Whether it’s the CISM or any other professional certification, earning one means that the individual has invested in the time, effort, and money to acquire and then demonstrate specific knowledge.
And, for challenging credentials, such as the CISM, that says quite a bit about the person.
Thousands of associations use professional certifications as a way to recognize individuals for their dedication to their chosen careers and for upholding a specific set of standards.
Millions of professionals across all industries have invested time and money toward attaining these certifications.
According to Cyberseek, 20,300 professionals currently hold the CISM designation. At the same time, 36,232 job openings are looking for people with this certification.
Professional certifications are an important way for individuals to signify that they have achieved a certain level of knowledge and have demonstrated a commitment to their profession.
Companies often use professional certifications to set a minimum standard for promotion within the company or the minimum qualification for new hires.
Some professionals set their sites on achieving certification as a way to ensure they will continue to learn about their industry, and others thrive on the added esteem offered to them by their colleagues or the increased earning potential that comes with a credential.
The sense of belonging to an elite community motivates still others.
Hiring managers see professional certifications as a shortcut to expedite the candidate sourcing process.
By listing required certifications in the job description, their work becomes easier since they know that all the acceptable candidates will have a certain level of technical knowledge. Without this shortcut, assessing and verifying each candidate’s understanding of critical skills and experience would be unmanageable.
Is it a perfect system? Certainly not. For one reason or another, some highly qualified job seekers have opted not to pursue professional certification.
These individuals will be overlooked by a hiring manager that requires certification. Other people have all the proper credentials for a job, but other characteristics may make them a poor fit for the job in question.
What is CISM?
The Certified Information Security Manager (CISM) certification is offered by ISACA. Originally known as the Information Systems Audit and Control Association, it now uses only the acronym ISACA.
With more than 145,000 members worldwide, ISACA offers a host of related certifications and certificates. In addition to the CISM, ISACA offers the following certifications:
- Certified Information Systems Auditor (CISA)
- Certified in Risk and Information Systems Control (CRISC)
- Certified in the Governance of Enterprise IT (CGET)
- Cybersecurity Practitioner Certification (CSX-P)
- Certified Data Privacy Solutions Engineer (CDPSE)
- Information Technology Certified Associate (ITCA)
- Certified in Emerging Technology (CET)
ISACA also provides certificates to purport an understanding of key information systems and cybersecurity concepts and principles.
These certificates are notably less comprehensive than a professional certification such as those listed above.
The CISM is designed to signify technical expertise and experience in information security governance, information risk management, information security program development and management, and information security incident management.
This highly sought-after professional designation is widely seen as a threshold for security team members transitioning to security management positions within the enterprise.
For frontline security practitioners, achieving the CISM indicates they are prepared to move their careers forward.
Companies of all types depend on CISM to demonstrate their security team’s proficiency, thereby building confidence with their customers, clients, and business partners.
Businesses can instill confidence in their downstream partners in this day of elevated concern about supply chain risks by promoting that their security team includes professionals holding a CISM.
To ensure that individuals stay abreast of new technologies and are active in the field of information security and privacy, the CISM policy requires the attainment of a number of continuing professional education (CPE) credits during a specified period.
After passing the CISM exam, CISMs must earn and report an annual minimum of 20 CPE hours. These hours must be appropriate to advancing the CISM’s knowledge or ability to perform CISM-related tasks. They must also earn and report a minimum of 120 CPE hours for a three-year reporting cycle.
Achieving the CISM designation is one of the most challenging certifications to achieve, but earning a CISM provides access to some of the most desirable jobs in information security, governance, and risk analysis.
Working in these areas, you may help evaluate the information security needs of your employer’s data projects, critique existing security measures, and introduce new defenses to counter developing threats. Most jobs that require CISM certification are senior positions that call for candidates who already have several years of industry experience.
The job titles and responsibilities that require a CISM can vary widely, but they are senior-level or management jobs in most cases. Some common security and risk management roles that often look for candidates with a CISM include:
- Information security engineer
- Security software developer
- Security architect
- Information security consultant
- Security analyst supervisor
- Business information security officer
- Chief information security officer
Global Knowledge’s 2024 IT Skills and Salary Survey indicates that CISM is among the highest-paying tech certifications.
Cybersecurity jobs that require a CISM to qualify generally pay from $75,000 to $157,000 per year. Of course, that can vary widely depending on the industry and the job responsibilities.
