Guide to CISM Certification

Written by Coursera • Updated on

Wondering what a CISM certification is and if it’s right for you? This information security credential requires a combination of experience and expertise in safeguarding networks and systems from cybercrime. Learn more with our guide.

[Featured Image] Two women and two men are sitting in a circle at a computer lab.

The Certified Information Security Manager (CISM) certification is designed for information security professionals with some existing experience and expertise. The certification is geared toward proving your skills in one or more of the following four areas: 

  • Information security incident management

  • Information risk management

  • Information security governance

  • Information security program development and management

There are more than 48,000 CISM-certified professionals around the world according to ISACA, the global association that offers the credential [1]. Indeed, an employment site, notes that CISM is one of the most in-demand certifications within the information security world. While it takes some time and effort to earn, gaining the CISM credential could be an effective way to move your career forward, particularly if you’d like to pursue a leadership role in cybersecurity. 

Let’s take a closer look at CISM certifications and their benefits to help you decide. 

What is CISM certification?

Earning a  CISM certification may help demonstrate your proficiency in information security and your advanced skills and knowledge of how security fits into business goals. As a CISM certified professional, you'll be able to design, implement, and manage an organization's security network. You'll also be tasked with identifying possible threats and reducing damage in case of security breaches.

CISM certification is offered by ISACA, an association with more than 145,000 members in 188 countries [2]. For more than 50 years, ISACA, has been helping information security and information technology professionals stay on top of all the latest changes in this fast-paced, ever-evolving technological landscape. 

Placeholder

CISM vs. CISSP

The Certified Information Systems Security Professional (CISSP) certification is another in-demand certification offered by (ISC)² Enterprise Solutions, a company that provides registry and information management services for public records and data. 

While both certifications are geared toward information security professionals, CISM also requires you to demonstrate that you grasp information security from a business standpoint-not just a technical point of view. If you're looking to work with leadership or advance your career to work in management, the CISM certification could be a good option. 

CISSP certification requires you to demonstrate a technical understanding across a large list of security domains with some managerial responsibilities, too. You can pursue both certifications since they complement each other, but if you’re looking to advance to a management position, CISM is the one to earn first. 

Read more: 10 Popular Cybersecurity Certifications 

Benefits of CISM certification

When you’re weighing your options, it helps to keep your eyes on the future and the potential benefits that this certification offers. One of the biggest benefits is that it puts you among a community of elite information security professionals. 

Because this certification may be challenging to get, it shows your commitment to your career and in information security. Two additional benefits include increased job opportunities and higher potential earning power. 

Job potential

Cybercrime costs an estimated $6 trillion in damages around the world in 2021 and is anticipated to rise to $10.5 trillion by 2025, according to Cybersecurity Ventures [3]. The skyrocketing costs of cybercrime may drive steady demand for knowledgable and skilled information security professionals. Cybersecurity Ventures also projects that the cybersecurity market will grow by 12 to 15 percent through 2025, with increased cybersecurity spending from small businesses to huge enterprises to governments shoring up their defenses against security breaches.

The job outlook varies depending on the role you’re in or interested in pursuing. Indeed notes that becoming CISM certified can help give you a competitive edge for IT positions at every level. 

Salary outlook

The average salary of CISM holders in the United States is more than $118,000, with a salary increase of 42 percent for managerial roles [1]. The average salary range for CISM certified professionals goes up to $243,610, according to InfoSec [4].

Is CISM right for me?

If you have a combination of information security experience and expertise, and you want to shift from working in a team to leading one, CISM may be a good match. It's ANSI-accredited, which ensures that it meets international consistency and integrity standards. ISACA estimates that CISM holders see the following: 

  • 70 percent increase in on-the-job performance

  • 90 percent more effective teams

  • 70 percent efficiency and expertise increase

Pros and cons

This suggests that gaining this credential may boost your credibility, performance, and confidence. Before deciding if CISM is the right option, consider the benefits and drawbacks, which go beyond the increased job and earning potential. 

ProsCons
Your skills and expertise will be recognized around the world because CISM certification is ANSI-approved under ISO/IEC 17024:2012.It requires a minimum of five years of relevant work experience to qualify, unless you meet qualified substitutions.
You'll have increased networking chances as you join a group of CISM-certified professionals.There are upfront and ongoing costs. In addition to an application and exam registration fee, you’ll also pay an annual maintenance fee 5.
CISM merges IT auditing with information security as an independent function

Requirements for CISM certification

To get certified, you’ll need to meet five criteria, starting with passing the CISM certification exam. This test covers four topics: 

  • Information security incident management

  • Information security program development and management

  • Information risk management

  • Information security governance

The test is multiple-choice with 150 questions that you'll have four hours to complete. If you don't meet the following four requirements, your score will be voided. Additionally, you need to apply for certification within five years of passing the exam. Other criteria include:

  • Complying with ISACA's "Code of Professional Ethics," requiring you to maintain strict standards and your information systems proficiency

  • Completing 20 hours or more of continuing professional education every year, and 120 hours or more within a three-year period [6]

  • Verification of your work experience from your employer. You need at least five years in the information security field, including three or more years in information security management within five years of the day you pass your certification exam.

