Tag Archives: ISACA

The Unexpected Burden of Multiple Certifications

Those who have been in any information technology profession for a few years or more have witnessed the practice of professional certification. Certifications function as a badge of achievement as well as a badge of access to further professional opportunities.

Many IT professional certifications have continuing education requirements. Organizations such as ISACA, (ISC)2, IAPP, the PCI Security Standards Council, and others require certificate holders to adopt a continuous learning lifestyle through periodic training and other learning opportunities. These and other organizations require that certificate holders document their CPEs (continuing professional education) with the certification body; occasional audits of documented CPEs keep certification holders honest.

ISACA’s CPE policy requires that a certification holder complete 120 hours of training during a three-year certification cycle, which averages 40 hours per year. ISACA also requires a minimum of 20 hours in each year of the cycle, which encourages certification holders to maintain that learning lifestyle rather than cramming at the end.

What may not be immediately clear is that this requirement is per certification.

I now hold four certifications from ISACA: CISA, CISM, CRISC, and CDPSE. Last week, as I was entering my 2020 CPEs into the ISACA system, the reality of one aspect of the CPE policy became exceedingly clear to me: when you have multiple certifications with a single entity like ISACA, each CPE hour is applied to only one certification. For me, this means that I must earn a minimum of 80 hours per year and 480 hours every three years for all four certifications. Keeping the CPEs level every year means that I must earn a minimum of 160 CPEs, or one full month of training, annually, which works out to over three hours of training every week. ISACA’s policy and its CPE portal do not permit the application of a CPE to more than one certification.

The result: I’m now laser-focused on all of the different training methods and opportunities, and on a weekly basis I identify those that help me to continue to advance my knowledge and skills.

I keep very crisp records of my CPEs. On my personal laptop computer, I have a worksheet that is open all the time where I enter every webinar, vendor demo, writing project, mentoring session, and other eligible activity. My records include the number of CPEs, as well as which certification each CPE will be credited to. I try hard to “front load” my learning each year in the event that life or work gets in the way later in the year. And for those three-year certification cycles (which for me, thankfully, are spread out evenly), I try to front-load each certification with more than 40 hours in the first year of the three-year cycle, so that I don’t end up in a situation in the third year where I need to earn more than forty hours.

Fortunately, there is no shortage of online learning opportunities. I subscribe to email feeds from (ISC)2, ISACA, Dark Reading, Brighttalk, TechTarget, and others, so my inbox always has opportunities for me to choose from every week.

I applaud you if you aspire to earn more certifications, whether they are a badge of honor or a means of opening doors for professional growth.

Update: apparently ISACA will permit CPE hours for an activity to be applied to more than one certification, provided the activity qualifies for each certification in question. Read more here: https://isaca.force.com/support/s/article/Can-my-CPEs-be-applied-torwards-more-than-one-certification-1597877234103

Hard copy vs online verification

Today, in an online forum, someone asked why ISACA still uses paper-based certification applications instead of moving to online verification. The person argued that other organizations had gone to an online verification system.

My response:

I can understand why this is still a paper-based process. Moving it online would provide many opportunities for fraud. While I believe that 99.9% of CISA/CRISC/CISM applicants are honest, a purely online system would make it easier for someone lacking the necessary background or experience to fabricate it – including the verifiers. How could you prove that the verifiers are genuine?

Maybe, someday, we will get to a reliable online identity system that provides a solid tie between a real person and an online identity. Until then, I think that ISACA should stick with the paper model.

I am sure that ISACA has had this discussion, and will continue to have it from time to time.

Career advice: how to begin a security career


Today a colleague from Melbourne wrote me and said,

Hi Peter,

Greetings from Melbourne, Australia.

It was refreshing to read your site esp your Christian perspective on the profession.

I’m after some career guidance if you don’t mind –
I have a Business Analyst background and am currently working in IT consulting for a company that specialises in custom app development and systems integration. I have taken a keen interest in Info Security and will sit the CISSP exam at the end of this year with the intention to certify as an ISC2 associate (until such time as I possess the relevant experience to be a CISSP)…

In terms of specialising in the Information Security field, are there any particular areas where demand will be highest (application, network, governance, etc.)? Also, what blend of technical/personal abilities will the profession require of its practitioners going forward? Any insight you can provide will be much appreciated. Thank you.

