ISACA Certifications 2015 Overview

ISACA has four major certification programs that are well respected within their primary domains. The CISA (Certified Information Systems Auditor) certification is the oldest of ISACA’s credentials and is the most coveted certification for information security audit professionals. Well over 100,000 people have passed the CISA exam since its inception in 1978, although 30% of those are now in “inactive status”. Given the length of time involved, this 30% seems easily explained by retirements, exits from the field and, for a smaller number, a lack of diligence in upholding the continuing education requirements.

The CISM (Certified Information Security Manager) credential has been around since 2002 and has become the second most desired information security management credential in job postings, behind only the CISSP. ISACA is closing in on 25,000 total CISM credentials issued, although fewer than 20,000 remain in active status. Information security managers are in extremely high demand in 2015 due to high profile compromises, and this credential should continue to accelerate in popularity.

Adoption of the CRISC (Certified in Risk and Information Systems Control) credential has been astounding, showing it is highly desired in the marketplace. This is not surprising, because risk management is central to an organization, and individuals who can effectively plan a risk management program are in high demand in the industry.

The CGEIT (Certified in the Governance of Enterprise IT) is the ISACA certification I know the least about, and it looks like I am not the only one. Of the four offerings, it is the ISACA certification that has gained the least traction in the industry. This certification feels a little further from ISACA’s core competency but still has room to grow, since all things information security are in demand.

2015 Consolidated Summary of ISACA Certifications (Source ISACA)

| ISACA Certification | Year of Inception | North America | EMEA | Asia | Central/South America | Oceania | Global Count |
|---|---|---|---|---|---|---|---|
| CISM | 2002 | 9600 | 6000 | 3300 | 900 | 600 | 19500 |

2015 ISACA Certification Holders By Region: (Source ISACA)

| ISACA Certification | Year of Inception | Current Holders | Historical Holders | Expired | % Expired | % Active |
|---|---|---|---|---|---|---|
| Certified Information Systems Auditor (CISA) | 1978 | 75600 | 108550 | 32950 | 30.35% | 69.65% |
| Certified Information Security Manager (CISM) | 2002 | 19500 | 24267 | 4767 | 19.64% | 80.36% |
| Certified in the Governance of Enterprise IT (CGEIT) | 2007 | 4900 | 5950 | 1050 | 17.65% | 82.35% |
| Certified in Risk and Information Systems Control (CRISC) | 2010 | 15800 | 17443 | 1643 | 9.42% | 90.58% |

Other facts about ISACA Certifications:

  • ISACA certifications are only offered one time per year, making these credentials more time-consuming to obtain than alternatives with more flexible testing options. Do not miss your chance to obtain your desired ISACA certification; this year’s certification exams are scheduled for June 13th.
  • Exams are 4 hours in length with 200 multiple choice questions.
  • ISACA exams are paper/pencil based and require filling out traditional test bubbles that will bring back college flashbacks.
  • ISACA exam results take between 5 (CISA/CISM) and 8 (CRISC/CGEIT) weeks to be returned.
  • Registration deadlines: early registration deadline: Feb 11th; final registration deadline: April 10th.

SANS Management, Audit & Legal Domain Certifications 2015 Outlook

Certifications in the SANS Management, Audit & Legal domains have not enjoyed the same widespread adoption as the technical certifications in other SANS domains. This is not altogether surprising considering SANS is known for its hardcore technical training, and many of these certifications have long-standing competitors that dominate the field.

Predictions for 2015:

  • The GIAC Security Leadership (GSLC) credential continues to grow but greatly lags its peers, the CISSP and CISM. If I ran the SANS program I would make the GSLC a one-time certification and not require renewal, to help differentiate it from the alternatives. Certification renewal is greatly overrated in a generalist domain such as security leadership, so this seems a reasonable alternative to battle the credential renewal drain.
  • Adoption of the GSNA will continue to lag the CISA certification, which dominates the information security audit field.
  • Adoption of the GIAC Certified Project Manager (GCPM) credential will continue to struggle to gain traction, as most project managers will continue to seek the PMI Project Management Professional (PMP), which is more often mentioned in job postings for project management professionals.

All of these SANS Management, Audit & Legal domain credentials have a base price of $1,099 (prior to any training related discounts). All of the certifications require renewal after 4 years, which can be accomplished via 36 Continuing Education Credits and a renewal fee of $399. Another option to retain the certification after the four years is to retake the exam.

Here is the mixed domain summary table with the key information for these certifications as of January 2015.

| Title | Domain | Year Established | Total Certified 1/19/15 | # of Exam Questions | Time Limit (hrs) | Min Passing Score |
|---|---|---|---|---|---|---|
| GIAC Security Leadership (GSLC) | Management | 2003 | 3003 | 150 | 4 | 68% |
| GIAC Information Security Professional (GISP) | Management | 2006 | 979 | 250 | 5 | 70% |
| GIAC Certified Project Manager (GCPM) | Management | 2008 | 160 | 150 | 4 | 70% |
| GIAC Systems and Network Auditor (GSNA) | Audit | 2001 | 1941 | 115 | 3 | 70% |
| GIAC Law of Data Security & Investigations (GLEG) | Legal | 2007 | 315 | 75 | 2 | 71% |

SANS Forensics Domain Certification 2015 Outlook

SANS Forensics technical training helps demonstrate that an incident response analyst/engineer is knowledgeable and skilled in the field of incident management. Demand for forensics skills is experiencing rapid growth in the industry as enterprises reluctantly acknowledge that intrusions will gain a foothold and must be identified and contained once they have occurred.

