Why Become CISM Certified?


If you’re at the point in your career where you’re thinking about a CISM, you’ve probably decided that management is the route you’d like to take.

Keep in mind that once you make that decision, it’s very difficult to go back toward hands-on execution and delivery.

So if you’re serious about the CISM, today’s article will give you some insight into CISM certification: the requirements, the benefits, and the options you have.

What is the CISM Certification?

The CISM (Certified Information Security Manager) certification is a highly regarded credential in cybersecurity offered by the Information Systems Audit and Control Association (ISACA) and accredited by ANSI under ISO/IEC 17024:2012.

Candidates interested in this certification must demonstrate their ability to manage, design, oversee, and assess an organization’s information security program.

If you’re not already familiar with ISACA, it’s an organization that’s been around for several decades and is commonly known for its training and certification of IT and cybersecurity professionals. After an individual passes any one of its certification exams, they are awarded a certificate for having demonstrated the knowledge in their chosen skill set.

In this case, by earning a CISM certification, ISACA has validated that the test taker has the knowledge and experience necessary to potentially succeed in the field of information security management.

Why is being CISM certified important?

There is a certain distinction to earning the CISM; of the approximately 4 million cybersecurity professionals in the world, only 48k of those professionals are holders of the CISM certificate.

Because ISACA is recognized as a global community of IT and information security professionals, the CISM certification is understood as the industry standard for those functioning in a managerial capacity.

Therefore, by indicating on your resume that you’re CISM certified, you’re letting employers know that you’ve already shown leadership in the field, and now you’re taking the necessary steps to advance your cybersecurity career even further.

This not only adds to your credibility, it also increases your value in the cybersecurity job market, enabling you to secure a higher-paying job.

Who should be CISM certified?

CISM certification is one of the most reputable and highly sought-after cybersecurity certifications.

This exam is specifically designed for those with technical knowledge and experience in information security management, or for senior cybersecurity professionals functioning in a supervisory role.

If you’re wondering about benefits other than self-satisfaction, the answer depends on whether you’re planning to move up the corporate ladder.

The CISM is a great certification to have if you’re a:

  • Information System Security Officer
  • Cybersecurity Architect
  • Information Security Manager
  • GRC Manager
  • Cybersecurity Director
  • Chief Information Officer
  • Chief Information Security Officer

To clarify, the CISM certification is not meant for entry level cybersecurity professionals.

If you’re current military or a government employee, it’s also important to know that the CISM certification is an approved DoD Directive 8570/8140 Baseline Certification for IAM Level 3 personnel.

If you’re a veteran who possesses an information security background and has chosen to re-enter the workforce as a security manager, the CISM is a huge benefit. You’ve got the best background of information security and leadership to be bid as key personnel for government contracts.

What does the CISM exam cover?

The exam covers four specific areas: enterprise governance and information security strategy, risk management assessment and response, program development and management, and incident management readiness and operations.

The CISM exam is 4 hours long and consists of 150 multiple-choice questions. The exam covers the 4 CISM domains or content areas:

1. Information Security Governance (17% of exam)

  • Enterprise Governance & Information Security Strategy

2. Information Security Risk Management (20% of exam)

  • Information Security Risk Assessment & Response

3. Information Security Program (33% of exam)

  • Information Security Program Development & Management

4. Incident Management (30% of exam)

  • Incident Management Readiness & Operations

Candidates must score 70% or higher on each of the four main sections of the exam to be considered CISM certified.

Once you pass your CISM certification exam, ISACA will issue you an electronic certificate through your online account in about two weeks after testing.

For more specifics on what the exam covers, readers are encouraged to visit ISACA’s website for the latest information.

How do I prepare for the CISM exam?

Chances are, if you’ve attempted another ISACA cert such as CISA, CRISC, or CDPSE, then you’re already familiar with how the exam looks and feels, as well as the certification process.

And, if you believe that you meet the eligibility requirements for taking the CISM Certification exam, then it’s time that you utilize the right resources to prepare for the exam.

In order to pass the exam, you must score a minimum of 450 out of 800 points; that passing score is required before you can apply for certification.

To understand the content of the exam, ISACA provides a content outline so that you may better prepare.

While questions such as, “How do I pass the exam on the first try?” are beyond the scope of this article, applicants should review the following freely available content:

YouTube. This platform provides an immense wealth of information regarding the CISM Certification and passing the exam.

Practice exams and questions. These are great methods of determining the type of questions you’ll encounter and to see if you’re ready for the real exam. If you’re inclined, Simplilearn offers a full 200 question, 4 hour practice exam.

Reddit/Facebook. Both platforms are great resources for CISM related questions and answers, although Reddit may have a slight edge due to the nature of the platform.

LinkedIn Learning. LinkedIn is a powerful source of freely available learning material. Here you will find several hours of videos related to CISM training.

Study Material. You can always find older study books and guides online and from former test takers, but be advised that it’s always best to use the most recent study materials, usually available through official channels.

