2025/10/5
I read the CyberSecurity Architect Handbook, and the author mentions that CISM is also a certification recommended for architects, so I plan to put it on next year's goals.
I looked it up:
Exam fee: ISACA member $575 (non-member $760)
New member: US$175 (international dues US$145 + Tokyo Chapter US$30)
After passing, applying for the certification costs 50 USD. If you become a member first and then register for the exam, the total is 750 USD, cheaper than as a non-member, and the books are a bit cheaper too.
My company will probably reimburse the exam fee but not the membership fee, so I'll just take the exam at 760 USD and pay the 50 USD certification application myself; after the certification is granted, the membership and chapter dues still have to be paid though.
Tokyo has 3 test centers (online testing is also possible): Takadanobaba, Shimbashi, and Akihabara. No seats on weekends, only weekdays, and only the 10:00 AM and 2:00 PM slots can be chosen each day.
4 hours, 150 questions, 4 domains; difficulty is said to be below CISSP and CCSP and above SC, not sure whether that's true.
Also, you can flag questions you're unsure about and review them later, which takes off a lot of the pressure.
Two reference books; the Questions one isn't necessary, but the Review Manual is worth getting. Amazon Japan has it at 30,000 yen.
https://www.amazon.co.jp/CISM%E3%83%AC%E3%83%93%E3%83%A5%E3%83%BC%E3%83%9E%E3%83%8B%E3%83%A5%E3%82%A2%E3%83%AB%E3%80%81%E7%AC%AC16%E7%89%88-Isaca/dp/1604209011/
But the e-book on the official site is 139 USD, only about 20,000 yen.
https://destcert.com/cism-certification-guide/
Mike Study Plan
WK1:
- Begin Reading Chapter 1 of the CISM Study Guide
- Finish Reading Chapter 1 of the CISM Study Guide
- Watch LinkedIn CISM1 Section 1-4
- CISM Study Guide Chapter 1 Review Questions
- Take a well-deserved break!
WK2:
- Begin Reading Chapter 2 of the CISM Study Guide
- Finish Reading Chapter 2 of the CISM Study Guide
- Watch LinkedIn CISM1 Section 5-9
- CISM Study Guide Chapter 2 Review Questions
- Take a well-deserved break!
WK3:
- Begin Reading Chapter 3 of the CISM Study Guide
- Finish Reading Chapter 3 of the CISM Study Guide
- Watch LinkedIn CISM2 Section 1-6
- CISM Study Guide Chapter 3 Review Questions
- Take a well-deserved break!
WK4:
- Begin Reading Chapter 4 of the CISM Study Guide
- Finish Reading Chapter 4 of the CISM Study Guide
- Watch LinkedIn CISM2 Section 7-12
- CISM Study Guide Chapter 4 Review Questions
- Take a well-deserved break!
WK5:
- Begin Reading Chapter 5 of the CISM Study Guide
- Finish Reading Chapter 5 of the CISM Study Guide
- Watch LinkedIn CISM3 Section 1-4
- CISM Study Guide Chapter 5 Review Questions
- Take a well-deserved break!
WK6:
- Begin Reading Chapter 6 of the CISM Study Guide
- Finish Reading Chapter 6 of the CISM Study Guide
- Watch LinkedIn CISM3 Section 5-9
- CISM Study Guide Chapter 6 Review Questions
- Take a well-deserved break!
WK7:
- Begin Reading Chapter 7 of the CISM Study Guide
- Finish Reading Chapter 7 of the CISM Study Guide
- Watch LinkedIn CISM3 Section 10-13
- CISM Study Guide Chapter 7 Review Questions
- Take a well-deserved break!
WK8:
- Begin Reading Chapter 8 of the CISM Study Guide
- Finish Reading Chapter 8 of the CISM Study Guide
- Watch LinkedIn CISM4 Section 1-3
- CISM Study Guide Chapter 8 Review Questions
- Take a well-deserved break!
WK9:
- Begin Reading Chapter 9 of the CISM Study Guide
- Finish Reading Chapter 9 of the CISM Study Guide
- Watch LinkedIn CISM4 Section 4-6
- CISM Study Guide Chapter 9 Review Questions
- Take a well-deserved break!
2025/10/22
Today I started another one-month LinkedIn Premium trial and downloaded a small part of Mike's CISM course.
Other reference books:
https://leanpub.com/cismlastmile 10 USD
https://www.youtube.com/playlist?list=PL7XJSuT7Dq_UffFGcmTvKL7JeHweC5HKU
WHY should you take ISACA's CISM exam after the CISSP?
HOW can you do it quickly? Read on…
1️⃣ CISM is LESS TECHNICAL than CISSP
It focuses much more on process and governance. Your technical depth from CISSP is more than enough!
2️⃣ CISM is MORE STRATEGIC in its focus than CISSP
It provides substantial high value leadership knowledge, complementing your CISSP foundation, expanding your perspective as a security leader.
3️⃣ CISM exam is more narrow in terms of subject matter
This makes preparation faster vs CISSP for most candidates.
HOW can you prepare quickly?
🎥 CISM Exam Prep: The Complete Course
11+ hours, FREE on YouTube, https://lnkd.in/g-_NnxEP
📕 CISM: The Last Mile ($10 on Leanpub)
Targeted coverage of every topic on the exam syllabus.
https://lnkd.in/ds2AWV2q
📕 CISM Questions, Answers, and Explanations (ISACA)
The book version of 1000 questions is half the price of the online test bank.
https://amzn.to/447IuQl
💻Online Practice Quizzes (PocketPrep)
Affordable and effective option to augment what comes with study guides (~$21/mth). Get it at https://lnkd.in/g5nm6c4k
https://www.scworld.com/sc-awards-finalists
CISM, together with CISA and CCSP, is listed among the most popular IT certifications. Some say ISC2's ISSMP can take CISM's place, but you have to wait 2 years before you can sit for it, so in the meantime, if the company allows it, I'll go for a CISM.
12-12
Today I received a notice that CISM will change its exam outline in Q4 2026, so better take it early.
1-20
After passing CISM, you must apply for certification within 5 years; 5 years of work experience are required in total, and a CISSP waives 2 of them, so only 3 years are needed.
Even if nobody at Rezil can be found to verify my experience, having Li-san verify the KPMG period (2 years 9 months) and then my manager at the next company verify the rest would also work.
Mike Chapple CISM Chapter Essentials
Chapter1 Today's Information Security Manager
Know the three objectives of cybersecurity. Confidentiality ensures that unauthorized individuals are not able to gain access to sensitive information. Integrity ensures that there are no unauthorized modifications to information or systems, either intentionally or unintentionally. Availability ensures that information and systems are ready to meet the needs of legitimate users at the time those users request them.
Describe how information security strategies should be aligned with organizational goals and objectives. As information security managers develop their plans, they should use reliable techniques to assess the current state of the program, such as threat research, SWOT analysis, and gap analysis. They may then identify the initiatives that will move the organization from the current state to its desired state.
Explain how security strategies are influenced by internal and external factors. Security strategies must be aligned with the business, but they must also incorporate other influences. Information security managers must remain abreast of emerging technologies, social media, the business environment, the organization's risk tolerance, regulatory requirements, third-party considerations, and the threat landscape as they develop, monitor, and revise cybersecurity strategies.
Know why stakeholder commitment and communication are essential to success. As information security leaders roll out new strategies, they must ensure that they have the support of senior leaders and other stakeholders. They may do this by clearly outlining how information security supports the organization's broader goals and objectives, identifying the business impact of security initiatives, and identifying clear success criteria.
Explain how security controls may be categorized based on their mechanism of action and their intent. Controls are grouped into the categories of managerial, operational, and technical based on the way that they achieve their objectives. They are divided into the types of preventive, detective, corrective, deterrent, compensating, and physical based on their intended purpose.
Describe the diverse impacts of data breaches on organizations. When an organization suffers a data breach, the resulting data loss often results in both direct and indirect damages. The organization suffers immediate financial repercussions due to the costs associated with the incident response, as well as long-term financial consequences due to reputational damage. This reputational damage may be difficult to quantify, but it may also have a lasting impact. In some cases, organizations may suffer operational damage if they experience availability damages, preventing them from accessing their own information.
Explain why data must be protected in transit, at rest, and in use. Attackers may attempt to eavesdrop on network transmissions containing sensitive information. This information is highly vulnerable when in transit unless protected by encryption technology. Attackers also might attempt to breach data stores, stealing data at rest. Encryption serves to protect stored data as well as data in transit. Data is also vulnerable while in use on a system and should be protected during data processing activities.
Know how data loss prevention (DLP) systems block data exfiltration attempts. DLP technology enforces information handling policies to prevent data loss and theft. DLP systems may function at the host level, using software agents to search systems for the presence of sensitive information. They may also work at the network level, watching for transmissions of unencrypted sensitive information. DLP systems detect sensitive information using pattern-matching technology and/or digital watermarking.
Explain how data minimization reduces risk by reducing the amount of sensitive information that we maintain. In cases where we cannot simply discard unnecessary information, we can protect information through de-identification and data obfuscation. The tools used to achieve these goals include hashing, tokenization, and masking of sensitive fields.
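The two essentials above (DLP pattern matching, and de-identification by hashing, tokenization and masking) are easier to see in code. The following is an added example written for this note; it is not from Mike Chapple's book or from ISACA. It assumes its own regex patterns for card numbers and US SSNs, a constructed set of three log lines, and an example HMAC key; a real DLP product would carry far more patterns plus watermark/fingerprint checks. The Luhn check is there because a bare "13-19 digits" pattern flags ticket and order numbers too, which is the usual source of DLP false positives.

```python
"""Toy DLP scan + de-identification (added example, not the book's code)."""
import hashlib
import hmac
import re
import secrets

# Detection patterns a host or network DLP agent might use (assumed for this
# example). The card pattern is deliberately loose: 13-19 digits with optional
# spaces/hyphens. The Luhn check removes most non-card digit runs.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: True for a syntactically valid payment card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list[tuple[int, int, str, str]]:
    """Return non-overlapping (start, end, kind, value) hits in `text`."""
    hits = []
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):   # drop Luhn failures
            hits.append((m.start(), m.end(), "card", m.group()))
    for m in SSN_RE.finditer(text):
        hits.append((m.start(), m.end(), "ssn", m.group()))
    hits.sort()
    kept, last_end = [], -1
    for h in hits:                                   # keep leftmost on overlap
        if h[0] >= last_end:
            kept.append(h)
            last_end = h[1]
    return kept


# --- de-identification tools named in the chapter ---------------------------

def hash_field(value: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256). A plain SHA-256 of a low-entropy field such
    as an SSN or PAN is reversible by enumerating the input space; the key
    turns it into a fingerprint usable for correlation but not for lookup."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Tokenization: random token outward, original value kept in the vault."""

    def __init__(self) -> None:
        self._to_token: dict[str, str] = {}
        self._to_value: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        if value not in self._to_token:
            token = "tok_" + secrets.token_hex(8)    # no relation to the value
            self._to_token[value] = token
            self._to_value[token] = value
        return self._to_token[value]

    def detokenize(self, token: str) -> str:
        return self._to_value[token]


def mask_card(pan: str) -> str:
    """Masking: keep the last four digits, hide the rest."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_and_redact(lines, key: bytes, vault: TokenVault):
    """Apply a handling policy: mask cards, tokenize SSNs, and keep only an
    HMAC fingerprint of each hit in the findings (so the SOC can correlate
    repeated leaks of the same value without retaining the value)."""
    results = []
    for line in lines:
        hits = find_sensitive(line)
        redacted, findings = line, []
        for start, end, kind, value in reversed(hits):   # right-to-left keeps offsets valid
            repl = mask_card(value) if kind == "card" else vault.tokenize(value)
            redacted = redacted[:start] + repl + redacted[end:]
            findings.append((kind, hash_field(value, key)))
        findings.reverse()
        results.append({"line": redacted, "findings": findings})
    return results


# Constructed sample log lines for this example (not real data).
SAMPLE_LINES = [
    "2025-10-22T09:14:02 user=alice action=export note='card 4111 1111 1111 1111 exp 12/27'",
    "2025-10-22T09:15:40 user=bob action=lookup ticket=1234567890123 status=ok",
    "2025-10-22T09:16:11 user=carol action=hr_update ssn=123-45-6789",
]

if __name__ == "__main__":
    for r in scan_and_redact(SAMPLE_LINES, key=b"example-key", vault=TokenVault()):
        print(r["line"], r["findings"])
```

Running it, the card in the first line is masked and reported, the 13-digit ticket number in the second line is matched by the pattern but discarded by the Luhn check, and the SSN in the third line is swapped for a vault token that only the vault can reverse.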
