What is the CISM Certification?

CISM, which stands for Certified Information Security Manager, is a certification provided by ISACA (Information Systems Audit and Control Association) that indicates an individual's ability to align information security with the business goals of a company. It emphasizes how management skills relate to IT security. It's well suited to anyone in infosec with an interest in the managerial aspects of information security, as opposed to the technical aspects. This could include IT managers, consultants, auditors, and chief financial officers, as well as anyone hoping to attain one of these positions in the future.

Why Become a CISM?

There are a few key reasons why it's worth becoming a CISM if you're involved, or want to be involved, in the information security programs of a company. First, it gives you foundational knowledge of IT security and managerial concepts. Second, it often comes with a pay raise. According to Certification Magazine's most recent data, the average pay for a CISM is $127,063, at the top of a list of 163 different security certifications. Third, employers love it, and for good reason:

  • It’s a good way to screen potential employees. If someone is a CISM, it generally means that they have the foundational knowledge to make smart information security and managerial decisions.
  • Having CISMs on board lends security credibility to the company.
  • CISMs are able to assess company practices and policies and make changes that lead to more secure information practices.
  • It leads to customer retention because having CISMs as part of the team demonstrates real commitment to security.

How Do You Become a CISM?

There are four main steps to becoming a CISM: the CISM exam, work experience, agreement to a code of ethics, and continuing education.

The CISM Exam

The CISM Exam consists of 150 multiple-choice questions covering the following topics:

  • Information Security Governance
  • Information Risk Management
  • Information Security Program Development and Management
  • Information Security Incident Management

You have 4 hours to take the exam, and in order to pass you have to earn a score of at least 450 out of 800.

To learn more about the anatomy of the CISM exam, download the comprehensive guide to the exam. It includes information about the exam structure, content, application process, and general reasons why you should consider getting this in-demand certification.

Work Experience

In order to become a CISM, you have to report at least five years of work experience in the information security field. Three of these years have to span three of the following job practice areas, which you'll notice are the same as the CISM exam topics:

  • Information Security Governance
  • Information Risk Management
  • Information Security Program Development and Management
  • Information Security Incident Management

These five years of job experience have to come either in the ten years before you take the CISM exam, or within five years after you take the exam.

Code of Ethics

ISACA provides a strict CISM code of ethics that CISMs are expected to follow.

Continuing Education

To ensure that CISMs stay up to date with the latest technology, security practices, and so on, ISACA requires CISMs to complete a certain number of continuing education hours every year. This allows ISACA to make sure that its certification continues to represent qualified CISMs.

Once you're certified, in order to maintain your CISM you have to attain and report a minimum of 120 CISM continuing education hours within three years, starting on 1 January after your certification. Additionally, every year following these three years CISMs have to attain and report at least 20 CISM continuing education hours, counting from 1 January, and pay an annual maintenance fee.

ISACA says of these continuing education hours, "This training must be directly applicable to the management, design or assessment of an enterprise's information security or the improvement of those skills." These continuing education hours can come in a number of forms, but a few examples are as follows:

  • ISACA-sponsored conferences and courses
  • University or self-paced courses relating to the management of security information systems
  • Publication of articles or books in this field
  • Exam question development or review
