CISM

The Certified Information Security Manager® (CISM®) certification program is developed specifically for experienced information security managers and those who have information security management responsibilities. The CISM certification is for the individual who manages, designs, oversees and/or assesses an enterprise's information security (IS). The CISM certification promotes international practices and provides executive management with assurance that those earning the designation have the required experience and knowledge to provide effective security management and consulting services. Individuals earning the CISM certification become part of an elite peer network, attaining a one-of-a-kind credential. The CISM job practice also defines a global job description for the information security manager and a method to measure existing staff or compare prospective new hires.


Exam Preparation

Take the CISM Certification 5-day Boot Camp course.


Certification Requirements

1. Successfully Pass the CISM Exam


Score a passing grade on the CISM exam. A passing score on the CISM examination, without completing the required work experience as outlined below, will only be valid for five years. If the applicant does not meet the CISM certification requirements within the five-year period, the passing score will be voided.



2. The Code of Professional Ethics


Members of ISACA and/or holders of the CISM designation agree to a Code of Professional Ethics to guide professional and personal conduct.


3. Continuing Education Policy


Continuing Education Program Objectives


The objectives of the continuing education program are to:


a. Maintain an individual's competency by requiring the update of existing knowledge and skills in the areas of information systems auditing, management, accounting and business areas related to specific industries (e.g., finance, insurance, business law, etc.)
b. Provide a means to differentiate between qualified CISMs and those who have not met the requirements for continuation of their certification
c. Provide a mechanism for monitoring information systems audit, control and security professionals' maintenance of their competency
d. Aid top management in developing sound information systems audit, control and security functions by providing criteria for personnel selection and development


Maintenance fees and a minimum of 20 contact hours of CPE are required annually. In addition, a minimum of 120 contact hours is required during a fixed 3-year period. Upon completing the requirements for initial certification, the CISM will be provided with the CPE policy booklet for detailed criteria to be used in developing a personal CPE program.



4. Work Experience


Submit verified evidence of a minimum of five years of information security work experience, with a minimum of three years of information security management work experience in three or more of the job practice analysis areas. The work experience must be gained within the ten-year period preceding the application date for certification or within five years from the date of originally passing the exam.


Experience Substitutions


The following security-related certifications and information systems management experience can be used to satisfy the indicated amount of information security work experience.


a. Two Years:
• Certified Information Systems Auditor (CISA) in good standing
• Certified Information Systems Security Professional (CISSP) in good standing
• Post-graduate degree in information security or a related field (e.g., business administration, information systems, information assurance)


b. One Year:
• One full year of information systems management experience
• Skill-based security certifications (e.g., SANS Global Information Assurance Certification (GIAC), Microsoft Certified Systems Engineer (MCSE), CompTIA Security +, Disaster Recovery Institute Certified Business Continuity Professional (CBCP), ESL IT Security Manager)


The experience substitutions will not satisfy any portion of the three-year information security management work experience requirement.


5. Submit an Application for CISM Certification


Once a CISM candidate has passed the CISM certification exam and has met the work experience requirements, the final step is to complete the CISM Application for Certification.


There are three ways to obtain the CISM application:



The Exam

The CISM exam is offered annually during the months of June and December.


CISM Exam Results

Receiving Your Score Report


Please notify the certification department immediately if registration contact information changes. Approximately eight weeks after the test date, the official exam results will be mailed to candidates. Additionally, with the candidate's consent to item #25 on the registration form, an e-mail containing the candidate's pass/fail status and score will be sent to paid candidates. This e-mail notification will only be sent to the address listed in the candidate's profile at the time of the initial release of the results. To ensure the confidentiality of scores, exam results will not be reported by telephone or fax. To prevent the e-mail notification from being routed to spam folders, candidates should add certification@isaca.org to their address book, white-list or safe-senders list.


Reporting of Your Test Results


The CISM exam consists of 200 items. Candidate scores are reported as a scaled score. A scaled score is a conversion of a candidate's raw score on an exam to a common scale. ISACA uses and reports scores on a common scale from 200 to 800. A candidate must receive a score of 450 or higher to pass the exam. A score of 450 represents a minimum consistent standard of knowledge as established by ISACA's CISM Certification Board.


Types of Examination Questions

The exam questions were developed with the intent of measuring and testing practical knowledge and the application of general concepts and security standards. The questions are multiple-choice and are designed for one best answer. Candidates are given 4 hours to complete the 200 multiple-choice question exam.


The candidate is cautioned to read each question carefully and select the appropriate answer that is MOST likely or BEST.


Frequently Asked Questions

Q:
When can I take the exam?


A:
The CISM exam is offered annually during the months of June and December.


Q:
How long is the exam?


A:
A candidate is given 4 hours to complete a 200 multiple-choice question exam.


Q:
What does the CISM exam cover?


A:
The CISM exam covers five information security management areas, each of which is further defined and detailed through task and knowledge statements.


Q:
How much does the exam cost?

A:
CISM® Examination Fees: Non-Members USD 480
CISM® Examination Fees: ISACA Members USD 360



Q:
What is the language used on the exam?

A:
The CISM® examination is offered in English and French (other languages are available).


Other Resources


For further details, visit: CISM Certification