CISM, CISA & CRISC – WHICH CERTIFICATION TO TAKE?

Posted on by Henrik Parkkinen


CISM, CISA, CRISC. Which one, of these three, is the best ISACA certification?

I have been asked this one a couple of times since I worked my way through these certifications. And I have also been asked:

  • Which gives the most bang for the buck?
  • Which one should I take?
  • Why did you take all three of them?
  • Who should take these certifications?
  • <Insert question>

I would rather switch the question around a bit and look at the subject from a couple of other perspectives. And this is what I will do in this article.

I will share my thought process and why I choose to take these three certifications from ISACA. And I will mix in some of my own thoughts around certifications and my journey towards achieving CISM, CISA and CRISC.

CISM, CISA and CRISC from ISACA

All three (CISM, CISA, CRISC) of these certifications are well-recognized and highly ranked in the security industry. Of course, this was something in my process that I contemplated but it was not the only thing. There were other things that were drivers for me personally.

I am a proud holder of these certifications. I am proud of my achievement. I am proud of being a part of a great community, i.e. ISACA. And I am proud of the knowledge I possess in the areas of these certifications.

For your information!

This article is a long one. I have tried to put out answers to as many questions as possible that I have received from those who have reached out to me asking about these certifications (CISM, CISA, CRISC).

This article is not a “How you pass CISM, CISA and CRISC for breakfast!” thing. This article do not contain any hidden or secret recipes for how to pass these certifications. I do not share the magic formula for passing. I do not have that one.

This article is providing you with my personal insights and thoughts about certifications in general and the CISM, CISA and CRISC.

I think that this article should be read by you who are curious about taking these certifications. If you are aiming for the CISM, CISA and CRISC I hope this article will help you to find out if these certifications are right for you.

This form of article about the CISM, CISA and CRISC is also what I personally would have appreciated. A personal story that shines some light over the “Why” question. If you feel the same way, enjoy the reading.

TERMS & DEFINITIONS

Below are terms and definitions that will be used several times in this article:

  • CISM –  Certified Information Security Manager
    This certification is targeted toward those who want to demonstrate their knowledge of security management and strategy. For example security leaders, managers, and decision-makers.

  • CISA – Certified Information Systems Auditor
    This certification is targeted toward those who want to demonstrate their expertise in IS/IT auditing, control, and security through a risk-based approach. For example security and IT auditors.

  • CRISC – Certified in Risk and Information Systems Control
    This certification is the only credential focused on enterprise IT risk management. The certification is targeted toward those who want to demonstrate their expertise in building a well-defined, agile risk-management program, based on best practices to identify, analyze, evaluate, assess, prioritize and respond to risks.  For example risk practitioners and security professionals.

  • ISACA – Information Systems Audit and Control Association
    ISACA is the organization that provides the certification mentioned above.

PROLOGUE

Well, you will get quite a good perspective of how much time I spent before I decided to go with ISACA…and that is more of who I am. I enjoy contemplating. Analyze stuff. Break things down. Think things through.

Sometimes it would have saved me energy and time to spend less time…but hey, I kind of like to sort things out in my brain. That is one of the most fun parts of a journey for me. Strategize. The thinking.

And this, kind of thinking, is also something that I got the sense of and an impression of and that ISACA, as an organization, also supports. I read tons of blog posts, white papers, and watched YouTube reviews around the internetz. I did my due diligence…as always. I did my pre-study very thoroughly.

The more I got to know ISACA the more I felt this was the right path for me. I try to approach my certifications and the time spent on the process as an “investment”. Before I jump into things, I like to go through a personal pre-study phase.

ISACA, I am truly impressed by the organization. So much value is generated through such a great community. Kind people. Great support. Progressive knowledge development. Inclusive feeling. Engaging atmosphere. You guys do a great job, and I’m glad to be a part of the community! And I do not get any form of commission for saying this.

