Maintaining Your CISM Certification: Renewal Requirements

July 5, 2019 by Jennifer Jeffers

Understanding CISM

Getting a leg up in the information security (infosec) space is no easy feat these days. It demands commitment, knowledge, and a fair amount of training. While some of that training happens on the job, career advancement and earning potential still depend in part on recognized IT certifications. The uniquely management-focused Certified Information Security Manager (CISM) credential offers precisely the kind of education required to meet those professional goals. By recognizing and certifying individuals who manage, design, oversee, and assess an enterprise's information security, the CISM program strengthens both the security profession and the careers of the people in it.

CISM differs from other security certifications because it specifically focuses on the role of information security managers. Most other certifications focus more on technical skills or specific product knowledge, but CISM targets the individual who has moved past the role of practitioner and longs for the challenges of infosec management.

As an independent nonprofit association, ISACA offers this certification and provides benchmarks and governance tools for global businesses looking to improve their information systems. Any professionals involved in the infosec field or looking to become more efficient IT managers and consultants can benefit considerably from this type of advanced certification, which is accredited by the American National Standards Institute (ANSI) and recognized around the world. That’s why the time to jumpstart your career with a CISM is now.

Certification Details

Since 2009, the CISM certification has received over 30 professional accolades and become one of the most sought-after IT credentials in the industry. Qualifying for the certification demands a combination of four things: experience, ethics, education, and exam. Candidates must have at least five years of infosec work experience, with at least three of those years in an information security management role within the CISM content areas, and must commit to sustaining their knowledge over time through continuing education. To complete the certification process, applicants must pass a 200-question multiple-choice exam that covers four domains:

  1. Information security governance
  2. Information risk management
  3. Information security program development and management
  4. Information security incident management

Once the certification is achieved, holders must adhere to all of ISACA's professional codes and policies, including the continuing education mandate and the work experience requirements. The knowledge, skills, and proficiency demonstrated in the certification process must be maintained, and a minimum of 20 CPE hours must be completed and reported each year. In this way, passing the CISM exam is not a single accomplishment; it is an ongoing commitment to professionalism and excellence.

The CISM certification utilizes various educational strategies and allows participants to partake in real-life scenarios to enhance authentic learning. With a full library of templates and constant instructional support, students will reap many benefits from a CISM certification, including:

  • An understanding of the relationship between an infosec program and broader business goals and objectives.
  • Knowledge and experience in the development and management of an infosec program.
  • Inclusion in an elite peer network of professionals.
  • Access to ongoing education, career advancement, and business communication.

Enterprises and government agencies pay close attention to CISM certifications among their employees and expect their infosec and IT professionals to complete them. As the yearly number of applicants increases, so does the need for increased qualifications and education. And, as the demand for infosec experts also continues to grow, employers have become more and more discriminating in the hiring process. The meticulous and intensive nature of the CISM certification allows organizations to rest easy, knowing they have employees who are competent and confident. Since the certification began in 2002, approximately 23,000 global CISM professionals have launched their infosec careers. Employers hire CISMs for many reasons and expect them to:

  • Identify critical issues within company-specific practices.
  • Support the governance of information and enterprise-related technologies.
  • Bring credibility to their professional role.
  • Assume a comprehensive view of information systems security management and how it affects organizational success.
  • Demonstrate commitment to improved alignment between the company’s existing infosec program and any future goals.
  • Hold a credential that enhances their own, and their employer's, professional credibility.

The Exam

Because the CISM certification is one of the most prestigious programs in the field, passing the exam is a critical milestone for anyone pursuing an infosec management career. The exam covers the four domains of infosec management listed above and must be completed within four hours. It contains 200 multiple-choice questions, which allows a little over one minute per question. ISACA scales raw results to a score between 200 and 800; a scaled score of 450 or higher passes, which works out to roughly 113 of the 200 questions answered correctly, and a perfect 800 requires answering every question correctly. Scores arrive by mail about five weeks after the exam. Once you have a passing score, you apply for certification by downloading and printing the application from the ISACA website and submitting it with proof of experience, including a signed verification from your supervisor. ISACA reviews the application and either grants or denies the certification.

Remember, only a little more than half of the people who take the CISM exam actually pass, so it is important to prepare. ISACA does not mandate any particular course of study before the exam, so finding an effective learning method is up to you. There are a number of ways to prepare, including enrolling in an infosec course, attending a CISM boot camp, or studying the online model curriculum materials. These instructional settings reinforce the relevant concepts and teach effective test-taking strategies. By testing both your knowledge and your ability to apply it in real-world scenarios, you will enter the exam with greater aptitude and confidence. ISACA offers its own review courses and training, but plenty of non-ISACA materials are also designed to improve your score and help you organize your study. Once you have registered for the exam, you gain access to training and study guides, for a small fee, of course. You can also review sample questions and answers from past tests, along with supplementary materials sorted by practice domain. Although third-party review courses can cost up to $1,500, ISACA offers a free self-assessment of 50 sample questions that lets you gauge your readiness.

