Definition of CISM
CISM (Certified Information Security Manager) is “an advanced certification which indicates that an individual possesses the knowledge and experience required to develop and manage an enterprise information security program.” This certification is offered by ISACA, a nonprofit, independent association. CISM is accredited by ANSI under ISO/IEC 17024:2003.
CISM is designed for professionals who focus on information security management, like IT managers, information security analysts, or consultants supporting information security management. A CISM-certified individual is expected to manage the company’s information security, develop policies and practices, and understand the relationship between information security and business objectives.
CISM vs. CISSP
CISM is one of the two most popular certifications for IT professionals; the other one is CISSP (Certified Information Systems Security Professional). What are the similarities and differences between CISM and CISSP?
- CISM is offered by ISACA, while CISSP is offered by (ISC)2. Both organizations are independent and nonprofit.
- Both CISM and CISSP certify a candidate’s skills against a standard body of knowledge. Both require at least 5 years of experience in specific domains. Both require CPE (continuing professional education) credits to keep the certification current.
- CISM’s emphasis is on management and strategy, whereas CISSP focuses on operations and threat response. This is the crucial difference between the two certifications.
How to Become a CISM
CISM certification involves several steps, including registration, taking the exam, and maintaining certification.
CISM Certification Exam
The CISM certification process starts with a 150-question multiple-choice exam. This exam is scored with a 200-800 scaled scoring method; the CISM passing score is 450. The exam covers the 4 CISM domains or content areas:
- Information security governance
- Information risk management
- Information security program development and management
- Information security incident management
CISM Prerequisites
Not every IT professional can take the exam. Someone who aspires to be CISM-certified must have 5 years of experience in information security, with at least 3 years of information security management experience in 3 or more of the CISM domains mentioned above. Moreover, the experience should be gained within 10 years before the application date or within 5 years after passing the exam.
After passing the exam, applicants can then apply for CISM certification within 5 years.
How To Prepare for the CISM Exam
Here are a few practical tips on preparing for the CISM exam:
- Download and read the latest ISACA Certification Exam Candidate Guide. This document contains all the useful information about the exam, like registration, deadlines, exam-day details, CISM domains, tips, and the length, languages, and number of questions of the exam.
- Check the official CISM Exam Resources and the CISM Review Manual. The manual covers the exam content.
- Do CISM practice tests. Start with ISACA’s free 10-question practice quiz. After that, move to the official CISM Review Questions, Answers & Explanations, which contains 1,000 questions and detailed answers.
- Create your study plan. You can prepare on your own, but if possible, consider attending a CISM training course. ISACA also offers prep resources, such as purchasable CISM study aids and a sponsored CISM exam study community.
- During the exam, think like a manager. Remember: CISM is management-focused. While having technical expertise is handy, always approach the questions with a manager’s mindset.
Maintaining CISM Certification
Here are the requirements for maintaining the CISM certification. The person must:
- Sustain an adequate level of knowledge and proficiency in information systems security management.
- Complete 20 CPE hours every year.
- Follow ISACA's Code of Professional Ethics.
Benefits of CISM Certification
Should you seek CISM certification? Here are some points you can consider:
Higher Salary
According to an analysis by the InfoSec Institute, the average CISM salary in the U.S. "likely falls between $136,000 and $172,000, with a rough estimate of around $152,037." This is an increase of $23,037 compared to their previous estimate of $129,000, meaning the salaries of those who are CISM-certified are on a sharp upward trajectory.
This is roughly consistent with a salary survey conducted by Certification Magazine, which lists the average salary of American CISM holders as $148,680.
More Credibility
Because employers have a hard time finding qualified professionals, CISM certification gives them a useful way to screen whether a candidate has the required expertise and experience. Note, however, that CISM certification does not guarantee that a candidate for an information security management job will be successful in the long run.
More Knowledge
Perhaps the best value CISM certification provides to its holders is a standard understanding of essential concepts. CISM-certified individuals understand the business of their organizations. They can identify issues and adapt business practices to support the management of information technologies.
Being CISM-certified shows that you have the skills and background to understand the relationship between an information security program and business objectives. Such a skillset is in high demand, making CISM an excellent choice for career progression. In the end, choosing whether to pursue CISM certification must be aligned with the person’s long-term career goals.