CISM Certification Requirements - FAQ
1. What do I need to do if I've received a revocation notice?
2. How can I earn CPE credits online?
3. What do I need to do if I've received an audit notice for my CPE hours?
4. Where can I find the CISM application for certification?
5. What are the qualifications to earn the CISM credential?
6. What does the CISM continuing professional education policy require?
7. Why does ISACA offer an information security certification?
8. Who is eligible to become CISM certified and what makes CISM unique?
9. Will CISAs qualify for CISM?
10. Will CISSPs and other security credential holders qualify for CISM?
11. How is CISM different from the other security certifications?
12. How is CISM different from the Certified Information Systems Security Professional (CISSP)?
1. What do I need to do if I've received a revocation notice?

If you have received a revocation notice, please contact certification@isaca.org.
2. How can I earn CPE credits online?

ISACA members can earn CPE hours by taking an Information Systems Control Journal CPE Quiz online. One CPE hour is awarded per quiz. ISACA members may also earn CPEs online by participating in e-symposia. The e-symposia are offered live each month or may be accessed on demand via the archives. For more information, please go to http://www.isaca.org/webcasts. In order to claim the CPE hours (generally 3 hours per e-symposium), a passing score must be earned on the quiz.
4. I've submitted the documentation for the audit of my CPE hours. When will I receive a confirmation?

If any additional information is required or there are questions regarding your documentation, we will contact you directly. Once your documentation has been reviewed and approved, a notice will be sent to you.
5. Where can I find the CISM application for certification?

CISM applications are located at http://www.isaca.org/CISMapp.
6. What are the qualifications to earn the CISM credential?

Qualifying for CISM requires a combination of four "e's": experience, ethics, education and exam. Specifically, the requirements are:

- Earn a passing score on the CISM exam
- Adhere to the ISACA Code of Professional Ethics
- Commit to abide by the Continuing Professional Education Policy
- Submit verified evidence of a minimum of five years of information security work experience, with a minimum of three years of information security management work experience in three or more of the job practice areas. Waivers for general information security work experience are available if certain education or certification requirements are met.
7. What does the CISM continuing professional education policy require?

In order to become and remain a CISM, an individual must agree to comply with the CISM continuing professional education policy. This policy requires an individual to earn a minimum of twenty (20) continuing professional education hours annually and one hundred and twenty (120) continuing professional education hours for every three-year cycle. In addition, an annual maintenance fee of US $40 for ISACA members and US $75 for nonmembers is required.
8. Why does ISACA offer an information security certification?

ISACA's name reflects its obligation to offer products, services and benefits not only to the information systems audit profession, but to those who play a vital role in information systems control as well. More than 20 years ago ISACA pioneered the Certified Information Systems Auditor (CISA) credential and has developed and offered training programs to information systems auditors, information security practitioners and those involved in information technology governance.

Most recognized in the industry are a series of ISACA conferences known as CACS (computer audit, control and security). These programs are held each year worldwide and meet the educational needs of a wide variety of information systems professionals.

In recent years, ISACA has undertaken other information security and IT control activities: increased focus on security in the Information Systems Control Journal, creation of the IT Governance Institute, and development of research of particular interest and benefit to security management professionals. The maturity of ISACA membership and CISAs, and their request for an information security credential that goes beyond the practitioner level, has led ISACA to the development of the CISM credential.
9. Who is eligible to become CISM certified and what makes CISM unique?

CISM is unique in the information security credential marketplace because it is designed specifically and exclusively for individuals who have experience managing an information security program. Experience requirements and the CISM exam are based on the experience required to competently perform the duties and responsibilities of an information security manager. These requirements and the tasks and knowledge that are tested were developed by information security leaders and later validated by subject matter experts and information security managers. The requirements are designed to measure an individual's management experience in information security situations, not general practitioner skills.
10. Will CISAs qualify for CISM?

The CISM certification program recognizes the achievement of the CISA credential as a baseline representation that an individual has gained general information security skill and knowledge. As such, CISAs receive a two-year general information security waiver. However, CISAs will not be eligible to earn a CISM unless they have the required experience and can demonstrate proficiency and practical knowledge in the role of an information security manager.
11. Will CISSPs and other security credential holders qualify for CISM?

The CISM certification program recognizes the achievement of the CISSP credential as a baseline representation that an individual has gained general information security skill and knowledge, just as it does with individuals who have earned a CISA. As such, CISSPs receive a two-year general information security experience waiver. However, CISSPs will not be eligible to earn a CISM unless they have the required experience and can demonstrate proficiency and practical knowledge in the role of an information security manager. Holders of other, more specialized credentials, such as the SANS Global Information Assurance Certification (GIAC), Microsoft Certified Systems Engineer (MCSE), CompTIA Security+ credential and the Disaster Recovery Institute Certified Business Continuity Professional (CBCP), also can receive a one-year general information security experience waiver.
12. How is CISM different from the other security certifications?

CISM differs from the many other security certifications by virtue of its experience requirements and focus on the job performed by an information security manager. Other security certifications are characterized by a focus on technical skills or platform- or product-specific knowledge, or they are aimed at the practitioner in the earlier years of their career. Only CISM targets the information security manager: the individual who has progressed beyond the practitioner focus, whose emphasis is no longer technical or specialist skills, and who has moved on to the management of an enterprise's information security program. CISM is for the individual who must manage and oversee the enterprise's information security effort, including the practitioners, many of whom may hold other certifications the field offers. The focus on management that makes CISM unique is demonstrated in its experience requirement, which calls for a minimum of three years in information security management, and in its exam focus, which is based on the practices performed by information security managers.
13. How is CISM different from the Certified Information Systems Security Professional (CISSP)?

Although there are many differences between the CISSP common body of knowledge and the CISM job practice areas, the most obvious difference is in the experience requirements. Only CISM requires information security management experience in addition to general information security experience. CISSP has no such management requirement. Earning the CISSP and/or the CISA credential is complementary to the attainment of the CISM credential and is encouraged.