
Application for CISM Certification

Requirements to Become a Certified Information Security Manager

Instructions for Completing the Application

CISM Certification—Code of Professional Ethics

I have read and understand the above-referenced Ethics statements and will adhere to them.


Page A-1

Application Form

Applicant Information

First Name: __________ Middle Name/Initial: __________ Last/Family Name: __________ Exam ID: __________
Maiden Name or Former Name: __________
Preferred Mailing Address: Home / Business
Home Address: __________ State / Province: __________
Street Address Line 2: __________ Postal/Zip Code: __________
City: __________ Country: __________
Applicant Home Telephone: __________ Applicant Email Address: __________

Present Employer Information

Job Title: __________ Business Name: __________
Business Street Address: __________ State / Province: __________
Street Address Line 2: __________ Postal/Zip Code: __________
City: __________ Country: __________
Business Telephone: __________ Business Fax: __________
Business Email Address: __________
Immediate Supervisor Name: __________ Supervisor Title: __________

I hereby apply to ISACA for issuance to me of certification, as a Certified Information Security Manager (CISM) in accordance with and subject to the procedures and regulations of ISACA. I have read and agree to the conditions set forth in the Application for CISM Certification and CISM Continuing Education Policy in effect at the time of my application, covering the certification process; and Continuing Education policies. I agree to denial of certification and to forfeiture and redelivery of any certificate or other credential granted me by ISACA in the event that any of the statements or answers made by me in this application are false or in the event that I violate any of the rules or regulations governing such exam. I understand that all certificates are owned by ISACA and if my certificate is granted and then revoked, I will destroy the certificate.

I authorize ISACA to make whatever inquiries and investigations it deems necessary to verify my credentials and my professional standing. If you become a Certified Information Systems Auditor, your certification status will become public, and may be disclosed by ISACA to third parties who inquire. If my application is not approved, I understand that I am able to appeal the decision by contacting certification@isaca.org. By signing below, you authorize ISACA to disclose your certification status. The contact information will be used to fulfill your request, and may also be used by ISACA to send you information about related ISACA goods and services, and other information in which we believe you may be interested. By signing below, you authorize ISACA to contact you at the address and numbers you have provided, including to provide you with marketing and promotional communications. You further represent that the information you provided is yours and is accurate. To learn more about how we use the information you have provided on this form, please read our Privacy Policy, available at www.isaca.org. If you are already an ISACA member, and/or if you elect to attend one of our events or purchase other ISACA programs or services, information you submit may also be used as described to you at that time.

I hereby agree to hold ISACA, its officers, directors, examiners, employees, and agents, harmless from any complaint, claim, or damage arising out of any action or omission by any of them in connection with this application; the application process; the failure to issue me any certificate; or any demand for forfeiture or redelivery of such certificate.

I understand that the decision as to whether I qualify for certification rests solely and exclusively with ISACA and that the decision of ISACA is final. I have read and understand these statements and I intend to be legally bound by them.
Name: __________________________ Date: __________

Signature: __________________________

Page A-2
Applicant Name: Exam ID:

Information Security Experience

A. Information Security Management Experience—For each employer (starting with the most current), enter information pertaining to the positions where you have been responsible for performing information security management activities.

Employer Name | Job Title | Dates of employment in IS Audit, Control or Security (MM/YY to MM/YY) | Duration of experience (Years / Months)
__________ | __________ | __/__ to __/__ | ____ / ____
__________ | __________ | __/__ to __/__ | ____ / ____
__________ | __________ | __/__ to __/__ | ____ / ____
Total years of information security management experience (must be 3 or more): ____ years ____ months

B. General Information Security Experience—For each employer (starting with the most current), enter information pertaining to the positions where you have been responsible for performing general information security services. Experience claimed in Section A cannot be repeated for general experience.

Employer Name | Job Title | Dates of Employment in General Information Security (MM/YY to MM/YY) | Duration of experience (Years / Months)
__________ | __________ | __/__ to __/__ | ____ / ____
__________ | __________ | __/__ to __/__ | ____ / ____
__________ | __________ | __/__ to __/__ | ____ / ____
Total years of general information security experience: ____ years ____ months

C. Substitutions for General Information Security Experience

Two-Year Substitution
Current CISA in good standing? Yes / No
Current CISSP in good standing? Yes / No (Attach a copy of CISSP certificate of certification.)
Post-graduate degree? Yes / No (If Yes, send an original or copy of the transcript or letter confirming degree status to ISACA with your application.)
  Institution Name: __________ Degree name: __________
  Date awarded: __________ Relevancy of degree to information security management: __________

One-Year Substitution
Information systems management experience? Yes / No  Years: ____ Months: ____ (Must be a minimum of one year to qualify.)
  Job Title: __________ Employer: __________
  Begin Date: __________ Left Position on (Date): __________
Experience gained in areas of traditional security management, including physical security, personnel security, investigations management, etc.
  Employer: __________ Job Title: __________
  Begin Date: __________ Left Position on (Date): __________
  Describe areas of security management experience: __________
Skill-based or general security certification? Yes / No (Attach a copy of certificate of certification.)

