How to become CISM certified – certification requirements [updated 2022]

July 2, 2022 by Graeme Messina

CISM (Certified Information Security Manager) certification is an accomplishment that only a select few IT professionals will attain in their careers. Worldwide, there are an estimated 48,000 CISM professionals, a tiny percentage of the planet’s population. This certification is highly sought after and holders of the CISM are almost guaranteed to find a dream job in information system security management.

Because the CISM is so highly sought after, it is difficult to secure. Prospective candidates need to follow specific steps to become CISM-certified. We will outline each step so you’ll have a better idea of how to approach it. We will cover the five steps that you'll need to complete the CISM and we will go into detail about what you need to move forward in your certification journey.


Five steps to become CISM certified

Pass the exam

Surprisingly, passing the CISM exam is the least of your worries when getting your CISM certification, although the exam is no mean feat in itself. You must show understanding and knowledge in various domains of competency. As of 2022, these are:

  • Information security governance (17%)
  • Information risk management (20%)
  • Information security program (33%)
  • Incident management (30%)

Comply with the code of professional ethics

Members of ISACA or holders of the CISM designation must agree to the Code of Professional Ethics, which will guide their professional and personal conduct. The Code of Professional Ethics is made up of seven principles:

  1. Support the implementation of, and encourage compliance with, appropriate standards and procedures for the effective governance and management of enterprise information systems and technology, including audit, control, security and risk management.
  2. Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards.
  3. Serve in the interest of stakeholders in a lawful manner, while maintaining high standards of conduct and character and not discrediting their profession or the association.
  4. Maintain the privacy and confidentiality of information obtained in the course of their activities unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
  5. Maintain competency in their respective fields and agree to undertake only those activities they can reasonably expect to complete with the necessary skills, knowledge and competence.
  6. Inform appropriate parties of the results of work performed, including the disclosure of all significant facts known to them that, if not disclosed, may distort the reporting of the results.
  7. Support the professional education of stakeholders in enhancing their understanding of the governance and management of enterprise information systems and technology, including: audit, control, security and risk management.

Participate in CPE program

The main idea behind the CPE (continued professional education) policy is that qualified CISM candidates should keep their knowledge as up-to-date as possible. This will ensure that new trends or possible threats are identified and included in new security policies. The main goals of the CPE program can therefore be thought of as:

  • A means of maintaining competency and ensuring that the CISM professional remains knowledgeable and proficient in IT security systems and management. By doing these things, CISMs are far more likely to effectively manage, design and oversee the organization’s information security while assessing any potential threats to the security of IT systems.
  • Allowing for the identification of qualified CISMs compared to those who are not keeping up to date with the CPE program.

You must also pay maintenance fees and keep a minimum of 20 contact hours of CPE annually. In addition, you must complete a minimum of 120 contact hours over a period of three years to comply with ISACA requirements. Here’s more information on CPE.

Work experience

You must also submit verified evidence that you have worked a minimum of five years in the field of information security, with a minimum of three years in information security management in at least three of the job practice analysis areas. This work experience must be gained within the 10-year period preceding the application for certification or within five years from the exam date. Some qualifications can act as a substitute for part of the full five years’ worth of work experience. Here are two scenarios that can lessen the requirements for an individual candidate, based on qualifications and work experience.

Two years:

One year:

  • One full year of information systems management experience
  • One full year of general security management experience
  • Skill-based security certifications (e.g., SANS Global Information Assurance Certification (GIAC), Microsoft Certified Systems Engineer (MCSE), CompTIA Security+, Disaster Recovery Institute Certified Business Continuity Professional (CBCP), ESL IT security manager)

Please be aware that the experience substitutions listed above are not accepted as a replacement for any part of the three-year information security management work experience. The only exception is work as a full-time university-level instructor teaching information security management: every two years worked in such a role can substitute for one year of experience.

Submit CISM application to ISACA

The final step is to submit a CISM application for certification. This can be done only after you have passed the CISM exam and acquired the necessary work experience.



CISM candidates have a lot to complete before they can attain certification, but it is well worth the effort because CISM certifications are in high demand and are quite rare. Positions that require a CISM certification are high-level management roles that require both experience and advanced technical and managerial skills.

The CISM can be seen as a combination of roles, such as IT auditor and information security execution, creating a unified function within the organization. The CISM is seen as the international standard for IT security professionals in security, auditing and systems control.

CISM professionals are almost guaranteed to land a dream job in IT management with skills and managerial processes that corporations highly value. Achieving this certification is a career-changing milestone that will elevate your professional standing within the organization and is likely to open the door to better earnings, higher incentives and better benefits, as well as an advanced understanding of security systems management.



Graeme Messina

Graeme is an IT professional with a special interest in computer forensics and computer security. When not building networks and researching the latest developments in network security, he can be found writing technical articles and blog posts at InfoSec Resources and elsewhere.