Maintaining your CISM certification: Renewal requirements
The uniquely management-focused Certified Information Security Manager (CISM) certification offers precisely the credentials that meet the professional expectations and goals of hiring organizations. It verifies that the cert holder has the knowledge to manage, design, supervise, and assess the information security realm for organizations.
The CISM certification covers four domains of knowledge:
- Information security governance (17%)
- Information security risk management (20%)
- Information security program (33%)
- Incident management (30%)
To register for the CISM exam, you have to visit the ISACA website to fill out a registration form and make your payment. ISACA’s CISM certification exam is computer-based and administered at authorized PSI testing centers globally. Exam registration is continuous so that candidates can register at any time. You can schedule as early as 48 hours after paying registration fees. The fee to register for the CISM certification exam is USD $575 for ISACA members and USD $760 for non-members.
To renew your CISM certification, you must earn and report the standard amount of annual CPE hours over three years and pay a maintenance fee of $45 for members and $85 for non-members.
CISMs who can no longer work due to hardship, disability, illness or other personal issues can attain “non-practicing” status. While non-practicing CISMs are still required to pay annual maintenance fees, they are not obligated to complete continuing education hours. A non-practicing status must be attained the same year the certification holder leaves the profession and officially begins at the start of the calendar year. They must apply for CISM non-practicing status through ISACA, along with a CISM invoice and payment.
After passing the CISM certification exam, you should maintain an adequate level of skill, knowledge and proficiency. A commitment to continuing education offers many professional benefits and will allow you to remain engaged, prepared, and successful in the information security world.
To retain the certification, a CISM must complete a certain number of CISM CPE hours annually over a three-year period. CISMs must comply with the following requirements. Failure to meet these expectations can result in the immediate revocation of your CISM certificate.
- Complete and document a minimum of 20 CPE hours in an appropriate and relevant CISM environment. These hours can be used to meet the requirements for more than one ISACA certification when the activity is applicable.
- Submit annual CPE maintenance fees to ISACA international headquarters.
- Complete and document a minimum of 120 CPE hours over a three-year reporting period. This period typically begins on the first day of January and is indicated on each annual invoice letter confirming compliance. It is up to the certification holder to report any errors directly to ISACA.
- Provide required documentation of CPE activities if audited. This can happen if a CISM is randomly selected to provide written evidence of previously reported CPE activities. The CISM Certification Committee will decide if the audit is approved and revoke any certifications not in compliance.
- Comply with ISACA’s Code of Professional Ethics.
-Support and comply with all appropriate governance and management standards related to information systems and technology.
-Perform duties objectively with diligence and care.
-Lawfully serve stakeholders’ interests and maintain a high degree of personal conduct and character.
-Protect the privacy of any information and do not use it for personal benefit or gain.
-Approach all undertakings with a realistic sense of completion.
-Make sure all important facts and findings are disclosed to employers.
-Support the professional education of stakeholders by enhancing their understanding of governance and management of enterprise information systems and technology.
Educational activities that meet the CPE standard include technical and managerial training in related areas, both of which must be applied to the management, design or assessment of an information security workplace. Hours on the job cannot be used to meet this requirement, but the CISM Certification Committee has approved the following CPE activities:
- Active participation—and proof of attendance—in ISACA conferences, seminars, workshops, chapter programs and related meetings.
- Participation in corporate training, university courses or related conferences not sponsored by ISACA.
- Immersion in self-study courses through structured learning designed specifically for CPE credits. This educational requirement can also be met through online learning, trade shows, webinars and other creative outlets.
- Development of presentations on management, design, or assessment of an enterprise’s information security.
- Publication of written material directly related to information security management. Submissions must appear in a formal publication or website, and a copy of the writing must be available upon request.
- Development and review of CISM exam items, including materials review.
- Contribution of 20 hours each year to related information security work for ISACA or other professional entities in the field.
- Mentoring efforts related to coaching, reviewing performance and assisting with CISM exam preparation or guidance through the credentialing process are all viable activities.
CISMs who wish to return to “active status” must apply for CISM active status to the Certification Department before resuming work. Assuming a CISM’s status changes within two years of the first status change, they can submit documentation for the mandatory 20 CPE hours.
If more than two years have passed since the status change, the CISM will need to submit the active status application and earn 120 CPE hours over three years. They will also need to obtain one year of relevant work experience and submit a verification of work experience form signed by a supervisor. All non-practicing CISMs will remain such until their new status is approved in writing.
Want to know more about the CISM certification exam? If so, please visit Infosec’s CISM hub.