CISM Exam Preparation Guide - How to Become a Certified Information Security Manager (CISM)

What Does a CISM Do - Roles & Responsibilities

A CISM manages information security programs. This includes starting, developing, and maintaining information security systems and initiatives. Though it can involve some hands-on tasks, most of the job is managerial. If you’re more interested in the technical side of information security, becoming a Certified Information Security Auditor (CISA) might be preferable.

You can get a sense of what a CISM does from the official ISACA CISM exam content outline. It describes the key domains, subtopics, and tasks a CISM must master to pass the test. Some of the main CISM tasks include the following:

• Identify internal and external influences to the organization that affect the information security strategy
• Establish and/or maintain an information security strategy in alignment with organizational goals and objectives
• Establish and/or maintain an information security governance framework
• Establish and maintain information security policies to guide the development of standards, procedures, and guidelines
• Develop business cases to support investments in information security
• Gain ongoing commitment from senior leadership and other stakeholders to support the successful implementation of the information security strategy
• Define, communicate, and monitor information security responsibilities throughout the organization and lines of authority
• Compile and present reports to key stakeholders on the activities, trends, and overall effectiveness of the information security program
• Evaluate and report information security metrics to key stakeholders
• Establish and/or maintain the information security program in alignment with the information security strategy
• Align the information security program with the operational objectives
• Establish and maintain information security processes and resources
• Establish, communicate, and maintain organizational information security policies, standards, guidelines, procedures, and other documentation
• Establish, promote, and maintain a program for information security awareness and training
• Integrate information security requirements into organizational processes to maintain the organization’s security strategy
• Integrate information security requirements into contracts and activities of external parties
• Monitor external parties’ adherence to established security requirements
• Define and monitor management and operational metrics for the information security program
• Establish and/or maintain a process for information asset identification and classification
• Identify legal, regulatory, organizational, and other applicable compliance requirements
• Participate in and/or oversee the risk identification, risk assessment, and risk treatment process
• Participate in and/or oversee the vulnerability assessment and threat analysis process
• Identify, recommend, or implement appropriate risk treatment and response options to manage risk to acceptable levels based on organizational risk appetite
• Determine whether information security controls are appropriate and effectively manage risk to an acceptable level
• Facilitate the integration of information risk management into business and IT processes
• Monitor for internal and external factors that may require reassessment of risk
• Report on information security risk, including noncompliance and changes in information risk, to key stakeholders in order to facilitate the risk management decision-making process
• Establish and maintain an incident response plan, in alignment with the business continuity plan and disaster recovery plan
• Establish and maintain an information security incident classification and categorization process
• Develop and implement processes to ensure the timely identification of information security incidents
• Establish and maintain processes to investigate and document information security incidents in accordance with legal and regulatory requirements
• Establish and maintain incident-handling process, including containment, notification, escalation, eradication, and recovery
• Organize, train, equip, and assign responsibilities to incident response teams
• Establish and maintain incident communication plans and processes for internal and external parties
• Evaluate incident management plans through testing and review, including table-top exercises, checklist review, and simulation testing at planned intervals
• Conduct post-incident reviews to facilitate continuous improvement, including root-cause analysis, lessons learned, corrective actions, and reassessment of risk

If these sounds like tasks you would enjoy performing, then becoming a CISM might be right for you. In the next sections, we’ll go over exactly what you need to do to certify as a CISM.

CISM Certification: Requirements, Prerequisites, and Cost

So how do you get the CISM certificate? First, you must meet the prerequisites. These include at least five years of experience in information security management. You must have gained this experience within 10 years of applying for the CISM certification and no more than five years after passing the CISM exam.

However, there are ways to waive up to two years of work experience. The following will waive one year of experience:

• One full year of information systems management experience
• One full year of general security management experience
• Skill-based security certifications (e.g., SANS Global Information Assurance Certification (GIAC), Microsoft Certified Systems Engineer (MCSE), CompTIA Security +, Disaster Recovery Institute Certified Business Continuity Professional (CBCP), ESL IT Security Manager)

To waive two years of experience, you must have one of the following:

• Certified Information Systems Auditor (CISA) in good standing
• Certified Information Systems Security Professional (CISSP) in good standing
• Postgraduate degree in information security or a related field (e.g., business administration, information systems, information assurance)

Once you meet the work experience requirements, you must agree to follow the ISACA Code of Professional Ethics. This means you will:

