CISM certification guide: Requirements, prerequisites, and cost

The CISM certification is a great way to show you understand how security fits into your organization's business goals.


CISM definition

Certified Information Security Manager, or CISM, is a certification for advanced IT professionals who want to demonstrate that they can develop and manage an infosec program at the enterprise level. It's offered by ISACA, a nonprofit professional association focused on IT governance, and focuses on four core areas:

  • Information security management
  • Information risk management and compliance
  • Information security program development and management
  • Information security incident management

If you're interested in making business decisions about cybersecurity and working with — or maybe joining — your organization's leadership, the CISM is worth pursuing. 

CISM vs. CISSP

What's the difference between CISM and CISSP, one of the other most popular advanced cybersecurity certs? Both CISM and CISSP require infosec technical savvy, but CISM specifically requires that you show that you understand the incentives around information security from a business point of view, rather than just a technical standpoint. It is strongly oriented towards managers and those who aspire to be promoted to management. A CISSP certification, by contrast, demonstrates in-depth technical knowledge over a broad list of security domains, though it involves some managerial responsibilities as well.

The two certs are not an either/or proposition — ISC2, the organization that offers the CISSP, says they complement one another. It's not at all uncommon for the same people to pursue both certifications, though often a CISM certification heralds a career pivot to management.

CISM requirements and prerequisites 

In order to be CISM certified, you need to fulfill two requirements:

  • You need to pass the CISM exam, and
  • You need to demonstrate a minimum required amount of work experience

To meet that second requirement, you need five years of experience in information security within the decade before you apply for the certification, with three years of management experience in three or more of the core areas we listed above, which ISACA refers to as job practice areas. There is some wiggle room here: Certain lower-level certs can stand in for years of experience, and time spent teaching infosec at the university level can substitute as well. But clearly, this is not a certification for newbies: you need to have been around the block a while, and have worked in management for some time as well.

One interesting facet of this prerequisite is that you don't actually need to fulfill the entire job experience requirement in order to begin the process of getting your CISM cert. You can take the exam even if you don't have enough professional experience to qualify for the certification, and if you pass it, you can apply for the certification once you do gain the needed experience, as long as it's within the next five years. ISACA calls this practice "acceptable" and says that's common. 

CISM exam

The CISM exam is at the heart of the certification. It covers all four of the job practice areas outlined above, more or less equally. ISACA's website has a very thorough breakdown of the key domains, subtopics, and tasks on which you'll be tested. (You'll need to create an account with ISACA in order to access that link, but there's no charge to do so.) Blogger Ammar Hasayen has a pretty good breakdown of what sort of real-world topics you can expect under the umbrella of each of those domains. For instance, information security governance questions aim to see how you'd develop both an infosec strategy and a framework that will guide organizational activities to support that strategy.

The CISM exam can be taken either online or in person, consists of 200 questions, and, like the SAT, is scored on a scale of 200 to 800, with 450 being a passing score. (If you don't pass, you can retake the exam as often as four times a year.) Also like the SAT, the CISM exam is multiple choice. But don't let that lull you into complacency. IT security architect Jeremiah Walker, in an article on LinkedIn, says that "unlike most multiple-choice exams, most questions have at least three good answers. You will see a lot of questions that ask, 'What is the MOST important thing to do in this situation?' or 'Which step should you take FIRST?' You won’t be able to guess at these questions. You must truly understand the CISM material."

Another important thing to keep in mind while taking the exam: You should keep the certification's management orientation in mind and view the questions through that lens.

CISM exam cost

How much does the CISM exam cost? It's not cheap: most people will pay $760, though a discounted price of $575 is available for ISACA members. ISACA membership runs $130 per year, plus a one-time upfront fee when joining and dues to a local chapter, though you do get benefits beyond the exam discount.

CISM study guide

There are various official and unofficial study guides for the CISM exam. Perhaps the most important is ISACA's Question, Answer, and Explanation (QAE) database, which can be accessed with a free ISACA account. Keep in mind that the QAE database doesn't include the actual questions you'll encounter on the exam; rather, it will show you the types of questions that you can expect. "The questions were good at showing how the real questions would be worded," says one Reddit user who recently passed the exam. "Having the reasons the answers were correct and incorrect is probably the best thing. Not a single question from the QAE database was on the actual exam, but I feel like I learned a lot reading the descriptions of the answers."

ISACA also publishes an official review manual, which is available for $135 from ISACA or Amazon. There are also unofficial study guides out there, as is the case for most big certifications: one that comes recommended from several quarters is the CISM All-in-One Exam Guide, which costs only $40 on Amazon.

CISM training 

Looking to go beyond the study guides and want to learn in a more structured way? A number of training courses are available to you. Again, there's an official offering here: ISACA offers a CISM Online Review Course, which includes 17 hours of instruction and costs $895. (Members get a $100 discount.)

There are plenty of other online courses you can take as well from a variety of vendors. Some of the highest-rated offerings include:

If you're looking for something lower cost and lower impact, there are a number of courses available on Udemy for as little as $11.99. 

CISM certification and CISM certification cost

Once you've passed your exam and accumulated enough work experience to qualify, you're ready to apply for your CISM certification. This is a relatively painless process, and requires a one-time $50 application processing fee.

However, CISM is not a one-shot, get-it-and-forget cert. In order to maintain your certification, you need to take at least 120 continuing professional education (CPE) hours over a three-year reporting cycle, with a minimum of 20 hours in each year. There are lots of ways you can meet this requirement, including attending university classes, corporate trainings, or vendor sales presentations, or participating in professional education activities and meetings. You can get more details by reading ISACA's CISM CPE Policy. It's also worth noting that one of the benefits of ISACA membership is free programs that count towards your CPE hours.

If you're CISM-certified, you're also expected to adhere to the CISM code of professional ethics. Finally, you do have to pay an annual maintenance fee of $85, though that's reduced to $45 for ISACA members, and if you hold multiple ISACA certifications you get a bulk discount on maintenance.

CISM: Jobs and salary benefits

This is a lot of hoops to jump through, and so the obvious question arises: is it worth it? Well, if you're interested in a management position — and the higher salaries such positions command — it's a great way to signal your expertise, as well as your seriousness about your career and ambitions. Job titles that match up with CISM credentials include information security manager, information risk compliance specialist, and, yes, CIO.

Those job titles generally come with hefty salaries. A recent survey by Certification Magazine looked at the average salaries of holders of various security certs — and CISM came out on top, at $127,063. And it's worth noting that 48% of those surveyed said they got a raise within a year of earning their most recent security certification.

Copyright © 2020 IDG Communications, Inc.