WHAT IS THE VALUE OF CERTIFICATIONS?

I think that certifications provide value from mainly two perspectives. A personal perspective and from an external perspective. By this I mean, a certification holds the value you or others give to it. If you personally think it is worth it and something that is value-adding for you as an individual that is true for you.

And I do not think that is something that should be argued against. This is also something that I believe in. Certifications are for me, towards myself, a test of my knowledge. And yes, I still though hold the same knowledge without the certifications. But the certifications provide me with an external validation of my knowledge towards a specific test.

At the same time, I also think that knowledge will always trump certifications, degrees, or studies. A certification can though provide external validation of knowledge (as I personally see it). But certifications are not something that always equals knowledge. There is no guarantee that just because someone holds a certain certification has that knowledge in practical terms. A certification can also be seen as that the person accomplishing it holds certain knowledge during an actual period when the exam is written.This is where experience comes in and play a vital role.

I know persons who are more experienced than myself and that I consider more skilled in certain areas, which the certifications are targeted towards, that do not hold any certifications. So there is no right or wrong, according to myself, that one must hold certain certifications to provide evidence for the knowledge one holds. Everyone does not put the same value into certifications from a personal perspective. And I am totally fine with it.

Knowledge combined together with experience and certification is something I believe in, and this is what I strive for. Before I took the CISM, CISA, and CRISC I had put my hands and brain into the things that the certifications tested me at. I was not new to the concepts tested in the examinations which helped me a lot during the tests and preparation.

The CISM, CISA, and CRISC are targeted toward persons who have practical experience in the field and areas. In the certification process to be approved by the CISM, CISA, and CRISC the person must describe and provide how many years of practical experience is held in each area of the subject the certifications test the “student” at. And the application and experience must be signed by someone who can validate the correctness of the experience, for example, the “students” manager.

It is also worth mentioning that certifications are something that may be a requirement for certain forms of assignments or roles. For example ISO, PCI-DSS, FedRAMP, or a customer/organization requiring a certain certification. This is not only applicable to the certifications mentioned in this article, the CISM, CISA, and CRISC are though well known and usually found as requirements. Another one that often is mentioned is the CISSP or certifications from SANS.

And as said earlier in this article, the value of certifications comes from the value that you personally or someone else put into it. Someone else might be that external organization, industry, HR, partner, customer, assignment etcetera. You can not control the requirements or the value an external entity puts on certifications.

BACKGROUND & THOUGHTS

I have +20 years of knowledge in the field. Approximately half of this time has been spent on technical hands-on assignments. The other half of these years I have been conducting assignments on a non-technical level (so-called management and business assignments/consulting) in various management and leadership roles.

Today most of my assignments are mainly around management/leadership/business consulting within the security realm, but here and there get involved in semi-technical things around offensive and defensive security. It is always fun to click the buttons and do some technical things here and there. Or to study some Offensive security, have some fun during a CTF or just hack stuff.

I have always been fascinated by the abstracts within the IT field, all the way back since I studied in school. I was and still am, and always will be, one of those persons who really liked to dig deep into the topics I found interesting. I am a nerd, and I am proud of it. And this is still how I operate when I want to learn something that interests me. I kind of try to outthink myself. See how deep I can travel into the rabbit hole of knowledge for a given subject.

Related to ISACA and the certifications they provide I did a fair amount of research on one specific part.

“What is their body of knowledge built around?”

The more information I came across the more I liked the form of their “knowledge model”. The certifications, which I choose, were agnostic from a methodological perspective. What I mean is that they are concept based. The knowledge is formed around conceptual thinking for how tasks of operational, tactical, and strategic characteristics are conducted.

Some say that the way ISACA puts out the concepts does not always reflect real-life scenarios. Well, that’s true. There are loads of theories and knowledge out there which are not totally aligned with how things work in the reality. Not only from ISACA but also from other vendors and academies.

