2010 has been my year of security certifications. I have been eligible for quite some time now, both in terms of the prerequisites and expertise, but it is only around mid-2009 that I coaxed myself into attempting various security certifications. Around May I cleared the CISSP and CEH certifications. Last month I cleared the CSSLP exam, and this past Saturday I took the CISM exam (I did well and expect to pass).
For me it was just a coincidence, but (1) CISSP, (2) CSSLP and (3) CISM is indeed the best order in which to take the 3 exams, preferably in quick succession. The gap between each exam should not be more than 2 months and can be as low as 1 month. CISSP has the broadest scope amongst all 3 certifications. It covers the 10 main domains of information security and is fairly technical in nature, though not very in-depth on each topic. It also has the most study material available in terms of books, official guides and question banks.
CSSLP is the new kid on the block and has very little material available. However, if you have just studied for the CISSP and have the requisite experience in supporting the software development process from a security perspective, it is a breeze to clear the CSSLP. Very little extra study is required, and most of the exam questions focus on applying security fundamentals to the domain of software development.
I expected the CISM to be tougher than the CISSP. I do not know how I formed this impression, but I was wrong. CISM study topics are almost a proper subset of the CISSP study topics, and for somebody who has studied recently for the CISSP the CISM should be fairly easy to clear. One reason why CISM may be considered equivalent to or better than CISSP by employers might be its experience requirement, which mandates at least 3 years of information security management experience and 5 years of information security experience overall. CISSP requires just 4 years of information security experience for graduates. CISM has a few books, official guides and question banks available, but they are much rarer than CISSP resources because the number of CISM candidates is very low. I could not find a single hard-copy book in any book store in Bangalore. In the end, my company’s Books24x7 subscription and a friend’s CISM material from 2007 were what I used to brush up for the CISM exam.
In short, if you plan to take these 3 exams, take all of them in quick succession with the CISSP first. If you are well-prepared for the CISSP you are automatically well-prepared for the CSSLP and CISM, and you should exploit this to reduce repeat study for the CSSLP and CISM.