Exam Registration & Administration
Certification Requirements | Exam Content | Other
Exam Registration & Administration
- When will I receive my September 2014 exam results?
- Why does it take 5 weeks for CISA and CISM and 8 weeks for CGEIT and CRISC to process exam results?
- How is the exam scored?
- How do I provide comments on testing conditions?
- What is the date of the next exam administration?
- When does registration open for the December exam?
- What is the registration deadline of the December exam and what are the fees?
- Can I take the CISA, CISM, CGEIT and CRISC exams on the same day?
- Can I change my exam site or language?
- Can I defer my exam?
- Where can I find CISA/CISM/CGEIT/CRISC applications for certification?
- What are the requirements for CISA/CISM/CGEIT/CRISC certification?
- Why doesn’t ISACA currently offer computer-based testing (CBT)?
1. When will I receive my September 2014 exam results?
The CISA and CISM exam results from the September 2014 exam were released via email on 9 October 2014 to those candidates who elected to received the email results notification during the registration process and do not have a balance due on the exam. CISA and CISM hard copy result letters were sent out the week of 13 October. Additionally, candidates can view exam results in their online profile at MyISACA > MyCertifications > Exam Result History. Please allow for adequate postal delivery time to your mailing location. To ensure the confidentiality of scores, exam results will not be reported by telephone, fax or email other than the one-time notification email.
2. Why does it take 5 weeks for CISA and CISM and 8 weeks for CGEIT and CRISC to process exam results?
ISACA takes the processing of exam results very seriously. Best practice dictates that item performance be carefully reviewed after each exam administration to ensure that items performed in a fair and consistent manner.
Starting in 2013, CISA and CISM exam results are released within 5 weeks of the exam administration (in place of the 8 weeks as currently exists for CGEIT and CRISC). This change was viable due to the maturity of the respective exams and item pool.
ISACA works with its testing agency to administer our exams in over 250 locations worldwide. The first step in the grading process is the review of the preliminary statistical analysis which begins when a majority of answer sheets are returned. This usually occurs a week or two after the exam administration date. This preliminary analysis is conducted on each exam item in every language that the exam item is offered. Currently, ISACA offers 4 different exams, in up to 10 languages. This step is essential because it identifies items that did not perform well based on statistics. Items with poor statistics are reviewed by the members of the respective certification committee. If an error or inconsistency is discovered within an item, the answer key is adjusted to ensure candidates are not penalized for the error.
Items with performance statistics on translated exams are also reviewed to determine if errors in translation occurred, impacting the candidate’s ability to answer an item correctly. This review is performed by multilingual ISACA members who hold the respective certifications.
Once the answer keys are finalized, a passing point is determined and approved by the Certification Committee for each certification. At this point, the testing agency processes each of the exam candidate’s final grades by converting it into a score between 200 and 800.
ISACA and our testing agency are dedicated to the efficient processing of exam results. We are also committed to performing the proper due diligence so that test results are reliable.
3. How is the exam scored?
ISACA uses a 200-800 point scale with 450 as the passing mark for the exams. A scaled score is a conversion of the raw score on an exam to a common scale. It is important to note that the exam score is not based on an arithmetic or percent average. For example, the scaled score of 800 represents a perfect score with all 200 questions answered correctly; a scaled score of 200 is the lowest score possible and signifies that only a small number of questions were answered correctly.
A candidate must receive a scaled score of 450 or higher to pass the exam. A score of 450 represents a minimum consistent standard of knowledge as established for the exam by the respective ISACA Certification Committee. The passing score of 450 represents the minimum number of questions that must be answered correctly by the candidate in order to demonstrate practical application of the job task and knowledge statements. A candidate receiving a passing score may then apply for certification if all other requirements are met.
4. How do I provide comments on testing conditions?
Candidates wishing to comment on the test administration conditions may do so at the conclusion of the testing session by completing the “Test Administration Questionnaire.” The Test Administration Questionnaire is presented at the back of the examination booklet.
Candidates who wish to address any additional comments or concerns about the examination administration or content of the examination should contact ISACA international headquarters by email (firstname.lastname@example.org). These comments or concerns are to be received by ISACA within 2 weeks after the examination date. Only those comments received by ISACA during the first 2 weeks after the exam administration will be considered in the final scoring process of the examination.
5. What is the date of the next exam administration?
The next exam administration for the CISA, CISM, CGEIT or CRISC exam is 13 December 2014 unless otherwise specified at www.isaca.org/examlocations.
6. When does registration open for the December exam?
Registration for the 13 December 2014 CISA, CISM, CGEIT or CRISC exam is now open at www.isaca.org/examreg.
Please note that the CISA German, CISA Hebrew and CISA Italian languages are not available at the December 2014 exam administration. The next available administration for CISA German, CISA Hebrew and CISA Italian is June 2015.
7. What is the registration deadline of the December exam and what are the fees?
Early registration deadline: 20 August 2014
Final registration deadline: 24 October 2014
Please visit www.isaca.org/examguide for more details, including fees.
Candidates can save US $75 on the exam registration fee by registering online.
