Varun's Whiteboard on Technology

Everything is a Puzzle waiting to be solved!


Take the CISSP, CSSLP and CISM exams in quick succession

December 16th, 2009 · 18 Comments · security

2010 has been my year of security certifications. I have been eligible for quite some time now, both in terms of the prerequisites and expertise, but it is only around mid-2009 that I coaxed myself into attempting various security certifications. Around May I cleared the CISSP and CEH certifications. Last month I cleared the CSSLP exam, and this past Saturday I took the CISM exam (I did well and expect to pass).

For me it was just a coincidence, but (1) CISSP, (2) CSSLP and (3) CISM is indeed the best order in which to take the 3 exams, preferably in quick succession. The gap between each exam should not be more than 2 months and can be as low as 1 month. CISSP has the broadest scope amongst all 3 certifications. It covers the 10 main domains of information security and is fairly technical in nature, though not very in-depth on each topic. It also has the most study material available in terms of books, official guides and question banks.

CSSLP is the new kid on the block and has very little material available. However, if you have just studied for the CISSP and have the requisite experience in supporting the software development process from a security perspective, it is a breeze to clear the CSSLP. Very little extra study is required, and most of the exam questions focus on applying security fundamentals to the domain of software development.

I expected the CISM to be tougher than the CISSP. I do not know how I formed this impression, but I was wrong. CISM study topics are almost a proper subset of the CISSP study topics, and for somebody who has studied recently for the CISSP the CISM should be fairly easy to clear. One reason why CISM may be considered equivalent to or better than CISSP by employers might be the experience requirement, which mandates at least 3 years of information security management experience and 5 years of information security experience overall. CISSP requires just 4 years of information security experience for graduates. CISM has a few books, official guides and question banks available, but they are much rarer than CISSP resources because the number of CISM candidates is very low. I could not find a single hard-copy book in any book store in Bangalore. In the end my company’s Books24x7 subscription and a friend’s CISM material from 2007 were what I used to brush up for the CISM exam.

In short, if you plan to take these 3 exams, take all of them in quick succession with CISSP first. If you are well-prepared for the CISSP you are automatically well-prepared for the CSSLP and CISM, and you should exploit this to reduce repeat study for the CSSLP and CISM.


18 Comments

  • Anderson

    Can you share some CSSLP questions from top of your mind?

  • William

    I just took my CSSLP. I was a bit worried because more than half of the questions were not straightforward to me. It needs a lot of thinking. The CSSLP book is simply not enough to get me through most of the questions.

    Did you get a score, or the number of correct questions, from your result? If not, how many questions do you think you got right out of the 150 questions?

    • Varun

      Since I passed the exam I did not get a score. However I am confident I did fairly well and should have scored about ~85%.

  • Bill

    Thanks for the info. Which parts of CISSP study are most relevant for the CSSLP? I’m having a hard time determining if I’m ready for the CSSLP since there’s only 3 (!) samples questions available as far as I can tell [in the CSSLP Candidate Information Bulletin]. By all accounts, the assessment questions in the CSSLP Prep Guide are not representative, so I can’t use those as a yardstick. So anything you could share about which parts of CISSP study might be most relevant would be helpful. Thanks.

  • Varun

    I was wrong. CISM is more difficult than CISSP. Not able to pass CISM. I think CISM has a management and bigger perspective as compared to CISSP. I need to correct my basics again.

    :( Thanks

  • saj

    Hi Varun,

    I sat my CISSP today. I am nervous about whether I will pass or not, but I’ll find out in about 10 days I think. I really wanted to go for the CSSLP. Which areas of the CISSP do you really need to focus on, and if that is combined with the CSSLP study guide that is currently available, how many hours of prep do you think it should take on average?

    Also any idea on where I can get good practice questions for the CSSLP?

    Thanks,

    Saj

    • Varun

      Usually a security professional is proficient in only 3-4 domains of the CISSP CBK. Thus the exam taker should focus on those domains in which he has the least experience and knowledge. This will be different for different people.

      If the CISSP domains are fresh in your mind I would say you need about 40-50 hours at the most to prepare for the CSSLP. Because I have done a lot of work in application security I found it much easier to prepare for the CSSLP after my CISSP exam.

  • saj

    Please can I have your thoughts on the CEH? Did you self-study?

    Any recommendations?

    Thanks,

    Saj

    • Varun

      Yes, I studied on my own. Because I have significant experience in network and application vulnerability assessments, I did not consider it necessary to undergo the 5-day CEH training course.

      CEH is very networking-centric (though that is changing). Also, if you have actually conducted network vulnerability assessments, it is quite easy to clear the exam.

    • Varun

      CEH :( it is a pure waste of money and time. No results.

  • BMZ

    I am planning for CISSP, CSSLP, RPM, CEH. Where should I begin?
    I am already an IRCA Lead Auditor for ISO 27001, 9001, 20000. I also have CompTIA Security+, MCSecDes, OCDBA, MCTS, PMP.

    • Varun

      The best is to start from your home every morning. :) Don’t do any other certificate. First try to analyse what you gained from the older ones. I am sure the result will be 0 or at most 4-5%.

  • vaishraj

    Varun,

    I am planning for CSSLP first and then CISSP, as the bulk of my experience falls into the application development area. What is your thought on this, and are there any issues/pitfalls with the CSSLP-first-and-then-CISSP scenario?

    Thanks

    • Varun

      I would suggest you don’t go for any of those. They are just not helpful in getting you career progression. Run for perfection, not for success. If you have perfection, success will follow you.

      – Varun

  • vaishraj

    Varun,

    Bit confused. So, you say CISSP and CSSLP have no value in getting into a security-related job? My thoughts were that they are good to start with. I may be wrong. Any comments?

    Thanks

  • VarunPandey

    Hi Varun,

    I am preparing for CISSP. Can you please suggest various sources which I should consider to evaluate myself, i.e. practice exams?

  • danish

    Are you planning for CISM again?