CISM training
Over and above work experience and personal study, there are other options for learning the material needed to pass the CISM exam. Industry conferences, in-person training classes, and online courses are available to individuals seeking to prepare for the exam.
Conferences
ISACA and other industry conferences are one way to acquire training to help pass the CISM exam. Those planning to sit for the CISM exam can garner a wealth of knowledge at many security and IT conferences by carefully selecting conference talks, education sessions, and vendor exhibits.
By reviewing the exam requirements before attending a conference, would-be CISMs can construct a conference itinerary to learn all the conference has to offer in areas relevant to their upcoming exam.
Another benefit of attending industry conferences comes in the form of networking opportunities. By building relationships with other security practitioners, particularly those that have already passed the CISM exam, future CISMs can bolster their confidence by learning more about the exam proper and the exam process.
ISACA holds several conferences annually in various places around the world. Other security industry conferences also provide excellent educational opportunities.
Looking for a virtual professional conference experience? Check out the Cybersecurity Guide Podcast, where we interview the industry’s leading experts.
In-person training
Notwithstanding some coronavirus-related restrictions in place at the time of this writing, there are many in-person CISM exam training opportunities.
At various times of each year and in various locations, ISACA offers training weeks where individuals can attend classes specifically designed to pass the CISM exam. Upcoming training weeks can be found on the ISACA website.
ISACA members can attend local chapter events geared toward helping members achieve ISACA credentials, including the CISM.
For companies interested in providing training for groups of employees, ISACA offers enterprise training. In this case, a qualified exam prep trainer will hold classes at the company’s site.
Businesses that are independent of ISACA also offer CISM training classes. Many of these professional training companies provide a quality training experience.
However, ISACA warns that only accredited third-party trainers are assured of having the most up-to-date materials precisely aligned with ever-changing examination domains and emphasis.
Online programs
ISACA offers an online CISM review course and an online database of review questions with their answers. Other private companies, ISACA accredited and otherwise, also offer online courses designed to help potential CISMs pass the exam.
CISM bootcamps
Bootcamp prerequisites
Before you can be CISM certified, you need to pass the exam and have at least five years of relevant work experience. Some other certifications can reduce this requirement to two years.
What to expect during a bootcamp
CISM bootcamps aim to prepare you for the exam by focusing on ISACA’s four core domains. These domains are designed to test your knowledge and skills in both the technical and managerial aspects of information security. Here’s what you can expect to learn:
- Information security governance: This section covers enterprise governance, organizational culture, and legal requirements. You’ll also delve into organizational structures, roles, and responsibilities, as well as information security strategy development.
- Information security risk management: Here, you’ll learn about risk assessment, emerging threats, and vulnerability analysis. The curriculum also includes risk treatment options and monitoring.
- Information security program: This domain focuses on program development and resources. Topics include information asset identification, industry standards, and information security policies. You’ll also learn about control design, implementation, and testing.
- Incident management: This part prepares you for handling security incidents effectively. It covers incident response plans, business impact analysis, and disaster recovery plans. You’ll also learn about incident classification, containment methods, and post-incident review practices.
Time commitment
CISM bootcamps are short and intense, usually lasting between three to ten days. They come in various formats: on-site, online instructor-led, and self-paced online courses.
Cost factors
Prices range from $1,200 to $5,000, depending on the provider and additional perks like exam vouchers and courseware.
Post-bootcamp
Passing the CISM exam is tough, with a first-time pass rate of 50-60 percent. The exam lasts four hours and consists of 150 multiple-choice questions. After passing, you need to maintain your certification with Continuing Professional Education (CPE) hours and an annual fee.
Final thoughts about CISM bootcamps
CISM bootcamps are a fast-track to a lucrative career in cybersecurity governance and management. However, they require a significant investment of time and money, and the exam is challenging. Choose your bootcamp wisely, considering factors like curriculum, duration, and additional perks.
What are the CISM exam requirements?
According to the ISACA website, “a minimum of five-years of professional information security management work experience — as described in the CISM job practice areas — is required for certification.
The work experience for CISM certification must be gained within the 10-year period preceding the application date for certification. Candidates have five-years from the passing date to apply for certification.”
