Definition of CISM

CISM (Certified Information Security Manager) is “an advanced certification which indicates that an individual possesses the knowledge and experience required to develop and manage an enterprise information security program.” This certification is offered by ISACA, a nonprofit, independent association. CISM is accredited by ANSI under ISO/IEC 17024:2003.

CISM is designed for professionals who focus on information security management, like IT managers, information security analysts, or consultants supporting information security management. A CISM-certified individual is expected to manage the company’s information security, develop policies and practices, and understand the relationship between information security and business objectives.

CISM vs. CISSP

CISM is one of the two most popular certifications for IT professionals; the other one is CISSP (Certified Information Systems Security Professional). What are the similarities and differences between CISM and CISSP?

• CISM is offered by ISACA, while CISSP is by (ISC)2. Both organizations are independent and nonprofit.
• Both CISM and CISSP will certify a candidate’s skills against a standard body of knowledge. Both require at least 5 years of experience in specific domains. Both need CPE (continuing professional education) credits for continued certification.
• CISM’s emphasis is on management and strategy. On the other hand, CISSP focuses on the operation and threat response. This is the crucial difference between these two certifications.

How to Become a CIMS

CIMS certification involves several steps, including registration, taking the exam, and maintaining certification.

CISM certification exam

The CISM certification process starts with a 150-question multiple-choice exam. This exam is scored with a 200-800 scaled scoring method; the CISM passing score is 450. The exam covers the 4 CISM domains or content areas:

• Information security governance
• Information risk management
• Information security program development and management
• Information security incident management

CISM prerequisites

Not every IT professional can take the exam. Someone who aspires to be CISM-certified must have 5 years of experience in information security, with at least 3 years of information security management experience in 3 or more of the CISM domains mentioned above. Moreover, the experience should be gained within 10 years before the application date or within 5 years after passing the exam.

After passing the exam, applicants can then apply for CISM certification within 5 years.

How to prepare for the CISM exam

Here are a few practical tips on preparing for the CISM exam:

• Download and read the latest ISACA Certification Exam Candidate Guide. This document contains all the useful information about the exam, like registration, deadlines, exam-day details, CISM domains, tips, and the length, languages, and number of questions of the exam.
• Check the official CISM Exam Resources and the CISM Review Manual. The manual covers the exam content.
• Do CISM practice tests. Start with ISACA’s free 10-question practice quiz. After that, move to the official CISM Review Questions, Answers & Explanations, which contains 1,000 questions and detailed answers.
• Create your study plan. You can prepare on your own, but if possible, explore attending a CISM training course. ISACA also has available prep solutions, like CISM study aids that can be purchased and a sponsored CISM exam study community.
• During the exam, think like a manager. Remember: CISM is management-focused. While having technical expertise is handy, always approach the questions with a manager’s mindset.

How to maintain CIMS certification

Here are the requirements for maintaining the CISM certification. The person must:

• Sustain an adequate level of knowledge and proficiency in information systems security management.
• Complete 20 CPE hours every year.
• Follow ISACA's Code of Professional Ethics.