CISM certification preparation guide

The Certified Information Security Manager certification can help those who want to make a career in the field.

Are you looking for a bright and lucrative career as an information security manager? If yes, then getting the Certified Information Security Manager (CISM) certification can be the master key. The CISM certification can be of great help to individuals who plan to design, build and manage enterprise information security programs. It’s a security certification that’s recognized both locally and globally. The CISM certification is administered by the Information Systems Audit & Control Association (ISACA), a U.S.-based organization with chapters all over the world.

Qualification requirements

Let’s take a look at the qualification requirements for CISM certification.

1) You must pass the CISM exam; it is held by ISACA across the world in June and December every year.

2) You must have a total of five years of work experience in information security in the 10 years preceding the date on which you apply for CISM certification. Of this, at least three years must be in the role of information security manager, and the work experience must be broad-based and cover at least three of the five CISM Job Practice Areas.

3) You must agree to abide by the ISACA Code of Ethics and the CISM Policy for Continuing Professional Education.

Up to two years of the total work experience requirements for CISM certification can be substituted by any of the following:

1) Education/Certification—two years:

a) CISA or CISSP certification.

b) Post-graduate degree in information security or a related field (information systems, etc.).

2) General work experience and certification—one year:

a) One year of full-time information systems (or other) security management.

b) Skill-based or general certifications such as MCSE, CompTIA Security+, CBCP and SANS GIAC.

The only exception is for information security management instructors, who can claim a full substitution at the rate of one year for every two years of full-time teaching. It’s important to note that exam scores remain valid for five years, which gives you time to apply for CISM certification or to cover any shortfall in the work experience requirements.

CISM certification exam

This is a test of knowledge and skills in five information security ‘job practice areas,’ and requires you to answer 200 multiple-choice questions in four hours. The areas are listed below; each carries a different weight in the exam, indicated by the percentage alongside it.

1) Information security governance (23%).

Establish and maintain a framework to provide assurance that information security strategies are aligned with the business objectives and consistent with applicable laws and regulations.

2) Information risk management (22%).

Identify and manage information security risks to achieve business objectives.

3) Information security program development (17%).

Create and maintain a program to implement the information security strategy.

4) Information security program management (24%).

Oversee and direct information security activities to execute the information security program.

5) Incident management and response (14%).

Plan, develop and manage capability to detect, respond to and recover from information security incidents.

(Source: CISM Bulletin of Information 2010, ISACA)

The CISM certification exam is scored on a common scale from 200 to 800. To pass, a candidate must score 450 or above. Within the 200 questions, some are not counted towards the score and are included only for research purposes; however, these questions are not identified separately, so all questions have to be answered.

The results are declared approximately eight weeks after the examination date, and are sent by email, followed by a detailed mark-sheet in the post a few weeks later.

Cracking the CISM certification exam

The examination tests your practical skills and knowledge in the job practice areas, hence the only way to pass it is to learn on the job, read and add to your knowledge, and network and learn from the experience of your peers and seniors in information security. For example, you can:

1) Join the CISM and CISA mailing lists and groups to connect with your peers; you can learn a lot from the daily interactions.

2) Obtain study materials from the ISACA bookstore as these are most relevant for preparation. These materials include the CISM Review Manual and the Question/Answers bank. Along with online and offline training programs, books and guides from other publishers are also available. Visit www.isaca.org and download the numerous free articles on CISM certification.

3) Contact the local ISACA chapter which conducts CISM Review Classes; the trainers are certified members who provide domain and practical knowledge.

4) Start your exam preparation with a mock test of 200 questions in four hours. Your score will set a baseline and identify the areas that need improvement. Plan additional mock tests at periodic intervals to assess your progress (but do not reuse the same questions).

5) Form a study group, online or offline. Meet weekly to set study goals, motivate each other, review work and administer tests. Find a mentor for your group who can guide all of you, is available to help solve problems, and can provide practical tips and knowledge.

After you have passed the exam, you have to apply for the CISM certification providing ISACA with evidence of your experience. Remember, you cannot use the CISM designation just because you have passed the exam—and you do not get any marks for saying ‘Passed CISM’ in your résumé.

About the author: Dinesh Bareja, CISA, CISM, ITIL, is an information security consultant specializing in strategic and customized IS solutions, MSS, SOCs, PCI, ISMS, ITSM and more. He is involved in training and conducts regular online mentoring sessions. Bareja also maintains thefaqproject.com for InfoSec certifications. You can connect with him at [email protected] 