  • Submitting your CISM application and paying the application fee. ISACA will confirm all of your information before awarding you the certification.

Do I need a degree?

There’s no requirement from ISACA that requires a degree, but having work experience in information security is a must. Many information security employers look for candidates with a bachelor’s degree in cybersecurity, information security, computer science, or a related subject. 

However, because of the demand for information security professionals, you can break into the field without a degree. Some popular alternatives include attending an information security bootcamp or earning another certification, such as the Certified Information Systems Auditor (CISA) credential, which is also issued by ISACA. This certification also requires a minimum of five years of work experience, passing an exam, and completing continuing education.

Placeholder

Required work experience

You need to have five or more years of work experience in information security. At least three of those years need to be in a minimum of three job practice areas, with one year or more in each. These areas include:

  • Information security management

  • Information risk management

  • Information security program development

  • Information security governance

There are several qualifying factors that may reduce the amount of work experience required. For example, holding CISA certification reduces it by two years, and each skill-based security certification, such as CBCP or GIAC, reduces it by one year.

Complete continuing education

There’s a reason CISM certified professionals have a high regard because they’re held to a stringent standard. You’ll have to adhere to proper conduct and also keep up with the latest issues, techniques, and information security threats. 

You'll have many opportunities to meet the requirements, by attending corporate training, vendor sales presentations, and university classes. ISACA also hosts professional education meetings and activities that can go toward the continuing education requirement. You can also self-study courses that provide a completion certificate with the number of CPE hours earned for each course. 

Getting started

Start building the skills you need for an entry-level role in information security with the IBM Cybersecurity Analyst Professional Certificate. If you’re looking to advance your career into a leadership role, consider the Managing Cybersecurity Specialization from the University System of Georgia. 

Placeholder

professional certificate

IBM Cybersecurity Analyst

Get ready to launch your career in cybersecurity. Build job-ready skills for an in-demand role in the field, no degree or prior experience required.

4.6

(6,370 ratings)

74,483 already enrolled

BEGINNER level

Average time: 8 month(s)

Learn at your own pace

Skills you'll build:

information security analyst, IT security analyst, security analyst, Junior cybersecurity analyst, Information Security (INFOSEC), IBM New Collar, Malware, Cybersecurity, Cyber Attacks, database vulnerabilities, Network Security, Sql Injection, networking basics, scripting, forensics, Penetration Test, Computer Security Incident Management, Application Security, threat intelligence, network defensive tactics, cyber attack, Breach (Security Exploit), professional certificate, cybersecurity analyst

Placeholder

specialization

Managing Cybersecurity

Managing Cybersecurity. Mastering the basics of managing cybersecurity in organizations

4.8

(353 ratings)

7,958 already enrolled

BEGINNER level

Average time: 9 month(s)

Learn at your own pace

Skills you'll build:

Security Management, Network Security, Risk Management, Security Governance, Computer Security Incident Management, Security vulnerabilities and treatments, Threats to cybersecurity, Cybersecurity terminology, cybersecurity program elements, Cybersecurity planning, Cybersecurity performance measurement, Risk identification, Risk treatment, Wireless Security, Intrusion Detection System, Firewall (Computing), Computer Network, Business Continuity, Disaster Recovery, Incident response planning, Cyber-Security Regulation, Cybersecurity Staffing, Contingency Plan, Cybersecurity Governance

Related articles

Article sources

1. ISACA. “CISM, https://www.isaca.org/credentialing/cism.” Accessed May 24, 2022.

2. ISACA. “Why ISACA, https://www.isaca.org/why-isaca.” Accessed May 24, 2022.

3. Cybercrime Magazine. “Cybercrime To Cost The World $10.5 Trillion Annually By 2025, https://cybersecurityventures.com/cybercrime-damages-6-trillion-by-2021/.” Accessed May 24, 2022.

4. InfoSec. “Average CISM salary, https://resources.infosecinstitute.com/certification/average-cism-salary/.” Accessed May 24, 2022.

5. Indeed, “Guide To Certified Information Security Manager (CISM) Certification, https://www.indeed.com/career-advice/finding-a-job/cism-certification.” Accessed May 24, 2022.

6. ISACA. “Maintain CISM Certification, https://www.isaca.org/credentialing/cism/maintain-cism-certification.” Accessed May 24, 2022.

Written by Coursera • Updated on

This content has been made available for informational purposes only. Learners are advised to conduct additional research to ensure that courses and other credentials pursued meet their personal, professional, and financial goals.

Learn without limits