Step by Step Guide on How to Get a CISM Certification


Overview of the Certification

The Certified Information Security Manager (CISM) certification is offered by the Information Systems Audit and Control Association (ISACA). The course enhances an individual’s expertise and knowledge of how information security programs and processes tie in with broader business targets. The certification is proof that a candidate has applied experience in developing, implementing and managing security programs for the information generation processes in an enterprise.

This certification is particularly useful for individuals who have considerable hands-on experience in dealing with the development and management processes of information security programs. It covers a total of four domains and is an ideal course for students and professionals alike. At the base of it, this is a professional audit certification. Professionals who are dealing with or want to venture into information security audit and control programs will benefit from this course.

CISM certification validates a professional’s commitment to understanding and integrating technical competence, business processes, and strategic targets. Given how valuable it is, it is not hard to understand why companies are clamoring to hire people with this certification.

New threats and vulnerabilities are emerging every day. This is shifting the focus of information security from protection to prediction. As companies look to tighten information security while predicting threats, their biggest risk comes not from outside, but from inside – a lack of professionals skilled enough to handle the shift.

CISM certification stands out over other courses by ISACA because it is more management-oriented. It was introduced to promote international security practices while managing an enterprise’s information security programs.

Is This Course Right for You?

There is no set of rules that dictates whether you should get this certification or not. There are stringent testing criteria and heavy work experience requirements. Before you delve into the world of information security, you need to analyze whether you can spend a considerable period of your career in this field. This course is generally ideal for:

  • Information security managers and officers who want to advance in the company faster
  • IT consultants who want to get recognized for the value of services they provide
  • IT auditors who want to offer better services to their clients or advance within the organization if they are in-house
  • IT Security policymakers who want to understand their system weaknesses, best practices, and governance policies for their organization
  • Information Privacy officers who want to work on building more robust best practices for a company
  • Network Administrators and Network Security Engineers
  • Anybody else who foresees themselves settling in the IT security field for the long haul.

What are the Eligibility Criteria?

To become a certified security manager, there are some CISM certification requirements. They are:

  • Take the CISM exam and pass it
  • Adhere to the Code of Professional Ethics
  • Adhere to the Continuing Professional Education (CPE) policy even after you’ve passed the exam
  • Comply with Information Systems Auditing standards
  • Demonstrate the required work experience, which is as follows:
    • A minimum of 5 years of experience in IT systems audit and control, or security as described in the CISA job practice areas.
    • This work experience may be gained before the certification or after the certification.
    • If the work experience is gained before the certification, then the 5 years must have been completed in the preceding 10 years.
    • If the work experience is gained after the exam, then candidates have five years to gain the relevant work experience and obtain the certification.
    • Many people prefer the latter, and ISACA encourages them to do so. However, certification is not granted until all the relevant formalities have been completed.
    • There are, however, some substitutions and exceptions to the 5-year rule.
    • Two years may be deducted from the minimum experience for any of the following:
      • The individual is a CISA in good standing
      • The individual is a Certified Information Security Systems Professional in good standing
      • The individual holds a Master’s Degree in information security or a related field
    • One year may be deducted from the minimum experience for any of the following:
      • 1 year of information systems management experience
      • 1 year of general security management experience
      • A skill-based certification, as notified by ISACA from time to time
    • It must, however, be noted that points 1 and 2 can only provide a maximum substitution of 2 years. The other 2 years must be work experience from information systems audit work.
    • The exception to the rule above is that an individual may convert every 2 years of full-time university tutor experience in a related field.

What is the Certification Process?

The CISM exam is conducted twice a year – in June and December. The exam itself contains 200 multiple-choice and multiple-answer questions. The total duration of the exam is four hours. Candidates are tested in four different domains. To pass the exam, candidates need to earn a scaled score of 450 or higher. The four domains are:

  • Information security governance – 24%
  • Information risk management and compliance – 33%
  • Information security program development and management – 25%
  • Information security incident management – 18%

The percentages denote each domain’s weighting in the exam. These weights and the domains themselves may be changed to keep abreast of the changing tides in information security. However, major changes that significantly affect the exam are rare.

The pass percentage for the CISM exam hovers between 40% and 60%. This pass percentage is average compared to the other exams in the same area. If someone comes from an information security background, their likelihood of passing is higher.

For individuals who don’t have the experience of working in an information security role, the likelihood of passing is slightly lower. So there is no single objective reason why the pass percentage is low; it depends largely on the candidate’s background.

CISM Certification Cost

CISM costs vary depending on whether you’re a member of ISACA or not. Apart from the $50 application fee, you can expect to pay anywhere between $415 and $595. If you’re not a member, the early registration fee is $545, while it is $415 for members.

The final registration fee is $465 for members and $595 for non-members of ISACA. After you’ve cleared the exam, you also have to pay a continuing education fee in line with ISACA’s CPE policy.

How Long Does the Certification Last?

The life of a CISM certification is 3 years. You’re expected to earn 20 continuing professional education hours in the year you complete your exam. By the end of 3 years, you’re expected to show 120 continuing professional education hours to qualify for renewal of your certification. After showing those minimum hours, you have to pay a fee, and your certificate gets renewed. These credit hours must be completed in a job where you can apply the principles of your certification directly.

What are the Benefits of CISM Certification?

As a CISM professional, you would be recognized for your ability, technical competence, and knowledge of how to integrate business objectives with the information security requirements in an enterprise. It is easy to stride ahead with this certification because of its global recognition.

Because of the time and financial investment required, completing this certification shows commitment to the field. This certification, along with ISACA membership, will add value to your professional network through idea exchange, thus opening up new job avenues for you.

CISM Salary and Job Prospects

Some roles that CISM professionals can get into are:

  • Information System Security Officer
  • Information and Privacy Risk Consultant
  • Information Security Manager

Apart from this, there are a lot of positions open for professionals at each level of management. There is no dearth of job opportunities for them. Case in point: in 2018, more than 8500 jobs were posted that required the CISM qualification. The salary for CISM professionals in various capacities ranges from $75000 to $243000. However, the average salary (1) is about $150000.

Where to Get Certified and Get Online Resources?

ISACA provides a lot of online practice guides, study materials, practice questions, mock exams, and other material required to do well in the exam. Apart from that, there are a lot of third parties who provide practice material for the exam.