Josh Fruhlinger
Contributing writer

CISM certification: Requirements, training, exam, and cost

Feature
04 Jun 2024, 9 mins
Careers, Certifications, Security

Certified Information Security Manager (CISM) is a certification for advanced IT professionals who want to demonstrate that they can develop and manage an infosec program at the enterprise level.


What is CISM?

Certified Information Security Manager (CISM) is an advanced certification for IT and cybersecurity professionals that demonstrates their ability to develop and manage an infosec program at the enterprise level. CISM is offered by ISACA, a nonprofit professional association focused on IT governance, and it is a popular and valuable certification for IT professionals interested in making business decisions about cybersecurity and working with, or joining, their organization’s IT leadership ranks.

Benefits of CISM certification

Earning a CISM credential can have several beneficial impacts on your career, including:

  • Career advancement and recognition: CISM certification demonstrates your expertise and interest in information security management, setting you apart for potential promotions and leadership roles.
  • Increased knowledge and skills: The training process involved in achieving CISM certification will expose you to a wide range of infosec management responsibilities, thereby elevating your knowledge of management principles, frameworks, and best practices that you can apply in real-world scenarios.
  • Additional job security: By demonstrating your commitment to IT security management and validating your skills are up-to-date, CISM certification can make you a more prized member of your security team and ensure you are perceived as someone with leadership potential, thereby improving your job security longer term.

  • Networking opportunities: By achieving your CISM and joining various communities for CISM certification holders, including ISACA, you will gain access to opportunities for knowledge sharing, collaboration, mentorship, and employment.

Is CISM worth it? CISM salary

CISM certification involves a number of steps, so the obvious question arises: Is it worth it? If you’re interested in a management position — and the higher salaries such positions command — earning a CISM certification is a great way to signal your expertise, as well as your seriousness about your career and ambitions. Job titles that match up with CISM credentials include information security manager, information risk compliance specialist, and, yes, CIO.

According to ZipRecruiter, CISMs make on average approximately $95,000 a year. SkillSoft, however, pegs the average salary of a CISM holder at $167,396 in its IT Skills and Salary Report, among the top 15 for certifications across IT.

CISM vs. CISSP

What’s the difference between CISM and CISSP, one of the other most popular advanced cybersecurity certs? Both CISM and CISSP require infosec technical savvy, but CISM specifically requires that you show that you understand the incentives around information security from a business point of view, rather than just a technical standpoint. It is strongly oriented towards managers and those who aspire to be promoted to management. A CISSP certification, by contrast, demonstrates in-depth technical knowledge over a broad list of security domains, though it involves some managerial responsibilities as well.

The two certs are not an either/or proposition — ISC2, the organization that offers the CISSP, says they complement one another. It’s not uncommon for the same people to pursue both certifications, though often a CISM certification heralds a career pivot to management.

What domains are covered by the CISM?

The CISM exam covers four core domains, which also provide the foundation for the work experience requirements to earn the certification. The four CISM domains, with estimated exam coverage, are:

  • Information security governance (17%): This domain ensures candidates can analyze, plan, and develop information security strategies, including legal, regulatory, and contractual requirements; organizational structure, roles, and responsibilities; governance frameworks and standards; and strategic planning.
  • Information security risk management (20%): This domain ensures candidates can analyze and identify at a management level infosec risks, threats, and vulnerabilities, including the ability to assess emerging risks and the threat landscape; to perform vulnerability, control deficiency, and risk analysis; and to conduct risk monitoring and reporting, in addition to other risk response tasks.
  • Information security program (33%): This domain ensures candidates can manage infosec programs, including security control, testing, reporting, and implementation. Included in this domain are security program resource strategies; asset identification and classification; security policies, procedures, and guidelines; infosec metrics; security awareness and training; and management of external services.
  • Incident management (30%): This domain ensures candidates can prepare a business to respond to incidents and guide their recovery. Included in this domain are incident response planning; business continuity and disaster recovery planning, business impact analysis; incident management training, testing, and evaluation; containment methods; and post-incident review practices.

