Spotlight on ISACA’s Certifications: CISA, CISM and the New CGEIT
By Howard Nicholson — November 2007
ISACA, a nonprofit IT governance association with more than 65,000 members in 140 countries, developed its first certification almost 30 years ago. Today, it offers two credentials and a new IT governance designation based on the body of knowledge of the IT Governance Institute (ITGI).
With their global focus, as well as rigorous testing, professional experience and mandated continuing-education requirements, ISACA certifications are recognized as credentials that add value to organizations.
“The need for certification as a way to identify highly qualified professionals is more critical than ever,” said Lynn Lawton, ISACA international president. “High-profile scandals, large financial settlements and damaging shareholder lawsuits have gained the attention of directors and senior management, who increasingly realize that their information technology deserves a high level of governance to minimize risks and support growth.”
ISACA has a long history of certification programs. In 1978, ISACA established the Certified Information Systems Auditor (CISA) designation, which more than 50,000 professionals have earned. In 2002, the Certified Information Security Manager (CISM) certification was introduced, and more than 6,500 professionals have earned it.
Both designations are accredited by the American National Standards Institute (ANSI). ISACA’s most recent credential, introduced in August, is the Certified in the Governance of Enterprise IT (CGEIT) certification.
IT has become vital to the achievement of enterprise goals and delivery of benefits, and executives are realizing enterprise governance must be extended to IT, as well.
After surveying stakeholders from a cross-section of industries (including chief information officers and senior IT professionals), ISACA determined there is a business need for a certification that recognizes expertise in IT governance and helps enterprises identify and hire professionals who have IT governance knowledge and experience.
To meet this growing business demand, ISACA has introduced CGEIT. Supported by ITGI, as well as built on the institute’s intellectual property and input from subject-matter experts worldwide, CGEIT focuses on the five areas of IT governance: strategic alignment, resource management, risk management, performance measurement and value delivery.
It also focuses on frameworks that provide support for IT governance (e.g., CobiT and ITIL). It is designed for professionals who have a management, an advisory or an assurance role relating to the governance of IT and who wish to be recognized for their IT governance-related experience and knowledge.
To earn the CGEIT, applicants must prove at least five years of experience supporting the governance of an enterprise’s IT (or two years of IT governance experience and three years of management experience) and pass the CGEIT exam. The first CGEIT exam will be administered in December 2008. A grandfathering program, through which highly experienced IT governance professionals can apply for certification without taking the exam, is also available for a short time (see www.isaca.org/cgeit for details).
ISACA’s first credential, CISA, is recognized as a standard for information systems auditors. Its demand continues to grow — nearly 14,400 candidates registered for the June 2007 CISA exam, a 19 percent increase from the June 2006 exam. More than 25,000 candidates are expected to take the CISA exam this year. It is offered twice each year in 11 languages and at more than 230 locations worldwide.
“Succeeding in the CISA exam in 1985 changed my perspective from ‘efficiency at all costs’ to understanding the necessity for controlling technology, its costs and its strategy,” said Georges Ataya, Solvay Business School (Belgium) executive professor and managing partner of ICT Control SA-NV. “My involvement in developing the Val IT framework is a direct result of that changed perspective.”
To earn the certification, a minimum of five years of information systems auditing, control or security work experience is required. Educational experience, such as a bachelor’s or master’s degree in the field, can be substituted for up to two years of work experience.
Those holding the CISA designation use the credential in a variety of capacities:
- More than 1,200 CISAs are employed in organizations as the CEO, CFO or equivalent executive position.
- More than 2,200 are chief audit executives, audit partners or audit heads.
- More than 3,200 are CIOs, CISOs, security directors, security managers or consultants.
- More than 5,000 are audit directors, managers
- Nearly 9,300 are employed in managerial or consulting positions in IT operations or compliance.
“I have worked in all areas of information technology, from hardware maintenance, software development and project management to IT general management,” said Avinash Kadam, director of MIEL e-Security Pvt. Ltd. “I earned the CISA certification in 1994, and it opened up new avenues of information systems consulting for me.”
In the most recent example of CISA’s industry recognition, California’s Electronic Recording Delivery Act has required those wanting to be named an approved security auditor to possess at least one of five certifications—including the CISA credential.
Similarly, Department of Defense (DoD) Directive 8570.1 has named CISA among those approved for DoD information assurance (IA) professionals. The directive requires up to 80,000 professionals to earn one of 13 certifications accredited under ISO/IEC standard 17024. CISM also received this recognition.
Additionally, numerous organizations and government bodies outside the United States have recognized CISA:
- In Hong Kong, ISACA members who have held the CISA for at least four years have the right to vote for the city’s legislative counselors, as representatives of the IT category.
- The National Stock Exchange (NSE) of India has recognized CISA as a requirement to conduct systems audits.
- In Romania, banks desiring to implement distance or electronic payment instruments, such as Internet banking and home banking, are required by law to be certified by CISA-holding auditors.
- In Singapore, CISA is accredited under the Critical IT Resource Program of the National Infocomm Competency Centre (NICC), a national body that oversees accreditation of IT-related certifications.
CISM is a much younger credential, but it is still respected in the information security industry.
“When I advise organizations on the competency model and job profile they should look for when they are searching for a chief security officer, I always recommend they seek out individuals with the CISM certification,” said John Pironti, Getronics chief risk strategist. “The CISM certification has become the leading credential for the business of information security. It differentiates itself from traditional information security certifications by focusing on the business and risk management issues associated with information security.”
Additionally, in 2006, Microsoft included CISM as an accepted security credential for the Security Solutions Competency in the Microsoft Partner Program.
CISM is designed for professionals who manage, design, oversee and/or assess an enterprise’s information security. CISM holders use their credential in the following careers:
- More than 1,000 CISMs serve as CIOs, CEOs, CSOs or security directors.
- More than 2,000 CISMs serve as information security managers or in related information security positions.
- Nearly 1,000 CISMs are in security consulting or training positions.
“Earning the CISM certification has helped me to stay current in a fast-changing technological world, helps me understand and support the information security and risk requirements of many of our clients and gives me the confidence of having attained a highly regarded qualification,” said Latha Ramanathan, information security manager at Tata Consultancy Services in India.
Demand for CISM is growing. More than 2,000 candidates registered for the June 2007 CISM exam — nearly a 25 percent increase from June 2006 — and more than 4,000 candidates are expected to take the exam this year. Like the CISA exam, the CISM exam is offered twice annually. It is available in three languages and at more than 230 global testing sites.
The test covers five areas of information security management: information security governance; information risk management; information security program development; information security program management; and incident management and response.
These areas and statements were developed as a result of a job practice analysis of the work information security managers perform.
To earn the CISM, a minimum of five years of information security work experience is required (certain substitutions are accepted), in addition to a passing score on the exam.
As employers realize the importance of information security and governance, they look to certifications to identify prospective employees with experience and expertise in these fields. A quick search of Monster.com reveals hundreds of job listings specifying a preference for CISA or CISM.
“No enterprise can surpass the abilities and talents of its employees,” said Marios Damianides, Ernst & Young partner of security and technology services. “The fields of technology and security are ever-changing, and I need to know that employees are prepared to face such challenges. ISACA’s designations are excellent indicators of proficiency in these areas.”
Howard Nicholson, CISA, is international vice president of ISACA and chair of the CGEIT certification board. He can be reached at firstname.lastname@example.org.