 3 months to check it is being used. Remove the permission if it is not.</li>
</ol>
<p>Some of the risks are none too obvious but are still potentially critical flaws. For example, if you monitor email traffic you may pick up on an email being sent with a suspect attachment, or at least have logs to refer to should you need to investigate an incident. However, you might not pick up an email with a data file being put in a &#8216;drafts&#8217; folder in a user&#8217;s mailbox in the office, for later download from the drafts folder to a computer outside the control of the corporate network using webmail &#8211; just one easy way for malicious users to bypass corporate network security and email monitoring controls to extract restricted data.</p>
<p>Even after all this though, there really is no security guarantee with remotely accessible email, unless it is accessed via a VPN solution such as Citrix &#8211; which means that Riskmonkey&#8217;s preferred solution is still to allow access to email only via approved devices.</p>
<p>Disclaimer:</p>
<p>(1) Riskmonkey has never actually written a post from a space station, but would be happy to try if anyone is offering a free ride to the ISS.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.riskmonkey.net/2010/06/webmail-enterprise-security-disaster/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Should I become a Prince 2 Practitioner?</title>
		<link>http://www.riskmonkey.net/2010/06/should-i-become-prince-2-practitioner-project-managemen/</link>
		<comments>http://www.riskmonkey.net/2010/06/should-i-become-prince-2-practitioner-project-managemen/#comments</comments>
		<pubDate>Thu, 24 Jun 2010 21:34:44 +0000</pubDate>
		<dc:creator>riskmonkey</dc:creator>
				<category><![CDATA[Monkey Say, Monkey Do]]></category>
		<category><![CDATA[education]]></category>
		<category><![CDATA[Prince 2]]></category>
		<category><![CDATA[qualifications]]></category>

		<guid isPermaLink="false">http://www.riskmonkey.net/?p=174</guid>
		<description><![CDATA[Prince 2 is a project management methodology. It was established by the UK government, and whilst there&#8217;s not a lot of evidence that they are any good at project management &#8211; and plenty of evidence to suggest they are rather bad at IT project management &#8211; the methodology itself has been picked up by the [...]]]></description>
			<content:encoded><![CDATA[<p style="float:right; margin:0 0 10px 15px; width:240px;">
		<img src="http://www.riskmonkey.net/wp-content/uploads/2010/06/5767073_m_620.jpg" width="240" />
		</p><p>Prince 2 is a project management methodology. It was established by the UK government, and whilst there&#8217;s not a lot of evidence that they are any good at project management &#8211; and plenty of evidence to suggest they are rather bad at IT project management &#8211; the methodology itself has been picked up by the private sector as a thorough approach to managing a project in a controlled way. Relatively few organisations apply it &#8216;by the book&#8217; &#8211; most will adapt it to their own needs and risk profile.</p>
<h3>How can I become a Prince 2 Practitioner?</h3>
<p>You will need to undertake a course, normally around 5 days long, and two multiple choice exams. The first, Prince 2 Foundation, is fairly straightforward, closed book, and most course providers run this on the afternoon of the second day or the morning of the third day of the course.</p>
<p>The second exam, Prince 2 Practitioner, requires you to stay awake and pay attention all week whether you have prior project management experience or not. You&#8217;re allowed to take the manual into the second exam, but it won&#8217;t help much as there is a time limit. The best exam tip is to make sure you know exactly where everything is in the manual, so if you have time at the end you can go through the questions you&#8217;re not sure about with the manual to hand.</p>
<h4>What does Prince 2 cover?</h4>
<p>The syllabus is based on the manual produced by the Office of Government Commerce (OGC), and is designed to enable you to manage a project using a defined methodology. As a result, it doesn&#8217;t cover other approaches to project management. The other point to note is that whilst it will explain the process, it doesn&#8217;t provide any challenge or help you assess its appropriateness or applicability in your organisation or project.</p>
<h4>What does it cost?</h4>
