Guide to CISM Certification

The Certified Information Security Manager (CISM) certification is designed for information security professionals with some existing experience and expertise. The certification is geared toward proving your skills in one or more of the following four areas: 

• Information security incident management

• Information risk management

• Information security governance

• Information security program development and management

There are more than 48,000 CISM-certified professionals worldwide, according to ISACA, the global association that offers the credential [1]. Indeed, an employment site, notes that CISM is one of the most in-demand certifications within the information security world. While it takes some time and effort to earn, gaining the CISM credential could be an effective way to move your career forward, particularly if you’d like to pursue a leadership role in cybersecurity. 

Let’s take a closer look at CISM certifications and their benefits to help you decide. 

What is CISM certification?

Earning a  CISM certification may help demonstrate your proficiency in information security and your advanced skills and knowledge of how security fits into business goals. As a CISM-certified professional, you'll be able to design, implement, and manage an organization's security network. You'll also be tasked with identifying possible threats and reducing damage in case of security breaches.

CISM certification is offered by ISACA, an association with more than 165,000 members in 188 countries [2]. For more than 50 years, ISACA, has been helping information security and information technology professionals stay on top of all the latest changes in this fast-paced, ever-evolving technological landscape. 

CISM vs. CISSP

The Certified Information Systems Security Professional (CISSP) certification is another in-demand certification offered by (ISC)² Enterprise Solutions, which provides registry and information management services for public records and data. 

While both certifications are geared toward information security professionals, CISM also requires you to demonstrate that you grasp information security from a business standpoint-not just a technical point of view. If you're looking to work with leadership or advance your career to work in management, the CISM certification could be a good option. 

CISSP certification requires you to demonstrate a technical understanding across a large list of security domains with some managerial responsibilities, too. You can pursue both certifications since they complement each other, but if you’re looking to advance to a management position, CISM is the one to earn first. 

Read more: 10 Popular Cybersecurity Certifications

Benefits of CISM certification

When you’re weighing your options, it helps to keep your eyes on the future and the potential benefits that this certification offers. One of the biggest benefits is that it puts you among a community of elite information security professionals. 

Because this certification may be challenging to get, it shows your commitment to your career and in information security. Two additional benefits include increased job opportunities and higher potential earning power. 

Job potential

Cybercrime costs an estimated $10.5 trillion in damages worldwide by 2025, according to Cybersecurity Ventures [3]. The skyrocketing costs of cybercrime may drive steady demand for knowledgeable and skilled information security professionals. Cybersecurity Ventures also projects that the cybersecurity market will grow by 12 to 15 percent through 2025, with increased cybersecurity spending from small businesses to huge enterprises to governments shoring up their defenses against security breaches [4].

The job outlook varies depending on the role you’re in or interested in pursuing. Indeed notes that becoming CISM certified can help give you a competitive edge for IT positions at every level. 

Salary outlook

The average salary of CISM holders in the United States is more than $149,000, with a salary increase of 42 percent for managerial roles [1]. The average salary range for CISM certified professionals goes up to $232,000, according to InfoSec [5].

Is CISM right for me?

If you have a combination of information security experience and expertise, and you want to shift from working in a team to leading one, CISM may be a good match. It's ANSI-accredited, which ensures that it meets international consistency and integrity standards. ISACA estimates that CISM holders see the following: 

• 70 percent increase in on-the-job performance

• 90 percent more effective teams

• 70 percent efficiency and expertise increase

Pros and cons

This suggests that gaining this credential may boost your credibility, performance, and confidence. Before deciding if CISM is the right option, consider the benefits and drawbacks, which go beyond the increased job and earning potential. 

Requirements for CISM certification

To get certified, you’ll need to meet five criteria, starting with passing the CISM certification exam. This test covers four topics: 

• Information security incident management

• Information security program development and management

• Information risk management

• Information security governance

The test is multiple-choice with 150 questions that you'll have four hours to complete. If you don't meet the following four requirements, your score will be voided. Additionally, you need to apply for certification within five years of passing the exam. Other criteria include:

• Complying with ISACA's "Code of Professional Ethics," requiring you to maintain strict standards and your information systems proficiency

• Completing 20 hours or more of continuing professional education every year, and 120 hours or more within a three-year period [6]

• Verification of your work experience from your employer. You need at least five years in the information security field, including three or more years in information security management within five years of the day you pass your certification exam.

• Submitting your CISM application and paying the application fee. ISACA will confirm all of your information before awarding you the certification.

Do I need a degree?

There’s no requirement from ISACA that requires a degree, but having work experience in information security is a must. Many information security employers look for candidates with a bachelor’s degree in cybersecurity, information security, computer science, or a related subject. 

However, because of the demand for information security professionals, you can break into the field without a degree. Some popular alternatives include attending an information security bootcamp or earning another certification, such as the Certified Information Systems Auditor (CISA) credential, which is also issued by ISACA. This certification also requires a minimum of five years of work experience, passing an exam, and completing continuing education.

Required work experience

You need to have five or more years of work experience in information security. At least three of those years need to be in a minimum of three job practice areas, with one year or more in each. These areas include:

• Information security management

• Information risk management

• Information security program development

• Information security governance

There are several qualifying factors that may reduce the amount of work experience required. For example, holding CISA certification reduces it by two years, and each skill-based security certification, such as CBCP or GIAC, reduces it by one year.

Complete continuing education.

There’s a reason CISM-certified professionals have a high regard because they’re held to a stringent standard. You’ll have to adhere to proper conduct and also keep up with the latest issues, techniques, and information security threats. 

You'll have many opportunities to meet the requirements, by attending corporate training, vendor sales presentations, and university classes. ISACA also hosts professional education meetings and activities that can go toward the continuing education requirement. You can also self-study courses that provide a completion certificate with the number of CPE hours earned for each course. 

Getting started

If you’re ready to get started in a cybersecurity career, consider enrolling in the Google Cybersecurity Professional Certificate on Coursera. Learn how to use job essential tools like Splunk, Chronicle, and more. This program is designed ​​to help individuals with no previous experience find their first job in the cybersecurity field, all at their own pace.