Welcome new CISAs and CISMs, or not
Newly certified? Didn't make the cut? Either way, here's what to do
February 11, 2007 12:00 PM ET, Computerworld - While the masses were milling about RSA, long-anticipated emails and letters started arriving in homes and offices across the globe, announcing results of intensive examinations administered at the end of last year.
Until recently, the Information Systems Audit and Control Association (ISACA) only gave the Certified Information Systems Auditor (CISA) examination once annually, in the summer. Arguably the top dog among vendor-independent security certifications, CISA brings the aura of competence and experience to information security and privacy practitioners even outside the realm of audit.
In the summer of 2003, ISACA began offering a new Certified Information Security Manager (CISM) designation to address demand for an identifier or label that conveys competence outside of audit, in leadership areas of applied information security. In mid-2005, ISACA responded again to pressure and began offering both tests twice a year, in December as well as June.
These designations are some of the most respected in the industry, and it's a very big deal for many people. If you just took the exam, or if you're still pondering what a previous exam meant, I've got some advice.
Bad news?
First, if the first sentence of the letter included the word "unfortunately," don't be too discouraged, or take a low score as a personal indictment. A lot of people don't make it on their first try, and no test is fair to its entire audience. There are always distractions, misunderstandings, strange terminology, and neighbors' dogs that keep you up the night before a test. If you're working in the industry, you know your own worth and competence. Sign up now for the next round and get on with studying. The final registration deadline is in April.
Keep working; find out where you missed the most questions. ISACA is kind enough to provide scoring in individual subject areas. Pick your weakest area and keep studying.
Better yet, try to find a project at work that will give you practical experience. While academic learning and test cases may give practical knowledge of how to do things such as perform a risk assessment or build an information security program, there's nothing like actually doing it. Focusing on areas of weak knowledge often has the osmotic effect of strengthening the rest of your skillset where you already know how to categorize and use information. It's a lot easier to stare down the next test when you can look forward and backward through your own experience.
Congratulations?
If you passed the CISA or CISM test, congratulations. But remember that you're still a candidate -- you have to fill out the certification form from ISACA, and submit evidence of applied experience and references. You'll need to break out your resume -- the long one that lists every project you've participated in or led -- and create a few mappings of relevant positions, individual projects, experience in each area, and years of experience for the application.
Jon Espenschied