D. Summary of Work Experience

Record the total number of years from sections A, B and C in the appropriate box. The total in box A must be three (3) or more. The total in box C can be no greater than two (2) years, which is the maximum allowable substitution for general information security experience.

Box | Description | Years | Months
A | Total years of information security management experience (must be 3 or more) | ____ | ____
B | Total years of general information security experience | ____ | ____
C | Total number of years being substituted (must be 2 or less) | ____ | ____
Total | Total work experience: total years of boxes A, B and C (must be 5 or more) | ____ | ____

E. Individuals Verifying Work Experience Details

Please record here the names and contact information of the individual(s) who will verify your work experience in sections A and B above.

1. Name: __________ Title: __________
   Company: __________ Tel. No.: __________ E-mail: __________
2. Name: __________ Title: __________
   Company: __________ Tel. No.: __________ E-mail: __________
3. Name: __________ Title: __________
   Company: __________ Tel. No.: __________ E-mail: __________


Page V-1
Applicant Name: Exam ID:

Verification of Work Experience (page 1 of 2)

I, __________, am applying for certification through ISACA as a Certified Information Security Manager (CISM). As such, my information security work experience must be independently verified by my current and/or previous employer(s). The individual verifying the work experience must be an independent verifier and not of any relation to the applicant, nor can the applicant verify his/her own work. If I currently or once worked as an independent consultant, I can use a knowledgeable client or an individual certified as a CISM to perform this role.

I would appreciate your cooperation in completing this form by verifying my information security work experience as noted on my attached application form and as described by the CISM job practice areas and task statements (see page V-2). Please return the completed form to me for my submission to ISACA. If you have any questions concerning this form, please direct them to certification@isaca.org or +1.847.660.5660. Thank you.

Date: __________ Applicant's Signature: __________________________

Employer's Verification Information

Verifier's Name: __________ Company Name: __________
Job Title: __________
Street Address: __________ State / Province: __________
Street Address Line 2: __________ Postal/Zip Code: __________
City: __________ Country: __________
Verifier's Telephone Number: __________ Verifier's Email Address: __________
Name of company relating to candidate's employment from page A-2: __________

1. I have functioned in a supervisory or other related position to the applicant and can verify his/her:
   • information security management work experience (see Section A of Application): Yes / No / N/A
   • general information security work experience (see Section B of Application): Yes / No / N/A
2. I can attest to the duration of the applicant's:
   • information security management work experience (see Section A of Application) with my organization: Yes / No / N/A. If no, I attest to ____ years.
   • general information security work experience (see Section B of Application) with my organization: Yes / No / N/A. If no, I attest to ____ years.
3. I am qualified and willing to verify the applicant's:
   • information security management work experience (see Section A of Application) prior to his/her affiliation with my organization: Yes / No / N/A
   • general information security work experience (see Section B of Application) prior to his/her affiliation with my organization: Yes / No / N/A
4. If verifying information security management experience:
   • I can attest that the tasks performed by the applicant with my organization, as listed on page V-2, are correct to the best of my knowledge: Yes / No. If no, what is incorrect? __________
   • I can attest to the fact that, according to the CISM job practice areas and task statements, the applicant has worked in, and is competent in, performing tasks in these areas, and I have signed where indicated on page V-2 of this form: Yes / No
5. Is there any reason you believe this applicant should not be certified as an information security manager? Yes / No

Date: __________ Verifier's Signature: __________________________


Page V-2
Applicant Name: Exam ID:
Verifier Name:

The applicant is required to mark with an (x) the box beside each task they performed; the verifier then confirms those tasks.