To register for the CISM exam, visit the ISACA website, fill out the registration form, and make your payment. Exams are offered in scheduled testing windows; in 2018, for example, there were three: February 1 to May 24, June 1 to September 23, and October 1 to January 24, 2019 (check the ISACA site for the current schedule). A few weeks before the exam date, you will receive an admission ticket in the mail stating the time, location, and details for the exam. Bring a photo ID and your admission ticket on test day, and arrive at least 30 minutes before the exam starts.

Maintenance Requirements

Once you have passed the CISM certification exam, you must maintain an adequate level of skill, knowledge, and proficiency. This commitment to continuing education offers many professional benefits and keeps you engaged, prepared, and effective in the infosec world. Concretely, a CISM must earn a minimum number of CPE hours every year and a larger minimum over each three-year reporting cycle. To retain the certification, CISMs must comply with the following requirements; failure to meet them can result in revocation of the CISM certificate.

  • Complete and document a minimum of 20 CPE hours each year in activities relevant to the CISM job practice. Hours can count toward the CPE requirements of more than one ISACA certification when the activity is applicable to each.
  • Submit annual CPE maintenance fees in full to ISACA international headquarters.
  • Complete and document a minimum of 120 CPE hours over a three-year reporting period. This period typically begins on the first day of January and is indicated on each annual invoice letter confirming compliance. It is up to the certification holder to report any errors directly to ISACA.
  • Provide documentation of CPE activities if audited. Each year a sample of CISMs is randomly selected to provide written evidence of the CPE activities they reported. The CISM Certification Committee reviews that evidence and revokes certifications found not to be in compliance.
  • Comply with ISACA’s Code of Professional Ethics.
    • Support the implementation of, and encourage compliance with, appropriate standards and procedures for the governance and management of enterprise information systems and technology.
    • Perform duties objectively, with due diligence and professional care.
    • Serve the interests of stakeholders in a lawful manner while maintaining high standards of conduct and character.
    • Maintain the privacy and confidentiality of information obtained in the course of your activities, and do not use it for personal benefit.
    • Undertake only those activities you can reasonably expect to complete with the necessary skills, knowledge, and competence.
    • Disclose all significant facts and findings to the appropriate parties.
    • Support the professional education of stakeholders by enhancing their understanding of the governance and management of enterprise information systems and technology.

Educational activities that meet the CPE standard include technical and managerial training in related areas, and in both cases the activity must relate to the management, design, or assessment of an enterprise's information security. Ordinary hours on the job do not count toward the requirement, but the following CPE activities have been approved by the CISM Certification Committee:

  • Active participation—and proof of attendance—in ISACA conferences, seminars, workshops, chapter programs, and related meetings.
  • Participation in corporate training, university courses, or related conferences not sponsored by ISACA.
  • Self-study courses with structured learning designed for CPE credit, including online learning, trade shows, webinars, and similar formats.
  • Development of presentations related to management, design, or assessment of an enterprise’s infosec.
  • Publication of written material directly related to infosec management. Submissions must appear in a formal publication or website, and a copy of the writing must be available upon request.
  • Development and review of CISM exam items, including materials review.
  • Contributions to the profession, such as volunteer work for ISACA or other professional bodies in the field (capped at 20 hours per year).
  • Mentoring, including coaching, reviewing performance, helping candidates prepare for the CISM exam, or guiding them through the credentialing process.

Renewal Requirements

To renew a CISM certification, you need to earn and report the required annual CPE hours across each three-year cycle and pay the annual maintenance fee, which funds the processing and administration of the program. It's that simple.

CISMs who are no longer able to work due to hardship, disability, illness, or other personal circumstances can request "non-practicing" status. Non-practicing CISMs must still pay the annual maintenance fee, but they are not obligated to complete continuing education hours. Non-practicing status must be requested in the same year the certification holder leaves the profession, and it officially takes effect at the start of a calendar year. To request it, the holder submits the Application for CISM Non-Practicing Status, available from ISACA, along with the CISM invoice and payment.

CISMs who wish to return to active status must complete and submit an Application for CISM Active Status to the Certification Department before resuming practice as a CISM. If the return occurs within two years of the change to non-practicing status, the holder need only earn and document the mandatory 20 CPE hours. If more than two years have passed, the holder must submit the active status application and earn 120 CPE hours over three years, and must also obtain one year of relevant work experience and submit a Verification of Work Experience Form signed by a supervisor. A non-practicing CISM remains non-practicing until the new status is approved in writing.


Jen Jeffers is a freelance writer who creates educational and historical content for the internet as well as InfoSec narratives for the deep web. Her work blends the creative with the factual to offer readers articles that are both entertaining and edifying. Although she has a strong aversion to mathematics, she is willing to research and learn about almost anything in the name of continuing education. Follow her blog The Raven Report, a history collection for the dark romantic at