Personally, the ISACA concepts, for those certifications I have taken, resonated very closely with how I have conducted assignments and tasks in the same fields of expertise. But of course, I have been making deviations here and there when I have applied the concepts or me taking another path to achieve a result. I am a pragmatic dude and always will be. I strive for practical applications of the things that I learn and encourage others to do the same.

I don’t see conceptual knowledge or theories as something that is the holy grail or that deviations from those are not allowed. From my point of view, the art of wisdom is partly when one can transform knowledge from theories into pragmatic and applicable real-life practices.

In summary, I have found that ISACA’s conceptual methods are very close to my personal thinking and how I approach tasks and activities in the cyber security, information security, and IT security realm. This is my opinion so it will be subjective. But I will always choose the pathway that I find most practical and effective to achieve my goal. Theories are great but the practical application of it is king. Security is not battled In theories. Risks, threats and vulnerabilities are real.

But to make a long story short, I think that ISACA’s concepts are much more easily understood if you have had a couple of years in the field and made some of the most common mistakes. Yes, you heard me right. Mistakes. A mistake can be “How to think about a concept/method/theory” or “How you conducted a certain task”. We learn from our mistakes. It’s a cliché but it’s true.  And keep in mind that in every mistake there is something that is correct. Everything is not incorrect just because it’s a “mistake”. And a mistake is not about failing, it is just a result that is a part of the process.

CISM, CISA & CRISC

Three exams, within the same realm. With this, I mean that these certifications are all knowledge based on concepts and on theories from the industry related to security. They do not test the student on technical know-how. Questions will hear and there touch around technical subjects but do not ask for how a certain technology for example shall be configured, designed, implemented etcetera.

And for the reason that I like to nerd myself into subjects, it also felt inspiring that there were three certifications. Three subjects within the same realm (I.e. non-technical security stuff) where I could test my skills.

This is my personal masterpiece that I have constructed on my own. All credits and bragging rights reserved.

What happens when you get all those three certifications? Do you get a certain title, like Certified Cyber Security Management Expert or similar? No. You do not get that sort of a title. And I think it is a good thing.

ISACA does not push the students to stack up these certifications. Each certification holds its own credibility and recognition. This was at least the case when I took the certifications. What happens in the future I do not know. I hope it remains the same.

So why take all three?

Well, why not if one has the knowledge, interest, and/or motivation? For me, this was also a part for myself to validate my knowledge towards myself (as said earlier in this article). To get an external confirmation that the knowledge I hold and have collected through my career is and can be validated by an external entity. This was one of the motivators for me. Knowledge is something I possess, and I’m very comfortable and proud of it. Now a word or two about each certification.

CISM

This was my first ISACA exam. Before taking the CISM I felt very comfortable with the knowledge ISACA had included in the certification and that I was to be tested on. I kind of felt that it all made sense. All my aggregated knowledge from the years of working came down to a test that is based on experience and knowledge combined with the methodologies outlined in CISM.

I personally think that this exam may be a bit hard to crack if one does only have the technical know-how and less security management experience. This exam is not a technical test. It tests the knowledge of security from a management perspective.

CISM from ISACA

Besides those who are aiming for a decision-maker, leadership, or manager role in security, this exam provides perfect knowledge for those conducting business and management assignments. I also think security architects can benefit well from the knowledge gained through this certification.

But keep in mind though, that just because a person has passed this exam does not mean he/she is a person who can lead a team or an organization. It does not and is not a test in leadership. What I mean here is that, and what I strongly believe in, a manager/decision maker/leader within security also needs leadership skills. Management and leadership are two different skills.

CISM is a test of knowledge in “security management”. I am not saying this is something negative about the certification but leadership skills and knowledge in security management are two different domains. Each one can be trained but it is two different disciplines. Just because a person holds the CISM does not mean there is a great leader behind that knowledge/certification. I think you get it.

Regarding leadership and management roles in security, you can read my CISO (Chief information security officer) series in three parts to get a deeper understanding of my philosophies. And of course, get a feeling for what the CISO role is about.

