How to become CISM certified – Certification requirements

July 5, 2019 by Graeme Messina

Achieving CISM (Certified Information Security Manager) certification is an accomplishment that only a select few IT professionals will attain in their careers. Worldwide, there are an estimated 23,000 CISM professionals, which relative to the number of people on the planet is a tiny percentage. This certification is highly sought after, and holders of the CISM are almost guaranteed to find a dream job in information system security management within an organization.

Because the CISM is so highly sought after, it is a difficult certification for candidates to secure. There are specific steps that prospective candidates must follow to become CISM certified, and we will outline each one so that, if you are looking to become certified, you will have a better idea of how to approach it. We will cover the five steps you need to complete for the CISM and go into detail about what each one requires as you move forward in your certification journey.

5 steps to become CISM certified

Pass the exam

Surprisingly, passing the exam is the least of your worries on the road to CISM certification, although the exam is no mean feat in itself. Candidates must demonstrate understanding and knowledge across several domains of competency. As of 2018, these are:

  • Information security governance (24%)

This section requires that candidates understand how to establish, maintain and manage information security governance frameworks. Candidates must also master all of the supporting processes that ensure that the security strategy of the IT department is aligned with the organizational goals and objectives of the company.

  • Information risk management (30%)

Candidates must also learn how to manage information risk to levels that are acceptable in light of the goals and objectives of the organization they work for. This is the largest part of the exam, so understanding all of these different objectives is essential for passing the CISM exam.

  • Information security program development and management (27%)

Candidates must learn how to develop and maintain an information security program that identifies, manages and protects the organization’s IT assets while staying in line with the information security strategy and business goals, so that the program supports the security requirements of the organization you are working for.

  • Information security incident management (19%)

Planning, establishing and managing your department’s capabilities to detect, investigate and respond to security threats is essential for a CISM professional. Candidates must also display an ability to respond to and recover from information security incidents to minimize business impact.

Comply with code of professional ethics

Members of ISACA and/or holders of the CISM designation must agree to the Code of Professional Ethics, which guides the successful candidate in both professional and personal conduct. The Code of Professional Ethics comprises seven points, which are briefly summarized and simplified below.

  • The candidate will ensure that auditing, controlling, security and risk management systems are supported and implemented within the organization. Standards and procedures relating to the information security systems within the organization must also be adhered to at all times.
  • Candidates must perform all of their duties in alignment with the professional standards that are espoused within the CISM.
  • Candidates must operate within the confines of the law, and must not bring themselves or the organization into disrepute.
  • Privacy and confidentiality must be observed at all times, unless disclosure is required by relevant law enforcement agencies. Information must not be used for personal gain and profit.
  • A candidate’s competency must be maintained and kept up to date in their relevant field of expertise. This must be done so that the company or organization benefits from skill, knowledge and competence within the IT security sector.
  • A CISM professional must ensure that they inform relevant parties of the results that are attained after work performed, making sure that they do not hold any information back that might affect the results of the reporting process.
  • Candidates must empower users within the organization by educating them and enhancing their understanding of the governance and management of enterprise information systems and technologies, including auditing, controlling and securing those systems and applying best practices in risk management.


Participate in CPE Program

The main idea behind the CPE (Continuing Professional Education) policy is to ensure that qualified CISM holders keep their knowledge as up to date as possible. This helps ensure that new trends and emerging threats are identified and reflected in new security policies going forward. The main goals of the CPE Program can therefore be thought of as:

  • A means of maintaining competency and making sure that the CISM professional remains knowledgeable and proficient in the field of IT security systems and management. By doing these things, CISMs are far more likely to be able to effectively manage, design and oversee the organization’s information security, while assessing any potential threats to the security of IT systems within the company.
  • Allowing qualified CISMs to be distinguished from those who are not keeping up to date with the CPE Program.

Successful CISM candidates must also pay maintenance fees and complete a minimum of 20 contact hours of CPE annually. Additionally, they must complete a minimum of 120 contact hours over a period of 3 years to remain in compliance with ISACA requirements. More information regarding the CPE can be found here.

Work experience

Candidates must also submit verified evidence that they have worked a minimum of 5 years in the field of information security, with a minimum of 3 years in information security management in at least three of the job practice analysis areas. This work experience has to be gained within the 10-year period preceding the application for certification, or within 5 years from the date of passing the exam. Some qualifications can substitute for part of the full 5 years’ worth of work experience, and what follows are two separate scenarios that can lessen the requirements for an individual candidate, based on qualifications and work experience.

Two Years:

  • Certified Information Systems Auditor (CISA) in good standing
  • Certified Information Systems Security Professional (CISSP) in good standing
  • Post-graduate degree in information security or a related field (e.g., business administration, information systems, information assurance)

One Year:

  • One full year of information systems management experience
  • One full year of general security management experience
  • Skill-based security certifications (e.g., SANS Global Information Assurance Certification (GIAC), Microsoft Certified Systems Engineer (MCSE), CompTIA Security+, Disaster Recovery Institute Certified Business Continuity Professional (CBCP), ESL IT Security Manager)
  • Completion of an information security management program at an institution aligned with the Model Curriculum

Candidates must be aware that the experience substitutions listed above are not accepted as a replacement for any part of the 3-year information security management work experience. The only exception is full-time university-level teaching of information security management, which can substitute 1 year of experience for every two years worked in such a role.

Submit CISM application to ISACA

The final step is for candidates to submit a CISM application for certification. This can only be done after a candidate has passed the CISM exam and acquired the necessary work experience. There are three ways to obtain the CISM application:


There is a lot for CISM candidates to complete before they can attain certification, but it is well worth the effort in the end, as CISM certifications are in high demand and quite rare. Positions that require a CISM certification are high-level management roles that call for both experience and advanced technical and managerial skills.

The CISM can be seen as a combination of roles, blending the perspective of an IT auditor with the execution skills of an information security professional to create a unified function within the organization. The CISM is regarded as the global standard for IT security professionals in security, auditing and systems control.

CISM professionals are almost certain to land a dream job in IT management, with skills and managerial processes that are highly valued by corporations. Achieving this certification is a career-changing milestone that will elevate your professional standing within the organization and is likely to open the door to better earnings, higher incentives and better benefits, as well as an advanced understanding of security systems management within an organization.


Graeme is an IT professional with a special interest in computer forensics and computer security. When not building networks and researching the latest developments in network security, he can be found writing technical articles and blog posts at InfoSec Resources and elsewhere.
