Whether it’s the CISM or any other professional certification, earning one means that the individual has invested in the time, effort, and money to acquire and then demonstrate specific knowledge. And, for challenging credentials, such as the CISM, that says quite a bit about the person.
Thousands of associations use professional certifications as a way to recognize individuals for their dedication in their chosen careers and for upholding a specific set of standards. Millions of professionals across all industries have invested time and money toward attaining these certifications.
Professional certifications are an important way for individuals to signify that they have achieved a certain level of knowledge and have demonstrated a commitment to their profession. Companies often use professional certifications to set a minimum standard for promotion within the company or the minimum qualification for new hires.
Some professionals set their sites on achieving certification as a way to ensure they will continue to learn about their industry, and others thrive on the added esteem offered to them by their colleagues or the increased earning potential that comes with a credential. The sense of belonging to an elite community motivates still others.
In the end, there can be any number of reasons why each individual seeks and achieves certification or why a company desires employees that have earned them.
Hiring managers see professional certifications as a shortcut to expedite the candidate sourcing process. By listing required certifications in the job description, their work becomes easier since they know that all the acceptable candidates will have a certain level of technical knowledge. Without this shortcut, assessing and verifying each candidate’s understanding of critical skills and experience would be unmanageable.
Is it a perfect system? Certainly not. For one reason or another, some highly qualified job seekers have opted not to pursue professional certification. These individuals will be overlooked by a hiring manager that requires certification. Other people have all the proper credentials for a job, but other characteristics may make them a poor fit for the job in question.
What is CISM?
The Certified Information Security Manager (CISM) certification is offered by ISACA. Originally known as the Information Systems Audit and Control Association, it now uses only the acronym ISACA. With more than 145,000 members worldwide, ISACA offers a host of related certifications and certificates. In addition to the CISM, ISACA offers the following certifications:
- Certified Information Systems Auditor (CISA)
- Certified in Risk and Information Systems Control (CRISC)
- Certified in the Governance of Enterprise IT (CGET)
- Cybersecurity Practitioner Certification (CSX-P)
- Certified Data Privacy Solutions Engineer (CDPSE)
- Information Technology Certified Associate (ITCA)
- Certified in Emerging Technology (CET)
ISACA also provides certificates to purport an understanding of key information systems and cybersecurity concepts and principles. These certificates are notably less comprehensive than a professional certification such as those listed above.
The CISM is designed to signify technical expertise and experience in information security governance, information risk management, information security program development and management, and information security incident management.
This highly sought-after professional designation is widely seen as a threshold for security team members transitioning to security management positions within the enterprise. For frontline security practitioners, achieving the CISM indicates they are prepared to move their careers forward.
Companies of all types depend on the CISM to demonstrate their security team’s proficiency, thereby building confidence with their customers, clients, and business partners. Businesses can instill confidence in their downstream partners in this day of elevated concern about supply chain risks by promoting that their security team includes professionals holding a CISM.
To ensure that individuals stay abreast of new technologies and are active in the field of information security and privacy, the CISM policy requires the attainment of a number of continuing professional education (CPE) credits during a specified period.
After passing the CISM exam, CISMs must earn and report an annual minimum of 20 CPE hours. These hours must be appropriate to advancing the CISM’s knowledge or ability to perform CISM-related tasks. They must also earn and report a minimum of 120 CPE hours for a three-year reporting cycle.
Achieving the CISM designation is one of the most challenging certifications to achieve, but earning a CISM provides access to some of the most desirable jobs in information security, governance, and risk analysis. Working in these areas, you may help evaluate the information security needs of your employer’s data projects, critique existing security measures, and introduce new defenses to counter developing threats. Most jobs that require CISM certification are senior positions that call for candidates who already have several years of industry experience.
The job titles and responsibilities that require a CISM can vary widely, but they are senior-level or management jobs in most cases. Some common security and risk management roles that often look for candidates with a CISM include:
- Information security engineer
- Cybersecurity developer
- Cybersecurity assessment and remediation executive
- Security architect
- Manager of cyber defense
- Manager of security operations
- Information security consultant
- Security analyst supervisor
- Business information security officer
- Chief information security officer
Global Knowledge’s 2020 IT Skills and Salary Survey indicates that the CISM is among the highest paying tech certifications. Jobs that require a CISM to qualify generally pay from $75,000 to $125,000 per year. Of course, that can vary widely depending on the industry and the job responsibilities.
Over and above work experience and personal study, there are other options for learning the material needed to pass the CISM exam. Industry conferences, in-person training classes, and online courses are available to individuals seeking to prepare for the exam.
ISACA and other industry conferences are one way to acquire training to help pass the CISM exam. Those planning to sit for the CISM exam can garner a wealth of knowledge at many security and IT conferences by carefully selecting conference talks, education sessions, and vendor exhibits.