It is important to note that ISACA does not require candidates to meet the work experience qualifications before sitting for the exam. Those individuals who wish to complete the exam as they build their work experience are welcome to do so, but the CISM designation will not be awarded until all requirements are met.
Candidates may obtain substitutions and waivers for a maximum of two of the five required years of work experience. An explanation of what prior ISACA certifications or higher-level work experience are acceptable substitutes can be found on ISACA’s certification requirements page.
To protect the reputation of all CISMs, ISACA requires individuals to adhere to their Code of Professional Ethics which guides the professional and personal conduct of CISM holders.
Lastly, ISACA requires that CISMs and all other ISACA certification holders adhere to their Continuing Professional Education (CPE) Policy and earn a minimum of 20 CPEs mentioned above.
The CISM exam
The CISM exam has historically been offered only at authorized in-person testing sites. Now, however, candidates can choose an online remotely proctored test.
The exam registration fee for ISACA members is $575 and $760 for nonmembers. There is a $50 application fee for both members and nonmembers. Once you achieve CISM certification, there is an annual maintenance fee of $45 for members and $85 for nonmembers.
The CISM exam is multiple-choice and computer-based. There are 150 questions, all of which have four possible answers. The time allowed to complete the exam is four hours. The questions are part of a weighted scale ranging from 200 to 800 points, and a minimum passing score is 450 out of the 800 possible points.
The exam covers four domains of knowledge, and candidates should have a thorough understanding of each domain. The four domains and their representation within the total number of questions are:
- 30 percent: Information risk management and compliance
- 27 percent: Information security program development and management
- 24 percent: Information security governance
- 19 percent: Information security incident management
Candidates need to understand the CISM’s question methodology, as it is not simply a multiple-choice exam with one correct answer per question. Instead, ISACA has constructed the exam with some questions requiring a most likely or best answer. More than one answer may be true, but one will be “more true, or more accurate” than the others.
To get an idea about the types of questions candidates may encounter on the CISM exam, ISACA provides ten practice questions.
On test day, candidates will only be admitted into the test center or allowed to access the test online if they have a valid and current form of photo identification.
The acceptable forms of identification are:
- Driver’s license
- State identity card
- Passport or passport card
- Military ID
- Green card
- National ID card
If a candidate fails their first attempt at the CISM exam, they are allowed to retake the exam but must start the application and registration process from the beginning.
CISM recap
The CISM is a vital certification for anyone looking to prove they have what it takes to get into the management side of information security.
This credential demonstrates that they can consider the entirety of their employer’s security concerns and build policies and protocols around them. Technical knowledge in this field is essential, and the examination is designed to separate the good from the great security practitioners.
The CISM is one of the most recognized IS/IT certifications globally and signifies the holder has a high-level view of the strategic dimension of information security governance and program development and management.
Experienced practitioners can prepare for taking the exam through self-study, although many tailor-made study programs are available.
To ensure that CISMs uphold the credibility of the certification, ISACA enforces stringent work experience requirements, adherence to a broad-reaching code of ethics, and earning ongoing CPEs. Without these requirements, the respect the certification currently holds would indeed begin to wain.
Individuals depend on the reputation of the CISM certification to further their careers. Companies point to it to reassure customers and clients that their staff members are the best in the business.
FAQs
CISM stands for Certified Information Security Manager. It’s a globally recognized certification offered by ISACA for professionals in the field of information security governance and management.
CISM is ideal for experienced information security managers, risk managers, and professionals looking to move into managerial roles within the cybersecurity field.
You need to pass the CISM exam and have at least five years of work experience in information security management. Some other certifications can reduce this requirement to two years.
The CISM exam focuses on four core domains: Information Security Governance, Information Security Risk Management, Information Security Program, and Incident Management.
CISM bootcamps offer intensive, focused training programs designed to prepare you for the CISM exam. They cover the exam’s four core domains and often include practice tests.
CISM bootcamps usually take between three to ten days and the cost can range between $1,200 and $5,000.
While many bootcamps offer exam pass guarantees or free retakes, passing the exam ultimately depends on your preparation and understanding of the material.
You’re required to earn and report a minimum of 120 Continuing Professional Education (CPE) hours every three years and pay an annual maintenance fee.
Sources
- Cybersecurity certification data | From Cyberseek.org in Jan 2025.
- ISACA Certifications | From ISACA in Jan 2025.