CISM: The Certified Information Security ManagerĀ®
Prestigious
Worldwide
Employers
1st Choice
Great Career
Opportunities
What is CISM by ISACA?
CISM stands for "Certified Information Security Manager" and it's a prestigious training course and certification by ISACA that teaches IT Professionals how to assess risks, implement effective governance and proactively respond to incidents.
This ISACA CISM course provides training on data breaches, ransomware attacks and other constantly evolving security threats are top-of-mind for todayās IT professionals.
What will I learn with the ISACA CISM certification?
Information Security Governance
This domain will provide you with a thorough insight into the culture, regulations and structure involved in enterprise governance, as well as enabling you to analyze, plan and develop information security strategies. Together, this will affirm high-level credibility in information security governance to stakeholders.
ENTERPRISE GOVERNANCE
Organizational Culture
Legal, Regulatory and Contractual Requirements
Organizational Structures, Roles and Responsibilities
INFORMATION SECURITY STRATEGY
Information Security Strategy Development
Information Governance Frameworks and Standards
Strategic Planning (e.g., Budgets, Resources, Business Case)
Information Security Risk Management
This domain empowers you to analyze and identify potential information security risks, threats and vulnerabilities as well as giving you all the information about identifying and countering information security risks you will require to perform at management level.
INFORMATION SECURITY RISK ASSESSMENT
Emerging Risk and Threat Landscape
Vulnerability and Control Deficiency Analysis
Risk Assessment and Analysis
INFORMATION SECURITY RISK RESPONSE
Risk Treatment / Risk Response Options
Risk and Control Ownership
Risk Monitoring and Reporting
Information Security Program
This domain covers the resources, asset classifications and frameworks for information security as well as empowering you to manage information security programs, including security control, testing, comms and reporting and implementation.
INFORMATION SECURITY PROGRAM DEVELOPMENT
Information Security Program Resources (e.g., People, Tools, Technologies)
Information Asset Identification and Classification
Industry Standards and Frameworks for Information Security
Information Security Policies, Procedures and Guidelines
Information Security Program Metrics
INFORMATION SECURITY PROGRAM MANAGEMENT
Information Security Control Design and Selection
Information Security Control Implementation and Integrations
Information Security Control Testing and Evaluation
Information Security Awareness and Training
Management of External Services (e.g., Providers, Suppliers, Third Parties, Fourth Parties)
Information Security Program Communications and Reporting
Incident Management
This domain provides in-depth training in risk management and preparedness, including how to prepare a business to respond to incidents and guiding recovery. The second module covers the tools, evaluation and containment methods for incident management.
INCIDENT MANAGEMENT READINESS
Incident Response Plan
Business Impact Analysis (BIA)
Business Continuity Plan (BCP)
Disaster Recovery Plan (DRP)
Incident Classification/Categorization
Incident Management Training, Testing and Evaluation
INCIDENT MANAGEMENT OPERATIONS
Incident Management Tools and Techniques
Incident Investigation and Evaluation
Incident Containment Methods
Incident Response Communications (e.g., Reporting, Notification, Escalation)
Incident Eradication and Recovery
Post-Incident Review Practices
How do I become a CISM?
There are five requirements you must satisfy to get a CISM certification:
1. Pass the CISM exam
The first step to getting a CISM certification is passing an exam that consists of the following topics:
Information security incident management
Information security program development and management
Information risk management
Information security governance
The exam is multiple choice, consisting of 150 questions. Applicants have four hours to complete it. If CISM candidates do not meet the rest of the requirements, then their test score is voided.
2. Adhere to the code of professional ethics
The second step to obtaining a CISM certification is to agree to the āCode of Professional Ethics.ā ISACA set forth this ethics code to guide the professional and personal conduct of CISM certification holders. The code of ethics requires CISM holders to maintain ISACAās standards and maintain proficiency in the information systems field.
3. Complete continuing education
The third step to achieving certification is to follow a strict continuing education policy set forth by ISACA. You are required to complete a minimum of 20 hours of continuing professional education annually and a minimum of 120 hours of CPE within a three-year period. The main objective of this continuing education policy is to ensure that you maintain an adequate level of current knowledge and proficiency in information security.
