Combining CISSP and CISM Study

Below is the method I used to prepare for the CISSP and still use to revise and deepen my knowledge and understanding of Information Security concepts.

In short, I found that combining the CISSP and CISM exam material was the most effective (and certainly not the easiest or fastest one) method to study and prepare for the CISSP exam. While each certification has value individually, studying them together just clicked for me. This combined approach allowed me to bridge the gap between the detailed technical aspects learned from CISSP and the broader management strategies of CISM. It’s like having a complete toolkit for information security, with all the specifics and the overall framework.

The overlap between the certifications is a bonus. Instead of spending time memorising the same information twice, I could focus on understanding how these concepts relate to real-world scenarios. Building an information security program felt less like juggling and more like assembling a well-oiled machine.

This approach might not be for everyone, but for me, it just makes sense. It feels like the most efficient way to become a well-rounded information security professional, ready to handle any challenges that come my way.

Since I was preparing for the CISSP, I tailored my study to the eight domains of the CISSP exam.

Chapter 1: Security Governance and Risk Management

  • CISSP Domain 1: Security and Risk Management
  • CISM Domain 1: Information Security Governance

Topics Covered

  • Governance principles, policies, and frameworks (CISM)
  • Risk management processes and practices (CISM, CISSP)
  • Legal, regulatory, and compliance issues (CISSP)
  • Professional ethics (CISSP)
  • Business continuity planning and disaster recovery planning (CISSP)

Chapter 2: Security Program Development and Management

  • CISSP Domain 1: Security and Risk Management (partially)
  • CISSP Domain 6: Security Assessment and Testing
  • CISM Domain 2: Information Security Risk Management

Topics Covered

  • Developing and managing an information security program (CISM)
  • Aligning security strategies with business objectives (CISM)
  • Security metrics and performance measurement (CISM, CISSP)
  • Security assessment and testing methodologies (CISSP)
  • Risk assessment and risk treatment options (CISM)

Chapter 3: Asset Security

  • CISSP Domain 2: Asset Security
  • CISM Domain 1: Information Security Governance (partially)

Topics Covered

  • Information and asset classification (CISSP)
  • Ownership and stewardship of information assets (CISSP)
  • Data lifecycle management (CISSP)
  • Asset retention policies (CISSP)
  • Protection of privacy (CISSP)

Chapter 4: Security Architecture and Engineering

  • CISSP Domain 3: Security Architecture and Engineering
  • CISM Domain 1: Information Security Governance (partially)

Topics Covered

  • Security models and architecture (CISSP)
  • Engineering processes using secure design principles (CISSP)
  • Cryptography principles and practices (CISSP)
  • Physical security principles (CISSP)
  • Secure systems design (CISSP)

Chapter 5: Communication and Network Security

  • CISSP Domain 4: Communication and Network Security
  • CISM Domain 3: Information Security Program Development and Management

Topics Covered

  • Secure network architecture design (CISSP)
  • Network protocols and devices (CISSP)
  • Secure communication channels (CISSP)
  • Network attack vectors and countermeasures (CISSP)
  • Wireless security (CISSP)

Chapter 6: Identity and Access Management (IAM)

  • CISSP Domain 5: Identity and Access Management
  • CISM Domain 3: Information Security Program Development and Management

Topics Covered

  • Identification and authentication mechanisms (CISSP)
  • Identity lifecycle management (CISSP)
  • Access control models and methods (CISSP)
  • Privileged access management (CISSP)
  • Federation and single sign-on (CISSP)

Chapter 7: Security Operations

  • CISSP Domain 7: Security Operations
  • CISM Domain 4: Information Security Incident Management

Topics Covered

  • Security operations management (CISSP)
  • Monitoring and detection processes (CISSP)
  • Incident response planning and execution (CISM, CISSP)
  • Investigations and forensic analysis (CISSP)
  • Disaster recovery operations (CISM, CISSP)

Chapter 8: Software Development Security

  • CISSP Domain 8: Software Development Security
  • CISM Domain 2: Information Risk Management (partially)

Topics Covered

  • Security in the software development lifecycle (CISSP)
  • Software development methodologies (CISSP)
  • Application security controls (CISSP)
  • Secure coding practices (CISSP)
  • Security testing and evaluation (CISSP)

Suggested Study Resources

For the Exam:

  • The CISSP and CISM Official Study Guides
  • YouTube Videos
  • Some Practice Questions (do not overdo it – trust me on this)

As a Professional:

  • The CISSP and CISM All in One Exam Guides.
  • The CISSP CBK (Common Body of Knowledge)

Discover more from Opinion Grove

Subscribe to get the latest posts sent to your email.

Related Articles

Cracking the CISSP Exam: Think Like the Boss, Not Just the IT Wiz
Cybersecurity / Cybersecurity Certifications

Cracking the CISSP Exam: Think Like the Boss, Not Just the IT Wiz

Konstantinos Veves
The Myth of the Automatic Promotion: Why Great Doers Aren’t Always Great Leaders
Cybersecurity / Cybersecurity Certifications

The Myth of the Automatic Promotion: Why Great Doers Aren’t Always Great Leaders

Konstantinos Veves
Cracking the CISSP: Questions and Analysis
Cybersecurity / Cybersecurity Certifications

Cracking the CISSP: Questions and Analysis

Konstantinos Veves