Predictions for 2015:

  • The forensics domain will be the fastest growing domain in the SANS certification suite due to the hot marketplace for incident response skills.
  • The GIAC Reverse Engineering Malware (GREM) credential will begin to show up in job posting requirements for malware analysts/engineers, which is one of the fastest growing positions in all of information security.
  • The newly established GNFA credential will grow quickly as holders of the three other Forensics domain certifications seek it both to obtain a new credential and to earn the continuing education credits needed to renew their existing domain certifications.

All of these SANS Forensics domain credentials have a base price of $1,099 (prior to any training related discounts). All of the certifications require renewal after 4 years, which can be accomplished via 36 Continuing Education Credits and a renewal fee of $399. Another option to retain the certification after the four years is to retake the exam.

Here is the Forensics domain summary table with the key information for these certifications as of January 2015.

| Title | Year Established | Total Certificates Issued as of 1/19/15 | # of Exam Questions | Time Limit (hrs) | Min Passing Score |
|---|---|---|---|---|---|
| GIAC Certified Forensic Analyst (GCFA) | 2004 | 3880 | 115 | 3 | 69% |
| GIAC Certified Forensic Examiner (GCFE) | 2010 | 1771 | 115 | 3 | 71% |
| GIAC Reverse Engineering Malware (GREM) | 2005 | 1688 | 75 | 2 | 70.70% |
| GIAC Network Forensic Analyst (GNFA) | 2014 | 59 | 50 | 2 | 60% |

SANS Security Administration Domain Certification 2015 Outlook

SANS Security Administration technical training is second to none, and with the information security job market booming, certification numbers continue to rise across the board. The generalist GSEC credential leads the way numbers-wise, but it is the incident handler (GCIH) certification that is hot in the marketplace. The GCIH credential is coveted in the industry, and its popularity is an acknowledgement by the industry that incidents will happen and effective response is essential. Skilled incident response analysts are essential to modern information security organizations to help identify incidents and minimize the impact to the enterprise after they occur.

Predictions for 2015:

  • The number of GCIH certification holders will continue to rise. This is a valuable credential that blends incident response with the ability to understand hacker tools and techniques. Expect 15,000 certification holders by end of year.
  • The GICSP certification’s growth will rapidly rise in response to the increasing awareness of high impact process control related cyber security events (the German steel mill and Turkish pipeline recent news) and the desire to build programs to mitigate the risks.
  • The GCED Enterprise Defender credential will experience rapid growth and be in the top 6 in overall numbers in this domain by 2016.
  • The GCCC certification will grow but struggle to match the success of the certifications ahead of it, due to being more of a generalist credential focused on implementing the SANS Top 20 Controls.

All of these SANS Security Administration domain credentials have a base price of $1,099 (prior to any training related discounts). All of the certifications require renewal after 4 years, which can be accomplished via 36 Continuing Education Credits and a renewal fee of $399. Another option to retain the certification after the four years is to retake the exam.

Here is the Security Administration domain summary table with the key information for these certifications as of January 2015.

| Certification Name | Total Certificates Issued as of 1/19/15 | # of Exam Questions | Exam Time Limit (hrs) | Minimum Passing Score |
|---|---|---|---|---|
| GIAC Security Essentials (GSEC) | 15749 | 180 | 5 | 73% |
| GIAC Certified Incident Handler (GCIH) | 10439 | 150 | 4 | 72% |
| GIAC Certified Intrusion Analyst (GCIA) | 4662 | 150 | 4 | 67% |
| GIAC Penetration Tester (GPEN) | 3663 | 115 | 3 | 74% |
| GIAC Web Application Penetration Tester (GWAPT) | 2292 | 75 | 2 | 70% |
| GIAC Certified Perimeter Protection Analyst (GPPA) | 1772 | 75 | 2 | 69% |
| GIAC Certified Windows Security Administrator (GCWN) | 1528 | 75 | 2 | 66% |
| GIAC Information Security Fundamentals (GISF) | 1081 | 75 | 2 | 70% |
| GIAC Assessing and Auditing Wireless Networks (GAWN) | 881 | 75 | 2 | 71% |
| GIAC Certified Enterprise Defender (GCED) | 865 | 115 | 3 | 68% |
| GIAC Certified UNIX Security Administrator (GCUX) | 755 | 75 | 2 | 65% |
| GIAC Exploit Researcher and Advanced Penetration Tester (GXPN) | 517 | 75 | 3 | 66% |
| Global Industrial Cyber Security Professional (GICSP) | 351 | 115 | 3 | 69% |
| GIAC Mobile Device Security Analyst (GMOB) | 345 | 75 | 2 | 66% |
| GIAC Critical Controls Certification (GCCC) | 48 | 75 | 3 | 71% |

CRISC Certification – Is it worth obtaining?

