The CISM Certification Guide: Why This Might be the Best Cert You Get This Year

Written by Mark Hillyard

ISACA has been working in the information business for half a century. They’re the organization behind COBIT, and they offer several highly regarded cybersecurity certifications.

Certified Information Security Manager, CISM for short, is the pinnacle of cybersecurity management certifications. The CISM certification demonstrates a security officer’s understanding of the relationship between security and the business’s vision. It has regularly been ranked among the top three highest-paying certifications in the industry, and it also satisfies DoD 8570 training requirements for IAM Levels 2 and 3.

So, how do I get CISM Certified?

ISACA traditionally marched to its own drumbeat when it came to certification, but that’s all changing in June 2019. At the end of the current certification window (set to conclude on May 24), ISACA will be shifting its certification schedule for CISM to a 12-month cycle, aligning it with most other certification schemes. However, there are several steps to qualifying.

The first step is passing the exam, which consists of 150 questions to be completed within 4 hours. Scoring is on a scale of 200-800. A passing score is 450. It is important to note that the score is not based on an arithmetic or percent average. To receive the minimum passing score, you must demonstrate adequate knowledge in each of the domains, as established by the ISACA Certification Committee.

This, of course, generally leads to the inevitable question about training. Should I self-study, or is it worth taking a training course? Let’s take a look at the pros and cons of each:

CISM Self-Study

CISM study is difficult, but if you’re a hard worker, highly experienced in the cybersecurity industry, and extremely self-motivated, you might be tempted to go it alone. Let’s weigh that against the arguments for and against taking a structured course:

The Pros:

  • Group study brings support from people who are experienced with the CISM, a community of others to work with and learn from, and an environment geared towards helping you.
  • Working with others can help you identify your weaknesses and highlight areas to improve, something that’s hard to do alone. It brings a ‘fresh pair of eyes’ and external motivation.
  • You get all the resources of the course and the group, not just your own.
  • Doing a course allows you to focus more. Instead of having to shuffle things around every day to find time to study, you can free up a block of your life and dedicate it fully to the course.

The Cons:

  • With a course, you only get so many in-person contact hours. Relying solely on this time to pass the exam may leave you underprepared, so it’s important to work in some solo practice too.

Ultimately, the best approach is a mix. Study entirely alone and you may well end up burnt out, overwhelmed, and missing out on a lot of valuable information. On the other hand, you can’t rely on a course for everything, and you’ll still need to do some study on your own.

A course, however, offers so many advantages and benefits that it’s hard to argue against. If you decide that a structured course is what you’re looking for, try the Beyond20 5-day CISM Boot Camp; it’s a powerful weapon in your quest to become a CISM.

Next, you will need to agree to ISACA’s Code of Professional Ethics (this is similar to the CISSP certification scheme). This is a document that you must understand and sign in order to receive your certification.

Third is the experience requirement. You must demonstrate, through submission of verified evidence, a minimum of five years of information security work, of which three years must be information security management experience in 3 of the 4 job practice analysis areas. This experience must have been gained within the 10-year period preceding the exam, or within 5 years of successfully passing the exam.

Once these requirements are met, you will apply for your CISM certification, submitting the required evidence of experience, as well as your passing score on the exam itself.

Finally, you will need to comply with the CISM Continuing Education Policy. This policy requires that you maintain an adequate level of current knowledge and proficiency. To fulfill this requirement, you will need to complete 120 contact hours during a fixed 3-year period.

This is not so different from the CISSP path. Bear in mind, though, that the domains for CISM are somewhat different. They are more management-oriented and less implementation-focused:

  • Domain 1: Information Security Governance
  • Domain 2: Information Risk Management
  • Domain 3: Information Security Program Development and Management
  • Domain 4: Information Security Incident Management

So, there you have it. CISM is a powerful certification, backed by one of the oldest, and most respected, organizations in the industry. More questions? Let us know! We’d be happy to help you take the next step in your career.

Originally published April 04, 2019; updated April 04, 2019