To become a Certified Information Security Manager (CISM), an applicant must:

1. Score a passing grade on the CISM exam. A passing score on the CISM exam, without completing the required work experience as outlined below, will only be valid for five years. If the applicant does not meet the CISM certification requirements within the five year period, the passing score will be voided.
   
2. Submit verified evidence of five (5) years of work experience in the field of information security. Three (3) of the five (5) years of work experience must be gained performing the role of an information security manager. In addition, this work experience must be broad and gained in three of the five job practice areas (see reverse side of Verification of Work Experience form). The management portion of this experience must be earned while in an information security management position with responsibility for information security management programs or processes, or while working as an information security management consultant (where the CISM candidate has been actively engaged in the development and/or management of information security programs or processes for the client organization(s). Please note that in most cases work performed while in an IT audit or similar assurance role outside of the information security function cannot be considered as security management experience. Work experience must be gained within the ten-year period preceding the application date for certification or within five years from the date of initially passing the exam.

   Substitutions for work performed in the role of an information security manager are not allowed. However, a maximum of two (2) years for general work experience in the field of information security may be substituted as follows:
   • Two years of general work experience may be substituted for currently holding one of the following broad security-related certifications or a post-graduate degree:
       – Certified Information Systems Auditor (CISA) in good standing or
       – Certified Information Systems Security Professional (CISSP) in good standing or
       – Post-graduate degree in information security or a related field (for example: business administration, information systems, information assurance)
   
   OR
   • A maximum of one year of general information security work experience may be substituted for one of the following:
       – One full year of information systems management experience or
       – One full year of general security management experience
       – Currently holding a skill-based or general security certification [(e.g., SANS Global Information Assurance Certification (GIAC), Microsoft Certified Systems Engineer (MCSE), CompTIA Security+ _CE, Disaster Recovery Institute Certified Business Continuity Professional (CBCP), ESL IT Security Manager].
   
   For example, an applicant holding either a CISA or CISSP will qualify for two years of general information security experience substitution. However, the applicant also must possess a minimum of three years information security management work experience in three of the five job practice areas.
   
       – Completion of an information security management program at an institution aligned with the Model Curriculum.
   Exception: Two years as a full-time university instructor teaching the management of information security can be substituted for every one year of information security management experience.

3. Agree to abide by the ISACA Code of Professional Ethics.
4. Agree to abide by the CISM Continuing Education Policy which can be viewed at www.isaca.org/cismcpepolicy.

Application Form Instructions

1. Section A—Information Security Management Experience

For each employer (starting with the most current), enter the following information:

• Name of employer where information security management services were performed
• Job title held where information security management experience is claimed. If multiple positions were held use one line for each title.
• Date range (month and year) in which information security management services were performed.
• Number of years and months, by employer and in total, performing information security management services.

Section B—General Information Security Experience

For each employer (starting with the most current), enter information pertaining to experience gained performing general information security services. Experience claimed in Section A cannot also be claimed as general information security experience.

• Name of employer where general information security services were performed (can be same employer as above)
• Position title held where general information security experience is claimed.
• Date range (month and year) in which general information security services were performed
• Number of years and months, by employer and in total, performing general information security services.

Section C—Substitution for General Information Security Experience

Two-year substitution—Enter information pertaining to broad security-related certification or graduate degrees earned.

• Certifications held in good standing (include copy of certification or letter indicating good standing).
• Post-graduate degree in information security or related field (for example: business administration, information systems, information assurance) including the name of the institution where earned, the degree title, the date the degree was awarded, and an explanation of the relevancy of this degree to information security management. (An original or copy of a transcript or letter confirming degree status must accompany your application. To reduce processing time, please do not send the transcript separately.)

One-year substitution—Enter information pertaining to information systems management experience, security management, or skill-based security-related certifications earned, or information related to completion of a security management program at an institution aligned with the Model Curriculum.

• Information systems management services
  • Name of employer and job title where information systems (non-security) management services were performed
  • Date (month and year) in which information systems management services were performed
• Security Management Experience Gained Outside of Information Security
• Enter information pertaining to experience gained performing security management activities including physical security, personnel security, risk management, investigations management etc.
• Name of employer and job title where other security management services were performed
• Dates during which security management services were performed.
• Description of security management services performed.
• Skill-based security certification—Enter the certification name and issuing organization (include copy of certification or letter indicating good standing).

Section D—Summary of Work Experience

Record the total number of years and months from sections A, B and C in the appropriate box. The total in box A must be three (3) or more. The total in box C can be no greater than two (2) years, which is the maximum allowable general information security experience substitution allowed. Then add boxes A, B, and C and record the total number of years and months in the box following the line titled "Total Work Experience." This total must be equal to or greater than five (5) years to qualify for CISM certification.