• Support the implementation of, and encourage compliance with, appropriate standards and procedures for the effective governance and management of enterprise information systems and technology, including: audit, control, security and risk management
• Perform the duties with objectivity, due diligence, and professional care, in accordance with professional standards
• Serve in the interest of stakeholders in a lawful manner, while maintaining high standards of conduct and character, and not discrediting the profession or the Association
• Maintain the privacy and confidentiality of information obtained in the course of your activities unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
• Maintain competency in your respective fields and agree to undertake only those activities you can reasonably expect to complete with the necessary skills, knowledge, and competence
• Inform appropriate parties of the results of work performed, including the disclosure of all significant facts known to you that, if not disclosed, might distort the reporting of the results
• Support the professional education of stakeholders in enhancing their understanding of the governance and management of enterprise information systems and technology, including: audit, control, security and risk management

Next, you must register for the CISM exam. The exam costs $575 for ISACA members and $760 for non-members. Before you register, make sure there is a PSI testing site located near you (unless you choose to take the exam online with remote proctoring). There are 1,300 PSI locations across the world. From the time you register for the exam, you will have one year to take it, after which you lose eligibility to earn the certification.

The CISM exam has 150 multiple-choice questions across four CISM domains. Here are the domains and the portion of the exam questions that fall under each:

• Information security governance (17% of questions)
• Information security risk management (20% of questions)
• Information security program (33% of questions)
• Incident management (30% of questions)

You are allowed four hours to complete the CISM exam. As soon as you finish, you’ll see your preliminary test results, which tell you whether you passed. To pass, you need to score at least 450 out of 800 points. Your detailed test results will be sent to you within 10 work days.

Once you pass the exam, you may apply for CISM certification on the ISACA website for $50. You must apply for certification within five years of passing the CISM exam. ISACA filters through applications in the order they are received, so they’ll get back to you as soon as possible to inform you whether you are eligible for the CISM certification.

To maintain the CISM certificate, you must also complete 120 hours of continuing professional education (CPE) every three years. This is to ensure you maintain adequate knowledge and proficiency with regard to information security management. ISACA offers many CPE opportunities, including the following:

• Conferences (up to 32 CPEs)
• Training weeks (32 CPEs)
• Online training (up to 36 CPEs per year)
• One-in-Tech educational events (up to 36 CPEs per year)
• On-demand learning (up to 28 CPEs per course)
• Journal quizzes (one CPE for each of six journals annually)
• Volunteering with ISACA (up to 20 CPEs per year)
• Volunteering with One in Tech (up to 20 CPEs per year)
• Skills-based training/lab activities

There are also several qualifying professional education activities that may count toward CPEs, such as the following:

• ISACA professional education activities and meetings (no limit)
• Non-ISACA professional education activities and meetings (no limit)
• Self-study courses (no limit)
• Vendor sales/marketing presentations (10-hour annual limit)
• Teaching/lecturing/presenting (no limit)
• Publication of articles, monographs, and books (no limit)
• Exam question development and review (no limit)
• Passing related professional examinations (no limit)
• Working on ISACA boards/committees (20-hour annual limit)
• Contributions to the profession (20-hour annual limit)
• Mentoring (10-hour annual limit)

For more details on the CPE requirements, read the full CPE policy on the ISACA website.

As long as you follow the steps above and pass the CISM exam, you’re guaranteed to receive the CISM certificate.

CISM vs CISSP: Is the CISM Better Than the CISSP?

You may know that ISACA’s CISM isn’t the only cybersecurity certification. Another popular cybersecurity credential is the CISSP (Certified Information Systems Security Professional) by (ISC)². Both the CISM and the CISSP are vendor-neutral information security management certifications that require five years of experience, but there are essential differences.

The CISM is management-focused and highly business-oriented. None of its four information security domains (governance, risk management, security program, or incident management) involve heavy technical skills. In contrast, the CISSP program covers both managerial and technical skills. So its focus is broader. In fact, the CISSP spans eight information security domain areas:

• Security and Risk Management
• Asset Security
• Security Architecture and Engineering
• Communication and Network Security
• Identity and Access Management (IAM)
• Security Assessment and Testing
• Security Operations
• Software Development Security

When you’re attempting to decide whether the CISM or the CISSP is more suitable for you, study how the two exams differ. The CISM costs $760 (or $575 for ISACA members), lasts four hours, includes 150 multiple-choice questions, and requires 450 out of 800 points to pass. The CISSP costs $749, takes three hours, has 100 to 150 questions, and requires 700 out of 1,000 points to pass.

