CISM Certification: Overview and Career Path [Updated 2019]

July 5, 2019 by Lester Obbayi


With an increase in information security professional certifications and in the institutions offering them, it can be daunting to identify the right certification without adequate information. This post offers an overview of the CISM certification, answering the questions candidates commonly have before taking the exam, about getting accredited, and about the career paths associated with the credential.

At the end of this post, it will be apparent why the CISM certification is the globally accepted standard of achievement and success in this area.

What Is the CISM Certification?

The Certified Information Security Manager certification is an Information Security credential that is offered by ISACA and focuses on teaching the relevant managerial skills related to IT security.

The certification is intended for professionals who specifically want to focus on the managerial aspect of information security, without necessarily diving into the complicated inner workings of different information security concepts.

CISM-accredited professionals are mostly tasked with overseeing the information security of organizations, which involves designing and developing working information security practices and policies.

Once accredited, a candidate can demonstrate an understanding of the relationship between an information security program and broader business goals and objectives.

Who Should Earn the CISM?

The CISM certification is targeted at candidates who are tasked with or are aspiring toward management of the information security of organizations or industries.

Such organizations often require individuals who understand:

  1. Policy making, in order to ensure that effective information security policies are established.
  2. The factors necessary to lower and manage risk and optimize resources while at the same time establishing trust and reputation.
  3. How to provide assurance on critical decisions concerning the security of the organization.
  4. How to perform efficient and effective risk management.

Successful CISM holders will be most qualified to take up senior management positions where tasks would, for instance, involve validating and ratifying all the necessary assets that need to be protected or even ensuring that penalties for non-compliance to policies are communicated and enforced.

What Experience Do You Need?

In order to attain eligibility for the certification, candidates need to satisfy a couple of requirements as outlined below. The candidates must:

  1. Register for, sit, and pass a 200-question examination. This requirement is aimed at determining the knowledge and skill set of candidates. Candidates must be familiar with computer networks and the basics of computer security.
  2. Show evidence of previous work experience. Candidates need five years of previous professional work experience in information security, with three years as a security manager in at least three of the four main training areas. Eligibility is only valid when the reported experience is current, meaning within ten years of the application or within five years of passing the exam.
  3. Proceed with and complete the rest of the application. After meeting the above requirements, candidates should remember that completing the rest of the application is also necessary for eligibility.

Topics covered by the examination include Information Risk Management and Compliance, Information Security Incident Management, Information Security Governance, and Information Security Program Development and Management.

How Does the CISM Compare to Other Security Certifications?

There are other certifications that can be considered as alternatives to the CISM that also offer managerial skills. These include:

  1. CISSP (Certified Information Systems Security Professional):
    The CISSP certification is globally accepted in the area of information security and has become desirable to professionals wishing to move into managerial positions as information security personnel.
  2. CISA (Certified Information Systems Auditor):
    CISA-accredited individuals are greatly sought after by many organizations due to their audit expertise and their ability to institute proper controls and ensure compliance within organizations. Unlike the CISSP and CISM, however, the CISA is not entirely an IT security certification.

The overall choice of a certification depends on the preference of the candidate and the ability of the market to accommodate holders of a specific certification.

Over the past three years, jobs in the cybersecurity field have grown by 80% more than any other job related to information technology, promising exciting opportunities for certified professionals not only now but also well into the future.

Is the CISM Worth the Effort?

The process of getting CISM accreditation is painstakingly long, and this question often lingers in candidates’ minds. In order to appreciate the benefits of the hard-earned CISM, a review of a few jobs is in order.

The following job titles would match the CISM credential:

Information Security Manager

The ISM is tasked with obtaining senior management commitment (such as acquiring budgets), assessing security metrics, performing strategic alignment, performing adequate risk management, ensuring value delivery, and ensuring adequate resource management.

Chief Information Officer

In an environment with new business demands, stringent industry-specific regulations, and risks emerging every day, the ability to manage risk and security has become a mission-critical issue for small and large business enterprises worldwide. The CISM provides business leaders with the ability to understand and articulate a host of complex and challenging security management issues that can significantly impact enterprise success.

Information Risk Compliance Specialist

In this role, the CISM holder is involved in and largely oversees the building and implementation of programs, policies, and practices that ensure the organization complies with industry and government regulatory requirements. The CISM liaises with internal business units, legal teams, and HR to increase awareness within the organization.

What Is the Best Way to Train for the CISM?

There are several ways that prospective CISMs can prepare for the certification, depending on the candidate’s preferences and level of understanding. Some options are discussed below in brief so that candidates can pick the one that suits them best.

In-Person Bootcamp

The good thing about in-person bootcamps is that they are well structured, with skilled instructors leading sessions. The structure keeps candidates accountable for their study progress while at the same time building their motivation to remain focused on the objectives of the study.

Live Online Training

Candidates who prefer classroom-style study in the comfort of their own living room or workspace might be best suited by this study mode. Here, the candidate logs in to a live online session led by an instructor. This study mode has various advantages. The candidate can, for example, re-sit sessions, interact in real time with the instructor, ask questions whenever necessary, save on travel expenses by studying online, and, in some cases, gain access to video recordings, depending on the terms agreed upon with the training provider.

Self-Study

The self-study mode of training requires tremendous discipline in order to cover the content in the required time. Candidates choosing this mode might want to obtain study materials online and use them to prepare for the examination. For example, for $2,999, candidates can gain access to Infosec Institute’s Mentored Online training.

The benefit of this study mode is that candidates have online access to the CISM course at their disposal for 120 days. Media files can also be shipped to candidates for offline use. A custom CISM question-and-answer book is also accessible.


CISM holders understand business and how to manage and adapt technology in their organizations and industries. They identify serious issues and tune company-specific practices to allow for the governance of information and related technologies.

The CISM credential is, therefore, highly desirable because it addresses organizational security requirements in an industry-wide accepted fashion. Organizations will, for a long time to come, remain receptive to accredited holders of the CISM.


Lester Obbayi is a Cyber Security Consultant with one of the largest Cyber Security Companies in East and Central Africa. He has a deep interest in Cyber Security and spends most of his free time doing freelance Penetration Tests and Vulnerability Assessments for numerous organizations.
