The Certified Information Security Manager (CISM) certification indicates a professional's expertise in information security governance, risk management, incident management, and program development and management. A CISM certification is evidence of your expertise in the following domains:
- Information Security Risk Management
- Information Security Governance
- Incident Management
- Information Security Program
CISM certification is growing in popularity among both existing and aspiring managers, as enterprise cybersecurity has become a C-level and board responsibility. The certification provides a management credential that complements technical certifications and prepares holders to run security operations at enterprise scale.
The Information Systems Audit and Control Association, now known only by its acronym ISACA, is the international professional association that administers the CISM. The requirements for the certification are five years of relevant work experience, passing a single exam of 150 questions taken over four hours, and paying a registration fee.
The current CISM exam content outline has been in effect since 1 June 2022. The exam tests your expertise in four work-related domains that apply across industry verticals; its 150 questions are weighted across these domains as follows:
Information Security Governance – 17%
Information Security Risk Management – 20%
Information Security Program – 33%
Incident Management – 30%
The CISM job practice defines task and knowledge statements for each of these domains, and every exam question maps to one of them.
Interested candidates can register online for the CISM certification exam. The exam is available in two formats: an online test that is remotely proctored, and an in-person test held at an official testing center.
Eligibility for the exam is checked at the time of registration. The registration is valid for twelve (12) months (365 days). If you do not schedule and sit the exam within this 12-month eligibility period, you forfeit the fee. Eligibility deferrals and extensions are not allowed.
Once you have passed the CISM exam, the final step to becoming a CISM-certified professional is to submit your application for CISM certification. Before submitting the application, you must make sure that you meet the eligibility requirements. You must have
- passed the CISM Exam within the last 5 years.
- obtained the relevant full-time work experience specified in the CISM exam content outline.
- submitted the CISM Certification Application and paid the application processing fee.
1. Candidates must pay a US$50 application processing fee with every submission. The fee is a one-time, non-refundable payment.
2. Candidates must apply for certification within 5 years of passing the exam.
3. An application is processed only once payment has been received and the application is complete, so finalize both before submitting to avoid delays.
Note: Applications are reviewed in the order they are received.
Applicants must fulfill the following requirements to get CISM Certification:
1. Pass the CISM Examination.
2. Adhere to the ISACA Code of Professional Ethics, which governs the professional and personal conduct of ISACA members and CISM holders.
3. Submit proof of the required minimum work experience: applicants need a minimum of 5 years of work experience in professional information security management, as specified in the CISM job practice areas, to obtain the certification. This work experience must have been gained within the 10 years preceding the application date, and the application must be submitted within 5 years of passing the examination.
4. Follow the Continuing Professional Education (CPE) Policy: the CPE policy exists to maintain each holder's competency and ensure that all CISMs keep an adequate and current level of proficiency in the security domain. CISMs must earn a minimum of 20 CPE hours each year and 120 CPE hours over each three-year reporting cycle to remain certified.
Candidates can substitute a maximum of 2 years of the work experience requirement through the following means:
Applicants can obtain a two-year waiver if they have:
- Three years of work experience as a Certified Information Systems Security Professional (CISSP) in good standing
- Three years of work experience as a Certified Information Systems Auditor (CISA) in good standing
- A postgraduate degree in information security or a related field (e.g., information assurance, information systems, business administration)
Applicants can obtain a one-year waiver if they have:
- One full year of work experience in information systems management
- One full year of work experience in general security management
- A valid skill-based security certification (e.g., CompTIA Security+, SANS Global Information Assurance Certification (GIAC), Disaster Recovery Institute Certified Business Continuity Professional (CBCP), Microsoft Certified Systems Engineer (MCSE), ESL IT Security Manager)
These substitutions never reduce the core requirement: regardless of any waiver, candidates must still demonstrate a minimum of 3 years of information security management work experience.
Many professionals take the CISM exam before meeting the work experience requirement. This is permitted; however, the CISM designation is not awarded until the candidate meets all of the requirements.
Anyone with technical expertise and experience in IS/IT security and control can advance their career with ISACA's Certified Information Security Manager (CISM) certification. Certified professionals are better positioned to move from individual contributor to manager, and the CISM adds credibility and confidence to their interactions with internal and external stakeholders, peers, and regulators.