Here are some other details to consider:

• For the CISM, you have to complete 120 hours of continuing education credits each year to keep your certificate active, but for CISSPs, it’s 120 hours every three years.
• Worldwide, there are around 28,000 CISM certificate holders, compared to 136,428 CISSP certificate holders.
• The average CISM salary is $131,209, while the average CISSP salary is $129,902.

Ultimately, whether to go for the CISM or the CISSP is up to you. One isn’t necessarily better than the other, and both will advance your cybersecurity career. If you’re interested in CISM and CISSP, you could even earn both of them!

Difference Between CISM and CISA Certification

Another cybersecurity certification you may have considered is the CISA, which stands for certified information systems auditor. The CISA and the CISM have a lot in common, but they also have important differences. Let’s go over the similarities first.

For one, the CISA and the CISM are both issued by ISACA and accredited by ANSI under ISO/IEC. They both require five years of professional experience in information security as well as a four-hour exam with 150 multiple-choice questions. In both cases, the exam costs $575 for ISACA members and $760 for non-members.

But the two certifications also involve substantial differences. Whereas the CISA certification shows you can audit, control, monitor, and assess an organization’s information technology and business systems, the CISM is geared toward information security governance, program development and management, and incident and risk management.

To get a better sense of how the CISA is different, consider its five domains:

• Information Systems Auditing Process
• Governance and Management of IT
• Information Systems Acquisition, Development, and Implementation
• Information Systems Operations and Business Resilience
• Protection of Information Assets

The CISA is actually ISACA’s longest-standing certification. That’s why there are more than 140,000 CISA holders, compared to only about 28,000 CISM certificate holders. However, the average salary for CISAs is $106,267, a bit lower than the $131,209 the average CISM makes.

As far as CISA career paths, common CISA job positions include:

• Internal auditor
• Public accounting auditor
• IS analyst
• IT audit manager
• IT project manager
• Network operation security engineer
• Cyber security professional

In contrast, CISM holders tend to take on higher-level roles as information security managers, chief information officers, information risk compliance specialists, information systems security officers, and information/privacy risk consultants.

Ultimately, the biggest difference between the CISA and the CISM is scope. CISAs focus mostly on technical cybersecurity skills, while CISMs focus on managing an entire cybersecurity program.

How to Prepare for the CISM Exam?

There are many ways to prepare for the CISM exam. To increase your chances of passing, it’s wisest to adopt multiple approaches. These are our top exam preparation tips to help you succeed:

• Schedule the exam. Before you do anything else, you must register for the CISM exam on the ISACA website. The exam is available online with remote proctoring or in person at a PSI testing center (there are 1,300 PSI locations across the world). Either way, make sure you give yourself ample time to prepare.
• Create a study plan. Once you have an exam date set, you’re ready to develop a study plan. Take a look at the four CISM domains (governance, risk management, security program, and incident management) and break up the material into manageable chunks. Pay attention to each domain’s weighting and identify areas where you are not as strong. Be sure to dedicate a greater amount of time to the harder topics and reduce the gaps in your knowledge. A well-designed study plan is key to not running out of preparation time.
• Review the official ISACA study materials. ISACA has a lot of free study resources on its website. For example, its Exam Candidate Information Guide contains information about exam registration, deadlines, preparation rules, administration, scoring, exam-day details, retake policy, and exam length, languages, and terminology. You can also check out ISACA’s exam prep materials (note that the CISM exam and exam content outline were updated on 1 June 2020, so make sure you have the most up-to-date versions).
• Take a course. In addition to using ISACA’s study materials, take advantage of third-party CISM exam prep courses. For example, you could take the ISACA CISM CERTIFICATION boot camp course by Readynez. It lasts only four days, and you can take it virtually for 2,350 Euro. The course includes all course materials and a certification guarantee! Other courses are self-paced and focus on differing learning methods: visual, writing/reading, listening, and so on. Pick a course that fits your learning style.
• Do practice exams. Studying can only get you so far. At some point, you ought to take a practice exam to know what the actual experience will be like. Give yourself a four-hour time limit to simulate the real experience. You can find many free and paid practice exams online.
• Develop good test-taking skills. Doing well on the CISM exam is like any other big academic test. It requires good test-taking skills. That means you should pace yourself. Skip questions that stump you and come back to them later. If you know some answers are wrong, use the process of elimination to identify the most likely one. Read questions with care and pay special attention to terms such as “MOST, LEAST, NOT, ALL, NEVER, and ALWAYS,” which can dramatically change the meaning of a question. Break up the four hours by getting a drink of water or taking a walk. When you don’t know the answer, follow your gut. There's no penalty for incorrect answers, so you might as well guess when you run out of time. Finally, think like an information security manager. After all, that’s what the exam is testing you on.
• Show up ready on exam day. When exam day arrives, make sure you get a good night’s rest beforehand and eat a good breakfast. Arrive early (30 minutes ahead of time is ideal). If you are more than 15 minutes late, you’ll be treated as absent. And don’t forget to have an official ID ready to show (acceptable forms of ID include your driver’s license, state identity card, passport, military ID, green card, and national identification card). If you miss or fail the exam, you will have to wait 30 days to retake it. If you fail again, you must wait 90 days from the first retake to take the exam again. And if you fail a third time, you must wait 90 days from your second retake to take the exam again.