I recently received information from ISACA about their new CRISC certification (Certified in Risk and Information Systems Control). Based on the CRISC grandfathering provisions I am eligible for consideration, so I am evaluating whether it would be useful to sign up at this time. Information security professionals have a mixed view of grandfathering, since certification vendors use it to quickly build an established (and paying) community, but many view it as a cheap way of obtaining a certification without completing the study materials and exam. Before I get to my decision, I want to review some of the key questions around the CRISC and my decision process.

Who is the CRISC meant for?

The newly created CRISC certification targets business and information security professionals who specialize in the end-to-end risk management process (risk identification, assessment, evaluation, and remediation). In addition, there is a focus on the design, implementation, and monitoring of internal controls to manage these business and system risks.

Who can be grandfathered into the CRISC?

Information security and risk management professionals with at least 8 years of IT or business risk mitigation experience, including a minimum of 6 years of cumulative work experience across all 5 of the CRISC domains and a minimum of 3 years of cumulative work experience in CRISC risk domains 1-3.

What are the CRISC risk domains?

Here is the breakdown of the CRISC domains by weighted percentage.

  • Domain 1 – Risk Identification, Assessment & Evaluation – 31%
  • Domain 2 – Risk Response – 17%
  • Domain 3 – Risk Monitoring – 17%
  • Domain 4 – Information Systems Control Design & Implementation – 17%
  • Domain 5 – IS Control Monitoring & Maintenance – 18%

* Per ISACA website details

When does the CRISC grandfathering deadline end?

You must make your decision to pursue the CRISC via the grandfathering program within a month. The currently announced deadline is June 30th, 2011.

What is the cost of the CRISC?

The ISACA member rate for CRISC is $595 and the non-member rate is $725. The annual recertification fee is $40 for ISACA members and $85 for non-members.

What are the CRISC CPE requirements?

The requirements are identical to those of the CISA: 120 CPE hours per three-year cycle, with an annual minimum of 20.

Should I accept grandfathering status for the CRISC certification?

Since I am not philosophically opposed to the concept of grandfathering for qualified professionals, I gave adequate consideration to whether I should apply for the CRISC designation. After some careful career consideration I decided it was not a needed activity for me to complete at this point, even though I would qualify. It is uncertain how much traction the CRISC will gain in the industry, since more established credentials like the CISSP and CISA are already considered the dominant certifications. There is potentially room for another one, but I would likely consider a SANS offering before pursuing the CRISC.


Pass the CISSP Exam – Successful CISSPs explain their approach

The CISSP exam is one of the most difficult information security exams to pass due to the broad base of subject domains tested. Maggie Harper is the second information security professional interviewed in this series designed to help you pass the CISSP exam. After all, what better way is there to supplement your formal study plan than to hear from those who have been in the trenches and passed the exam themselves?

Maggie, what were your reasons for pursuing the CISSP certification?

I pursued the certification because I feel that the information security field is an ever growing and expanding field and the CISSP would help me with the transition from technical/engineering PM into a network security type role.

Did your employer at the time encourage you to take the CISSP exam?

No, I decided to pursue it on my own.

What study method/materials did you use to prepare for the CISSP exam?

A co-worker named Curtis Levinson helped me tremendously in understanding not just the fundamentals contained within the 10 domains, but the origin and evolution of those fundamentals as applicable in both today’s environment and emerging technologies. I also used the Wiley study guide and took the time to quiz other CISSPs. A million practice tests, scenarios and questions helped too.

It is nice to see that your co-worker played such an important mentoring role. Which CISSP subject domains did you need to spend the most time studying in detail?

Crypto still gets me to this day, even after passing the exam ; )

How did your CISSP exam approach compare to my published CISSP Exam Strategy?

Great strategy you outline! I’m a one-time-through and then come back and hit what I felt would take too much time to noodle through. Only had two of those though.

How confident were you that you passed post exam?

Not at all. The exam was hard, no doubt about it. Of those I spoke with that walked out confident they passed, they didn’t.

I guess humility was the order of the day there. I wonder if there is some kind of correlation between overconfidence and a lack of success. Have you found the CISSP CPE requirements tough to meet?

Not really, there are a lot of different avenues for CPEs.

Any final tips for CISSP candidates that we have not previously discussed?

Talk to as many certified people as you can. But don’t take their experience as your own. There are different versions of the test and you can easily make the mistake of focusing on the wrong areas. Ask a lot of questions! Even if people look at you like you’ve suddenly sprouted another head, ask!

Maggie made effective use of her network and inquisitive nature to conquer the CISSP exam. Thanks again for lending your time to help the CISSPs of tomorrow to pass the exam.

Be sure to check out the first CISSP Exam Interview if you missed it.
