Certified Information Security Manager (CISM) is a certification for advanced IT professionals who want to demonstrate that they can develop and manage an infosec program at the enterprise level.

What is CISM?

Certified Information Security Manager (CISM) is an advanced certification for IT and cybersecurity professionals that demonstrates their ability to develop and manage an infosec program at the enterprise level. CISM is offered by ISACA, a nonprofit professional association focused on IT governance, and it is a popular and valuable certification for IT professionals interested in making business decisions about cybersecurity and working with — or joining — their organization’s IT leadership ranks.

Benefits of CISM certification

Earning a CISM credential can have several beneficial impacts on your career, including:

Career advancement and recognition: CISM certification demonstrates your expertise and interest in information security management, setting you apart for potential promotions and leadership roles.

Increased knowledge and skills: The training involved in achieving CISM certification exposes you to a wide range of infosec management responsibilities, elevating your knowledge of management principles, frameworks, and best practices that you can apply in real-world scenarios.

Additional job security: By demonstrating your commitment to IT security management and validating that your skills are up to date, CISM certification can make you a more prized member of your security team and ensure you are perceived as someone with leadership potential, improving your job security over the longer term.

Networking opportunities: By achieving your CISM and joining the various communities for CISM certification holders, including ISACA, you gain access to opportunities for knowledge sharing, collaboration, mentorship, and employment.

Is CISM worth it?
CISM salary

CISM certification involves a number of steps, so the obvious question arises: Is it worth it? If you’re interested in a management position — and the higher salaries such positions command — earning a CISM certification is a great way to signal your expertise, as well as your seriousness about your career and ambitions. Job titles that match up with CISM credentials include information security manager, information risk compliance specialist, and, yes, CIO. According to ZipRecruiter, CISMs make on average approximately $95,000 a year. SkillSoft, however, pegs the average salary of a CISM holder at $167,396 in its IT Skills and Salary Report, among the top 15 for certifications across IT.

CISM vs. CISSP

What’s the difference between CISM and CISSP, one of the other most popular advanced cybersecurity certs? Both CISM and CISSP require infosec technical savvy, but CISM specifically requires that you show you understand the incentives around information security from a business point of view, rather than just a technical standpoint. It is strongly oriented towards managers and those who aspire to be promoted to management. A CISSP certification, by contrast, demonstrates in-depth technical knowledge across a broad list of security domains, though it covers some managerial responsibilities as well. The two certs are not an either/or proposition — ISC2, the organization that offers the CISSP, says they complement one another. It’s not uncommon for the same people to pursue both certifications, though often a CISM certification heralds a career pivot to management.

What domains are covered by the CISM?

The CISM exam covers four core domains, which also provide the foundation for the work experience requirements to earn the certification.
The four CISM domains, with estimated exam coverage, are:

Information security governance (17%): This domain ensures candidates can analyze, plan, and develop information security strategies, including legal, regulatory, and contractual requirements; organizational structure, roles, and responsibilities; governance frameworks and standards; and strategic planning.

Information security risk management (20%): This domain ensures candidates can analyze and identify, at a management level, infosec risks, threats, and vulnerabilities, including the ability to assess emerging risks and the threat landscape; to perform vulnerability, control deficiency, and risk analysis; and to conduct risk monitoring and reporting, in addition to other risk response tasks.

Information security program (33%): This domain ensures candidates can manage infosec programs, including security control, testing, reporting, and implementation. Included in this domain are security program resource strategies; asset identification and classification; security policies, procedures, and guidelines; infosec metrics; security awareness and training; and management of external services.

Incident management (30%): This domain ensures candidates can prepare a business to respond to incidents and guide its recovery. Included in this domain are incident response planning; business continuity and disaster recovery planning; business impact analysis; incident management training, testing, and evaluation; containment methods; and post-incident review practices.

