Becoming a Certified Information Security Manager (CISM) is a strategic move for professionals looking to transition from technical "doing" to leadership and governance. Unlike more technical certifications, CISM focuses on how security integrates with business goals.
Here is the step-by-step roadmap to earning and maintaining your CISM in 2026.
1. Pass the CISM Exam
The first step is proving your knowledge. You can take the exam before you even have the required work experience.
- Format: 150 multiple-choice questions.
- Duration: 4 hours.
- Passing Score: A scaled score of 450 (on a 200–800 scale).
- The Four Domains:
  - Information Security Governance (17%): Policy development and strategy alignment.
  - Information Risk Management (20%): Identifying and mitigating business risks.
  - Information Security Program Development & Management (33%): Designing and implementing the security plan.
  - Information Security Incident Management (30%): Handling breaches and recovery.
Pro Tip: Think like a manager, not an engineer. When answering exam questions, the "best" answer is often the one that minimizes business impact or aligns with organizational policy, even if a technical fix is more immediate.
2. Meet the Experience Requirements
To actually receive your certificate, you must demonstrate five years of professional information security work experience.
- Management Requirement: At least three of those five years must be in information security management across three or more CISM domains.
- Timeline: This experience must be gained within the 10 years before your application or within 5 years after passing the exam.
- Substitutions & Waivers: You can reduce the five-year total (but not the three-year management requirement) with:
  - 2 Years: For holding a current CISSP or CISA certification, or a Master’s degree in Information Security.
  - 1 Year: For a Bachelor’s degree in an IT/Security-related field or holding certifications like Security+ or GIAC.
3. Apply for Certification
Once you’ve passed the exam and met the experience criteria, you must formally apply through ISACA.
- Pay the Fee: A one-time application processing fee of $50.
- Verify Experience: You will need a former supervisor or manager to verify your work history.
- Submit Documentation: Provide proof of any degrees or other certifications used for waivers.
4. Maintenance and Ethics
The CISM isn't a "one-and-done" achievement. To keep your status, you must:
- Abide by Ethics: Agree to ISACA’s Code of Professional Ethics.
- Earn CPEs: Complete at least 120 Continuing Professional Education (CPE) hours every three years (with a minimum of 20 per year).
- Pay Annual Fees: Pay the annual maintenance fee ($45 for members, $85 for non-members).
Estimated 2026 Costs

| Item | Member Price | Non-Member Price |
| --- | --- | --- |
| ISACA Membership | ~$135–$170 (varies by chapter) | N/A |
| CISM Exam Fee | $575 | $760 |
| Application Fee | $50 | $50 |
| Official Review Manual | ~$109 | ~$139 |
