A Guide to the Certified Information Security Manager (CISM) qualification


There are now a vast number of courses and qualifications available for IT and cyber security professionals. Some are achievable over only a few days, whilst some may take years to complete. In terms of Information Security, there are a great deal of courses and qualifications out there, but one of the best-known and highly regarded is the Certified Information Security Manager (CISM) qualification, which is awarded by ISACA (the organisation previously known as the Information Systems Audit and Control Association).

The Qualification

The Certified Information Security Manager qualification was first launched in 2002 and is now a globally accepted qualification amongst the IT community.

Who is it for?

The CISM is for IT professionals with a specific interest in IT security. It is awarded to individuals who meet the following requirements:

  1. Pass the CISM exam.
  2. Adhere to ISACA’s Code of Professional Ethics.
  3. Agree to comply with the Continuing Professional Education (CPE) Policy.
  4. Have relevant work experience.
  5. Submit an Application for CISM Certification.

The Exam

One of the criteria for certification is passing the main exam. The exam covers the four CISM areas outlined below:

  • Information Security Governance (24% of exam)
  • Information Risk Management and Compliance (30% of exam)
  • Information Security Program Development and Management (27% of exam)
  • Information Security Incident Management (19% of exam)

The exam consists of 150 multiple-choice questions covering the areas above. Candidates have four hours in which to complete the exam.

Since 2017, the exam has been available via computer-based testing (CBT) at a number of registered exam centres. This also means that the candidate’s exam score can be displayed straight away.

In order to register for the exam, candidates must first register online with ISACA, find a testing centre nearby, and pay for the examination in advance.

The fees for this exam are $575 USD (approx. £475) for ISACA members and $760 USD (approx. £625) for non-members.

Required Experience / Qualifications

Those who wish to become qualified must possess a minimum of five years of relevant work experience. This experience must be verified and include at least three years of information security management work in three or more of the specified areas. This experience must have been gained in the 10-year period prior to the application date, or within 5 years from when the exam was originally passed.

There are, however, several certifications and types of experience that can be used towards the 5-year information security work experience requirements (but not toward the 3-year specific requirements).

Certifications and experience that count for two years of the five include:

  • Certified Information Systems Auditor (CISA)
  • Certified Information Systems Security Professional (CISSP)
  • Post-graduate degree in either information security or a related field such as business administration, information systems, or information assurance.

Certifications and experience that count for one year of the five include:

  • One year of information systems management experience
  • One year of general security management experience
  • Skill-based security certifications such as CompTIA Security+, SANS Global Information Assurance Certification (GIAC), Disaster Recovery Institute Certified Business Continuity Professional (CBCP), Microsoft Certified Systems Engineer (MCSE), or ESL IT Security Manager.
  • A completed information security management program at a relevant institution (i.e. one aligned with the Model Curriculum).

Continuing Professional Education and Jobs Prospects

A key element in obtaining certification is that the candidate agrees to follow the Continuing Professional Education (CPE) policy. This policy is there to ensure that all certified candidates keep their knowledge current and maintain proficiency in the field. Staying up-to-date means that individuals are better able to provide leadership and value to their organisations. At least 20 hours of CPE are required each year in order to maintain the CISM certification.

Professionals who pass the CISM qualification can go into a wide range of roles including (but not limited to):

  • Information Security Manager
  • Information Security Analyst
  • IT Audit Manager
  • Director of Cyber Security & Information Assurance
  • Cybersecurity Consultant

According to the website IT Jobs Watch, the average (median) annual salary for an ISACA Certified Information Security Manager is £65,000. You can find out more about other cyber security job salaries in this article on our sister site, Cyber Security Jobs.