Information Security Governance—Establish and maintain an information security governance framework and supporting processes to ensure that the information security strategy is aligned with organizational goals and objectives, information risk is managed appropriately and program resources are managed responsibly.
[ ] Establish and maintain an information security strategy in alignment with organizational goals and objectives to guide the establishment and ongoing management of the information security program.
[ ] Establish and maintain an information security governance framework to guide activities that support the information security strategy.
[ ] Integrate information security governance into corporate governance to ensure that organizational goals and objectives are supported by the information security program.
[ ] Establish and maintain information security policies to communicate management's directives and guide the development of standards, procedures and guidelines.
[ ] Develop business cases to support investments in information security.
[ ] Identify internal and external influences to the organization (for example, technology, business environment, risk tolerance, geographic location, legal and regulatory requirements) to ensure that these factors are addressed by the information security strategy.
[ ] Obtain commitment from senior management and support from other stakeholders to maximize the probability of successful implementation of the information security strategy.
[ ] Define and communicate the roles and responsibilities of information security throughout the organization to establish clear accountabilities and lines of authority.
[ ] Establish, monitor, evaluate and report metrics (for example, key goal indicators [KGIs], key performance indicators [KPIs], key risk indicators [KRIs]) to provide management with accurate information regarding the effectiveness of the information security strategy.

Information Risk Management and Compliance—Manage information risk to an acceptable level to meet the business and compliance requirements of the organization.
[ ] Establish and maintain a process for information asset classification to ensure that measures taken to protect assets are proportional to their business value.
[ ] Identify legal, regulatory, organizational and other applicable requirements to manage the risk of noncompliance to acceptable levels.
[ ] Ensure that risk assessments, vulnerability assessments and threat analyses are conducted periodically and consistently to identify risk to the organization's information.
[ ] Determine appropriate risk treatment options to manage risk to acceptable levels.
[ ] Evaluate information security controls to determine whether they are appropriate and effectively mitigate risk to an acceptable level.
[ ] Identify the gap between current and desired risk levels to manage risk to an acceptable level.
[ ] Integrate information risk management into business and IT processes (for example, development, procurement, project management, mergers and acquisitions) to promote a consistent and comprehensive information risk management process across the organization.
[ ] Monitor existing risk to ensure that changes are identified and managed appropriately.
[ ] Report noncompliance and other changes in information risk to appropriate management to assist in the risk management decision-making process.

Information Security Program Development and Management—Establish and manage the information security program in alignment with the information security strategy.
[ ] Establish and maintain the information security program in alignment with the information security strategy.
[ ] Ensure alignment between the information security program and other business functions (for example, human resources [HR], accounting, procurement and IT) to support integration with business processes.
[ ] Identify, acquire, manage and define requirements for internal and external resources to execute the information security program.
[ ] Establish and maintain information security architectures (people, process, technology) to execute the information security program.
[ ] Establish, communicate and maintain organizational information security standards, procedures, guidelines and other documentation to support and guide compliance with information security policies.
[ ] Establish and maintain a program for information security awareness and training to promote a secure environment and an effective security culture.
[ ] Integrate information security requirements into organizational processes (for example, change control, mergers and acquisitions, development, business continuity, disaster recovery) to maintain the organization's security baseline.
[ ] Integrate information security requirements into contracts and activities of third parties (for example, joint ventures, outsourced providers, business partners, customers) to maintain the organization's security baseline.
[ ] Establish, monitor and periodically report program management and operational metrics to evaluate the effectiveness and efficiency of the information security program.

Information Security Incident Management—Plan, establish and manage the capability to detect, investigate, respond to and recover from information security incidents to minimize business impact.
[ ] Establish and maintain an organizational definition of, and severity hierarchy for, information security incidents to allow accurate identification of and response to incidents.
[ ] Establish and maintain an incident response plan to ensure an effective and timely response to information security incidents.
[ ] Develop and implement processes to ensure the timely identification of information security incidents.
[ ] Establish and maintain processes to investigate and document information security incidents to be able to respond appropriately and determine their causes while adhering to legal, regulatory and organizational requirements.
[ ] Establish and maintain incident escalation and notification processes to ensure that the appropriate stakeholders are involved in incident response management.
[ ] Organize, train and equip teams to effectively respond to information security incidents in a timely manner.
[ ] Test and review the incident response plan periodically to ensure an effective response to information security incidents and to improve response capabilities.
[ ] Establish and maintain communication plans and processes to manage communication with internal and external entities.
[ ] Conduct postincident reviews to determine the root cause of information security incidents, develop corrective actions, reassess risk, evaluate response effectiveness and take appropriate remedial actions.
[ ] Establish and maintain integration among the incident response plan, disaster recovery plan and business continuity plan.

Date: __________ Verifier's Signature: __________________________

Please sign the completed application and either email, fax or postal mail your application to:

ISACA
3701 N. Algonquin Rd.
Suite 1010
Rolling Meadows, IL, USA 60008
Fax: 847.253.1443
Email: certification@isaca.org