The management portion of this experience must be earned while in an information security management position with responsibility for information security management programs or processes, or while working as an information security management consultant (where the CISM candidate has been actively engaged in the development and/or management of information security programs or processes for the client organization(s). Please note that in most cases work performed while in an IT audit or similar assurance role outside of the information security function cannot be considered as security management experience.

Section E—Individuals Verifying Work Experience Details

Please record here the names and contact information of the individual(s) that will verify your work experience in sections A and B.

2. Complete the top portion on the Verification of Work Experience form (pages V-1 and V-2) and check the boxes on page V-2 that indicate the tasks you performed that are being verified by each verifier. Give the forms to each person(s) verifying your work experience; and a copy of your completed application. This person should be your immediate supervisor or a person of higher rank within the organization. The individual verifying the work experience must be an independent verifier and not of any relation to the applicant nor can the verifier verify his/her own work. If one person cannot verify all required experience for you to become a CISM, previous employers must be asked to complete this form. Two copies of the form are included. If additional copies are required, photocopy the forms. All Verification of Work Experience forms, pages V-1 and V-2, must be signed by your verifier and submitted along with your application. To reduce processing time, please send the completed verification forms with your application.

3. In order for your application to be efficiently processed, please collect all supporting documentation (verification of work experience form(s) and any applicable university transcript or letter) and submit your completed Application for CISM Certification via fax, e-mail or mail to:

Certification Coordinator
ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, Il
60008-3124 USA

E-mail: certification@isaca.org
Tel: +1.847.253.1545
Fax: +1.847.253.1443

Please allow approximately eight weeks for the processing of your completed Application for CISM Certification. Upon approval, you will receive a certificate package via mail containing a letter of certification and your CISM certificate.

Hide Instructions

I have read and understand the above referenced Ethics statements and will adhere to them.

Application for CISM Certification

Page A-1

Application Form

Applicant Information

First Name Middle Name/Initial Last/Family Exam ID

Maiden Name or Former Name:
Preferred Mailing Address: Home Business
Home Address	State / Province
Street Address Line 2	Postal/Zip Code
City	Country
Applicant Home Telephone	Applicant Email Address
Present Employer Information
Job Title	Business Name
Business Street Address	State / Province
Street Address Line 2	Postal/Zip Code
City	Country
Business Telephone	Business Fax
Business Email Address
Immediate Supervisor Name:	Supervisor Title
I hereby apply to ISACA for issuance to me of certification, as a Certified Information Security Manager (CISM) in accordance with and subject to the procedures and regulations of ISACA. I have read and agree to the conditions set forth in the Application for CISM Certification and CISM Continuing Education Policy in effect at the time of my application, covering the certification process; and Continuing Education policies. I agree to denial of certification and to forfeiture and redelivery of any certificate or other credential granted me by ISACA in the event that any of the statements or answers made by me in this application are false or in the event that I violate any of the rules or regulations governing such exam. I understand that all certificates are owned by ISACA and if my certificate is granted and then revoked, I will destroy the certificate. I authorize ISACA to make whatever inquiries and investigations it deems necessary to verify my credentials and my professional standing. If you become a Certified Information Systems Auditor, your certification status will become public, and may be disclosed by ISACA to third parties who inquire. If my application is not approved, I understand that I am able to appeal the decision by contacting certification@isaca.org. By signing below, you authorize ISACA to disclose your certification status. The contact information will be used to fulfill your request, and may also be used by ISACA to send you information about related ISACA goods and services, and other information in which we believe you may be interested. By signing below, you authorize ISACA to contact you at the address and numbers you have provided, including to provide you with marketing and promotional communications. You further represent that the information you provided is yours and is accurate. To learn more about how we use the information you have provided on this form, please read our Privacy Policy, available at www.isaca.org. If you are already an ISACA member, and/or if you elect to attend one of our events or purchase other ISACA programs or services, information you submit may also be used as described to you at that time. I hereby agree to hold ISACA, its officers, directors, examiners, employees, and agents, harmless from any complaint, claim, or damage arising out of any action or omission by any of them in connection with this application; the application process; the failure to issue me any certificate; or any demand for forfeiture or redelivery of such certificate. I understand that the decision as to whether I qualify for certification rests solely and exclusively with ISACA and that the decision of ISACA is final. I have read and understand these statements and I intend to be legally bound by them.
Name: Date:   Signature:

Application for CISM Certification

Page A-2

Applicant Name:

Exam ID:

Information Security Experience
A. Information Security Management Experience—For each employer (starting with the most current), enter information pertaining to the positions where you have been responsible for performing information security management activities.
		Dates of employment in IS Audit, Control or Security			Duration of experience
		MM/YY	to	MM/YY	Years	Months
Employer Name	Job Title		to
Employer Name	Job Title		to
Employer Name	Job Title		to
Total years information security management experience (must be 3 or more)				Total:

B. General Information Security Experience—For each employer (starting with the most current), enter information pertaining to the positions where you have been responsible for performing general information security services. Experience claimed in Section A cannot be repeated for general experience.
		Dates of Employment in General Information Security			Duration of experience
		MM/YY	to	MM/YY	Years	Months
Employer Name	Job Title		to
Employer Name	Job Title		to
Employer Name	Job Title		to
Total years general information security experience.				Total:

C. Substitutions for General Information Security Experience
Two-Year Substitution
Current CISA in good standing? Yes No    Current CISSP in good standing? Yes No (Attach a copy of CISSP certificate of certification)
Post-graduate degree? Yes No (If Yes, send an original or copy of the transcript or letter confirming degree status to ISACA with your application.)
Institution Name	Degree name
Date awarded	Relevancy of degree to Information Security management:
One-Year Substitution:
Information systems management experience? Yes No    Years: Months: (Must be a minimum of one year to qualify.)
Job Title	Employer
Begin Date     Left Position on (Date)	Experience gained in areas of traditional security management including physical security, personnel security, investigations management etc.
Employer	Job Title
Begin Date	Left Position on (Date):
Describe areas of security management experience:
Skill-based or general security certification? Yes No (Attach a copy of certificate of certification.)

D. Summary of Work Experience—Record the total number of years from sections A, B and C in the appropriate box. The total in box A must be three (3) or more. The total in box C can be no greater than two (2) years, which is the maximum allowable general information security experience substitution allowed.
		Years	Months
A—Total years of information security management experience (Must be 3 or more)	A
B—Total years of general information security experience	B
C—Total number of years being substituted (Must be 2 or less)	C
Total Work Experience – Total Years of Boxes A, B and C (Must be 5 or more)	Total

E. Individuals Verifying Work Experience Details—Please record here the names and contact information of the individual(s) that will verify your work experience in sections A and B above.
1.	Name		Title
	Company		Tel. No.		E-mail
2.	Name		Title
	Company		Tel. No.		E-mail
3.	Name		Title
	Company		Tel. No.		E-mail

Application for CISM Certification

Page V-1

Applicant Name:

Exam ID:

Verification of Work Experience(page 1 of 2)

I, , am applying for certification through ISACA as a Certified Information Security Manager (CISM). As such, my information security work experience must be independently verified by my current and/or previous employer(s). The individual verifying the work experience must be an independent verifier and not of any relation to the applicant nor can the verifier verify his/her own work. If I currently or once worked as an independent consultant, I can use a knowledgeable client or an individual certified as a CISM to perform this role. I would appreciate your cooperation in completing this form, by verifying my information security work experience as noted on my application form attached and as described by CISM job practice area and task statements (see page V-2). Please return the complete form to me for my submission to ISACA. If you have any questions concerning this form, please direct them to certification@isaca.org or +1.847.660.5660. Thank you. DateApplicant's Signature

Employer's Verification Information
Verifier's Name	Company Name
Job Title
Street Address	State / Province
Street Address Line 2	Postal/Zip Code
City	Country
Verifier's Telephone Number	Verifier's Email Address
Name of company relating to candidate's employment from page A-2

1.	I have functioned in a supervisory or other related position to the applicant and can verify his/her:
	• information security management work experience (see Section A of Application)	Yes No N/A
	• general information security work experience (see Section B of Application)	Yes No N/A
2.	I can attest to the duration of the applicant's:
	• information security management work experience (see Section A of Application) with my organization. If no, I attest to years.	Yes No N/A
	• general information security work experience (see Section B of Application) with my organization. If no, I attest to years.	Yes No N/A
3.	I am qualified and willing to verify the applicant's:
	• information security management work experience (see Section A of Application) prior to his/her affiliation with my organization.	Yes No N/A
	• general information security work experience (see Section B of Application) prior to his/her affiliation with my organization.	Yes No N/A
4.	If verifying information security management experience:
	• I can attest that the tasks performed by the applicant with my organization, as listed on page V-2, is correct to the best of my knowledge. If no, what is incorrect?	Yes No
	• I can attest to the fact that, according to the CISM job practice areas and task statements, the applicant has worked in, and is competent in, performing tasks in these areas and have signed where indicated on page V-2 of this form.	Yes No
5.	Is there any reason you believe this applicant should not be certified as an information security manager?	Yes No
DateVerifier's Signature