Before I took on this exam, i.e. CISM, I did not use any form of practice material. I felt comfortable in just going for it. I am aware that this might come out as a brag and that I am boasting myself. This is a hit I am willing to take though as I aim to be as transparent as possible with my own journey. I am by no means saying that this certification was an easy one. This is just how I did it.

CISA

This was my second ISACA exam and the CISA exam was an interesting one. In one way this exam may be one of these three (CISM, CISA, CRISC) from ISACA which would make the most sense to start out with.

Usually, one starts out with auditing before moving into a more managerial role or discipline. For example, managing a certain people, teams, functions or projects. This was the case for me as well. Before I for example took on my first leadership role I had conducted several audits, assessments, and risk management assignments.

Before I sat for the CISA, I also felt that the knowledge I had gained from applying several different industry best practices, frameworks, and standards for auditing and risk management built up a solid foundation for this exam. I have also had the opportunity to develop auditing and assessment frameworks on my own.

CISA from ISACA


The student does not need to have a deep understanding of certain standards or frameworks though, CISA will not test those parts. CISA is an agnostic certification in auditing. But if you have worked with some well know standards and frameworks in your professional career, that will help you out. Experience and knowledge will be beneficial. It was it at least for me.

If you are aiming to take all these three certifications it makes perfect sense to start here. This exam is not by any means the easiest but to see it from a career, practical and holistic perspective it makes perfect sense. Start here…but it’s not a “must”. It all comes down to where you are, as a “student” and how comfortable, interested, and motivated you are. I did not start with this one though, I went for the CISM first.

So maybe you should not listen to my recommendations after all? Just kidding! CISA is a perfect starting point. For the CISA certification, I needed to refresh some of my skills and things related to auditing. But the most parts of my preparation for this certification also came from my professional career, i.e. knowledge I have accumulated and stored in the tank.

CRISC

This one was the last one in the order for me of these three. I am a strong believer and supporter of risk management as you might have understood if you read some other articles and browsed around my website. This exam was something that also made perfect sense for me to write and how the exam was framed.

I have had the opportunity to develop and implement several risk management methodologies during my professional career. And also, to conduct numerous risk assessments, educate and coach individuals and organizations in risk management. And I have also studied different frameworks and standards along the road.

Along this list of risk management experience, I have also conducted third-party risk management, risk management related to supplier and systems assessment, cyber security risk and threat assessment, and cloud security assessment.

CRISC from ISACA

I think that the risk management discipline is something that has a very interesting future ahead. Machine learning, AI, and quantum computing. Yes, this can be something really cool! Something very powerful.

CRISC could be a good candidate for being the second certification in the ordering of these three. CISA and auditing are coupled with risk management. But CRISC will take you as a student on a deep dive into the risk management subject.

The knowledge from both CISA and CRISC will be tested during the CISM certification but from a security management perspective. I took the CRISC exam as my third certification.

I have written more about risk management, risk assessment and the phases in the process in these articles:

The articles are not and shall not be seen as learning material for the CRISC exam. They reflect condensed experience and knowledge that I have collected through my career. But I have gotten lots of good feedback on the articles I have written from many others saying that they have been very helpful in their studies for the CRISC and CISM. Check them out on yourself and decide, I hope you find them helpful and value adding.

Before taking this exam, I actually did some studying. I wanted to make sure I had the right terms and acronyms understood from an ISACA point of view. Many risk management frameworks and standards use the same concepts, but the terms and acronyms might differ. Magnitude named in one standard is equivalent to for example impact. Frequency is the same as Likelihood. And in general, the risk assessment process might also differ a bit for example as there are more or fewer phases used between standards and frameworks. But in general, I felt very comfortable to write this exam. I went for it without using the official study material.

