Guide to CISM Certification

Written by Coursera Staff • Updated on

Wondering what a CISM certification is and if it’s right for you? This information security credential requires a combination of experience and expertise in safeguarding networks and systems from cybercrime. Learn more with our guide.

[Featured image] A group of cybersecurity engineers is at a computer lab.

The Certified Information Security Manager (CISM) certification is designed for information security professionals with some existing experience and expertise. The certification is geared toward proving your skills in one or more of the following four areas: 

  • Information security incident management

  • Information risk management

  • Information security governance

  • Information security program development and management

There are more than 48,000 CISM-certified professionals worldwide, according to ISACA, the global association that offers the credential [1]. While it takes some time and effort to earn, gaining the CISM credential could be an effective way to earn a higher salary and to move your career forward, particularly if you’d like to pursue a leadership role in cybersecurity. 

Let’s take a closer look at CISM certifications and their benefits to help you decide. 

What is CISM certification?

Earning a  CISM certification may help demonstrate your proficiency in information security and your advanced skills and knowledge of how security fits into business goals. As a CISM-certified professional, you'll be able to design, implement, and manage an organization's security network. You'll also be tasked with identifying possible threats and reducing damage in case of security breaches.

CISM certification is offered by ISACA, an association with more than 165,000 members in 188 countries [2]. For more than 50 years, ISACA, has been helping information security and information technology professionals stay on top of all the latest changes in this fast-paced, ever-evolving technological landscape. 



The Certified Information Systems Security Professional (CISSP) certification is another in-demand certification offered by (ISC)² Enterprise Solutions, which provides registry and information management services for public records and data. 

While both certifications are geared toward information security professionals, CISM also requires you to demonstrate that you grasp information security from a business standpoint-not just a technical point of view. If you're looking to work with leadership or advance your career to work in management, the CISM certification could be a good option. 

CISSP certification requires you to demonstrate a technical understanding across a large list of security domains with some managerial responsibilities, too. You can pursue both certifications since they complement each other, but if you’re looking to advance to a management position, CISM is the one to earn first.

Benefits of CISM certification

When you’re weighing your options, it helps to keep your eyes on the future and the potential benefits this certification offers. One of the biggest benefits is that it puts you among a community of elite information security professionals. 

Because this certification may be challenging to get, it shows your commitment to your career and in information security. Two additional benefits include increased job opportunities and higher potential earning power. 

Job potential

Cybercrime costs an estimated $7 trillion USD in damages worldwide in 2022, according to Cybersecurity Ventures [3]. The skyrocketing costs of cybercrime may drive steady demand for knowledgeable and skilled information security professionals. Cybersecurity Ventures also projects that the cybersecurity market will grow by 12 to 15 percent through 2025, with increased cybersecurity spending from small businesses to huge enterprises to governments shoring up their defenses against security breaches [4].

The job outlook varies depending on the role you’re in or interested in pursuing. Indeed notes that becoming CISM certified can help give you a competitive edge for IT positions at every level. 

Salary outlook

The average salary of CISM holders in Canada is $119,000 CAD [5]. Keep in mind that salaries may be influenced by location, years of experience, and industry. 

Is CISM right for me?

If you have a combination of information security experience and expertise, and you want to shift from working in a team to leading one, CISM may be a good match. It's ANSI-accredited, which ensures that it meets international consistency and integrity standards. ISACA estimates that CISM holders see the following: 

  • 70 percent increase in on-the-job performance

  • 90 percent more effective teams

  • 70 percent efficiency and expertise increase

Pros and cons

This suggests that gaining this credential may boost your credibility, performance, and confidence. Before deciding if CISM is the right option, consider the benefits and drawbacks, which go beyond the increased job and earning potential. 

Your skills and expertise will be recognized around the world because CISM certification is ANSI-approved under ISO/IEC 17024:2012.It requires a minimum of five years of relevant work experience to qualify, unless you meet qualified substitutions.
You'll have increased networking chances as you join a group of CISM-certified professionals.There are upfront and ongoing costs. In addition to an application and exam registration fee, you’ll also pay an annual maintenance fee 6.
CISM merges IT auditing with information security as an independent function

Requirements for CISM certification

To get certified, you’ll need to meet five criteria, starting with passing the CISM certification exam. This test covers four topics: 

  • Information security incident management

  • Information security program development and management

  • Information risk management

  • Information security governance

The test is multiple-choice with 150 questions that you'll have four hours to complete. If you don't meet the following four requirements, your score will be voided. Additionally, you need to apply for certification within five years of passing the exam. Other criteria include:

  • Complying with ISACA's "Code of Professional Ethics," requiring you to maintain strict standards and your information systems proficiency

  • Completing 20 hours or more of continuing professional education every year, and 120 hours or more within a three-year period [7]

  • Verification of your work experience from your employer. You need at least five years in the information security field, including three or more years in information security management within five years of the day you pass your certification exam.

  • Submitting your CISM application and paying the application fee. ISACA will confirm all of your information before awarding you the certification.

Do I need a degree?

There’s no requirement from ISACA that requires a degree, but having work experience in information security is a must. Many information security employers look for candidates with a bachelor’s degree in cybersecurity, information security, computer science, or a related subject. 

However, because of the demand for information security professionals, you can break into the field without a degree. Some popular alternatives include attending an information security bootcamp or earning another certification, such as the Certified Information Systems Auditor (CISA) credential, which is also issued by ISACA. This certification also requires a minimum of five years of work experience, passing an exam, and completing continuing education.


Required work experience

You need to have five or more years of work experience in information security to qualify to take the CISM exam. At least three of those years need to be in a minimum of three job practice areas, with one year or more in each. These areas include:

  • Information security management

  • Information risk management

  • Information security program development

  • Information security governance

There are several qualifying factors that may reduce the amount of work experience required. For example, holding CISA certification reduces it by two years, and each skill-based security certification, such as CBCP or GIAC, reduces it by one year.

Complete continuing education.

There’s a reason CISM certified professionals have a high regard because they’re held to a stringent standard. You’ll have to adhere to proper conduct and also keep up with the latest issues, techniques, and information security threats. 

You'll have many opportunities to meet the requirements by attending corporate training, vendor sales presentations, and university classes. ISACA also hosts professional education meetings and activities that can go toward the continuing education requirement. You can also self-study courses that provide a completion certificate with the number of CPE hours earned for each course. 

Getting started

If you’re ready to get started in a cybersecurity career, consider enrolling in the Google Cybersecurity Professional Certificate on Coursera. Learn how to use job essential tools like Splunk, Chronicle, and more. This program is designed ​​to help individuals with no previous experience find their first job in the cybersecurity field, all at their own pace. 

Article sources


ISACA. “CISM,” Accessed September 8, 2023.

Keep reading

Updated on
Written by:

Editorial Team

Coursera’s editorial team is comprised of highly experienced professional editors, writers, and fact...

This content has been made available for informational purposes only. Learners are advised to conduct additional research to ensure that courses and other credentials pursued meet their personal, professional, and financial goals.