CISM requirements

To earn a CISM certification, candidates must fulfill two requirements:

  • Pass the CISM exam
  • Demonstrate the required work experience

To meet the second requirement, candidates must have five years of experience in information security within the decade before they apply for the certification, with three years of management experience in three or more of the core areas listed above, which ISACA refers to as job practice areas. Certain lower-level certs can stand in for years of experience, and time spent teaching infosec at the university level can substitute as well.

If you don’t have enough professional experience to qualify for the certification after passing the exam, you can apply for the certification once you do gain the needed experience, as long as it’s within the next five years. ISACA calls this practice “acceptable” and says that it’s common.

CISM certification process

Once you’ve passed your exam and accumulated enough work experience to qualify, you’re ready to apply for your CISM certification. This is a relatively painless process, and requires a one-time $50 application processing fee.

But to maintain your certification, you must take at least 120 continuing professional education (CPE) hours over a three-year reporting cycle, with a minimum of 20 hours in each year. There are lots of ways to meet this requirement, including attending university classes, corporate trainings, or vendor sales presentations, or participating in professional education activities and meetings. You can get more details by reading ISACA’s CISM CPE Policy. It’s also worth noting that one of the benefits of ISACA membership is free programs that count towards your CPE hours.

If you’re CISM-certified, you’re also expected to adhere to the CISM code of professional ethics. Finally, you have to pay an annual maintenance fee of $85, though that’s reduced to $45 for ISACA members, and if you hold multiple ISACA certifications you get a bulk discount on maintenance.

CISM exam

The CISM exam covers the four CISM domains outlined above in the noted proportions. There’s a very thorough breakdown of the key domains, subtopics, and tasks on which you’ll be tested on ISACA’s website.

The CISM exam can be taken either online or in person, consists of 150 multiple-choice questions, and is scored on a scale of 200 to 800, with 450 being a passing score. (If you don’t pass, you can retake the exam as often as four times a year, with a brief waiting period between attempts.) IT security architect Jeremiah Walker, in an article on LinkedIn, says that “unlike most multiple-choice exams, most questions have at least three good answers. You will see a lot of questions that ask, ‘What is the MOST important thing to do in this situation?’ or ‘Which step should you take FIRST?’ You won’t be able to guess at these questions. You must truly understand the CISM material.”

Another important thing to note while taking the exam: You should keep the certification’s management orientation in mind and view the questions through that lens.

CISM exam cost

The CISM exam costs $760, with a discounted ISACA member price of $575. ISACA membership costs $145 to join, with a subsequent annual fee of $135, though you do get benefits beyond the exam discount.

CISM study guide

There are various official and unofficial study guides for the CISM exam. Perhaps the most important is ISACA’s Question, Answer, and Explanation (QAE) database, which can be accessed with a free ISACA account. Keep in mind that the QAE database doesn’t include the actual questions you’ll encounter on the exam; rather, it will show you the types of questions that you can expect. “The questions were good at showing how the real questions would be worded,” says one Reddit user who passed the exam. “Having the reasons the answers were correct and incorrect is probably the best thing. Not a single question from the QAE database was on the actual exam, but I feel like I learned a lot reading the descriptions of the answers.”

ISACA also publishes an official review manual, which is available for $139 from ISACA ($109 for members) or Amazon. There are also unofficial study guides available on the internet, as is the case for most big certifications: one that comes recommended from several quarters is the CISM All-in-One Exam Guide, which costs only $40 on Amazon.

CISM training

If you are interested in going beyond the study guides to learn in a more structured way, a number of CISM training courses are available. ISACA, for example, offers the official CISM Online Review Course, which includes 16 hours of instruction and costs $895. (Members get a $100 discount.)

There are plenty of online courses available from a variety of vendors. Some of the highest-rated offerings include:
