Certified Information Security Manager (CISM)

About CISM

The Certified Information Security Manager (CISM) certification is globally recognized for validating an individual's competency in managing enterprise information security teams. It focuses on governance, risk management, and incident response along with the importance of aligning security programs with business objectives.

The topics included in the CISM Common Body of Knowledge (CBK) ensure its relevancy across all disciplines in the field of information security. Successful candidates are competent in the following four domains:

  • Information Security Governance
  • Information Security Risk Management
  • Information Security Program
  • Information Security Incident Management

For more detailed information, please visit the CISM Exam Content Outline on the ISACA website.

Exam Requirements

Candidates must have a minimum of five years cumulative paid work experience in information security management, with at least three years of experience in three or more of the CISM domains. Substitutions for experience may be available for certain educational and other professional certifications.

A candidate who does not have the required experience to become a CISM may become an Associate of ISACA by successfully passing the CISM examination. The Associate of ISACA will then have five years to earn the required experience. More information about CISM experience requirements and how to account for part-time work and internships can be found at www.isaca.org/certifications/cism.

Accreditation

CISM is in compliance with the stringent requirements of ISO/IEC 17024:2003 standard.

Job Task Analysis (JTA)

ISC2 has an obligation to its membership to maintain the relevancy of the CISM. Conducted at regular intervals, the Job Task Analysis (JTA) is a methodical and critical process of determining the tasks that are performed by security professionals who are engaged in the profession defined by the CISM. The results of the JTA are used to update the examination. This process ensures that candidates are tested on the topic areas relevant to the roles and responsibilities of today's practicing information security professionals focusing on information security management.

Examination Information

Length of exam: 4 hours
Number of items: 150
Item format: Multiple choice
Passing grade: 450 out of 800 points
Exam language availability: English, Spanish, Chinese, and Japanese
Testing center: Pearson VUE Testing Center

Domains

Domain 1: Information Security Governance

A–Enterprise Governance
  • Organizational Culture
  • Legal, Regulatory and Contractual Requirements
  • Organizational Structures, Roles and Responsibilities
B–Information Security Strategy
  • Information Security Strategy Development
  • Information Governance Frameworks and Standards
  • Strategic Planning (e.g., Budgets, Resources, Business Case)

Domain 2: Information Security Risk Management

A–Information Security Risk Assessment
  • Emerging Risk and Threat Landscape
  • Vulnerability and Control Deficiency Analysis
  • Risk Assessment and Analysis
B–Information Security Risk Response
  • Risk Treatment / Risk Response Options
  • Risk and Control Ownership
  • Risk Monitoring and Reporting

Domain 3: Information Security Program

A–Information Security Program Development
  • Information Security Program Resources (e.g., People, Tools, Technologies)
  • Information Asset Identification and Classification
  • Industry Standards and Frameworks for Information Security
  • Information Security Policies, Procedures and Guidelines
  • Information Security Program Metrics
B–Information Security Program Management
  • Information Security Control Design and Selection
  • Information Security Control Implementation and Integrations
  • Information Security Control Testing and Evaluation
  • Information Security Awareness and Training
  • Management of External Services (e.g., Providers, Suppliers, Third Parties, Fourth Parties)
  • Information Security Program Communications and Reporting

Domain 4: Information Security Incident Management

A–Incident Management Readiness
  • Incident Response Plan
  • Business Impact Analysis (BIA)
  • Business Continuity Plan (BCP)
  • Disaster Recovery Plan (DRP)
  • Incident Classification/Categorization
  • Incident Management Training, Testing and Evaluation
B–Incident Management Operations
  • Incident Management Tools and Techniques
  • Incident Investigation and Evaluation
  • Incident Containment Methods
  • Incident Response Communications (e.g., Reporting, Notification, Escalation)
  • Incident Eradication and Recovery
  • Post-Incident Review Practices

Exam Preparation

Preparation for the CISM exam can be intensive. ISACA provides a variety of resources including review manuals, online training, and interactive exam preparation resources. Candidates are encouraged to join study groups and participate in training sessions to enhance their preparation. Engaging in practical exercises and scenario-based questions is crucial for success on the exam. Additionally, using the WannaPractice platform can enhance your preparation with interactive practice questions and scenarios that are specifically tailored to the CISM domains.