By reviewing the exam requirements before attending a conference, would-be CISMs can construct a conference itinerary to learn all the conference has to offer in areas relevant to their upcoming exam. Another benefit of attending industry conferences comes in the form of networking opportunities. By building relationships with other security practitioners, particularly those that have already passed the CISM exam, future CISMs can bolster their confidence by learning more about the exam proper and the exam process.
ISACA holds several conferences annually in various places around the world. Other security industry conferences also provide excellent educational opportunities.
Notwithstanding some coronavirus-related restrictions in place at the time of this writing, there are many in-person CISM exam training opportunities. At various times of each year and in various locations, ISACA offers training weeks where individuals can attend classes specifically designed to pass the CISM exam. Upcoming training weeks can be found on the ISACA website.
ISACA members can attend local chapter events geared toward helping members achieve ISACA credentials, including the CISM.
For companies interested in providing training for groups of employees, ISACA offers enterprise training. In this case, a qualified exam prep trainer will hold classes at the company’s site.
Businesses that are independent of ISACA also offer CISM training classes. Many of these professional training companies provide a quality training experience. However, ISACA warns that only accredited third-party trainers are assured of having the most up-to-date materials precisely aligned with ever-changing examination domains and emphasis.
ISACA offers an online CISM review course and an online database of review questions with their answers. Other private companies, ISACA accredited and otherwise, also offer online courses designed to help potential CISMs pass the exam.
What are the CISM exam requirements?
According to the ISACA website, “a minimum of five-years of professional information security management work experience — as described in the CISM job practice areas — is required for certification. The work experience for CISM certification must be gained within the 10-year period preceding the application date for certification. Candidates have five-years from the passing date to apply for certification.”
It is important to note that ISACA does not require candidates to meet the work experience qualifications before sitting for the exam. Those individuals who wish to complete the exam as they build their work experience are welcome to do so, but the CISM designation will not be awarded until all requirements are met.
Candidates may obtain substitutions and waivers for a maximum of two of the five required years of work experience. An explanation of what prior ISACA certifications or higher-level work experience are acceptable substitutes can be found on ISACA’s certification requirements page.
To protect the reputation of all CISMs, ISACA requires individuals to adhere to their Code of Professional Ethics that guides the professional and personal conduct of CISM holders.
Lastly, ISACA requires that CISMs and all other ISACA certification holders adhere to their Continuing Professional Education (CPE) Policy and earn a minimum of 20 CPEs mentioned above.
The CISM exam
The CISM exam has historically been offered only at authorized in-person testing sites. Now, however, candidates can choose an online remotely proctored test.
The exam registration fee for ISACA members is $575 and $760 for nonmembers. There is a $50 application fee for both members and nonmembers. Once you achieve CISM certification, there is an annual maintenance fee of $45 for members and $85 for nonmembers.
The CISM exam is multiple-choice and computer-based. There are 150 questions, all of which have four possible answers. The time allowed to complete the exam is four hours. The questions are part of a weighted scale ranging from 200 to 800 points, and a minimum passing score is 450 out of the 800 possible points.
The exam covers four domains of knowledge, and candidates should have a thorough understanding of each domain. The four domains and their representation within the total number of questions are:
- Information Security Governance (24 percent)
- Information Risk Management and Compliance (30 percent)
- Information Security Program Development and Management (27 percent)
- Information Security Incident Management (19 percent)
Candidates need to understand the CISM’s question methodology, as it is not simply a multiple-choice exam with one correct answer per question. Instead, ISACA has constructed the exam with some questions requiring a most likely or best answer. More than one answer may be true, but one will be “more true, or more accurate” than the others.
To get an idea about the types of questions candidates may encounter on the CISM exam, ISACA provides ten practice questions.
On test day, candidates will only be admitted into the test center or allowed to access the test online if they have a valid and current form of photo identification.
The acceptable forms of identification are:
- Driver’s license
- State identity card (non-driver’s license)
- Passport card
- Military ID
- Green card, alien registration, permanent resident card
- National identification card
If a candidate fails their first attempt at the CISM exam, they are allowed to retake the exam but must start the application and registration process from the beginning.
The CISM is a vital certification for anyone looking to prove they have what it takes to get into the management side of information security. This credential demonstrates that they can consider the entirety of their employer’s security concerns and build policies and protocols around them. Technical knowledge in this field is essential, and the examination is designed to separate the good from the great security practitioners.
The CISM is one of the most recognized IS/IT certifications globally and signifies the holder has a high-level view of the strategic dimension of information security governance and program development and management.
Experienced practitioners can prepare for taking the exam through self-study, although many tailor-made study programs are available.
To ensure that CISMs uphold the credibility of the certification, ISACA enforces stringent work experience requirements, adherence to a broad-reaching code of ethics, and earning ongoing CPEs. Without these requirements, the respect the certification currently holds would indeed begin to wain.
Individuals depend on the reputation of the CISM certification to further their careers. Companies point to it to reassure customers and clients that their staff members are the best in the business.