Common CISM Job Titles [Updated 2019]

July 5, 2019 by Graeme Messina


Candidates who earn the CISM certification will find that it opens many new doors. CISM holders are far more likely to land senior roles within an organization, roles that come with more responsibility, better benefits and higher remuneration. This is a consequence of the comprehensive nature of the CISM, which makes CISM holders highly sought-after IT professionals and a valuable asset to any organization.

A candidate is officially certified only after passing the exam and then meeting the remaining requirements, such as accruing the required work experience and continuing their studies. This is no easy task, as the requirements are very specific and include ongoing cycles of study and training. This ensures that CISM holders stay up to date with the certification, keep their knowledge current, and remain familiar with new technologies and emerging trends in the Information Security industry. For all of these reasons, the CISM is a highly valuable certification to hold.

What kind of jobs can I get with the CISM certification?

The CISM is a higher-level certification that opens up many opportunities for an individual to progress further in their Information Security career. Candidates can specialize after attaining the qualification, while at the same time learning a multitude of invaluable practical skills alongside Information Security theory. As a result, the jobs open to a CISM holder are varied and exciting, and can lean towards managerial positions, technical roles, systems auditing, Information Security risk assessment, and even systems development roles. This is why the CISM is such an important certification for security professionals to obtain.

What are the most common CISM job titles and descriptions?

The CISM encompasses many different skills and applies to both technical and managerial positions, all the way up to the executive level of an organization. Let us take a look at three different job titles and what some of their basic roles entail. Bear in mind that many roles overlap one another, and that this varies from organization to organization.

Information System Security Officer

As the ISSO in an organization, your job is multifunctional in many respects. ISSOs act as the primary contact between departments on issues that relate to system security. ISSOs are in constant communication with the Information System Owner, the Business Process Owner, the Chief Information Security Officer and the Information Security Manager on all technical and logistical challenges that involve the security of the organization’s information. Some key functions of this position are:

  • Providing information security expertise to the system development teams
  • Preparing and reviewing all security documents in the organization
  • Ensuring that the appropriate security controls are applied to all systems
  • Ensuring that test data is used during system testing for consistent results
  • Continuous monitoring of all IT systems and detailed report analysis

Information/Privacy Risk Consultant

This role is highly focused on processes and policies. There are many points of failure within any information security system, and it is the job of an Information and Privacy Risk Consultant to identify and mitigate these risks. The CISM teaches fundamental risk assessment skills that are invaluable to an Information and Privacy Risk Consultant. Documentation and policy adherence make up a large part of what this job title requires, and the CISM teaches candidates how to stay in control of these processes. Roles that an Information and Privacy Risk Consultant may have to perform include:

  • Information Security
  • Risk Assessment
  • Risk Analysis and Threat Assessment
  • Privacy Impact Assessments
  • Organizational Privacy Reviews

Information Security Manager

The Information Security Manager is seen as the key person responsible for the safekeeping of IT infrastructure within the company or enterprise. They are responsible for ensuring that all systems are kept safe and secure, and that data and security policies are kept up to date and implemented to the highest standards of compliance. The organization must be protected against security threats such as virus attacks, data breaches by hackers, and cyber-criminal activities such as phishing and electronic fraud. An Information Security Manager is responsible for:

  • Assessing Security Measures
  • Developing and Implementing IT Security Policies
  • Monitoring Systems
  • Analyzing Reports
  • Managing Information Security Specialists

What Other Skills Are Beneficial To Landing a CISM Role?

The CISM covers a broad range of Information Security career paths, so for many people it is not always clear which job is waiting for them on the other side of the exam. You can expect to find roles that require multiple disciplines, such as:

What kind of salary bump can I expect after getting certified?

Candidates who hold a CISM certification can expect great things on the salary front. The average salary comes in at around $128,000 USD per year, but this varies depending on the job title and job function that you find yourself performing. This is a high-level certification that usually requires candidates to already have 5 years of work experience in IT Security Management prior to writing the exam.

This work experience must have been gained within the 10 years preceding the exam application. The experience can also be gained after writing the CISM; in that case, candidates have 5 years from the date they passed the exam in which to complete it.

CISMs must also maintain their certification status, which takes ongoing effort. For this reason, many employers see the CISM as an indication that the candidate is not only skilled and knowledgeable in the field of information security, but also able to manage and create policies and procedures while ensuring the safety and security of the organization’s information and IT systems.

Information Security Career Progression within the Organization

Many people who consider writing the CISM are not certain about the career path they will take through a business, or even which roles are compatible with the certification. The following is based on the information contained in the presentation ‘Professionalism in Information Security: A Framework for Competency Development’ by David Lynas and John Sherwood:

Entry Level Positions:

  • Systems Analyst
  • Developer
  • Security Designer Trainee
  • Security Systems Trainee
  • Security Auditor Trainee

Technical Specialists (Mid-Level Technical):

  • Security Consultant
  • Business Analyst
  • Security Product Manager
  • Security Designer
  • Security Systems Professional
  • Security Auditor
  • Information Risk Consultant

Technical Managers (Mid-Level Managerial):

  • Product Manager
  • Program Manager
  • Project Manager
  • Team Leader
  • Account Sales Manager

Expert Level Position (High-Level Technical):

  • Principal IT Consultant
  • Senior IT Systems Professional
  • Senior IT Development Engineer
  • Senior IT Architect
  • Senior Information Security Auditor

Manager/Director (High Level Managerial):

  • Operations Consulting
  • Systems Development
  • Systems and Infrastructure
  • Internal Auditing
  • Information and Privacy Risk Consultant

Senior Executive Level (Executive C-Level):

  • Chief Information Officer
  • Chief Operating Officer
  • Chief Technology Officer
  • Chief Information Security Officer
  • Chief Architecture Officer

Find out more in the downloadable PDF on the ISACA website, which outlines in great detail many of the factors to consider when pursuing the CISM certification and is a valuable source of CISM-related information.


The benefits of taking and passing the CISM are obvious: better pay, more responsibility and a detailed, fundamental understanding of information security management and of how it relates to the successful operation of a company or organization’s Information Security. Candidates who successfully complete their CISM will be virtually guaranteed better job prospects, and will be on their way to climbing the management structure within the organization.

It is also worth noting that the CISM is globally recognized, so candidates will find that they can work wherever they choose. This creates further opportunities for anyone that wishes to branch out and broaden their horizons in another country.

Those who are interested in finding out more about the CISM are welcome to browse the Infosec Institute Resources page and search for CISM. You will find many helpful articles that offer insights into this highly sought-after certification and that will assist you on your journey towards CISM certification.

Graeme is an IT professional with a special interest in computer forensics and computer security. When not building networks and researching the latest developments in network security, he can be found writing technical articles and blog posts at InfoSec Resources and elsewhere.