The CISM certification is a great way to show you understand how security fits into your organization's business goals.

CISM definition

Certified Information Security Manager, or CISM, is a certification for advanced IT professionals who want to demonstrate that they can develop and manage an infosec program at the enterprise level. It’s offered by ISACA, a nonprofit professional association focused on IT governance, and focuses on four core areas:

- Information security management
- Information risk management and compliance
- Information security program development and management
- Information security incident management

If you’re interested in making business decisions about cybersecurity and working with — or maybe joining — your organization’s leadership, the CISM is worth pursuing.

CISM vs. CISSP

What’s the difference between CISM and CISSP, one of the other most popular advanced cybersecurity certs? Both CISM and CISSP require infosec technical savvy, but CISM specifically requires that you show that you understand the incentives around information security from a business point of view, rather than just a technical standpoint. It is strongly oriented towards managers and those who aspire to be promoted to management. A CISSP certification, by contrast, demonstrates in-depth technical knowledge over a broad list of security domains, though it involves some managerial responsibilities as well.

The two certs are not an either/or proposition — ISC2, the organization that offers the CISSP, says they complement one another. It’s not at all uncommon for the same people to pursue both certifications, though often a CISM certification heralds a career pivot to management.
CISM requirements and prerequisites

In order to be CISM certified, you need to fulfill two requirements:

- You need to pass the CISM exam, and
- You need to demonstrate a minimum required amount of work experience

To meet that second requirement, you need five years of experience in information security within the decade before you apply for the certification, with three years of management experience in three or more of the core areas we listed above, which ISACA refers to as job practice areas. There is some wiggle room here: Certain lower-level certs can stand in for years of experience, and time spent teaching infosec at the university level can substitute as well. But clearly, this is not a certification for newbies: you need to have been around the block a while, and have worked in management for some time as well.

One interesting facet of this prerequisite is that you don’t actually need to fulfill the entire job experience requirement in order to begin the process of getting your CISM cert. You can take the exam even if you don’t have enough professional experience to qualify for the certification, and if you pass it, you can apply for the certification once you do gain the needed experience, as long as it’s within the next five years. ISACA calls this practice “acceptable” and says that it’s common.

CISM exam

The CISM exam is at the heart of the certification. It covers all four of the job practice areas outlined above, more or less equally. There’s a very thorough breakdown of the key domains, subtopics, and tasks on which you’ll be tested on ISACA’s website. (You’ll need to create an account with ISACA in order to access that link, but there’s no charge to do so.) Blogger Ammar Hasayen has a pretty good breakdown of what sort of real-world topics you can expect under the umbrellas of each of those domains.
For instance, information security governance questions aim to see how you’d develop both an infosec strategy and a framework that will guide organizational activities to support that strategy.

The CISM exam can be taken either online or in person, consists of 200 questions, and, like the SAT, is scored on a scale of 200 to 800, with 450 being a passing score. (If you don’t pass, you can retake the exam as often as four times a year.) Also like the SAT, the CISM exam is multiple choice. But don’t let that lull you into complacency. IT security architect Jeremiah Walker, in an article on LinkedIn, says that “unlike most multiple-choice exams, most questions have at least three good answers. You will see a lot of questions that ask, ‘What is the MOST important thing to do in this situation?’ or ‘Which step should you take FIRST?’ You won’t be able to guess at these questions. You must truly understand the CISM material.”

Another important point for exam day: keep the certification’s management orientation in mind and view every question through that lens.

CISM exam cost

How much does the CISM exam cost? It’s not cheap: most people will pay $760, though a discounted price of $575 is available for ISACA members. ISACA membership runs $130 per year, plus a one-time upfront fee when joining and dues to a local chapter, though you do get benefits beyond the exam discount.

CISM study guide

There are various official and unofficial study guides for the CISM exam. Perhaps the most important is ISACA’s Question, Answer, and Explanation (QAE) database, which can be accessed with a free ISACA account. Keep in mind that the QAE database doesn’t include the actual questions you’ll encounter on the exam; rather, it will show you the types of questions that you can expect. “The questions were good at showing how the real questions would be worded,” says one Reddit user who recently passed the exam.
“Having the reasons the answers were correct and incorrect is probably the best thing. Not a single question from the QAE database was on the actual exam, but I feel like I learned a lot reading the descriptions of the answers.”

ISACA also publishes an official review manual, which is available for $135 from ISACA or Amazon. There are also unofficial study guides out there, as is the case for most big certifications: one that comes recommended from several quarters is the CISM All-in-One Exam Guide, which costs only $40 on Amazon.

CISM training

Looking to go beyond the study guides and want to learn in a more structured way? A number of training courses are available to you. Again, there’s an official offering here: ISACA offers a CISM Online Review Course, which includes 17 hours of instruction and costs $895. (Members get a $100 discount.)

There are plenty of other online courses you can take as well from a variety of vendors. Some of the highest-rated offerings include:

- The course from Certified Information Security, which includes direct phone support with a mentor and costs $666.60.
- The CyberVista CISM Training Course, available in both live online and on-demand formats, costs $1,724.65.com, despite the name, also offers an online CISM bootcamp, which costs $498.
- Simplilearn’s CISM Certification Training includes 16 hours of e-learning content and costs $599.

If you’re looking for something lower cost and lower impact, there are a number of courses available on Udemy for as little as $11.99.

CISM certification and CISM certification cost

Once you’ve passed your exam and accumulated enough work experience to qualify, you’re ready to apply for your CISM certification. This is a relatively painless process, and requires a one-time $50 application processing fee.

However, CISM is not a one-shot, get-it-and-forget cert.
In order to maintain your certification, you need to take at least 120 continuing professional education (CPE) hours over a three-year reporting cycle, with a minimum of 20 hours in each year. There are lots of ways you can meet this requirement, including attending university classes, corporate trainings, or vendor sales presentations, or participating in professional education activities and meetings. You can get more details by reading ISACA’s CISM CPE Policy. It’s also worth noting that one of the benefits of ISACA membership is free programs that count towards your CPE hours.

If you’re CISM-certified, you’re also expected to adhere to the CISM code of professional ethics. Finally, you do have to pay an annual maintenance fee of $85, though that’s reduced to $45 for ISACA members, and if you hold multiple ISACA certifications you get a bulk discount on maintenance.

CISM: Jobs and salary benefits

This is a lot of hoops to jump through, and so the obvious question arises: is it worth it? Well, if you’re interested in a management position — and the higher salaries such positions command — it’s a great way to signal your expertise, as well as your seriousness about your career and ambitions. Job titles that match up with CISM credentials include information security manager, information risk compliance specialist, and, yes, CIO.

Those job titles generally come with hefty salaries. A recent survey by Certification Magazine looked at the average salaries of holders of various security certs — and CISM came out on top, at $127,063. And it’s worth noting that 48% of those surveyed said they got a raise within a year of earning their most recent security certification.