CISM requirements

To earn a CISM certification, candidates must fulfill two requirements:

1. Pass the CISM exam
2. Demonstrate the required work experience

To meet the second requirement, candidates must have five years of experience in information security within the decade before they apply for the certification, with three years of management experience in three or more of the core areas listed above, which ISACA refers to as job practice areas.
Certain lower-level certs can stand in for years of experience, and time spent teaching infosec at the university level can substitute as well. If you don’t have enough professional experience to qualify for the certification after passing the exam, you can apply for the certification once you do gain the needed experience, as long as it’s within the next five years. ISACA calls this practice “acceptable” and says that it’s common.

CISM certification process

Once you’ve passed your exam and accumulated enough work experience to qualify, you’re ready to apply for your CISM certification. This is a relatively painless process, and requires a one-time $50 application processing fee. But to maintain your certification, you must complete at least 120 continuing professional education (CPE) hours over a three-year reporting cycle, with a minimum of 20 hours in each year. There are lots of ways to meet this requirement, including attending university classes, corporate trainings, or vendor sales presentations, or participating in professional education activities and meetings. You can get more details by reading ISACA’s CISM CPE Policy. It’s also worth noting that one of the benefits of ISACA membership is free programs that count towards your CPE hours. If you’re CISM-certified, you’re also expected to adhere to the CISM code of professional ethics. Finally, you have to pay an annual maintenance fee of $85, though that’s reduced to $45 for ISACA members, and if you hold multiple ISACA certifications you get a bulk discount on maintenance.

CISM exam

The CISM exam covers the four CISM domains outlined above in the noted proportions. There’s a very thorough breakdown of the key domains, subtopics, and tasks on which you’ll be tested on ISACA’s website. The CISM exam can be taken either online or in person, consists of 150 multiple-choice questions, and is scored on a scale of 200 to 800, with 450 being a passing score.
(If you don’t pass, you can retake the exam as often as four times a year, with a brief waiting period between attempts.) IT security architect Jeremiah Walker, in an article on LinkedIn, says that “unlike most multiple-choice exams, most questions have at least three good answers. You will see a lot of questions that ask, ‘What is the MOST important thing to do in this situation?’ or ‘Which step should you take FIRST?’ You won’t be able to guess at these questions. You must truly understand the CISM material.” Another important thing to note while taking the exam: keep the certification’s management orientation in mind and view the questions through that lens.

CISM exam cost

The CISM exam costs $760, with a discounted ISACA member price of $575. ISACA membership costs $145 to join, with a subsequent annual fee of $135, though you do get benefits beyond the exam discount.

CISM study guide

There are various official and unofficial study guides for the CISM exam. Perhaps the most important is ISACA’s Question, Answer, and Explanation (QAE) database, which can be accessed with a free ISACA account. Keep in mind that the QAE database doesn’t include the actual questions you’ll encounter on the exam; rather, it shows you the types of questions that you can expect. “The questions were good at showing how the real questions would be worded,” says one Reddit user who passed the exam. “Having the reasons the answers were correct and incorrect is probably the best thing. Not a single question from the QAE database was on the actual exam, but I feel like I learned a lot reading the descriptions of the answers.” ISACA also publishes an official review manual, which is available for $139 from ISACA ($109 for members) or Amazon. There are also unofficial study guides available on the internet, as is the case for most big certifications: one that comes recommended from several quarters is the CISM All-in-One Exam Guide, which costs only $40 on Amazon.
CISM training

If you are interested in going beyond the study guides to learn in a more structured way, a number of CISM training courses are available. ISACA, for example, offers the official CISM Online Review Course, which includes 16 hours of instruction and costs $895. (Members get a $100 discount.) There are plenty of online courses available from a variety of vendors. Some of the highest-rated offerings include:

The course from Certified Information Security, which includes direct phone support with a mentor and costs $795.00.

The CyberVista CISM Training Course, available in both live online and on-demand formats, with pricing available on request.

CISSP Exam Practice, despite the name, also offers an online CISM bootcamp, which costs $498.

SimpleLearn’s CISM Certification Training includes 16 hours of e-learning content and an exam voucher, with pricing available on request.

Thor Pedersen offers a popular series of courses available on Udemy for approximately $99 per domain.