PATH FOR CERTIFICATION

I think that there are strong incentives to start out with CRISC as the first certificate. The main reason for this is due to that both in the CISA and CISM you as a student will be tested in risk management.

Auditing is strongly related to risk management. And if you are about to take on a role within security management (which the CISM is targeted towards) you need to, according to my personal belief, have a solid understanding in risk management.

As risk is the most fundamental part of security I therefore suggest the following ordering as option 1. But for those who want to take another route, there is an option 2.

Option #1:

  1. CRISC
  2. CISA
  3. CISM

Option #2

  1. CISA
  2. CRISC
  3. CISM

MY JOURNEY

And as you see. I did the almost total opposite, starting out with CISM and then taking CISA and ending the hat trick with CRISC. This was what made the most sense to me. This was the path that also felt most fun for me to take.

I wrote the exams during a period of 3 months (4 calendar months, where I had 1 month of vacation in between the certifications). Me boasting again. Claiming those brag rights. Just kidding. I try to be transparent. (I actually wrote 4 exams during this period. The forth one was CCSK from Cloud Security Alliance.)

So, what was the thing that did provide me with the capability to pull them off in three months? I have got asked this question by colleagues, peers in the field my network, persons I have coached and mentored.

The answer to it is those +20 years of experience, doing the job. Pulling up the sleeves. Contemplations around the subjects. Testing out theories. Applying newly gained knowledge. Continuing to read and learning along the road as working professionals.

I can not emphasize enough how much the experience helped me. But I am not saying this amount of experience is needed for others to pass the certifications. And I have not been actively targeting myself toward assignments or roles throughout my career to be able to take these certifications.

My personal journey has primarily been focused on gaining knowledge and taking on assignments, roles, and activities in my professional career that I find fun, interesting, challenging, and that make me grow.

From a retrospective point of view, I can not say that there is one thing that stood out or that I had as a main advantage. It is the composition of the complete exposure to all the domains that the certifications tested me in. And when looking at it from this viewpoint, it is quite cool and satisfying. To see that all those years and accumulated knowledge have a direct translation to a certification. Or three certifications, CISM, CISA, and CRISC. And that I could pull them off with very low studying.

As a person, I am a constant learner and seeker of knowledge. I enjoy the learning process. To research and improve along the road. And when I find myself that I am “understanding” the subject, which means that I feel that I am currently satisfied with my knowledge in a certain domain and can apply, practice, and explain it to others, I seek something new to learn.

The new things can be something that deepens my knowledge within a certain domain, for example learning a standard or framework. Or by taking on a security discipline that further improves me in my profession. For example leadership studies. I love leadership. It is an endless journey of studying, pretty comparable to the security discipline I would say, and an important skill to have if you want to become a security leader.

When a certification is gained in a certain subject it does not mean that the knowledge learned is valid to infinity. This is true for almost every certification out there. And to put this into the security realm, knowledge learned today may most likely be obsolete in the future. The security landscape (threats, risks, vulnerabilities, technologies, organizations, world, geo politics etcetera m) changes. And the change is constant.

To keep up with that change, from a knowledge perspective, one must be willing to grow their knowledge along the road. Stay curious and learn new things. Be interested in new trends, frameworks, standards, and so forth. Read about emerging technologies. Stay updated with what is happening out there, in the threat landscape and the security universe. This is what I also like about the security field. There is constant change and so much to learn. But I also think that the learning process needs to and shall be treated as a marathon. It is not a sprint. It needs to be sustainable over time and something that stands the test of time.

One of the best ways to continue to learn and grow is to surround yourself with a community and network of people. Create connections with people who share the same interest. Surround yourself with people who are smarter, wiser, and willing to share knowledge and help you to grow. One way to accomplish this is to use social community platforms, such as LinkedIn for example. There are tons of great minds out there who share their knowledge, experience, and wisdom. And they do it for free!

This is also how I share my knowledge, experience, and wisdom. I put it out there, to help others who help me. My ambition is to help others to grow in their own journey. And also inspire others to do the same, and share their knowledge. Improve and grow together.

