Information security manager

Information security manager certifications

Greg Belding
March 17, 2020 by
Greg Belding


For many organizations, the role of information security (IS) manager is both pivotal and strategically important. Among their many responsibilities are managing an organization’s security team and assessing current organization technology for possible upgrades and potential vulnerabilities. 

This heightened importance for the organization requires a heightened standard of information security knowledge and skills. Certifications are a great way to verify this expertise, and to this end, most IS managers have at least one certification under their belt. 

ChatGPT: Self-paced technical training

ChatGPT: Self-paced technical training

Take our introductory training to teach you how to securely use ChatGPT to investigate SOC & Incident response issues. Book a meeting with our team to learn more.

This article will detail IS manager certifications and will explore some of the best certifications for this role including the Certified Information Systems Security Professional certification (CISSP), the Certified Information Security Manager (CISM), the Certified Information Systems Security Professional-Information Systems Security Management Professional (CISSP-ISSMP) and the GIAC Security Leadership Certification (GSLC). 


Certified Information Systems Security Professional, or CISSP, is an advanced-level certification hosted by (ISC)2. Its target audience is experienced information security professionals, and organizations seek information security professionals with this certification for the subject matter prowess it verifies. 

This certification covers a vast amount of information that IS managers need to know to excel in this role. To earn CISSP, you are required to pass a certification exam that covers eight domains of knowledge:

  • Security and risk management
  • Security architecture and engineering
  • Asset security
  • Communication and network security
  • Security assessment and testing
  • Security operations
  • Identity and access management (IAM)
  • Software development security

CISSP certification prerequisites

The advanced level of this certification comes with comparatively steep certification prerequisites. CISSP candidates are required to have earned at least five years of cumulative, paid work experience in two or more of CISSP’s certification exam domains of knowledge. 

This seemingly strict standard is softened a bit if you have the right education or prior certification. CISSP candidates with a four-year college degree, or another certification hosted by (ISC)2 from an approved list, will only be required to have four years of work experience. 


Certified Information Security Manager, or CISM, is a management focused certification offered by ISACA. Falling somewhere between intermediate and advanced level in difficulty, this certification is one of the top two most demanded by organizations looking for an IS manager.

This management-focused certification verifies that the certification holder can competently design, oversee, manage and assess information security programs on behalf of organizations. The exam covers four domains of knowledge that are concentrated and packed with more information than meets the eye. These domains of knowledge are:

  • Information security governance
  • Information risk management
  • Information security program development and management
  • Information security incident management

CISM certification prerequisites

Like the other most sought-after certification, CISM has some professional prerequisites that must be satisfied prior to earning the certification. Candidates must have a minimum of five years of experience working in information security, and at least three of those years must be directly in information security management. 

As you can see, this certification is for those currently working in as an IS manager and not for a professional that is looking to use the certification as a springboard to this role. 


The CISSP is one of the top two certifications that organizations demand of an IS manager. It focuses on many facets of security, with management being just one of them. To provide IS managers with a more management-focused certification, the CISSP-Information Systems Security Management Professional concentration certification was released to meet this need.

While not as difficult as CISSP, the ISSMP concentration certification still covers a good amount of material that is pertinent to IS managers on a deeper level than CISSP, which is a daunting challenge in itself! Its certification exam covers six domains of knowledge, which are:

  • Leadership and business management
  • Systems life cycle management
  • Risk management
  • Threat intelligence and incident management
  • Contingency management
  • Law, ethics and security compliance management

CISSP-ISSMP certification prerequisites

CISSP-ISSMP certification candidates need to have previously earned a CISSP certification and it must be in good standing as well as have two years of paid, cumulative full-time work experience within at least one (or more) of CISSP-ISSMP’s six domains of knowledge. As such, this certification is more the icing on the cake of an IS manager’s career and less of the certification that will get their foot into an organization’s door. 


The GIAC®️ Security Leadership Certification, or GSLC, is an intermediate-level certification offered by (as you probably have guessed by now) GIAC. This relatively new certification covers a broad array of the different areas of information security that IS managers and others involved in information security leadership need mastery over for the high level of expertise their roles demand.

GSLC covers a long list of objectives that really touches upon every corner of the diverse, multi-faceted world of information security. These objectives are:

  • Cryptographic applications
  • Cryptography concepts for managers
  • Incident response and business continuity
  • Managing a security operations center
  • Managing application security
  • Managing negotiations and vendors
  • Managing projects
  • Managing security architecture
  • Managing security awareness
  • Managing security policy
  • Managing system security
  • Managing the program structure
  • Network monitoring for managers
  • Network security and privacy
  • Networking concepts for managers
  • Risk management and security frameworks
  • Vulnerability management

GSLC prerequisites

Unlike the other certifications explored in this article, there are no pre-requisites to earning the GSLC certification. Do not let this flexibility fool you — the comprehensiveness of exam objectives demands the knowledge, skills and expertise in information security than only an experienced professional will be able to muster.


Becoming an IS manager is a process that may take an information security professional years to arrive at, and not without long-earned knowledge, skills and expertise that only those who are well-seasoned have. IS managers have a number of solid certifications to choose from and whichever one you choose will go to both verifying your expertise and distinguishing yourself among your peers. 

The interesting thing about IS manager certifications is that most are for those already in the field, with the exception of GSLC, which makes it this author’s pick of a certification for those looking to become an IS manager.

ChatGPT: Self-paced technical training

ChatGPT: Self-paced technical training

Take our introductory training to teach you how to securely use ChatGPT to investigate SOC & Incident response issues. Book a meeting with our team to learn more.



  1. Become a CISSP – Certified Information Systems Security Professional, (ISC)2
  2. Certified information security manager (CISM), TechTarget
  3. CISSP-ISSMP Certification Exam Outline, (ISC)2
  4. GIAC Security Leadership (GSLC), GIAC Certifications 
Greg Belding
Greg Belding

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.