Certified Information Security Manager (CISM) Certification

Last updated on 06th Oct 2020, Articles, Blog

About author

Akhil (Cyber Security Manager )

He is a proficient technical expert in his industry with over six years of experience, and is dedicated to imparting practical knowledge to freshers. He shares these blogs with us.


The ISACA community of members, volunteers and professionals is guided by its Purpose and Promise, which define the essence of who ISACA is and what it does. Its Purpose is the reason it exists: to help business technology professionals and their enterprises around the world realize the positive potential of technology. Its Promise is how the organization and its individual members deliver on that Purpose: the work done every day to inspire confidence that enables innovation through technology.


Applicants must meet the following requirements to become CISM Certified:

Successfully Complete the CISM Examination:

  • The examination is open to anyone with an interest in information security management, and all are encouraged to work toward and take it. Candidates who pass receive, together with their notification of a passing score, all the information needed to apply for certification.

Adhere to the Code of Professional Ethics:

  • Members of ISACA and holders of the CISM designation agree to a Code of Professional Ethics that guides their professional and personal conduct.

Adhere to the Continuing Professional Education (CPE) Policy:

The objectives of the continuing education policy are to:
  • Maintain an individual's competency so that all CISMs keep an adequate level of current knowledge and proficiency. CISMs who comply with the CISM CPE Policy will be better equipped to manage, design, oversee and assess an enterprise's information security.
  • Provide a means to differentiate between qualified CISMs and those who have not met the requirements for continuation of their certification.

Demonstrate the Required Minimum Work Experience:

A minimum of five years of professional information security work experience, including at least three years of information security management experience in three or more of the CISM job practice areas, is required for certification. The work experience must have been gained within the 10-year period preceding the application date. Candidates have five years from the date they pass the exam to apply for certification.

Substitutions and waivers may be obtained for a maximum of two years of the general experience requirement, as follows:

Two Years:

  • Certified Information Systems Auditor (CISA) in good standing
  • Certified Information Systems Security Professional (CISSP) in good standing
  • Post-graduate degree in information security or a related field (e.g., business administration, information systems, information assurance)

One Year:

  • One full year of information systems management experience
  • One full year of general security management experience
  • Skill-based security certifications (e.g., SANS Global Information Assurance Certification (GIAC), Microsoft Certified Systems Engineer (MCSE), CompTIA Security +, Disaster Recovery Institute Certified Business Continuity Professional (CBCP), ESL IT Security Manager)

The experience substitutions do not satisfy any portion of the three-year information security management work experience requirement.

Every two years spent as a full-time university instructor teaching the management of information security can be substituted for one year of information security experience.

Note that many individuals choose to take the CISM exam before meeting the experience requirements. This is acceptable, although the CISM designation is not awarded until all requirements are met.

What you’ll learn

  • Govern information security policies
  • Manage risks and ensure compliance with information security policies
  • Develop, implement and manage an information security program in an organization
  • Manage information security incidents

Prerequisites

  1. As for the CISM certification exam, candidates are expected to have a minimum of five years of experience in information security management.
  2. Experience in information security governance, risk management, compliance and incident management is also preferable.


The Certified Information Security Manager (CISM) course helps candidates achieve the CISM certification. The certification is offered by the Information Systems Audit and Control Association (ISACA) to validate a candidate's knowledge of the relationship between an information security program and the broader goals of the business, and to validate hands-on experience in developing, implementing and managing an information security program for an organization.

CISM is aimed at experienced information security management professionals with work experience in developing and managing information security programs. The course covers the four domains of the CISM certification exam and is suited both to students seeking CISM certification and to IT security and information security professionals looking to build on their practical experience.

Who this course is for:

The ideal candidates for the course are:
  • Experienced information security managers and officers
  • IT consultants and managers
  • IT auditors
  • IT security policy makers
  • Privacy officers
  • Network administrators
  • Network security engineers
  • Candidates seeking CISM certification

How to become a CISM

The CISM certification process includes a 150-question multiple-choice exam that is scored on a 200-800 scale, which allows performance comparisons to be made among candidates. A score of 450 is required to pass, indicating that the individual meets the minimum consistent standard of knowledge set by the ISACA Certification Committee.

The exam covers four content areas:

  1. Information security governance
  2. Information risk management and compliance
  3. Information security program development and management
  4. Information security incident management

To be certified, applicants must have five years of verified experience in the information security field, with a minimum of three years of information security management experience in three or more of the CISM content areas. The experience must have been gained within the 10-year period preceding the application date, and the application must be submitted within five years of passing the exam.

To maintain CISM certification, holders must sustain an adequate level of knowledge and proficiency in information security management, complete a minimum of 20 continuing professional education (CPE) hours annually (and 120 hours over each three-year reporting cycle), and follow ISACA's Code of Professional Ethics.

Benefits of CISM Certification

  • Recognition of attainment of advanced job skills as required for an information security professional
  • Worldwide recognition as an information security manager
  • Confirms commitment to profession
  • Provides access to valuable resources, such as peer networking and idea exchange

CISM holders understand the business and how to manage and adapt technology within their organizations and industries. They identify serious issues and tune company-specific practices to support the governance of information and related technologies.

The CISM credential is therefore highly desirable because it addresses organizational security requirements in a way that is accepted across the industry, and organizations are likely to remain receptive to accredited CISM holders for a long time to come.