
CISM: The Certified Information Security Manager®


What is CISM by ISACA?

CISM stands for "Certified Information Security Manager". It is a prestigious training course and certification by ISACA that teaches IT professionals how to assess risks, implement effective governance and proactively respond to incidents.

This ISACA CISM course provides training on data breaches, ransomware attacks and the other constantly evolving security threats that are top-of-mind for today's IT professionals.

What will I learn with the ISACA CISM certification?

Information Security Governance

This domain will provide you with a thorough insight into the culture, regulations and structure involved in enterprise governance, as well as enabling you to analyze, plan and develop information security strategies. Together, this will affirm high-level credibility in information security governance to stakeholders.


  1. Organizational Culture

  2. Legal, Regulatory and Contractual Requirements

  3. Organizational Structures, Roles and Responsibilities


  1. Information Security Strategy Development

  2. Information Governance Frameworks and Standards

  3. Strategic Planning (e.g., Budgets, Resources, Business Case)

Information Security Risk Management

This domain empowers you to analyze and identify potential information security risks, threats and vulnerabilities as well as giving you all the information about identifying and countering information security risks you will require to perform at management level.


  1. Emerging Risk and Threat Landscape

  2. Vulnerability and Control Deficiency Analysis

  3. Risk Assessment and Analysis


  1. Risk Treatment / Risk Response Options

  2. Risk and Control Ownership

  3. Risk Monitoring and Reporting

Information Security Program

This domain covers the resources, asset classifications and frameworks for information security, as well as empowering you to manage information security programs, including security control design, implementation, testing, communications and reporting.


  1. Information Security Program Resources (e.g., People, Tools, Technologies)

  2. Information Asset Identification and Classification

  3. Industry Standards and Frameworks for Information Security

  4. Information Security Policies, Procedures and Guidelines

  5. Information Security Program Metrics


  1. Information Security Control Design and Selection

  2. Information Security Control Implementation and Integrations

  3. Information Security Control Testing and Evaluation

  4. Information Security Awareness and Training

  5. Management of External Services (e.g., Providers, Suppliers, Third Parties, Fourth Parties)

  6. Information Security Program Communications and Reporting

Incident Management

This domain provides in-depth training in risk management and preparedness, including how to prepare a business to respond to incidents and how to guide recovery. The second module covers the tools, evaluation and containment methods used in incident management.


  1. Incident Response Plan

  2. Business Impact Analysis (BIA)

  3. Business Continuity Plan (BCP)

  4. Disaster Recovery Plan (DRP)

  5. Incident Classification/Categorization

  6. Incident Management Training, Testing and Evaluation


  1. Incident Management Tools and Techniques

  2. Incident Investigation and Evaluation

  3. Incident Containment Methods

  4. Incident Response Communications (e.g., Reporting, Notification, Escalation)

  5. Incident Eradication and Recovery

  6. Post-Incident Review Practices

How do I become a CISM?

There are five requirements you must satisfy to get a CISM certification:

1. Pass the CISM exam

The first step to getting a CISM certification is passing an exam that consists of the following topics:

  • Information security incident management

  • Information security program development and management

  • Information risk management

  • Information security governance

The exam is multiple choice, consisting of 150 questions. Applicants have four hours to complete it. If CISM candidates do not meet the rest of the requirements, then their test score is voided.

2. Adhere to the code of professional ethics

The second step to obtaining a CISM certification is to agree to the “Code of Professional Ethics.” ISACA set forth this ethics code to guide the professional and personal conduct of CISM certification holders. The code of ethics requires CISM holders to maintain ISACA’s standards and maintain proficiency in the information systems field.

3. Complete continuing education

The third step to achieving certification is to follow a strict continuing education policy set forth by ISACA. You are required to complete a minimum of 20 hours of continuing professional education (CPE) annually and a minimum of 120 hours of CPE within a three-year period. The main objective of this continuing education policy is to ensure that you maintain an adequate level of current knowledge and proficiency in information security.

4. Complete work experience

The fourth step to getting your CISM certification is submitting evidence verified by your employer of a minimum of five years of information security work experience.

Additionally, these five years must include at least three years of information security management work experience in three or more job practice analysis areas, which are information security governance, information risk management, information security program development and management, and information security incident management.

The work experience must be gained within five years from the day you passed the exam. Because you need five years of work experience while also meeting this certification requirement in less than five years, you will need to begin working in the information security field before you pass your CISM exam.