Application for CISM Certification

Page V-2

Applicant Name:	Exam ID:
Verifier Name:

Applicant required to indicate with an (x) in each box the task they performed to be confirmed by the verifier.
Information Security Governance Tasks—Establish and maintain a framework to provide assurance that information security strategies are aligned with the business objectives and consistent with applicable laws and regulations.
	Develop an information security strategy aligned with business goals and objectives.
	Align information security strategy with corporate governance.
	Develop business cases justifying investment in information security.
	Identify current and potential legal and regulatory requirements affecting information security.
	Identify drivers affecting the organization (e.g., technology, business environment, risk tolerance, geographic location) and their impact on information security.
	Obtain senior management commitment to information security.
	Define roles and responsibilities for information security throughout the organization.
	Establish internal and external reporting and communication channels that support information security.
Information Risk Management Tasks—Identify and manage information security risks to achieve business objectives.
	Establish a process for information asset classification and ownership.
	Implement a systematic and structured information risk assessment process.
	Ensure that business impact assessments are conducted periodically.
	Ensure that threat and vulnerability evaluations are performed on an ongoing basis.
	Identify and periodically evaluate information security controls and countermeasures to mitigate risk to acceptable levels.
	Integrate risk, threat and vulnerability identification and management into lifecycle processes (e.g., development, procurement, and employment lifecycles).
	Report significant changes in information risk to appropriate levels of management for acceptance on both a periodic and event-driven basis.
Information Security Program Development Tasks—Create and maintain a program to implement the information security strategy.
	Develop and maintain plans to implement the information security strategy.
	Specify the activities to be performed within the information security program.
	Ensure alignment between the information security program and other assurance functions (e.g., physical, HR, quality, IT).
	Identify internal and external resources (e.g., finances, people, equipment, systems) required to execute the information security program.
	Ensure the development of information security architectures (e.g., people, processes, technology).
	Establish, communicate, and maintain information security policies that support the security strategy.
	Design and develop a program for information security awareness, training, and education.
	Ensure the development, communication, and maintenance of standards, procedures, and other documentation (e.g., guidelines, baselines, codes of conduct) that support information security policies.
	Integrate information security requirements into the organization’s processes (e.g., change control, mergers and acquisitions) and life cycle activities (e.g., development, employment, procurement).
	Develop a process to integrate information security controls into contracts (e.g., with joint ventures, outsourced providers, business partners, customers, third parties).
	Establish metrics to evaluate the effectiveness of the information security program.
Information Security Program Management Tasks—Oversee and direct information security activities to execute the information security program.
	Manage internal and external resources (e.g., finances, people, equipment, systems) required to execute the information security program.
	Ensure that processes and procedures are performed in compliance with the organization’s information security policies and standards.
	Ensure that the information security controls agreed to in contracts (e.g., with joint ventures, outsourced providers, business partners, customers, third parties) are performed.
	Ensure that information security is an integral part of the systems development process.
	Ensure that information security is maintained throughout the organization’s processes (e.g., change control, mergers and acquisitions) and life cycle activities (e.g., development, employment, procurement).
	Provide information security advice and guidance (e.g., risk analysis, control selection) to the organization.
	Provide information security awareness, training and education to stakeholders (e.g., business process owners, users, information technology).
	Monitor, measure, test, and report on the effectiveness and efficiency of information security controls and compliance with information security policies.
	Ensure that noncompliance issues and other variances are resolved in a timely manner.
Incident Management and Response Tasks—Plan, develop, and manage a capability to detect, respond to, and recover from information security incidents.
	Develop and implement processes for detecting, identifying, analyzing, and responding to information security incidents.
	Establish escalation and communication processes and lines of authority.
	Develop plans to respond to and document information security incidents.
	Establish the capability to investigate information security incidents (e.g., forensics, evidence collection and preservation, log analysis, interviewing).
	Develop a process to communicate with internal parties and external organizations (e.g., media, law enforcement, customers).
	Integrate information security incident response plans with the organization’s Disaster Recovery (DR) and Business Continuity Plan (BCP).
	Organize, train, and equip teams to respond to information security incidents.
	Periodically test and refine information security incident response plans.
	Manage the response to information security incidents.
	Conduct reviews to identify causes of information security incidents, develop corrective actions, and reassess risk.
DateVerifier's Signature

Clicking the Print button below does not submit your information. Please sign the completed application and either email, fax or postal mail your application to: ISACA 3701 N. Algonquin Rd. Suite 1010 Rolling Meadows, IL, USA 60008 Fax: 847.253.1443 Email: certification@isaca.org