4. Complete work experience
The fourth step to getting your CISM certification is submitting evidence verified by your employer of a minimum of five years of information security work experience.
Additionally, these five years must include at least three years of information security management work experience in three or more job practice analysis areas, which include information security governance, information risk management, information security program development, and management and information security incident management.
The work experience must be gained within five years from the day you passed the exam.Because you need five years of work experience while also meeting this certification requirement in less than five years, you will need to begin working in the information security field before you pass your CISM exam.
ISACA does allow for work experience substitutions in which you can substitute one or two years of information security work experience with the following:
Two years substituted if you are a CISA (Certified Information Systems Auditor)
Two years substituted if you are a CISSP (Certified Information Systems Security Professional)
Two years substituted if you have a post-graduate degree in information security or a related field
One year substituted for 12 months of information systems management experience
One year substituted for 12 months of general security management experience
One year substituted for every skill-based security certification you hold (GIAC, MCSE, CBCP)
One year substituted for the completion of an information security management program at an institution aligned with the model curriculum
Even if you substituted all five years with a combination of some of these work experience substitutions, you still must have three years of work experience in an information security management position.
5. Submit an application for CISM certification
Once you have passed the exam, agreed to the ethics code, paid your recurring annual fee, followed the continuing education policy and maintained the required work experience, you can submit an application for the CISM certification. Once ISACA confirms your information, you are awarded the CISM certification and designation.
PrerequisitesĀ
Eligibility to sit for the CISM exam requires a minimum of five years' experience in the field of information security. Out of these five years, three must encompass work across at least three different job practice areas, with no less than a year of experience in each area.
The relevant job practice areas are as follows:
Information Security Management
Information Risk Management
Information Security Program Development
Information Security Governance
However, certain qualifications can decrease the required amount of work experience. For instance, possessing a CISA certification can shorten this requirement by two years, while each additional skill-based security certification, such as CBCP or GIAC, can reduce the requirement by one year.
It is not necessary to hold a degree to gain this certification.
Examination
The test is multiple-choice with 150 questions that you'll have four hours to complete. If you don't meet the following four requirements, your score will be voided.
Additionally, you need to apply for certification within five years of passing the exam. Other criteria include:
Complying with ISACA's "Code of Professional Ethics," requiring you to maintain strict standards and your information systems proficiency
Completing 20 hours or more of continuing professional education every year, and 120 hours or more within a three-year period [7]
Verification of your work experience from your employer. You need at least five years in the information security field, including three or more years in information security management within five years of the day you pass your certification exam.
Submitting your CISM application and paying the application fee. ISACA will confirm all of your information before awarding you the certification.
Achieving CISM certification involves fulfilling five essential criteria, beginning with the successful completion of the CISM certification exam.
The exam follows four key domains:
Information Security Incident Management
Information Security Program Development and Management
Information Risk Management
Information Security Governance
The examination consists of 150 multiple-choice questions, and candidates are allocated four hours to complete it. Failure to meet the next four requirements will result in the annulment of your exam score. Moreover, candidates must submit their certification application within five years after passing the exam. The additional requirements are as follows:
Adherence to ISACA's "Code of Professional Ethics," which mandates the maintenance of high ethical standards and proficiency in information systems
Accumulation of at least 20 hours of continuing professional education annually, reaching a minimum of 120 hours over a three-year span
Employer verification of your professional experience, necessitating a minimum of five years in the information security sector, with at least three of those years in a managerial role in information security, all within five years from the date of passing your certification exam
Submission of the CISM application along with the requisite application fee, after which ISACA will verify your credentials prior to awarding the certification.
Course Study Options
Self Study
Online
In Person
Training
Live Online
Training
In Person Training Locations
-
Doha, Qatar
-
Lusail, Qatar
-
Riyadh, Saudi
-
NEOM, Saudi
-
Dubai, UAE
-
Abu Dhabi, UAE
-
Manama, Bahrain
-
Kuwait City, Kuwait
-
Ras Al Khaimah, UAE
-
Jeddah, Saudi Arabia
-
Casablanca, Morocco
-
Muscat, Oman