The CISM certification is less than 10 years old. The Information Systems Audit and Control Association (ISACA) created it to satisfy a demand for experienced information security managers. The exam requires a strong understanding of and years’ experience in risk management, governance, and information security program management.
Over a relatively short lifespan, the CISM is being adopted at a respectable pace. Today, there are already about 16,000 candidates worldwide who have successfully passed the CISM. The typical successful candidate is moderately experienced. Over a quarter of CISM holders are senior managers, 20% of which hold executive (CEO, CIO, CISO, CTO, CSO, etc) positions. Due to the somewhat senior demographic, the CISM is repeatedly recognized as one of the most highly paid certifications.
Respect for the CISM is consistent through all regions worldwide, unlike other certifications such as CompTIA’s Security+, which is fairly “US-heavy.” In the United States, the CISM is distinguished by the US Department of Defense as one of the few formally recognized certifications by the DoD.
CISM versus CISA
Just so there is no confusion, here are a few facts differentiating CISM from CISA:
- In 2010, over 21,000 candidates registered for the CISA, compared to just 4,900 for the CISM.
- CISA retention hovers near 90 percent; while over 93% for the CISM.
- A 2008 Foote Partners study found the CISM to be the highest paid certification.
- There are 85,000 CISA holders, while CISMs number around 16,000.
As you compare the two certifications, bear in mind as the CISM nears its 10-year birthday, the CISA will be 35 years old. The demands in the workforce are always changing and information security technologies are changing more rapidly. However, one constant is the need for established information security management.
Earning the CISM Certification
Passing the exam is one of two requirements for gaining the CISM designation. The second is meeting the required amount of work experience. The most straightforward way to complete the requirement is to have 5 years of information security management experience, but several variants of exceptions and substitutions exist, e.g. having an advanced degree in IT.
While a candidate could pass the CISM exam before gaining the work experience, it wouldn’t be easy. That said, ISACA encourages candidates to study for and try the exam at any time, but the certification will be awarded only after a candidate meets the experience requirement. A candidate has 5 years after their exam to meet this requirement and apply for the certification.
There are other agreements for a candidate regarding ethics and continued education to obtain the CISM. But this article is about the exam, so consult the ISACA website for more details on gaining the certification.
- Number of questions: 200
- Types of questions: multiple choice
- Passing score: 450 on a scale from 200 (lowest possible) to 800 (perfect)
- Time limit: 4 hours (works to just over a 1 minute per question)
- How to Register: You may register for the CISM exam, next available on 10 December 2011 by visiting the ISACA website.
The exam is open to anyone interested in information security management, risk management and incident response. Obtaining the CISM certification requires passing the exam, work experience and submitting the application.
The exam is offered twice a year, administered worldwide on the same day. For the 2011 exam, you may select from over 100 countries. In the US alone, it’s available in 77 cities across 22 states.
Before registering for the exam, you will create an ISACA account (name and e-mail). Then to register, you provide more demographic information, choose a test site and pay the registration fee. The fee amount depends whether you are an ISACA member or not, available to you during registration.