8. Can I take the CISA, CISM, CGEIT and CRISC exams on the same day?
The CISA, CISM, CGEIT and CRISC exams are given simultaneously in a 4-hour time frame. It is not possible to take multiple exams on the same day.
9. Can I change my exam site or language?
Yes, changes to the exam site, language, exam type or name changes are permitted until 31 October**. Exam registration changes are subject to the following charges:
- On or before 24 October 2014…………………………no charge
- 25 October through 31 October 2014….……………………..$50
No exam registration changes will be granted after 31 October 2014.
**Please note that all deadlines are based on Chicago, Illinois, USA 5 p.m. Central Time.
For name, exam site, language or exam type changes, please send an email to email@example.com. These changes do not include deferrals.
10. Can I defer my exam?
Candidates unable to take the exam can request a deferral of their registration fees to the next exam date. To learn more about deferring your exam, including deferral deadlines and costs, please visit www.isaca.org/examdefer.
11. Where can I find CISA/CISM/CGEIT/CRISC applications for certification?
CISA applications are located at www.isaca.org/cisaapp.
CISM applications are located at www.isaca.org/cismapp.
CGEIT applications are located at www.isaca.org/cgeitapp.
CRISC applications are located at www.isaca.org/criscapp.
12. What are the requirements for CISA/CISM/CGEIT/CRISC certification?
CISA requirements for certification are available at www.isaca.org/cisarequirements.
CISM requirements for certification are available at www.isaca.org/cismrequirements.
CGEIT requirements for certification are available at www.isaca.org/cgeitrequirements.
CRISC requirements for certification are available at www.isaca.org/criscrequirements.
13. Why doesn’t ISACA currently offer computer-based testing (CBT)?
ISACA is often asked why our exams are not offered in an online environment. It’s a great question, especially given that ISACA members and certifieds are primarily IT professionals. It is also an issue that ISACA’s Credentialing and Career Management Board and certification committees continue to evaluate each and every year. There are three primary objectives that ISACA considers when offering exams:
- Can exams be offered more efficiently?
- Can exams be offered more securely?
- Can exams be offered more affordably?
In order to determine whether to move from paper-based testing to computer-based testing, ISACA has weighed various factors including, but not limited to, being assured that:
- Exam candidates are offered a consistent and suitable exam experience regardless of where they sit for the exam
- Exam items are properly safeguarded
- Exams are offered at a reasonable and fair fee
It is clear that there are advantages and disadvantages to offering exams in both paper-based and computer-based formats. Research has indicated that suitable CBT sites are not available in many of the more than 250 locations that ISACA currently offers exams, and many other CBT sites are not viable and secure for high-stakes exams. In addition, we have seen others who have shifted from paper-based testing to CBT increase their exam fees significantly (often by 100%) given the higher administrative costs.
At this time, ISACA’s Credentialing and Career Management Board has determined that the cost of transitioning to CBT would outweigh the benefits to test takers and to ISACA as a whole. ISACA is proud of the success and demand for our certifications that has been achieved, and is committed to continuing to look at additional options for offering ISACA exams.
Certification Requirements | Exam Content | Other
- What do I need to do if I've received a revocation notice?
- How do I renew my certification and/or report my CPE?
- Do I need to submit documentation CPE hours?
- I was selected for an audit of my CPE hours and have provided the documentation. When will I receive a confirmation?
- Where can I find the CISM application for certification?
- Is there a fee to apply for certification?
- What are the qualifications to earn the CISM credential?
- What does the CISM continuing professional education policy require?
- Why does ISACA offer an information security certification?
- Who is eligible to become CISM certified and what makes CISM unique?
- Will CISAs qualify for CISM?
- What constitutes information security management experience for CISM Certification?
- I have been an audit manager for many years. I have audited the information security program numerous times. May I count this as information security management?
- What type of consulting can I use for security management experience?
- Regarding the three (3) years of required information security management experience needed for certification, must I have 3 years of experience in each of three or more areas, or can I have one year in each of three different areas?
- Will CISSPs and other security credential holders qualify for CISM?
- How is CISM different from the other security certifications?
- How is CISM different from the Certified Information Systems Security Professional (CISSP)?
- What does a CISM “in good standing” mean?
- Does ISACA provide discount on certification maintenance (renewal) fees if I have multiple certifications?
1. What do I need to do if I've received a revocation notice?
If you have received a revocation notice, please contact firstname.lastname@example.org.
2. How do I renew my certification and/or report my CPE?
To renew the certification requires earning and reporting CPE hours annually and over a fixed 3-year cycle period and paying an annual certification maintenance fee.
Our CPE reporting system has recently been enhanced and certified individuals are now able to report CPE as they are earned.
How to report your CPE:
To pay the annual maintenance fee:
3. Do I need to submit documentation CPE hours?
Documentation of CPE hours does not need to be provided to ISACA unless you are selected for an audit of your CPE hours. You will be notified via email and hard copy letter if you are selected for an audit of your CPE hours.