<p>The fees are set by course providers &#8211; in the UK, expect to pay anything from £600 to £2,000, including the manual and exam fee. You can, in theory, take the exam directly. It&#8217;s more expensive though, and no-one does. To make sure you get value for money, ask around to find the good trainers and course providers in your area. Whilst it&#8217;s not cheap, pass rates are fairly good and arrangements can be made to resit.</p>
<h4>How long will it take?</h4>
<p>Generally a week. If you&#8217;re not familiar with project management, it&#8217;s a good idea to spend some time getting familiar with the approach first.</p>
<h4>Do I get letters after my name?</h4>
<p>You can call yourself a &#8216;Prince 2 Practitioner&#8217;. That&#8217;s quite a lot of letters though, so it&#8217;s one for the CV rather than the business card.</p>
<h4>Do I need to do CPD?</h4>
<p>No. The certification is valid for five years, after which you need to sit an update exam. Usually, this is done as part of a short refresher course.</p>
<h4>Is it for me?</h4>
<p>If you audit projects run along fairly traditional lines or in a bureaucratic manner, it&#8217;s the most appropriate project management certificate. If you audit public sector projects in the UK, it&#8217;s a no-brainer. If, however, you spend your time with software development teams who use words like &#8216;agile development&#8217; and &#8216;extreme programming&#8217;, you&#8217;ll find it hard to apply in any meaningful way. If you&#8217;re not sure what approach your organisation takes, speak to the project managers and ask them if their methodology is based on or developed from Prince 2. If the answer is yes, Prince 2 Practitioner will raise your credibility and help you understand their approach.</p>
<h3>How do I get started with Prince 2 Practitioner?</h3>
<p>Visit the <a href="http://www.apmg-international.com/APMG-UK/PRINCE2/PRINCE2Home.asp">APM group web site to find out more about Prince 2</a>, or do a web search for training courses near you.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.riskmonkey.net/2010/06/should-i-become-prince-2-practitioner-project-managemen/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>CISM (Certified Information Security Manager)</title>
		<link>http://www.riskmonkey.net/2010/06/cism-certified-information-security-manager/</link>
		<comments>http://www.riskmonkey.net/2010/06/cism-certified-information-security-manager/#comments</comments>
		<pubDate>Wed, 23 Jun 2010 22:48:33 +0000</pubDate>
		<dc:creator>riskmonkey</dc:creator>
				<category><![CDATA[Qualifications and Accreditations]]></category>
		<category><![CDATA[CISM]]></category>
		<category><![CDATA[ISACA]]></category>

		<guid isPermaLink="false">http://www.riskmonkey.net/?p=299</guid>
		<description><![CDATA[The Certified Information Security Manager (CISM) qualification is provided by ISACA, and roughly on a par with its CISA IT audit qualification. It is a certification for IT managers, and like CISA tries to strike a balance between technical IT knowledge and business understanding, with a focus on information risk management, information security governance, incident [...]]]></description>
			<content:encoded><![CDATA[<p style="float:right; margin:0 0 10px 15px; width:240px;">
		<img src="http://www.riskmonkey.net/wp-content/uploads/2010/06/audit_resource5.jpg" width="240" />
		</p><p>The Certified Information Security Manager (CISM) qualification is provided by ISACA, and roughly on a par with its <a href="http://www.riskmonkey.net/2010/06/cisa-certified-information-systems-auditor/">CISA IT audit qualification</a>. It is a certification for IT managers, and like CISA tries to strike a balance between technical IT knowledge and business understanding, with a focus on information risk management, information security governance, incident management, and developing and managing an information security program. It requires a four hour multiple choice exam and five years of relevant experience in an information security management role, although part of this can be waived for other relevant experience. Holders can use the post-nominal letters &#8216;CISM&#8217;, and their status can be verified on ISACA&#8217;s web site.</p>
<p>More information:</p>
<ul>
<li><a href="http://www.isaca.org/CERTIFICATION/CISA-CERTIFIED-INFORMATION-SYSTEMS-AUDITOR/Pages/default.aspx">Information from ISACA</a></li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.riskmonkey.net/2010/06/cism-certified-information-security-manager/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
