CISM Requirements For Certification

August 8, 2017

Bita Beigishah

If you have successfully passed the CISM exam, it would be logical to assume you now hold the title of ISACA Certified Information Security Manager – but that’s not really the case. In fact, you still have a way to go before you can add that acronym to your signature. For any advanced certification, passing the test is just one part of the verification process that ensures you are worthy of the title, and for CISM a candidate must complete the following steps:

  1. Pass the CISM exam
  2. Agree to the Code of Ethics
  3. Agree to the Continuing Education Policy
  4. Verify the required years of InfoSec work experience
  5. Submit a CISM application

Pass The CISM Exam

This is a little bit of a no-brainer but it needs to be said – you have to pass the CISM exam. The part of this that is not as well known is that you have 5 years from the date you first pass your exam to complete the remaining steps in the CISM certification process.

Note: Changes have been made to ISACA’s testing dates starting in 2017.

Agree To The Code Of Ethics

In order to earn any of the ISACA certifications, a candidate needs to pledge compliance with the ISACA Code of Professional Ethics. This code applies not only to a candidate’s work life but to his/her personal life as well. If someone is thought not to be adhering to the code, an investigation may ensue and could result in disciplinary measures.

Agree to the Continuing Education Policy

Most certifications require that their holders submit a specific number of education hours over a designated time period in order to maintain the credential; CISM is no different. The reason for this is simply that the information security industry changes rapidly, and continuing education is necessary to ensure that CISMs maintain current knowledge and skills, so as not to mislead any stakeholders about their skill set in today’s InfoSec environment. For new CISMs, the 3-year reporting period begins on January 1st of the year following their certification.

The continuing education requirements for CISM include:

  • Pay an annual maintenance fee
    • Members: $45
    • Non-Members: $85
  • Attain and report a minimum of 20 CPE hours annually
  • Attain and report a total of 120 CPE hours during the 3-year reporting period

Typically, if a candidate participates in a qualifying activity where the majority of the content relates back to the CISM job practice areas, he/she will earn 1 CPE per hour spent in the activity. Qualifying activities for earning CISM CPEs include:

  • Attending webinars or virtual conferences – earn a max of 36 CPEs/year
  • In-person conferences – earn a max of 32 CPEs/event
  • Live training courses – earn a max of 32 CPEs/course
  • Self-paced training – earn a max of 26 CPEs/course
  • ISACA members-only journal quizzes – earn a max of 6 CPEs/year
  • ISACA volunteer – earn a max of 20 CPEs/year
  • Mentoring someone for the CISM exam – earn a max of 10 CPEs/year

Verify the required years of InfoSec work experience

In order to apply for the CISM certification, one must verify the following:

  • He/she has a minimum of 5 years of work in the InfoSec field
  • At least 3 of those 5 years include work in at least 3 of the job practice areas listed below:
    • InfoSec Governance
    • Information Risk Management
    • InfoSec Program Development and Management
    • InfoSec Incident Management

Candidates can accumulate this experience in the period between 10 years prior to submitting the CISM application and 5 years after passing the CISM exam. While candidates essentially have a 15-year window in which to gain the 5 years of necessary work experience, ISACA will substitute either 1 or 2 years of the general InfoSec work experience if one of the following conditions is met:

2-year substitution

  • Holds a current CISA or CISSP certification
  • Holds a post-graduate degree in one of the following fields:
    • Information security
    • Business administration
    • Information assurance
    • Information systems

1-year substitution

  • One year of security or information systems management
  • Holds a current skills-based certification such as the MCSE or Security+
  • Completed an InfoSec management program at an approved institution

Submit a CISM application

Once you have completed all of the above requirements within the 5-year period after passing the CISM exam, you can finally submit your CISM application. You can complete the ISACA CISM application online.

The application itself doesn’t require a lot of documentation to verify your work experience, and the same is true when it comes time to submit your CPEs. Even so, make sure you keep thorough documentation of your experience and activity participation in case you are randomly chosen for an audit.

Have Questions About Submitting Your CISM Application?

Reach out to our team of training consultants any time at 301-258-8200 to discuss this or any other certification questions.