Varun's Whiteboard on Technology

Everything is a Puzzle waiting to be solved!

Take the CISSP, CSSLP and CISM exams in quick succession

December 16th, 2009 · 8 Comments · security

2010 has been my year of security certifications. I have been eligible for quite some time now, both in terms of the pre-requisites and expertise, but it was only around mid-2009 that I coaxed myself into attempting various security certifications. Around May I cleared the CISSP and CEH certifications. Last month I cleared the CSSLP exam and this past Saturday I took the CISM exam (I did well and expect to pass).

For me it was just a coincidence, but (1) CISSP, (2) CSSLP and (3) CISM is indeed the best order in which to take the 3 exams, preferably in quick succession. The gap between exams should not be more than 2 months and can be as low as 1 month. CISSP has the broadest scope amongst all 3 certifications. It covers the 10 main domains of information security and is fairly technical in nature, though not very in-depth on each topic. It also has the most study material available in terms of books, official guides and question banks.

CSSLP is the new kid on the block and has very little material available. However, if you have just studied for the CISSP and have the requisite experience in supporting the software development process from a security perspective, it is a breeze to clear the CSSLP. Very little extra study is required and most of the exam questions focus on applying security fundamentals to the domain of software development.

I expected the CISM to be tougher than the CISSP. I do not know how I formed this impression but I was wrong. CISM study topics are almost a proper subset of the CISSP study topics, and for somebody who has studied recently for the CISSP the CISM should be fairly easy to clear. One reason why CISM may be considered equivalent to or better than CISSP by employers might be the experience requirement, which mandates at least 3 years of information security management experience and overall 5 years of information security experience. CISSP requires just 4 years of information security experience for graduates. CISM has a few books, official guides and question banks available, but they are much rarer than CISSP resources because the number of CISM candidates is very low. I could not find a single hard-copy book in any book store in Bangalore. In the end my company’s Books24x7 subscription and a friend’s CISM material from 2007 were what I used to brush up for the CISM exam.

In short, if you plan to take these 3 exams, take all of them in quick succession, with CISSP being the first. If you are well-prepared for the CISSP you are automatically well-prepared for the CSSLP and CISM, and you should exploit this to reduce repeat study for CSSLP and CISM.

8 Comments so far ↓

  • Anderson

    Can you share some CSSLP questions from the top of your mind?

  • William

    I just took my CSSLP. I was a bit worried because more than half of the questions are not straightforward to me. It needs a lot of thinking. The CSSLP book is simply not enough to get me through most of the questions.

    Did you get a score, or number of correct questions from your result? If not, how many questions do you think you got right out of the 150 questions?

    • Varun

      Since I passed the exam I did not get a score. However I am confident I did fairly well and should have scored about ~85%.

  • Bill

    Thanks for the info. Which parts of CISSP study are most relevant for the CSSLP? I’m having a hard time determining if I’m ready for the CSSLP since there are only 3 (!) sample questions available as far as I can tell [in the CSSLP Candidate Information Bulletin]. By all accounts, the assessment questions in the CSSLP Prep Guide are not representative, so I can’t use those as a yardstick. So anything you could share about which parts of CISSP study might be most relevant would be helpful. Thanks.

  • Varun

    I was wrong. CISM is more difficult than CISSP. Not able to pass CISM. I think CISM is management and a bigger perspective as compared to CISSP. I need to correct my basics again.

    :( Thanks

  • saj

    Hi Varun,

    I sat my CISSP today, am nervous about whether I will pass or not but I’ll find out in about 10 days I think. I really wanted to go for the CSSLP. Which areas of the CISSP do you really need to focus on, and if that is combined with the CSSLP study guide that is currently available, how many hours of prep do you think it should take on average?

    Also any idea on where I can get good practice questions for the CSSLP?

    Thanks,

    Saj

  • saj

    Please can I have your thoughts on the CEH, did you self study?

    Any recommendations?

    Thanks,

    Saj