ISACA does allow for work experience substitutions in which you can substitute one or two years of information security work experience with the following:

  • Two years substituted if you are a CISA (Certified Information Systems Auditor)

  • Two years substituted if you are a CISSP (Certified Information Systems Security Professional)

  • Two years substituted if you have a post-graduate degree in information security or a related field

  • One year substituted for 12 months of information systems management experience

  • One year substituted for 12 months of general security management experience

  • One year substituted for every skill-based security certification you hold (GIAC, MCSE, CBCP)

  • One year substituted for the completion of an information security management program at an institution aligned with the model curriculum

Even if you substituted all five years with a combination of some of these work experience substitutions, you still must have three years of work experience in an information security management position.

5. Submit an application for CISM certification

Once you have passed the exam, agreed to the ethics code, paid your recurring annual fee, followed the continuing education policy and maintained the required work experience, you can submit an application for the CISM certification. Once ISACA confirms your information, you are awarded the CISM certification and designation.


Eligibility to sit for the CISM exam requires a minimum of five years' experience in the field of information security. Out of these five years, three must encompass work across at least three different job practice areas, with no less than a year of experience in each area.

The relevant job practice areas are as follows:

  • Information Security Management

  • Information Risk Management

  • Information Security Program Development

  • Information Security Governance

However, certain qualifications can decrease the required amount of work experience. For instance, possessing a CISA certification can shorten this requirement by two years, while each additional skill-based security certification, such as CBCP or GIAC, can reduce the requirement by one year.

It is not necessary to hold a degree to gain this certification.


The test is multiple-choice with 150 questions that you'll have four hours to complete. If you don't meet the following four requirements, your score will be voided.

Additionally, you need to apply for certification within five years of passing the exam. Other criteria include:

  • Complying with ISACA's "Code of Professional Ethics," requiring you to maintain strict standards and your information systems proficiency

  • Completing 20 hours or more of continuing professional education every year, and 120 hours or more within a three-year period [7]

  • Verification of your work experience from your employer. You need at least five years in the information security field, including three or more years in information security management within five years of the day you pass your certification exam.

  • Submitting your CISM application and paying the application fee. ISACA will confirm all of your information before awarding you the certification.

Achieving CISM certification involves fulfilling five essential criteria, beginning with the successful completion of the CISM certification exam.

The exam follows four key domains:

  • Information Security Incident Management

  • Information Security Program Development and Management

  • Information Risk Management

  • Information Security Governance

The examination consists of 150 multiple-choice questions, and candidates are allocated four hours to complete it. Failure to meet the next four requirements will result in the annulment of your exam score. Moreover, candidates must submit their certification application within five years after passing the exam. The additional requirements are as follows:

  • Adherence to ISACA's "Code of Professional Ethics," which mandates the maintenance of high ethical standards and proficiency in information systems

  • Accumulation of at least 20 hours of continuing professional education annually, reaching a minimum of 120 hours over a three-year span

  • Employer verification of your professional experience, necessitating a minimum of five years in the information security sector, with at least three of those years in a managerial role in information security, all within five years from the date of passing your certification exam

  • Submission of the CISM application along with the requisite application fee, after which ISACA will verify your credentials prior to awarding the certification.

Course Study Options

  • Self Study

  • In Person

  • Live Online

In Person Training Locations

  • Doha, Qatar

  • Lusail, Qatar

  • Riyadh, Saudi Arabia

  • NEOM, Saudi Arabia

  • Dubai, UAE

  • Abu Dhabi, UAE

  • Manama, Bahrain

  • Kuwait City, Kuwait

  • Ras Al Khaimah, UAE

  • Jeddah, Saudi Arabia

  • Casablanca, Morocco

  • Muscat, Oman

To find out more about this course, to chat with us about it or to book, please contact us and we'll get back to you right away.

MENA Executive Training offers a variety of ISACA training courses and certifications in Qatar, Saudi Arabia and the UAE, including CISA by ISACA, CISM by ISACA, CRISC by ISACA, CDPSE by ISACA and CGEIT by ISACA. We offer all of these ISACA training courses and certifications online and in person in Qatar, Saudi Arabia and the UAE. ISACA's certifications are tailored for IT professionals in Qatar, Saudi Arabia and the UAE, enhancing skills in audit, risk management and security. Courses such as CISA, CISM and CRISC are designed to meet the specific needs of these regions, offering professionals in Qatar, Saudi Arabia and the UAE a pathway to elevate their careers. ISACA's commitment to providing top-tier IT certification courses in Qatar, Saudi Arabia and the UAE underscores its role in advancing IT excellence globally.
