Common CISM job titles [updated 2022]

Graeme Messina
July 12, 2022 by
Graeme Messina

Successful candidates who manage to gain ISACA’s Certified Information Security Manager (CISM) certification will find many new opportunities open. CISM holders are far more likely to land senior roles that come with more responsibility, greater benefits and higher remuneration. This is due to the comprehensive nature of the CISM. As a result, CISMs are highly sought-after IT professionals that an organization can benefit greatly from.

$150,040 average salary

$150,040 average salary

ISACA CISM is one of the industry's highest-paying cybersecurity certifications for 2023. Take your information security management career to new heights and enroll now to claim your Exam Pass Guarantee!

A student must successfully completed the CISM exam and then perform the required tasks, such as accruing work experience and continuing their studies, to be officially certified. This is no easy task because the requirements are very specific, including constant cycles of studying and training. This ensures that candidates are always up to date with the CISM certification and that they remain current with their knowledge and familiar with new technologies and emerging trends in the information security industry. For all of these reasons, the CISM is a highly valuable certification to have.

What kind of jobs can I get with the CISM certification?

The CISM is a higher-level certification that opens many opportunities for progressing further in your information security career. This is because you can specialize after attaining this qualification and, at the same time, learn a multitude of invaluable skills and information security theory. The kinds of jobs that a CISM can get are varied and exciting; they lean toward managerial positions, technical roles, systems auditing, information security risk assessment, and even systems development roles. For these reasons the CISM is an important certification for security professionals.

The CISM certification is for those who have technical expertise and experience in IS/IT security and control and want to access managerial roles. Exam candidates need three to five years of working experience in ISM. The CISM exam is an experience-based exam that validates the familiarity of an information security managers (ISMs) working in the areas of security, risk and control and the knowledge necessary to perform those tasks. 

What are the most common CISM job titles and descriptions?

The CISM encompasses many different skills that can be used in both technical and managerial positions, all the way up to the executive level of an organization. Let’s look at three different job titles and what they entail. It is important to bear in mind that many roles overlap, and this may vary from organization to organization.

Information system security officer

As the ISSO in an organization, your job is multifunctional in many respects. An ISSOs is the primary contact between departments regarding system security issues. ISSOs are in constant communication with the information system owner, the business process owner, the chief information security officer, and the information security manager on all technical and logistical challenges that involve the security of the organization’s information. Some key functions of this position are:

  • Web security and encryption
  • Leadership
  • Strategic planning
  • Computer security
  • ISO 27001
  • Cyber security

Information/privacy risk consultant

This role is highly focused on processes and policies. There are many points of failure within any information security system, and an information and privacy risk consultant’s job is to identify and mitigate these risks. The CISM teaches fundamental risk assessment skills invaluable to an information and privacy risk consultant. Documentation and policy adherence is a large part of what this job requires and the CISM teaches you how to stay in control of these systems. Roles that an information and privacy risk consultant may have to perform include:

  • Information security
  • Risk assessment
  •  Risk analysis and threat assessment
  • Privacy impact assessments
  • Organizational privacy reviews

Information security manager

The information security manager is the key person responsible for the safe keeping of IT infrastructure within a company or enterprise. This includes responsibility for ensuring that all systems are kept safe and secure and that data and security policies are kept up to date and are implemented to the highest standards of compliance. Security threats such as virus attacks, data breaches by hackers and cyber-criminal activities such as phishing and electronic fraud must be protected against. An information security manager is responsible for:

  • Operations management
  • IT risk
  • Penetration testing
  • SAP security
  • Data analysis

CISM job titles based on experience level

CISM jobs vary widely but, generally speaking, they are senior-level or management jobs: see PayScale's info on Certified Information Security Manager (CISM) Jobs by Salary. 

With this said, please note that the CISM credential will help you get jobs across the spectrum of job experience levels based on the value you can bring to an organization. Here is a list of CISM job titles categorized by level of professional experience.

Entry-level positions:

  • Systems analyst
  • Developer
  • Security designer trainee
  • Security systems trainee
  • Security auditor trainee

Earn a $150,040 Salary with an ISACA CISM

Earn a $150,040 Salary with an ISACA CISM

The employment of information systems managers is projected to grow 16% by 2031. Get your ISACA CISM to launch into the field — backed with an Exam Pass Guarantee.

Technical specialists (mid-level technical):

  • Security consultant
  • Business analyst
  • Security product manager
  • Security designer
  • Security systems professional
  • Security auditor
  • Information risk consultant

Technical managers (mid-level managerial):

  • Product manager
  • Program manager
  • Project manager
  • Team leader
  • Account sales manager

Expert level (high-level technical):

  • Principal IT consultant
  • Senior IT systems professional
  • Senior IT development engineer
  • Senior IT architect
  • Senior information security auditor

Manager/director (high-level managerial):

  • Operations consulting
  • Systems development
  • Systems and infrastructure
  • Internal auditing
  • Information and privacy risk consultant

Senior executive level (executive C-level):

  • Chief information officer
  • Chief operating officer
  • Chief technology officer
  • Chief information security officer
  • Chief architecture officer

$150,040 average salary

$150,040 average salary

ISACA CISM is one of the industry's highest-paying cybersecurity certifications for 2023. Take your information security management career to new heights and enroll now to claim your Exam Pass Guarantee!


The benefits of taking and passing the CISM are obvious: better pay, more responsibility and a detailed, fundamental understanding of information security management, as well as how it relates to the successful operation of a company or organization’s information security. Candidates who complete their CISM will be virtually guaranteed better job prospects and will be on their way to climbing up the management structures within the organization.

It is also worth noting that the CISM is globally recognized, so candidates will find that they can work wherever they choose. This creates further opportunities for anyone who wishes to branch out and broaden their horizons in another country.

Want to know more about the CISM certification exam? Visit Infosec’s CISM hub. 


  1. CISM Exam Content Outline, ISACA
  2. ISACA’s Scheduling Guide, ISACA
  3.   Certification Exam Candidate Guide, ISACA
Graeme Messina
Graeme Messina

Graeme is an IT professional with a special interest in computer forensics and computer security. When not building networks and researching the latest developments in network security, he can be found writing technical articles and blog posts at InfoSec Resources and elsewhere.