CISM – Certified Information Security Manager

Introduction:

Certified Information Security Manager (CISM) is an advanced-level certification program designed for professionals who are responsible for managing, designing, and overseeing the security of an organization's information systems. The certification is awarded by the Information Systems Audit and Control Association (ISACA) and is recognized globally as a mark of excellence in the field of information security management. In this article, we will discuss the CISM exam and certification process, the syllabus, and other relevant information.

CISM Exam:

The CISM exam is a 4-hour computer-based test consisting of 150 multiple-choice questions. The exam is divided into four domains:

  1. Information Security Governance (24%)
  2. Information Risk Management and Compliance (33%)
  3. Information Security Program Development and Management (25%)
  4. Information Security Incident Management (18%)

The exam is designed to test the candidate's knowledge and understanding of the concepts and practices of information security management. It is offered in several languages, including English, Spanish, French, Chinese, Japanese, and Korean.

CISM Certification Process:

To become a CISM, a candidate must meet the following requirements:

  1. Pass the CISM exam
  2. Agree to abide by the ISACA Code of Professional Ethics
  3. Agree to abide by the CISM Continuing Education Policy
  4. Meet the work experience requirements

Work Experience Requirements:

To qualify for the CISM certification, a candidate must have a minimum of five years of information security work experience, with a minimum of three years of experience in information security management. The work experience must be within ten years of passing the CISM exam or within five years of submitting the CISM application.

Waivers for Work Experience:

There are certain waivers available for the work experience requirement:

  1. Two years of general information security work experience or one year of information security management work experience may be waived if the candidate has earned a qualifying degree.
  2. One year of information security work experience may be waived if the candidate has earned a qualifying certification.

Continuing Education Requirements:

To maintain the CISM certification, a candidate must adhere to the CISM Continuing Education Policy. This policy requires the candidate to earn a minimum of 20 continuing education hours annually and a minimum of 120 continuing education hours every three years. The continuing education hours must be related to the CISM domains.

CISM Syllabus:

The CISM syllabus is based on the four domains of the exam:

Information Security Governance:

This domain covers the development of a comprehensive information security strategy, the integration of information security into the business strategy, and the establishment of an information security governance framework. The topics covered in this domain include:

  • Developing an information security strategy
  • Developing an information security governance framework
  • Integrating information security into the business strategy
  • Establishing information security policies, standards, and procedures
  • Developing business cases for information security investments
  • Identifying and managing information security risks

Information Risk Management and Compliance:

This domain covers the identification, assessment, and management of information security risks and compliance with laws, regulations, and standards. The topics covered in this domain include:

  • Developing an information security risk management program
  • Conducting information security risk assessments
  • Identifying and evaluating information security threats and vulnerabilities
  • Developing information security risk treatment plans
  • Implementing information security controls
  • Ensuring compliance with laws, regulations, and standards

Information Security Program Development and Management:

This domain covers the development, implementation, and management of an information security program. The topics covered in this domain include:

  • Developing an information security program
  • Implementing an information security program
  • Managing information security resources
  • Developing and managing information security training and awareness programs
  • Managing information security incidents
  • Managing information security metrics

Information Security Incident Management:

This domain covers the management of information security incidents, including the identification, investigation, and resolution of incidents. The topics covered in this domain include:

  • Developing an information security incident management program
  • Detecting and responding to information security incidents
  • Investigating information security incidents
  • Developing and implementing incident response plans
  • Coordinating incident response with internal and external stakeholders
  • Managing post-incident activities

CISM Exam Preparation:

To prepare for the CISM exam, candidates should take the following steps:

  1. Review the CISM Exam Candidate Guide: This guide provides detailed information about the exam content, format, and exam process.
  2. Understand the CISM Domains: Review and understand the concepts, principles, and practices covered in each domain.
  3. Study the CISM Review Manual: The CISM Review Manual is the official study guide for the CISM exam. It provides comprehensive coverage of the exam content and includes practice questions and answers.
  4. Take a CISM Exam Prep Course: ISACA offers a variety of exam prep courses to help candidates prepare for the exam. These courses cover the exam content and provide practice questions and answers.
  5. Practice with Sample Questions: ISACA offers a database of sample questions to help candidates prepare for the exam. Practicing with sample questions can help candidates identify areas where they need to focus their studies.

Conclusion:

The CISM certification is a highly respected credential in the field of information security management. It is designed to validate the candidate's knowledge and understanding of information security management concepts, principles, and practices. To become a CISM, a candidate must pass the CISM exam, meet the work experience requirements, agree to abide by the ISACA Code of Professional Ethics, and adhere to the CISM Continuing Education Policy. The exam covers four domains: Information Security Governance, Information Risk Management and Compliance, Information Security Program Development and Management, and Information Security Incident Management. Candidates can prepare for the exam by reviewing the CISM Exam Candidate Guide, studying the CISM Review Manual, taking a CISM Exam Prep Course, and practicing with sample questions.