ISACA Certified Information Security Manager - CISM

The intent of the certification is to provide a common body of knowledge for information security management. The CISM focuses on information risk management as the basis of information security. It also includes material on broader issues such as how to govern information security as well as on practical issues such as developing and managing an information security program and managing incidents.

The point of view in the certification is that of widely accepted cross-industry best practices, where information security gets its justification from business needs. The implementation includes information security as an autonomous function inside wider corporate governance.

To qualify for the exam, applicants must have five years of verified experience in the infosec field, with a minimum of three years of infosec management experience in three or more of the CISM content areas. Experience must be gained within a 10-year period preceding the application date or within five years from the date of passing the exam.

CISM certification holders must adhere to ISACA's Code of Professional Ethics, agree to comply with ISACA's continuing education policy and satisfy work experience requirements. To maintain CISM certification, individuals must sustain an adequate level of knowledge and proficiency in the field of information systems security management, complete 20 CPE hours annually and follow ISACA's Code of Ethics.


One exam; only offered in June, September and December; candidates are encouraged to register early.

The CISM requires demonstrated knowledge in four functional areas of information security The updated current job practice analysis contains the following domains and percentages:

Information Security Governance (24%)
Information Risk Management and Compliance (33%)
Information Security Program Development and Management (25%)
Information Security Incident Management (18%)