In March 2022, I passed the CISMP-V9 exam, and gained the BCS Foundation Certificate in Information Security Management Principles.
As the name suggests, this is related to setting up an ISMS (Information Security Management System). Basically, it falls under GRC (Governance, Risk, and Compliance) rather than hands-on technical skills.
So, who’s the target audience for this certification? I’d recommend the Security+ to anyone who works in IT, but the CISMP is only relevant to a smaller group. Be aware that this won’t teach you how to set up an ISMS from scratch. It’s a foundation certification, so it’s really just laying the groundwork, by introducing concepts.
When I was looking at a QA training course for the CPSA, they recommended the CISMP as a prerequisite. Now that I’ve done both exams, I’d say that the CISMP isn’t really relevant to the CPSA at all! However, I did find the CISMP useful for IASME Cyber Assurance.
The CISMP meets the requirements for Accredited Affiliate membership of the CIISec (Chartered Institute of Information Security). However, the Security+ also meets the CIISec requirements (along with various other certifications), and that’s more widely recognised. So, I wouldn’t recommend doing the CISMP just for this, but if you get the CISMP then you might want to look at CIISec membership as a fringe benefit.
TSG Training did a 40 minute webinar about the CISMP:
BCS CISMP Webinar : 15th April 2021 – YouTube
I think that video is worth watching, and the key point they emphasise is that this isn’t a difficult exam.
NB The sound quality is a bit iffy for the first minute or so, but it gets a lot better when they switch over to the main presenter.
The BCS recommend that everyone who wants to do this exam should read their reference book: Information Security Management Principles. The third edition (published in 2021) corresponds to v9 of the exam syllabus; I already had a copy of the second edition (first published in 2013, reprinted in 2018), which corresponds to v7.3 of the exam syllabus, and that was close enough.
NB I recommend that you download the syllabus from the BCS website. Among other things, that shows the change history.
Aside from the book, there’s then a choice between doing a course and self-study. At the time of writing, the BCS website shows 30 partners (accredited providers) who offer training:
- 2 of the websites are offline.
- 8 of them don’t offer a CISMP course.
- 1 of them (CAPSLOCK) only offers the CISMP course as part of a larger bundle.
- 6 of them don’t list a price.
- 13 of them list a price for the CISMP course, ranging from £525 (e-Careers Limited) to £7600 (Nobleprog UK Ltd). Most of them include an exam voucher, which would cost £192 (+VAT) on its own.
Personally, I just did self-study, so my only costs were the book and the exam.
Since I was using an older edition of the book, some information was out of date. For instance, chapter 1 referred to the IISP (the Institute of Information Security Professionals), which became CIISec in 2018. I assume that the third edition is more up to date. However, I didn’t notice any glaring issues.
There are some illustrations scattered throughout the book, but they don’t really add anything to the text. For instance, one page has a picture of a cartoon figure holding a book; another page has the same person holding a giant padlock. They remind me of the clip-art which I used to see in PowerPoint presentations, and I think the book would be better off without them, but they’re not really doing any harm.
The book also has some “activities”. If I was attending a course, I suspect that this is where the attendees would be split up into small groups to talk amongst themselves, then present their conclusions. Personally, I didn’t find these very helpful, so my advice is to focus on the general principles rather than the specifics.
For instance, one scenario is about risk assessment. How likely is it that a building company would send hired thugs to the homes of environmental campaigners to intimidate them? I don’t know, and it would be a waste of effort for me to find out. That is, it’s domain-specific knowledge, which won’t be relevant to other organisations.
By contrast, the sample questions in each chapter are more useful, since they’re similar to what you’ll see in the exam.
I only read the first 3 chapters (roughly half of the book) before I took the exam. However, I also have quite a bit of work experience in this area, which I was able to draw on.
Looking at section 3.3 of the syllabus, it says:
“Describe the number of common, established standards and procedures that directly affect information security management.”
The key point here is awareness. You don’t need to read all the ISO standards which are mentioned (especially since it’s quite expensive to buy a copy!) but you should know which is which.
The BCS website has a specimen paper with 50 questions (and the answers at the end). I did this the night before my exam, and scored 47/50 (94%); the pass mark is 65%, so I felt quite confident.
While most certification bodies now offer online proctoring, this exam still has to be done at a Pearson Vue test centre. In my case, that involved a 3-hour round trip, when the exam itself took less than 1 hour. (There are 2 hours allocated to the exam, but it took me about 35 minutes to do my first pass, then another 20 minutes to review all my answers.)
When I finished the exam, it didn’t display the result on the screen (which is unusual). When I left the room, the staff at the test centre gave me a paper printout which said “Pass”. This was on a Saturday morning, and I received an email at 04:30 on Monday morning, asking me to register for the BCS candidate portal. Since that email was sent outside office hours, I assume that it was automated. I don’t know whether it always takes 48 hours to process the results, or whether it’s longer at weekends.
The portal showed my exact result, and allowed me to download my certificate as a PDF. I scored 82%, so I was comfortably above the pass mark. However, this was lower than my score in the practice exam, i.e. the real exam was a bit harder. That means that if you’re borderline on the practice exam, you’re probably not ready for the real exam yet.
In both the practice exam and the real exam, there are 4 possible answers to each question. However, the real exam was a bit more complex because it involved combinations. For instance, consider this question:
Which of these characters is from Marvel?
- A. Superman
- B. Batman
- C. Spider-Man
- D. Wonder Woman
The correct answer would be C, and this is similar to the practice exam.
Now consider this question:
Which of these characters are from Marvel?
- Wonder Woman
- Black Widow
- A. 1, 2, 3
- B. 1, 3, 5
- C. 2, 4, 6
- D. 3, 5, 6
The correct answer would be D, and this is closer to the real exam.
In some of the questions, you need to look closely to make sure that you’re not missing any key words. That’s particularly relevant when there seem to be multiple correct answers. Here’s another example:
Which of these American characters is from Marvel?
- A. Superman
- B. Batman
- C. Spider-Man
- D. Captain Britain
In this case, there are 2 Marvel characters (Spider-Man and Captain Britain) but Captain Britain isn’t American, so the correct answer would be C rather than D.
There are other cases where the questions contain irrelevant information, so you need to identify what’s significant. For example: “Dave is out for a walk in New York City, when he sees someone swinging past in a red and blue costume. Which superhero is it likely to be?” In this example, it doesn’t matter whether the witness was Dave or Priya; you’d need to focus on the description of the superhero, and compare that to the possible answers.