If you follow through on all of these CISM exam preparation tips, you’ll have a much better chance of passing. So start preparing today, and you’ll be off to an excellent beginning!

Benefits CISM Certification

Now that we’ve covered how to prepare for and take the CISM exam, let’s talk about the benefits of getting your CISM certificate. Here are a few:

• Earn a higher salary. Among those who earn the CISM, 48% get a salary boost within a year. Many of those salary increases are in the 20% to 25% range. So a CISM certificate is well worth the investment. The average CISM salary is $131,209.
• Gain more credibility. The CISM is recognized worldwide. It will help you stand out from your peers when employers make hiring and promotion decisions.
• Expand your knowledge. Of course, earning the CISM will increase your mastery of the field. Not only must you prove your skills by passing the exam but you must possess professional experience across five information security domains.
• Advance your career. Earning the CISM helps you move from a technical role to a managerial position. “Manager” is in the name (certified information security manager), after all. If you’ve been stuck in the same position for a long time, the CISM might be just what you need to move up in the company.
• Improve your job performance. Even if you don’t enjoy a promotion right away, a CISM will boost your job performance. Eventually, this will impress your employer and earn you a promotion or at least a raise.
• Open networking opportunities. ISACA provides many networking opportunities for CISMs through events and continuing education programs. But even outside ISACA, you’ll find that a CISM certificate will open doors to job experiences you never had before.

Any way you slice it, earning a CISM certificate has many benefits. So don’t underestimate its power to boost your cybersecurity career.

Job Prospects after doing a CISM Certification? Career Path

The job prospects for CISM holders are substantial. Take a look at these statistics reported by the National Initiative for Cybersecurity Education (NICE):

• There is a global shortage of 2.72 million cybersecurity workers.
• On average, 50% of hiring managers surveyed generally don’t believe their applicants are well qualified, and an additional 16% are either unable to or uncomfortable about making the determination.
• As of November 2021, there were 597,767 total cybersecurity job openings and 1,053,468 total employed in the cybersecurity workforce.
• Between 2016 and 2026, computer and mathematical occupations will grow by 13.5%, much faster than the average job growth.

It’s fairly clear that cybersecurity professionals are in high demand, and the demand is only going to rise in the future. Some common career paths after earning your CISM certificate include the following:

• Information Security Manager—In this position, you oversee all of a firm’s information technology. You make sure the company is taking cybersecurity seriously through anti-virus software, strong passwords, firewalls, multi-factor authentication (MFA), and more. Information security managers also lead regular cybersecurity trainings to keep everyone up to date and on the same page.
• Chief Information Officer—This is a high-ranking executive position that oversees information technology and IT specialists within a company’s IT section, and helps ensure outcomes that support the goals of the business. This includes overseeing the day-to-day maintenance of all computer systems (both hardware and software). Chief information officers must also be agile and quick to respond to trends within the cybersecurity industry and shifts within the organization.
• Information Risk Compliance Specialist—This position is responsible for identifying and assessing cybersecurity threats to an organization. It involves providing internal control testing, auditing, monitoring, and risk management and mitigation. The information risk compliance specialist creates risk management models to assess exposure and educates managers, frontline workers, and other executives with regard to this information. This ensures the organization will know how to respond to threats and retain a competitive advantage.
• Information System Security Officer—In this position, you monitor an organization’s information technology system, search for security threats, and establish protocols to neutralize them. You also help maintain and update anti-virus software to block threats. To do this, information system security officers have to understand security frameworks, possess good problem-solving and analytical skills, and be able to educate others on information security threats in simple terms.
• Information/Privacy Risk Consultant—In this role, you help monitor and assess information security programs by developing privacy program metrics, creating and updating privacy policies and procedures, and helping to reduce or eliminate risk as much as possible. Information and privacy risk consultants tailor their policy recommendations to the unique needs of each organization.

