CISM - Frequently Asked Questions

Below are some of the more frequent questions we receive regarding CISM (Certified Information Security Manager). A more comprehensive FAQ, covering exam registration as well as certification information, is available on the ISACA CISM web site.

1. What are the qualifications to earn the CISM credential?

Qualifying for CISM requires a combination of four "e's": experience, ethics, education and examination. Specifically, the requirements are:

  • Successful completion of the CISM exam
  • Adherence to a code of professional conduct
  • Commitment to continuing professional education
  • Submission of verified evidence of a minimum of five years of information security work experience, with a minimum of three years of information security management work experience in three or more of the job practice areas. Waivers for general information security work experience are available if certain education or certification requirements are met.

2. Will CISAs qualify for CISM?

The CISM certification program recognizes the achievement of the CISA credential as a baseline representation that an individual has gained general information security skill and knowledge. As such, CISAs receive a two-year general information security experience waiver. However, CISAs will not be eligible to earn a CISM unless they have the required experience and can demonstrate proficiency and practical knowledge in the role of an information security manager.

3. Will CISSPs and other security credential holders qualify for CISM?

The CISM certification program recognizes the achievement of the CISSP credential as a baseline representation that an individual has gained general information security skill and knowledge, just as it does with individuals who have earned a CISA. As such, CISSPs receive a two-year general information security experience waiver. However, CISSPs will not be eligible to earn a CISM unless they have the required experience and can demonstrate proficiency and practical knowledge in the role of an information security manager. Holders of other, more specialized credentials, such as the SANS Global Information Assurance Certification (GIAC), Microsoft Security Systems Engineer (MCSE), CompTIA Security+ credential and the Disaster Recovery Institute Certified Business Continuity Professional (CBCP), can also receive a one-year general information security experience waiver.

4. How is CISM different from the other security certifications?

CISM differs from the many other security certifications by virtue of its experience requirements and its focus on the job performed by an information security manager. Other security certifications are characterized by a focus on technical skills or platform- or product-specific knowledge, or they are aimed at the practitioner in the earlier years of their career. Only CISM targets the information security manager: the individual who has progressed beyond the practitioner focus, whose emphasis is no longer technical or specialist skills, and who has moved on to the management of an enterprise's information security program. CISM is for the individual who must manage and oversee the enterprise's information security effort, including the practitioners, many of whom may hold other certifications the field offers.

The focus on management that makes CISM unique is demonstrated in its experience requirement, which calls for a minimum of three years in information security management, and in its exam focus, which is based on the practices performed by information security managers.

5. How is CISM different from CISSP (Certified Information Systems Security Professional)?

Although there are many differences between the CISSP Common Body of Knowledge and the CISM Job Practice Areas, the most obvious difference is in the experience requirements. Only CISM requires information security management experience in addition to general information security experience. CISSP has no such management requirement.

6. I currently have the CCSE+ (Checkpoint Certified Security Expert Plus) qualification. What credit does that give me?

You will most likely be eligible for a one-year substitution on the experience requirements for CISM. ISACA will adjudicate this when an application is received.