ISACA. Believe it or not, ISACA does have a few free study and online CISM training materials available for test takers to review. Don’t forget to check them out; after all, they are the owners of the exam!

Cybrary/Udemy. If you’re willing to pay a minimal amount for video learning lessons, then these two platforms may be an option for you. They offer quite a bit of value and are much cheaper than a security bootcamp.

Bootcamp. As mentioned, bootcamps aren’t cheap but they have a pretty strong satisfaction rate among students that have opted for this learning path. Read below for more info regarding the CISM boot camp.

Word of Caution about Study Materials

Since the focus of this article is to inform you about the exam, not how to pass the exam, you’re invited to use any material in your arsenal to help you pass the exam.

However, readers are advised to prioritize ISACA study materials over other sources, as their materials are based upon their own exam.

If you decide not to pay for the ISACA materials, utilize all freely available materials first before deciding to pay for training materials or courses.

When in doubt, always stick with official ISACA courses and study materials, as these are guaranteed to be relevant to the latest version of the exam.

Yes, there is a cost for the ISACA study materials, but if you want to maximize your chances of passing the CISM exam on the first attempt, it may be worth the cost.

Requirements for CISM Certification

Before applying for CISM certification, please ensure you’re fulfilling all the eligibility requirements.

While it is common for individuals to take and pass the CISM exam before meeting the eligibility requirements, ISACA will not grant you the CISM certification until all requirements have been satisfied.

Applicants are required to agree to ISACA’s code of professional ethics, terms and conditions, and security agreement.

Since that is generally not an issue, the main hurdle is that applicants must demonstrate five years of work experience in the field of information security management.

The benefit is that ISACA doesn’t require you to have knowledge or experience in a specific cybersecurity field to qualify for the CISM exam. As long as you have any information security management experience, you’re good to take the exam.

Better yet, applicants may obtain a waiver for two of the five years; however, a minimum of three years spent as an information security manager is required without exception. You may be required to submit evidence of professional work experience in order to apply for the CISM exam.

How much does the CISM Cert Cost?

The CISM exam fees range from $575 USD for ISACA Members to $760 USD for non-members.

Keep in mind that registration fees are non-refundable and non-transferable; however, applicants do have up to 12 months after registration to take the exam. Applicants are warned that after the 12-month period expires, deferrals or extensions of your exam are no longer allowed.

Individuals can take an exam four times in a rolling year and are required to purchase a new exam registration for each attempt.

If you decide to take a CISM training program from an authorized partner, you may be entitled to an exam voucher allowing you to take the CISM exam for free, because it’s already included in the price of the training.

CISM Bootcamp

If you have a bit of money to spend, or if your employer is paying, consider taking a CISM bootcamp. This particular ISACA boot camp costs roughly $2k to $3k, which is much cheaper than most.

If you make the decision to try a CISM boot camp, only take one that’s provided by an authorized ISACA partner.

The problem with an unauthorized ISACA bootcamp is that they won’t teach you about the latest updates on the CISM exam and may even offer exam vouchers that are likely fraudulent; in short, they’re probably a scam!

A properly vetted ISACA training facility offers live and online instruction, practice exams, an exam voucher, and is updated with the latest changes in the exam. That means you won’t have to worry in the middle of your studies if ISACA suddenly changes something; it’s unlikely to happen, but possible.

Additionally, in the unlikely event that you do fail the exam, the training center is very likely to offer an “Exam Pass Guarantee.” This guarantee allows you to retake the course if you fail the exam the first time.

As a forewarning, not all bootcamps are made the same; make sure that your CISM bootcamp offers these basic amenities as part of the package, and do yourself a favor by shopping around. Want to know if a cybersecurity bootcamp is worth it?

CISM Certification Maintenance Requirements

Passing the exam isn’t enough; to be officially CISM certified, you’re also required to apply for certification and pay the $50 USD application fee.

Additionally, as a CISM certified professional, you need to pay the ISACA annual maintenance fee of $45 as an ISACA member or $85 as a non-member.

ISACA also requires CISM certified professionals to maintain their security knowledge by obtaining continuing professional education (CPE) hours; these are hours provided by various organizations for completing coursework, attending training sessions, webinars, etc. that count towards your professional education.

You must earn and log 20 CPE hours per year and 120 hours across three years to maintain your certification. Logging your CPEs is very important if you’re ever selected for a CPE audit.

In today’s article we have covered what the CISM certification is, why it’s important, your eligibility to take the exam, how to prepare, what it costs, what the topic areas are, and how to maintain your certification.

For more up-to-date information, ISACA offers an in-depth CISM Exam Candidate Guide that provides all the necessary information regarding exam registration, scheduling, preparation, rules, administration, scoring, retake policy, etc.

Becoming CISM certified is a wonderful way to demonstrate a high level of commitment with your information security management skills.

by Amit Doshi