Ask yourself how to achieve a sustainable environment for you that makes you grow in your profession. Seek the knowledge, that is what will make you stand out and also accomplish the goals (certifications, assignments, skills, projects) you commit to. Invest in knowledge, knowledge is an investment.

I hope my website, www.HenrikParkkinen.com, can be one of those resources to help you as an individual to grow. To gain further knowledge and experience that I share from my +20 years in the field. This is what I try to do. Help you to grow. Provide a platform where you can gain information, knowledge, and experience and take part in my personal contemplations about security stuff.

RECOMMENDATION

This is one of the methods I kind of use for everything I try to learn, independent of subject or topic. I used this method during my studies for the exams and still do and always will. It has worked for me, not saying it should work for others or that others shall use it. But I want to share it. It is universal. I have used it for years.

I would recommend those who are taking on the exams to, if possible of course, apply the knowledge during your professional day-to-day work. If you for example study how to conduct an IT risk assessment, try to apply the knowledge practically. If this is not possible, contemplate around how the principles may be applied if a risk assessment were conducted. Or develop a PoC of a methodology on a high level by illustrating it in PowerPoint, paper, or on a whiteboard. Show it to others and explain it to them. There is a strong power in actually “creating” something. Your brain will believe and acknowledge the learnings when practiced. You as a student also create belief in yourself. You build up yourself for an accomplishment waiting for you.

Think about it, this is exactly how it works in the sports world. Practice, practice, and practice. If there is a need to for example strengthen a certain skill, then more repetitions are made in that area. And the repetitions do not always need to be practical. On the whiteboard, in an actual assignment, on the PowerPoint etcetera. They can be mentally conducted just within a cognitive plane. This is for example how the UFC fighters, golf, hockey, basketball, and soccer players do. This method is also something that is used in chess, poker, and other board games. The list goes on.

If there is not a practical application you may be able to apply the knowledge at, do the mental reps. This is also training. Visualizing and contemplating how things are done. Might sound like hippy shit, but trust me. It’s not. Your brain can not distinguish between fiction, fantasy, and reality. This is science. And it is a really cool universal life hack.

MY PERSONAL LEARNING PROCESS

This is how I do it:


1.) Gather information
2.) Read and processes the information
3.) Contemplate and analyze
4.) Apply and test what I have learned
5.) Contemplate what I learned from the practical testing (in step 4)
6.) Discuss with others in my network
7.) Contemplate the information from the discussions
8.) Apply and test the new learnings
9.) Repeat

WHY CeRTIFICATIONS?

I am one of those persons who truly like the learning process. Collecting and analyzing information, and knowledge and translating it into my own wisdom. And of course, applying it into practice.

The motivator, at least in my opinion, should also come from that it’s somewhat “fun”. If it’s not fun to learn the stuff I think the burnout factor, procrastination etcetera becomes significantly amplified.

Find something that motivates you. It will not be fun 100% at the time but when zooming out and asking yourself “WHY am I spending my time on this?” the answer and the feelings should be closer to “fun” instead of the opposite. What is your “why”? Find that before kicking off and things will become smoother. And understanding and finding that “Why” before kicking off will help you to stay motivated.

It will help you to stay focused and also get back to your personal driver. It gives strength and power. And I do not think there is a universal answer to the “Why”. Most of us are driven by different attributes and factors. Understand your personal drivers and what keeps you motivated. It can be a good idea to write it down, on a piece of paper that you have at hand and can take a look at it if your start to feel unmotivated. Personally, I keep that piece of paper in my mind. I do not write them down on paper…and that is just who I am. Pick the method that suits you.

For WHO?

Who should take the CISM, CISA, or CRISC certifications? Or all three of them

If you are having the ambition to become, or already working as, a business leader, or take on a management or leadership position within the security field these certifications are for you. If you are more leaning towards a certification that tests your technical security knowledge across all security domains CISSP is the one for you. It contains some of the domains found in for example CISM and CRISC. Fewer things were found in CISA.

