So You Want to Be a Certified Information Security Manager (CISM)


Information security professionals are in high demand around the world. As organizations seek to counter today's sophisticated security threats, they require the services of skilled professionals who can build appropriate defenses. Those professionals, in turn, require leaders who both understand the security field and the role that security plays in broader organizational governance efforts.


In recent years, organizations have found it increasingly difficult to pinpoint and hire these security leaders with a good balance of technical knowledge, soft skills and leadership ability. Individuals possessing this balance find themselves well-suited for a lucrative career in information security management, perhaps as a Chief Information Security Officer (CISO).


The Certified Information Security Manager (CISM) certification offers a great opportunity for individuals seeking to document their ability to master the difficult balance of skills required of a security leader. The credential does include a work experience requirement, so it is only available to those who have already demonstrated experience in an information security management role.


It is very well-suited for those seeking to round out their resumes as they prepare to advance their careers to the next level of information security leadership or find a new opportunity in another organization.


Inside the CISM


The Information Systems Audit and Control Association (ISACA) created the CISM program in 2002, recognizing a need for a management and governance-focused certification program. The CISM fit neatly in an industry filled with highly technical certification programs, including the Security+ credential and the industry gold standard Certified Information Systems Security Professional (CISSP) certification. As of today, over 28,000 professionals carry the CISM credential on their resumes.


CISM candidates must have five years of work experience in the information security field, with at least three years of experience in information security management. Individuals who currently hold the CISSP credential, Certified Information Systems Auditor (CISA) credential or a post-graduate degree in information security, business administration or a related field receive a waiver for two of the five years of information security work experience.


Holders of many other security credentials and those with management experience in other domains of information systems or security may qualify to waive one year of the experience requirement. Candidates do not need to complete the experience requirement before taking the exam but must complete the requirement within five years of passing the test.


The CISM exam itself is a bit of a relic from a bygone era. Rather than adopting the computer-based testing favored by the vast majority of certification programs, ISACA requires that candidates complete a paper-based exam. The exam is only offered twice each year in July and September, with registration deadlines about six weeks prior to the exam.


The fee for this rather low-tech experience is $500 for ISACA members and $685 for non-members, with a $50 discount available for early registration. Despite this fairly steep fee, ISACA credits the paper-based nature of the exam for keeping costs low, stating that providers who switch to computer-based exams "increase their exam fees significantly (often by 100 percent) given the higher administrative costs."


The exam itself is a grueling four-hour experience where candidates must answer 200 multiple-choice questions following a typical information security exam format. Unlike other security certifications, expect the exam to focus much less on technical material and more on the proper governance practices for an information security program. The material is drawn from ISACA's four domains of information security management knowledge.


Due to the paper-based nature of the exam, candidates must wait approximately five weeks to receive a score report in the mail. That report will include a final score scaled on a range of 200 to 800 points, where 450 points is the minimum passing score. Candidates who pass the exam may then submit an application for CISM certification demonstrating that they meet the credential's work experience requirement and agree to abide by the ISACA Code of Professional Ethics.


CISM's Four Domains of Knowledge


The CISM exam includes questions drawn from ISACA's four domains of knowledge for information security management. These domains include Information Security Governance, Information Risk Management and Compliance, Information Security Program Development and Management, and Information Security Incident Management. ISACA developed these domains with input from practicing information security managers as part of a job practice analysis.


Information Security Governance, the first CISM domain, accounts for 24 percent of the questions on the exam. ISACA expects that candidates will understand how to align an organization's information security strategy with the organization's overall goals and objectives. This domain also requires the ability to create a business case for information security and establish appropriate information security metrics.



Information Risk Management and Compliance questions make up 33 percent of the questions on the CISM exam. Individuals answering these questions on the exam must demonstrate a thorough knowledge of risk assessment and risk management techniques. The domain also includes questions related to evaluating the effectiveness of information security controls and their ability to mitigate risk facing the organization.


The third CISM domain, Information Security Program Development and Management, comprises 25 percent of the exam questions. Candidates preparing for this domain should understand how to create an information security program that achieves the objectives outlined in the organization's information security strategy. This is where the rubber meets the road and candidates must show that they can design, implement and measure information security controls.


Unfortunately, even the most well-designed information security programs sometimes experience setbacks and that's where the fourth CISM domain enters the picture. Candidates will find that the remaining 18 percent of the exam includes questions about Information Security Incident Management, including building a comprehensive organizational ability to identify and respond to adverse information security events.


What's Next?


Candidates earning the CISM credential demonstrate a commitment to the profession of information security leadership and position themselves well to serve as both technical and business leaders in many different types of organizations. As with many certification programs, receiving the certificate in the mail marks the start of a career-long professional development journey.


CISMs must earn a minimum of 20 professional education credit hours each year and a total of 120 hours per three-year recertification cycle. Fortunately, there are many ways to earn these credits while continuing to build the important base of security knowledge necessary for professional success.


About the Author

Mike Chapple is Senior Director for IT Service Delivery at the University of Notre Dame. Mike is CISSP certified and holds bachelor’s and doctoral degrees in computer science and engineering from Notre Dame, with a master’s degree in computer science from the University of Idaho and an MBA from Auburn University.