ISACA’s Certified Information Security Manager (CISM) certification indicates expertise in information security governance, program development and management, incident management and risk management. Take your career out of the technical realm to management!

The CISM DIFFERENCE
Whether you are seeking a new career opportunity or striving to grow within your current organization, a CISM certification proves your expertise in these work-related domains:

- INFORMATION SECURITY GOVERNANCE

- INFORMATION RISK MANAGEMENT

- INFORMATION SECURITY PROGRAM DEVELOPMENT & MANAGEMENT

- INFORMATION SECURITY INCIDENT MANAGEMENT

Is CISM Right for You?

ISACA’s Certified Information Security Manager (CISM) certification is for those who have technical expertise and experience in IS/IT security and control and want to make the move from team player to manager. CISM can add credibility and confidence to your interactions with internal and external stakeholders, peers and regulators.

Build a World Class Team

ISACA's Certified Information Security Manager (CISM) certification brings credibility to your team and ensures alignment between the organization's information security program and its broader goals and objectives. CISM can validate your team’s commitment to compliance, security and integrity and increase customer retention!

Register for the Exam

Register online for the CISM certification exam. The exam is available either online with remote proctoring or in-person at a testing center.

Download the Exam Candidate Information Guide that provides all the necessary information about exam registration, scheduling, preparation, rules, administration, scoring, retake policy, etc.

Exam Prep Materials

Whether you prefer to prep on your own time or with the additional guidance and interaction that comes with live, expert instruction, ISACA has the right test prep solutions for every professional. Choose what works for your schedule and your studying needs.
Disclaimer: Please be advised that the CISM Exam Content Outline will be updated effective 1 June 2022. Starting on that date the CISM Exam will reflect the new Exam Content Outline. Updated preparation material for the new Exam Content Outline will be available for purchase in March 2022. Purchase of this material will not grant you access to the newer version of the material at a later date.

Apply to Get Certified

The final step to becoming CISM certified is to submit your CISM Certification Application. Prior to doing so, you must meet the following requirements:
- Pass the CISM Exam within the last 5 years.
- Have the relevant full-time work experience in the CISM exam content outline.
- Submit the CISM Certification Application including the application processing fee.

Maintain Your Certification
The goal of the continuing professional education (CPE) policy is to ensure that all CISAs maintain an adequate level of current knowledge and proficiency in the field of privacy. This proves to your peers and external and internal stakeholders that your skills and knowledge are always up to date and relevant.



- Information Security Governance (Fees: 250$)
- Information Risk Management (Fees: 250$)
- Information Security Program Development & Management (Fees: 250$)
- Information Security Incident Management (Fees: 250$)

CISM Certification Requirements
The ISACA community – members, volunteers and professionals – is guided by our Purpose and Promise, which define the essence of who we are and what we do. Our Purpose is the reason we exist – to help business technology professionals and their enterprises around the world realize the positive potential of technology. Our Promise is how we, as an organization and as individuals, deliver on our Purpose – the work we do every day to inspire confidence that enables innovation through technology.

Applicants must meet the following requirements to become CISM Certified:

- Successfully Complete the CISM Examination: The examination is open to all individuals who have an interest in information security management. All are encouraged to work toward and take the examination. Successful examination candidates will be sent all information required to apply for certification with their notification of a passing score.

- Adhere to the Code of Professional Ethics: Members of ISACA and/or holders of the CISM designation agree to a Code of Professional Ethics to guide professional and personal conduct.

- Adhere to the Continuing Professional Education (CPE) Policy: The objectives of the continuing education policy are to:
  - Maintain an individual's competency to ensure that all CISMs maintain an adequate level of current knowledge and proficiency. CISMs who successfully comply with the CISM CPE Policy will be better equipped to manage, design, oversee and assess an enterprise’s information security.
  - Provide a means to differentiate between qualified CISMs and those who have not met the requirements for continuation of their certification.

- Demonstrate the Required Minimum Work Experience: A minimum of 5 years of professional information security management work experience, as described in the CISM job practice areas, is required for certification. The work experience for CISM certification must be gained within the 10-year period preceding the application date for certification. Candidates have 5 years from the passing date to apply for certification.
- Substitutions and waivers may be obtained for a maximum of 2 years as follows:

Two Years:
- Certified Information Systems Auditor (CISA) in good standing
- Certified Information Systems Security Professional (CISSP) in good standing
- Post-graduate degree in information security or a related field (e.g., business administration, information systems, information assurance)

One Year:
- One full year of information systems management experience
- One full year of general security management experience
- Skill-based security certifications (e.g., SANS Global Information Assurance Certification (GIAC), Microsoft Certified Systems Engineer (MCSE), CompTIA Security+, Disaster Recovery Institute Certified Business Continuity Professional (CBCP), ESL IT Security Manager)

The experience substitutions will not satisfy any portion of the 3-year information security management work experience requirement.

Exception: Every 2 years as a full-time university instructor teaching the management of information security can be substituted for every 1 year of information security experience.

It is important to note that many individuals choose to take the CISM exam prior to meeting the experience requirements. This practice is acceptable, although the CISM designation will not be awarded until all requirements are met.