At the same time, I think that the certifications are not and shall not only be seen as something that only should be held by non-technical roles. Knowledge is an investment. And I can see that many roles that are technical would benefit from the knowledge that is provided through the learnings.

The CISM I think would make total sense for a security architect as it spans a broad range of disciplines. The same goes for the CRISC. Risks are everywhere and security is about risk. And for a technical specialist to understand how to “speak” about security from a risk perspective is a very strong capability to possess. This is, in general, how decision-makers and non-technical persons communicate about security.

The CISA is more domain-specific toward auditors. It may still provide good value and knowledge for a technical role but not as high as in compression to the CISM and CRISC according to my own opinions.

So if you have gotten inspired to start out the journey with one (or all three of these certifications), what’s next? Now it is time to ”Go”. The first place to visit is to go to ISACA’s website and take a look at the learning material for the certification(s).

And I would also recommend you read a couple of their journals and blog posts on the subjects which are covered within the certification(s). They shall not be seen as learning material but they do provide very good knowledge and they are written by experts in the field. Many of them have one or more of these certifications. You will get further perspectives on the subjects, such as for example risk management, auditing, security governance, and so forth. It will also broaden your insight into the topics and subjects.

EPILOGUE

Certifications are not an absolute must to become an accomplished security professional. If you find the learning journey interesting and value adding for YOU, go for it.

ISACA require a holder of one or more of the CISM, CISA and CRISC to keep the certifications to pay a yearly fee and to report CPEs. I short, when the certifications are passed a yearly fee must be pied for renewal and CPE points need to be collected. As this is a monetary aspect and time commitment I suggest that you take this into consideration before jumping on. Read up on what this means and if these requirements are achievable and sustainable for you. Most certification bodies (ISACA, ISC2, etc.) have similar requirements in place. This is not something unique to ISACA.

As said before, I see knowledge as an investment. I think and recommend you who are reading this to look at it in the same way. This has nothing to do with CISM, CISA and CRISC. This is how I think about knowledge. It is an investment in yourself. Something that can not be taken away from you. And In this case, the monetary and time commitment becomes secondary. But hey, it is an individual decision for everyone. This is though how I resonate.

And some last words of wisdom. Do not let your fears of failing to hinder you or stop you from being brave and walking out into the fields of unknown territory. A new subject, certification, or knowledge area might feel overwhelming at first when there are loads of new terms, acronyms, models, and abstracts but this is a part of the journey.

But the best way forward is to go, just go for it. Start out. Let your ego step aside and soldier on out there. Stretch the boundaries of your comfort zone. This is what really will make you and your knowledge grow and transform it into wisdom. Be curious to test out new things. Get yourself into activities, projects and areas that enable you to grow. To become a more accomplished security professional, if that is the goal, a broad understanding will serve you well. Trust me on this one!

Always keep learning, just a little at a time. 1% here and there. Always keep improving. Same principles here, 1%. Stay open-minded. Be humble. Share your knowledge. Listen to others. Stay curious. Be kind. Grow.

FUN FACT

According to my approximations (that may be a bit off but gives a ballpark figure), with the help of figures provided by ISACA from 2021, there are around ~100K persons on the planet earth who are active holders of the combo: CISM, CISA, CRISC from ISACA. ~100 of those live in Sweden. One of them lives in the city of Skövde (~population of 50K), Sweden. And I am one of them and it feels cool to be one of these people. </Boasting and bragging again>.

Thanks, ISACA for all the work you, the community, and volunteers (including myself) put in! Glad to be a part of it!

I hope this article provided some useful and inspiring information for you to start out your own knowledge journey.

Knowledge is an investment.
Invest in knowledge.

Henrik Parkkinen, Security dude

Henrik Parkkinen