Certified Information Security Manager (CISM) Certification

What is the CISM certification?
The Certified Information Security Manager (CISM) certification is an advanced information security credential that demonstrates a candidate’s knowledge and expertise in information security management. The CISM certification is offered by the non-profit entity ISACA (Information Systems Audit and Control Association), and has now been earned by over 23,000 people worldwide since its introduction in 2002.
Who is the CISM certification for?
The CISM certification is aimed at experienced individuals who manage, oversee and evaluate the information security needs and policies of an enterprise (or those who aspire to). The CISM credential demonstrates a candidate’s experience and understanding of risk management and information security management, as well as their understanding of the overlapping nature of information security policies and structures with the overall business needs of an organisation.

Typical job roles for CISM holders include:
  • Information Security Manager
  • I.T. Security Consultant
  • Security Auditor
  • Risk Manager
Are there any prerequisites needed for the CISM certification?
The CISM certification requires a minimum of 5 years of relevant information security work experience, including a minimum of three years of information security management experience. The work experience must have been gained within the 10 years prior to applying for CISM certification or up to 5 years after passing the CISM exam. If a candidate passes the exam but fails to achieve the relevant work experience within 5 years, the exam pass will expire and the candidate will be required to retake the exam.

Candidates with approved work experience or certification achievements can reduce the work experience requirement by up to two years. For example, holders of the CISA or CISSP qualify for the full two year reduction. Full details can be found here.
How do I earn the CISM certification?
There are a number of steps that candidates must take in order to earn the CISM certification:
  • Register for the CISM exam (and pay the applicable exam fee)
  • Pass the exam
  • Apply for CISM certification (once the required work experience requirement has been met)
  • Agree to the ISACA Code of Professional Ethics
  • Commit to the Continuing Education program
  • Agree to adhere to the Information Systems Auditing Standards
The CISM exam consists of 200 multiple-choice questions. The exam duration is 4 hours and is offered in a select number of languages.

The exam covers the following 4 domains:
  • Information Security Governance
  • Information Risk Management and Compliance
  • Information Security Program Development and Management
  • Information Security Incident Management
A comprehensive outline of the exam topics can be found here.
What is the passing score?
The passing score for the CISM exam is 450 points or more on an exam scale of 200-800. The CISM credential is not awarded automatically after passing the exam; rather, the candidate must send in an application applying for the credential (and pay the applicable fee). If the relevant work experience requirement has been met, the CISM credential is awarded to the candidate.

Candidates can expect the exam results to be mailed (or e-mailed if requested) to them approx. 5 weeks after taking the test.

CISM candidates can take a self-assessment test here.
What if I fail the CISM exam?
If a candidate fails the CISM exam they may retake the exam (with payment of the applicable fees) on any future exam date (see below). Candidates may retake the exam any number of times under the same conditions.
What does the CISM exam cost?
The cost of the CISM exam differs depending on whether the candidate is a member of ISACA or not. There is also a discount for early exam registration (available to both members and non-members). The current costs of the exam can be found here.

In addition to the exam registration fee, there is also the certification application fee of US$50.
Where can I take the CISM exam?
The CISM exam can be taken on any of the three testing dates available during the year – June, September and December (the dates are the same worldwide). Registration for a testing date normally opens approx. 3-5 months prior to the exam date, and closes again 1-2 months before the exam date. Candidates are advised to check the official ISACA website for exam registration information.

The CISM exams are administered in approx. 250 locations worldwide (see here for details). About one month before the test date candidates will be mailed an exam admission paper. This paper will outline the time, date and location of the exam. Candidates must bring this admission paper with them on the day of the exam.
CISM recertification requirements
CISM-certified individuals are required to maintain their credential through ISACA’s Continuing Professional Education (CPE) program. This involves completing 120 CPE hours over a three year period, with the added condition that the candidate must attain a minimum of 20 CPE hours annually. Along with an annual fee (US$85 for non-members of ISACA), CISM holders must submit a detailed report of their activities for each year.

CPE hours are earned in a number of ways, most notably by undertaking activities that enhance or advance the CISM’s knowledge or ability to perform CISM-related duties. Approved activities include official training courses, self-study courses, professional meetings or conferences, seminars, workshops, giving presentations, teaching, mentoring, etc.

Failure to comply with the CPE requirements prohibits the individual from using the designation ‘CISM’ in a professional context.

Comprehensive details about the CPE program can be found here.