CISSP For Dummies 7th edition Published

The latest edition of CISSP For Dummies, the 7th edition, is now available from Amazon, Barnes & Noble, Walmart, Target, and other booksellers.

Co-author Lawrence Miller and I completed this latest revision early in 2022. This revision covers the new CISSP Common Body of Knowledge that was updated in 2021. In addition to updates reflecting changes in the CBK, numerous other changes were made, reflecting advances and changes in cybersecurity practices, risks, threats, and regulations.

The publication of this 7th edition is a celebration of TWENTY YEARS of CISSP For Dummies. Larry and I wrote the first edition of CISSP For Dummies in 2002.

CISSP For Dummies is the only CISSP study guide approved by (ISC)2, the organization that manages the CISSP certification worldwide. This is a testimony to the quality and completeness that only CISSP For Dummies provides to security professionals who aspire to earn this prestigious certification.

Clément Dupuis

This announcement would be incomplete without a grateful shoutout to Clément Dupuis, founder of CCCure, the well-known training organization for technology professionals. Clément passed in 2021, but not before providing valuable research material to Larry and me as we created this edition of the book.

The Unexpected Burden of Multiple Certifications

Those who have been in any information technology profession for a few years or more are witness to the practice of professional certifications. They function as a badge of achievement as well as a badge of access to further professional opportunities.

Many IT professional certifications have continuing education requirements. Organizations such as ISACA, (ISC)2, IAPP, the PCI Security Standards Council, and others require certificate holders to adopt a continuous learning lifestyle through periodic training and other learning opportunities. These and other organizations require that certificate holders document their CPEs (continuing professional education) with the certification body; occasional audits of documented CPEs keep certification holders honest.

ISACA’s CPE policy requires that a certification holder complete 120 hours of training during a three-year certification cycle. This comes to 40 hours per year. ISACA requires a minimum of 20 hours per year, which encourages certification holders to maintain that learning lifestyle.

What may not be immediately clear is that this requirement is per certification.

I now hold four certifications from ISACA: CISA, CISM, CRISC, and CDPSE. Last week, as I was entering my 2020 CPEs into the ISACA system, the reality of one aspect of the CPE policy became exceedingly clear to me: when you have multiple certifications with a single entity like ISACA, each CPE hour is applied to only one certification. For me, this means that I must earn a minimum of 80 hours per year and 480 hours every three years for all four certifications. Keeping my CPEs level every year means that I must earn a minimum of 160 CPEs of training annually, or one full month of training, which works out to over three hours of training every week. ISACA’s policy and its CPE portal do not permit the application of a CPE to more than one certification.

The result: I’m now laser-focused on all of the different training methods and opportunities, and on a weekly basis I identify those that help me to continue to advance my knowledge and skills.

I keep very crisp records of my CPEs. On my personal laptop computer, I have a worksheet that is open all the time where I enter every webinar, vendor demo, writing project, mentoring session, and other eligible activity. My records include the number of CPEs, as well as which certification each CPE will be credited to. I try hard to “front load” my learning each year in the event that life or work gets in the way later in the year. And for those three-year certification cycles (which for me, thankfully, are spread out evenly), I try to front-load each certification with more than 40 hours in the first year of the three-year cycle, so that I don’t end up in a situation in the third year where I need to earn more than forty hours.

Fortunately, there is no shortage of online learning opportunities. I subscribe to email feeds from (ISC)2, ISACA, Dark Reading, Brighttalk, TechTarget, and others, so my inbox always has opportunities for me to choose from every week.

I applaud you if you aspire to earn more certifications, whether they are a badge of honor or a means of opening doors for professional growth.


Update: apparently ISACA will permit CPE hours for an activity to be applied to more than one certification, provided the activity qualifies for each certification in question. Read more here: https://isaca.force.com/support/s/article/Can-my-CPEs-be-applied-torwards-more-than-one-certification-1597877234103

CISM vs CISSP

A reader recently asked me about the CISM versus the CISSP. Specifically, he asked, “How hard is the CISM for someone who passed the CISSP?”

Having earned both certs (and a few more besides), and having written study guides for both, I felt qualified to help this individual. My answer follows.

CISM is much heavier on security management and risk management than CISSP. You’ll have to study these topics, and the business side of information security. To paint with a broad brush, you could say that CISM is for CISOs while CISSP is for security engineers. That, in essence, is the distinction.

Oh and there’s a great study guide out for the CISM: https://www.amazon.com/Certified-Information-Security-Manager-Guide-ebook/dp/B079Z1J87M

I passed my CISSP almost 20 years ago while I was still a hands-on technologist. I studied for my CISA two years later. I learned through my ISACA CISA study materials (provided by my employer) that ISACA has a vastly different vocabulary for infosec than does (ISC)2. Think of it as a business perspective versus an engineering perspective. Both are right, both are valid, both are highly valued in the employment market. But they are different. Master both, and you’ll be a rare treasure.


Study guides for CISSP:

CISSP For Dummies

CISSP Guide to Security Essentials

Study guides for CISM:

CISM All-In-One Exam Guide

Insights into CRISC certification quality

I spent the previous Friday and weekend at ISACA HQ in Chicago at a workshop. The objective: to examine about 360 candidate exam questions for the CRISC (Certified in Risk and Information Systems Control) certification.

