In the first four parts of this series, I describe my preparation for the CISSP exam, writing exam questions, proctoring exams, and writing study guides for two different publishers. My CISSP journey took a second, parallel path when I had the opportunity to earn another certification.
I don’t remember now where I first heard of the CISA certification, but it had to be in 2001, early in the purely-security part of my career. CISA, or Certified Information Systems Auditor, is a certification from ISACA (then known as the Information Systems Audit and Control Association, but now simply known as ISACA). CISA was established in 1978, whereas CISSP is much younger, established in 1994.
My distinct impression in 2001 was that possessing the CISSP and CISA certifications together was a Golden Ticket in the information security industry. I was young and aspired to more significant roles in the business, so I pursued the CISA with vigor.
I am grateful that my employer purchased CISA study materials for me, which consisted of a large question bank, and extensive study materials. While there is considerable overlap between the CISSP and CISA certifications in terms of the domains of required knowledge, I soon learned that the vocabulary of information security was far more extensive than portrayed by CISSP. I especially struggled with the terminology and practices of IS audit, having been audited but not having been an auditor. Still, I was determined to succeed.
I registered for and sat for the CISA exam in June 2002. The exam itself was every bit as difficult as the CISSP examination and was Scantron-based as well. It’s incredible how you can get a cramp in your hand filling in little bubbles, although I think this is in combination with the mental stress that accompanies it.
As with the CISSP exam, I thought I had failed, as the exam questions were tough. However, a month or so later, a letter came in the mail from ISACA telling me that I had passed! I was over the moon and wore the twin monikers CISSP and CISA proudly.
A year later, ISACA released the new Certified Information Security Manager (CISM) certification, and I had an opportunity to earn it through ISACA’s grandfathering process. I thought to myself: I have the CISSP and CISA certifications; why do I need any more? I did not pursue the CISM grandfathering opportunity, a decision I would later regret for almost a decade. I did, eventually, sit for and pass the CISM exam, by the way.
In later years, I would earn more certifications in other topics such as disaster recovery planning, cloud security, privacy, and cardholder security – some grandfathered, some with arduous study and exams.
In Part 6: continuous education and CPE recordkeeping.
In Part 7: paying it forward.