To be eligible for Certified Information Security Manager (CISM) certification, candidates must pass the CISM exam, have at least five years of qualifying work experience, and agree to ISACA's code of ethics and continuing education policies. 

To earn the CISM credential, you must meet the following criteria: 

1. Pass the CISM exam. The exam has 150 multiple-choice questions covering four domains: Information security governance, information security risk management, information security program development and management, and information security incident management. You must pass within five years of applying for certification.
2. Complete the work experience requirement. A minimum of five years of professional information security management experience within the 10 years before your application is required. This must include at least three years in an information security management role and work in at least three of the four CISM exam domains.
3. Adhere to the Code of Professional Ethics. You must agree to and abide by ISACA's ethical guidelines.
4. Apply for certification. Submit the CISM certification application to ISACA after meeting all requirements. 

Preparation generally involves creating a study plan, using Certified Information Security's CISM SuperReview comprehensive exam preparation (this program), and developing an information security manager's perspective.

How long does it take?

Preparation time varies depending on experience. While many candidates typically spend 100 to 150 hours studying over two to six months with convential ISACA Review Manual preparation, CIS' CISM SuperReview preparation effectively reduces the preparation time required. Most students complete this certification exam preparation program in only 30 - 40 hours, and are able to pass the certification exam on the first attempt.

A Certified Information Security Manager (CISM) certification can lead to a variety of senior-level management and executive roles in cybersecurity, information technology, and risk management. The certification is designed for experienced professionals who manage, design, oversee, and assess an organization's information security. 

Executive leadership

Chief Information Security Officer (CISO): A CISO is a senior-level executive who oversees the entire information security program for an organization, including designing policies, managing security teams, and ensuring compliance with regulations.

• Chief Information Officer (CIO): A CIO is responsible for all technology initiatives and strategies within a company. The CISM's focus on IT governance and risk management is highly relevant for this role.
• Director of Security/Information Technology: A CISM is a pathway to high-level director roles where you manage security or IT infrastructure at an enterprise level. 

Management and governance

• Information Security Manager: This is a primary role for CISM-certified professionals. You are responsible for safeguarding the organization's IT infrastructure, developing data protection policies, and managing security operations.
• IT Risk Manager: These professionals identify, assess, and mitigate security risks that could impact business functions. The CISM provides fundamental skills in risk assessment and translating technical vulnerabilities into business risks.
• Information Security Program Manager: In this position, you manage the development, implementation, and maintenance of an organization's information security programs.
• IT Audit Manager: While the Certified Information Systems Auditor (CISA) is more focused on auditing, a CISM can qualify you to manage IT audit and compliance teams. The two certifications are often complementary. 

Consulting and specialized roles

• Information Security Consultant: As a consultant, you can provide expert advice to organizations on cybersecurity frameworks, compliance, and best practices. The CISM is highly valued for this role, especially for freelance or senior positions.
• Governance, Risk, and Compliance (GRC) Analyst: This role focuses on ensuring an organization's security practices align with internal standards and external regulatory requirements, an area where the CISM's expertise is central.
• Security Architect: A CISM-certified professional can leverage their managerial skills to become a security architect, designing and improving security infrastructure across the enterprise. 

Progression to management from technical roles

For those transitioning from hands-on technical positions, the CISM provides a path to leadership. This includes experienced professionals in roles such as: 

• Cybersecurity Engineer
• Systems Analyst
• Security Analyst 

The Certified Information Security Manager (CISM) certification is widely considered a worthwhile investment for experienced cybersecurity professionals aiming for leadership roles. It is especially valuable for those who wish to move from a technical career path into a management-focused position.

Benefits of CISM certification

• Career advancement: The CISM is explicitly designed for managers, validating your expertise in information security governance, program development, incident management, and risk management. This qualifies you for senior positions like CISO, Security Director, and IT Security Manager.
• Higher earning potential: CISM is consistently ranked among the highest-paying IT certifications globally. In the U.S., CISM-certified professionals can earn an average salary well into six figures, with compensation increasing significantly with experience.
• High demand: Organizations worldwide are facing a significant talent gap for security leadership. CISM certification is frequently listed as a preferred or required credential for many management openings, putting certified professionals in a strong negotiating position.
• Increased credibility: Holding the CISM, offered by the respected ISACA organization, demonstrates to employers that you have the strategic and managerial knowledge to effectively lead and align security programs with business objectives.
• Networking opportunities: Certification includes access to ISACA's global professional community, which offers valuable networking and career growth prospects. 

CISM certification has been around for over 20 years, and is very well-recognized accordingly. Many job opportunities consider CISM certification for candidacy, and after 20 years in the market, many people already have the credential. Consequently, the credential is not the professional differentiator it once was since so many professionals already have it.

Other popular and more exclusive high-profile professional credentials related to CISM include:

Establishing, integrating, managing, and auditing enterprise risk management

• Certified ISO 31000 Internal Controls Risk Analyst (CICRA) - For establishing and managing an Enterprise Risk Management system according to the internationally respected ISO 31000 standard for ERM, as well as conducting and facilitating risk assessments
• NIST AI Risk Management Framework 1.0 Architect - For assessing and auditing AI risks

Implementing and/or auditing cybersecurity programs, risks, and controls

• NIST Cybersecurity Framework 2.0 Lead Implementer - For establishing and managing cybersecurity risk and controls
• NIST Cybersecurity Framework 2.0 Lead Auditor - For auditing information security, cybersecurity, and privacy management controls
• ISO 27001 Lead Implementer - For establishing and managing information security, cybersecurity, and privacy management controls
• ISO 27001 Lead Auditor - For auditing information security, cybersecurity, and privacy management systems

Establishing, integrating, managing, and auditing AI systems, risks, and controls

• ISO 42001 AI Lead Implementer - For establishing and managing AI management systems
• ISO 42001 Lead Auditor - For auditing AI management systems
• NIST AI Risk Management Framework 1.0 Architect - For assessing and auditing AI risks