There were about 30 of us who worked in three independent groups, each consisting of a facilitator (Richard Norman, a security manager in the UK), a scribe (Kim Cohen, the Certification Exam Development Manager at ISACA), and 8 risk management experts from many different organizations including Bank of America, Caterpillar, Premera Blue Cross, and Verizon Business.

We had our work cut out for us. Each group had about 120 exam questions to examine, discuss, edit, and ultimately determine whether each was a good question based on many different quantitative and qualitative measurements. Oftentimes our discussion of a question became a discussion about security or risk management practices (including what companies should be doing and what they are actually doing). Richard, our facilitator, and Kim, our scribe, kept us on task and on pace.

The hard work began long before the three-day weekend. Going back to May 2013, we each began our training on writing certification exam questions for ISACA, and over a four- or five-week period we each wrote a total of twenty exam questions. Anyone who thinks this is an easy task does not understand the rules and the discipline required for the task. It is quite difficult.

I’ve been trained by two other certification organizations in exam question writing, but ISACA has really upped the game. The rigor and quality that ISACA puts into certification exam question development is impressive. There are several levels of review, by different teams of vetted subject matter experts, on each question before it sees the light of day. And the analysis does not stop after the exam question has been finalized and approved. Analysis of how test takers answer the question continues throughout the life of the exam question. It is no wonder that CRISC won the Certification of the Year Award from SC Magazine.

ISACA has been in the certification business longer than just about anyone in information technology. ISACA itself started in the 1960s, and the CISA certification began in the 1980s; tens of thousands of security and IS audit professionals have earned the CISA certification, and it remains one of the top IT security certifications today.

Certification and Experience: Putting the Cart Before the Horse

When I earned my CISSP in 2000, and my CISA in 2002, I desired to earn these certifications as a way of demonstrating the knowledge and experience that I had already accumulated. To me, these certifications are a visible symbol of my professional qualifications in the professional community.

In recent years, I have seen many people who do not have the knowledge or the experience, and they desire to earn these certifications so that they may be better qualified for positions where they can earn the knowledge and experience that these certifications require.

These people have it backwards. They are showing impatience: they want the positions that require experience, but they do not yet have it. They ask, “Now that I have my CISSP (or CISA or CISM), how can I get security specialist, security manager, security auditor, or other positions?” And they wonder why they have difficulty finding these jobs that require CISSP, CISA, or CISM certification.

What I believe they fail to understand is that they do not have the required experience.

The correct path for professional certification and experience is this: acquire the knowledge and the experience, and then earn the certification. This is the method expected by employers, professionals, and the organizations that develop and manage these certifications.

Would you go to a doctor who had his license to practice but did not yet have the required experience? Of course not, and likewise employers do not hire candidates based only on their certifications. Instead, employers hire based upon knowledge, experience, and particular skills.

I believe that many of these aspiring certification candidates are being led astray by training organizations who are implicitly (if not explicitly) fostering the expectation that one can earn a certification based on a short training course alone, as though it is a “shortcut” to positions with greater responsibility, expectations, and compensation.

To IT professionals who want to get ahead and earn certifications: good for you! I wish you well! However, do know that you need to accumulate years of work experience first – then earning those certifications will be relatively easy, and you will have greater satisfaction through knowing that you have rightfully earned your certification, not only because you were able to pass a certification exam, but also because you have the experience that goes with it.

CISA study group

CISM study group

CISSP study group

CRISC study group

Security+ Study Guides

There are several books in print that the Security+ candidate can use as a study aid for the Security+ exam.

CompTIA Security+ Study Guide: Exam SY0-101 by Mike Pastore and Emmett Dulaney

The Ultimate Security+ Certification Exam Cram 2 Study Kit (Exam SYO-101) (Exam Cram 2) by Que Certification

Security+ Certification All-in-One Exam Guide by Gregory White

Security+ Guide to Networking Security Fundamentals, Second Edition by Mark Ciampa

Security+ Study Guide by Ido Dubrawsky, Jeremy Faircloth, Michael Gregg, and Eli Faskha

Security+ Certification for Dummies by Lawrence H. Miller and Peter H. Gregory

Security Administrator Street Smarts: A Real World Guide to CompTIA Security+ Skills by Michael Gregg and David Miller

CISM exam study guides

There are a few books in print that the CISM (Certified Information Security Manager) candidate can use as a study aid for the CISM exam.

CISM All-In-One Exam Guide by Peter H Gregory

CISM Review Manual 2007, 15th Ed by ISACA

The CISM Prep Guide: Mastering the Five Domains of Information Security Management by Ronald L. Krutz and Russell Dean Vines

Complete Guide to CISM Certification by Thomas R. Peltier and Justin Peltier

CISA exam study guides

There are now several books in print that the CISA (Certified Information Systems Auditor) candidate can use as a study aid for the CISA exam.

CISA Certified Information Systems Auditor All-In-One Study Guide, 3rd ed by Peter H. Gregory, CISA, CISM, CIPM, CRISC, QSA, CISSP, CCISO

CISA: Certified Information Systems Auditor Study Guide, 2nd edition by David Cannon

CISA: Certified Information Systems Auditor Study Guide by David L. Cannon, Timothy S. Bergmann, and Brady Pamplin

CISA Exam Cram 2 : Certified Information Systems Auditor by Allen Keele and Keith Mortier

CISA Exam Prep: Certified Information Systems Auditor (ACM Press) by Michael Gregg

IT AUDIT: A Practical Guide To the CISA Exam by Trony Clifton