CISM Disclosure

Certified Information Security Manager

The CISM designation is awarded to individuals with an interest in security management who meet the following requirements:

1. Successfully Pass the CISM Exam

Score a passing grade on the CISM exam. A passing score on the CISM examination, without completing the required work experience as outlined below, will only be valid for 5 years. If the applicant does not meet the CISM certification requirements within the five year period, the passing score will be voided.

2. The Code of Professional Ethics

Members of ISACA and/or holders of the CISM designation agree to a Code of Professional Ethics to guide professional and personal conduct.

3. Continuing Education Policy

The objectives of the continuing education program are to:

  • Maintain an individual's competency to ensure that all CISMs maintain an adequate level of current knowledge and proficiency. CISMs who successfully comply with the CISM CPE policy will be better equipped to manage, design, oversee and assess an enterprise's information security.

  • Provide a means to differentiate between qualified CISMs and those who have not met the requirements for continuation of their certification.

Maintenance fees and a minimum of 20 contact hours of CPE are required annually. In addition, a minimum of 120 contact hours is required during a fixed 3-year period.

View the complete CISM Continuing Education Policy, available in English, Spanish, Japanese and Korean.

4. Work Experience

Submit verified evidence of a minimum of five years of information security work experience, with a minimum of three years of information security management work experience in three or more of the job practice analysis areas. The work experience must be gained within the 10-year period preceding the application date for certification or within 5 years from the date of originally passing the exam.

Experience Substitutions 
The following security-related certifications and information systems management experience can be used to satisfy the indicated amount of information security work experience.

Two Years:

  • Certified Information Systems Auditor (CISA) in good standing

  • Certified Information Systems Security Professional (CISSP) in good standing

  • Post-graduate degree in information security or a related field (e.g., business administration, information systems, information assurance)

One Year:

  • One full year of information systems management experience

  • One full year of general security management experience

  • Skill-based security certifications (e.g., SANS Global Information Assurance Certification (GIAC), Microsoft Certified Systems Engineer (MCSE), CompTIA Security +, Disaster Recovery Institute Certified Business Continuity Professional (CBCP), ESL IT Security Manager)

  • Completion of an information security management program at an institution aligned with the Model Curriculum

The experience substitutions will not satisfy any portion of the 3-year information security management work experience requirement.

Exception: Two years as a full-time university instructor teaching the management of information security can be substituted for every 1 year of information security experience.

5. Submit an Application for CISM Certification

Once a CISM candidate has passed the CISM certification exam and has met the work experience requirements, the final step is to complete the CISM Application for Certification found at isaca.org/CISMApp.