CISM is a certification issued by ISACA.
The purpose of this post is to explain the procedure for a candidate to get CISM certification, and related requirements.
It is important to know two things about CISM Certification:
- CISM Certification is not obtained just by passing an exam; other requirements, as proving a minimum related work experience, are required
- CISM Certification has a limited validity; nevertheless, there are ways to extend it
This post takes into account the conditions that applied on July 2020, and is not expected to be updated; in any case, it will still serve as a guide if conditions are similar. Please check the official website for updates.
Frequently Asked Questions
What are the requirements to get CISM certification?
CISM, unlike other certifications, is not obtained just by passing an exam; you also need to meet some requirements. You may get passing score on CISM exam, but not CISM certitification itself.
Candidates need to meet these requirements to get CISM certification:
- Getting a passing score on CISM exam (in the 5 years before submitting application)
- Submitting required work experience
- Paying CISM Application Processing fees
- Comply with Terms & Conditions (including Code of Professional Ethics, Continuing Professional Education (CPE) policy, IS auditing standards)
Some of these requirements are explained in deeper detail below.
How do I prepare CISM exam?
Check this post about how to prepare CISM exam.
What is the work experience required to get CISM certification?
The applicant needs to demonstrate at least 5 years of experience in the field of information security. 3 of the 5 years of work experience must be in the role of managing information security. This experience must be within the 10-year period preceding the application.
Work experience must cover at least 3 of the 4 CISM Job Practices. They correspond to each chapter of CISM Review Manual.
CISM Job Practices as of 2020 are:
- Information Security Governance
- Information Risk Management
- Information Security Program Development and Management
- Information Security Incident Management
Substitutions and waivers may be obtained for a maximum of 2-years as follows:
Two Years:
- Certified Information Systems Auditor (CISA) in good standing
- Certified Information Systems Security Professional (CISSP) in good standing
- Post-graduate degree in information security or a related field (e.g., business administration, information systems, information assurance)
One Year:
- One full year of information systems management experience
- One full year of general security management experience
- Skill-based security certifications (e.g., SANS Global Information Assurance Certification (GIAC), Microsoft Certified Systems Engineer (MCSE), CompTIA Security +, Disaster Recovery Institute Certified Business Continuity Professional (CBCP), ESL IT Security Manager)
How do I demonstrate the required experience?
Documentation to submit:
- CISM Application form including experience or substitution/wavers details, filled and signed by the candidate.
- One CISM Experience Verification form for each experience, filled and signed by a verifier (i.e., supervisor, manager, colleague or client).
- Copy of degree or letter from university/collegue, or CIMA or ACCA certificate, if any of them applies.
Application templates are available to download in the “Get CISM certified” page of ISACA’s web, at the bottom of the page. You can fill it online using a PDF Viewer like Adobe Reader.
Data you need to enter:
- Applicant Details. Basic identification data (name, ISACA ID, contact details)
- Step 1. Pass Exam. Year when exam has been passed.
- Step 2. Report Work Experience.
- Section A. CISM Job Practice Work Experience. Up to 4 experiences must be entered, including employee and date range. You must detail to which of the CISM Job Practice each experience corresponds; it must be linked to one at least.
- Section B: General Work Experience Wavers. Experience on general IS or audit work.
- Section C: Education Experience Wavers. Studies that can be used as waivers..
- Section D: Experience total. Sum of total years of experience.
Some of the documents need to be signed, so you may consider printing it in order to sign it..
If you have any printed document, you need to scan it as application is submitted online. Use common file formats (jpg, png, pdf).
How much cost to get CISM certification?
The quick answer is: US$1,000. (approx.). And this is assuming that you pass the exam the first time and preparation material does not get outdated.
Preparation material and exams prices are lower if you are an ISACA member.
Total costs when you are an ISACA member:
Professional Membership fee (annual): US$135.00
CISM Review Manual: US$109.00
CISM Review Questions, Answers & Explanations Manual: US$129.00
Exam fee: US$575.00
Application Processing Fee: $50
TOTAL: US$998.00
Total costs when you are not an ISACA member:
CISM Review Manual: US$139.00
CISM Review Questions, Answers & Explanations Manual: US$159.00
Exam fee: US$760.00
Application Processing Fee: US$50
TOTAL: US$1108.00
As a conclusion, if you get to complete the exam on the first year, it is worth to become an ISACA member just from an economic point of view. In any case, there are additional benefits of being an ISACA member.
Take into account that maintaining the certification imply further costs. This ISACA post details much of the related costs.
How do I pay CISM Application Processing fees?
You can buy CISM Application Processing Fees as an item that can be added to basket in this link.
Consider getting a receipt to attach it to application as a payment method.
How do I apply for CISM certification?
Use the form in this external link with these parameters:
- Topic: Certifications & Certificate Programs
- Category: Submit an application
- Certification Type: CISM
You can attach multiple files. The attach files must contain, at least:
- CISM Application form
- One CISM Experience Verification form for each experience
- Copy of degree or letter from university/collegue, or CIMA or ACCA certificate, if any of them applies.
- Receipt of payment of CISM Application Processing Fees
How long does it take to get certification after application?
After receiving the application, a confirmation notification is sent via e-mail after 2-3 weeks. In my case, it took almost 5 weeks.
The subsequent certification packet (including CISM certificate and pin) is sent via postal mail after 4-8 weeks. In my case, it took 5 weeks after confirmation notification.
What happens if I fail the exam?
You can retake it after waiting some days. You can do the exam up to 4 times per year. Read this post about retakes.
I have not read anything of reduced exam fees for retaking the exam, so exam fees will probably cost the same.
What is the validaty of CISM Certification?
Continuing Professional Education (CPE) policy determines that certain CPE hours must be completed and reported in a periodical basis to keep CISM Certification
CISA Certification is revoked if:
- CPE’s are not completed or reported annually
- Standards or codes are not followed.
- Membership fee is not paid
Requirements regarding CPE hours:
- Earn and report an annual minimum of twenty (20) CPE hours. These hours must be appropriate to the currency or advancement of the CISM’s knowledge or ability to perform CISM-related tasks. The use of these hours towards meeting the CPE requirements for multiple ISACA certifications is permissible when the professional activity is applicable to satisfying the job-related knowledge of each certification.
- Earn and report a minimum of one hundred and twenty (120) CPE hours for a three-year reporting cycle period.
How do I maintain CISM Certification? How much does it cost?
Getting a certification and maintaining it are topics completely different.
Please check this post about how to maintain CISA Certification, that applies also to CISM.
[…] How to get CISM Certification […]