* * * * * * *

Hi (name),

Thank you for your message and your kind comments.

If you were in the U.S., I could give you a more precise perspective on what’s in demand. But I have an idea.

I suggest you find a local chapter of ISSA and/or ISACA (the ‘owner’ of the CISA and CISM certifications) and sign up. This will give you many networking opportunities to meet and get to know others in the information security profession. Through your contacts and communications with local members, you should soon get a good idea of what’s in demand.

But I stress this: the best people in information security are those who already have technology experience and begin to build expertise on the risks in that technology. I see you are in an app dev and integration firm, so I’ll presume that this is a field where you have good expertise. What I would suggest is that you begin to build your security experience by understanding the risks around “safe coding” principles, and the processes that make sure the entire SDLC (systems development life cycle) includes procedures so that changes to software do not introduce vulnerabilities at any level. So if s/w dev is your thing, you might pick up a copy of Michael Howard’s book, Writing Secure Code (or something close to that – a huge best seller).

For me, my career was in computer operations, systems administration, software engineering, and network engineering. Then it became my job to secure systems and networks, so I began to read all I could and made systems and networks secure. From there I branched out to better understand other sources of risk, like unauthorized intruders and secure coding.

So my advice is: begin to build security expertise in the area of technology where you are most familiar, and branch out from there. Networking with others will help to broaden your knowledge about risk overall.

Hope this helps,


Integrity and intellectual property


On some of my mailing lists I have recently seen messages suggesting that people are willing to send and receive copyrighted materials.

Exercise extreme caution when offering or accepting study materials that are not in their *original* form. If you transmit or receive electronic (or paper) copies of copyrighted materials such as study guides or study questions, there is a good chance that both the sender and the receiver are breaking international copyright laws, which is both a crime and a violation of the ISACA Code of Ethics.

Sending or accepting such materials also compromises your personal and professional integrity, which will make you ineffective as an IT audit professional and leader. See these two articles for more information:

Personal integrity: the keystone in an infosec career

A call for character and integrity

The road of higher integrity is not always the easy road. Taking the path of high integrity requires sacrifice, and it is often difficult. You will, however, be a better person for it, both personally and professionally. And your conscience will allow you to sleep at night!

CISM exam study guides

There are a few books in print that the CISM (Certified Information Security Manager) candidate can use as a study aid for the CISM exam.

CISM All-In-One Exam Guide by Peter H Gregory

CISM Review Manual 2007, 15th Ed., by ISACA

The CISM Prep Guide: Mastering the Five Domains of Information Security Management by Ronald L. Krutz and Russell Dean Vines

Complete Guide to CISM Certification by Thomas R. Peltier and Justin Peltier

CISA exam study guides

Fraudulent CISA exam registration web site – www.cisaca.org


The web sites http://www.cisaca.org and http://www.cisaca.com, which claim to be authorized by ISACA to register candidates for the CISA exam and to sell ISACA-authored study material, are fraudulent.

Update: these sites appear to have been taken down.

Neither these web sites nor their owners are affiliated in any way with or endorsed by ISACA. Nor have these web sites or their owners been authorized as registrars for the CISA exam or as distributors of any CISA study materials.

Any registration for the CISA exam or study aid purchase made through http://www.cisaca.org or http://www.cisaca.com is NOT valid. ISACA is not responsible for any refund of registration fees or study materials purchased through these sites. The only legitimate online exam registration and study aid purchase web site is http://www.isaca.org.

Anyone who has been deceived by these web sites is asked to contact ISACA International Headquarters’ certification department (certification (at-sign) isaca (dot) org) and provide the following information: their name, email address, who the payment was made to, the amount paid, the exam registered for, and the web site accessed to register for the exam. We highly encourage you to contact the ISACA certification department regarding registration for future CISA exams.

Original posting from www.isaca.org