And the list goes on. There are many other positions for which the CISM comes in handy. This is because organizations worldwide put a premium on CISMs for their proven expertise in information security and management know-how. So CISMs rarely have trouble finding well-paying positions in large organizations and companies around the globe.

CISM Salary

How much do CISMs make? The average CISM salary in 2022 is $131,209. That’s $63.08 per hour, $2,523 per week, or $10,934 per month.

Of course, salaries for CISMs vary by location, skill level, and experience. The lowest recorded salaries are $80,000, and the highest are $190,000. That’s a $110,000 range. The top earners make an average of $174,000, the 75th percentile earns $150,000, and the 25th percentile earns $100,000.

CISM Job Practice Areas

The CISM role spans many job practice areas. The main four are information security governance, information security risk management, information security program, and incident management. Let’s go over the official descriptions of each job practice area from the ISACA website and what they involve.

Information security governance

Information security governance encompasses enterprise governance (including organizational culture; legal, regulatory, and contractual requirements; and organizational structures, roles, and responsibilities) and information security strategy (information security strategy development, information governance frameworks and standards, and strategic planning).

Information security governance is all about understanding the relationship between management and cybersecurity outcomes. It means understanding the relationships among information security organization, design, strategy, processes, technology, human factors, culture, and architecture.

It also involves measuring the value and effectiveness of cybersecurity measures against their outcomes. Does the cost justify the result? A big key to this is understanding cybersecurity metrics and knowing how to explain them to upper management.

Information risk management

Information risk management comprises information security risk assessment (emerging risk and threat landscape, vulnerability and control deficiency analysis, risk assessment and analysis) and information security risk response (risk treatment and response options, risk and control ownership, risk monitoring and reporting).

Successful information risk management requires you to understand an organization’s risk management strategy, priorities, and roles. It requires knowing the threats, vulnerabilities, exposures, and impact as well as the recovery time objective (RTO), recovery point objective (RPO), service delivery objectives (SDOs), and acceptable interruption window (AIW).

These metrics will help you to balance business trade-offs more effectively when responding to information security threats. You must determine the scope and boundaries of information risk management, perform risk assessments, and design a risk treatment plan. It also helps to set control baselines to measure the effectiveness of your information risk management function.

Information security program

Information security program involves information security program development (information security program resources, information asset identification and classification, industry standards and frameworks for information security, information security policies, procedures, and guidelines, and information security program metrics) and information security program management (information security control design and selection, information security control implementation and integrations, information security control testing and evaluation, information security awareness and training, management of external services, and information security program communications and reporting).

Developing and managing a good information security program entails good documentation, including a risk or controls registry and annual statements on the current state of risk to the organization.

Incident management

Incident management involves incident management readiness (incident response plan, business impact analysis, business continuity plan, disaster recovery plan, incident classification/categorization, and incident management training, testing, and evaluation) and incident management operations (incident management tools and techniques, incident investigation and evaluation, incident containment methods, incident response communications, incident eradication and recovery, and post-incident review practices).

Many regards incident management as the most important of the four CISM job practice areas. This is because one security incident could ruin your firm. To keep a good hold on information security incidents, you must identify and contain them quickly.

This allows for incident recovery within an acceptable interruption window. Some technologies that can help with this include a network incident detection system, host intrusion detection systems, and system, database, operating system, and application logs. It’s also vital to keep any evidence of security breaches to show to the courts in case of a lawsuit.

Ultimately, there’s a wide span of job practice areas where you can apply your CISM certification. Choose one that best suits your talents and interests.

Get Certified & Strengthen Your Future - Make Your Choice

If you’re ready to take your information security career to the next level, get CISM certified today! You can apply for certification online by paying a $50 application fee. This is a one-time, non-refundable fee, so only apply if you are committed. You must also apply within five years of passing the CISM exam. If that sounds doable, hit submit!

Finally, remember you must also demonstrate the required minimum of five years of professional work experience in information security, adhere to the ISACA Code of Professional Ethics, and maintain 120 hours of Continuing Education (CPE) credits every three years. If you check all the boxes, you’re well on your way to earning the CISM certificate and having a successful career in information security management.

Please don’t hesitate to reach out to us here if there’s anything we can do to support you on your Certification journey.