4. I was selected for an audit of my CPE hours and have provided the documentation. When will I receive a confirmation?
If any additional information is required or there are questions regarding your audit documentation, we will contact you directly via email. Once your audit documentation has been reviewed and approved, a notice will be sent to you via the post. If you have not been contacted or received notification of compliance from the certification department please contact us at CISMaudit@isaca.org.
5. Where can I find the CISM application for certification?
6. Is there a fee to apply for certification?
For certification applications received on 1 June 2012 and forward, an application processing fee of US $50 will be required to apply for certification. The application processing fee will support our dedication to efficient and proper processing of certification applications according to industry standards. The fee will also help support the integrity of the application process, which in turn reinforces the strength and reputation of the overall certification programs.
Payment for the CISM application processing fee can be made online at www.isaca.org/cismpay.
7. What are the qualifications to earn the CISM credential?
Qualifying for CISM requires a combination of four "e's": experience, ethics, education and exam. Specifically, the requirements are:
- Earn a passing score on the CISM exam
- Adhere to the ISACA Code of Professional Ethics
- Commit to abide by the Continuing Professional Education Policy
- Submission of verified evidence of a minimum of five years of information security work experience, with a minimum of three years of information security management work experience in three or more of the job practice areas. Waivers for general information security work experience are available, if certain education or certification requirements are met.
For further details, click here.
8. What does the CISM continuing professional education policy require?
In order to become and remain a CISM an individual must agree to comply with the CISM continuing professional education policy. This policy requires an individual to earn a minimum of twenty (20) continuing professional education hours annually and one hundred and twenty (120) continuing professional education hours for every three year cycle. In addition, an annual maintenance fee of US $45 ISACA member and US $80 nonmember is required.
CISM CPE Policy
9. Why does ISACA offer an information security certification?
ISACA's name reflects its obligation to offer products, services and benefits not only to the information systems audit profession, but to those who play a vital role in information systems control as well. More than 20 years ago ISACA pioneered the Certified Information Systems Auditor (CISA) credential and has developed and offered training programs to information systems auditors, information security practitioners and those involved in information technology governance.
Most recognized in the industry are a series of ISACA conferences that are known as CACS (computer audit, control and security). These programs are held each year worldwide and meet the educational needs of a wide variety of information systems professionals.
In recent years, ISACA has undertaken other information security and IT control activities: increased focus on security in the Information Systems Control Journal, creation of the IT Governance Institute, and development of research of particular interest and benefit to security management professionals. The maturity of ISACA membership and CISAs and their requested need for an information security credential that goes beyond the practitioner level has led ISACA to the development the CISM credential.
10. Who is eligible to become CISM certified and what makes CISM unique?
CISM is unique in the information security credential marketplace because it is designed specifically and exclusively for individuals who have experience managing an information security program. Experience requirements and the CISM exam are based on the experience required to competently perform the duties and responsibilities of an information security manager. These requirements and the tasks and knowledge that are tested were developed by information security leaders and later validated by subject matter experts and information security managers. The requirements are designed to measure an individual's management experience in information security situations, not general practitioner skills.
11. Will CISAs qualify for CISM?
The CISM certification program recognizes the achievement of the CISA credential as a baseline representation that an individual has gained general information security skill and knowledge. As such, CISAs receive a two-year general information security waiver. However, CISAs will not be eligible to earn a CISM unless they have the required experience and can demonstrate proficiency and practical knowledge in the role of an information security manager.
12. What constitutes information security management experience for CISM Certification?
Information security management is a broad field, and encompasses many specialties within the security profession. ISACA categorizes these management activities into five areas, as defined in the most recent Job Task Analysis. Each area is broken into discreet tasks, and each task is further broken down into the supporting knowledge required to perform each task. In order to qualify for the CISM certification, the CISM candidate must have a minimum of five years of information security experience, of which three or more years must be information security management work. Note that the requirement does not dictate that the individual must have a specific position that designates them as a CISO or any other specific security management title. However, for those that do not have this designation, the role that they perform must clearly map to tasks within 3 of the 5 management areas as defined in the CISM Job Task Analysis. While less common these days, there are still organizations that have individuals in hybrid roles that include duties of an information security manager along with other unrelated responsibilities. This is particularly true in smaller organizations that do not have sufficient staff for an information security department or dedicated role. Note that audits, reviews, gap analysis, or other activities that assess the effectiveness of an information security program that is managed by others do not fully meet the standard for information security management. For more information, see the question below regarding audit experience.
13. I have been an audit manager for many years. I have audited the information security program numerous times. May I count this as information security management?
While it is certainly true that auditors often have a great deal of involvement with the information security program, they are not actively managing the program nor do they have any direct accountability for its success or failure. Also, audits are point-in-time events, whereas program management or even program development is a daily, ongoing activity. Auditors can generally map their work to Areas 1 and 2 (Information Security Governance and Information Risk Management and Compliance), if they have been working actively in IT assurance. However, they generally do not have appropriate experience to qualify in areas 3 and 4 (Information Security Program Development and Management and Information Security Incident Management). Generally speaking, an individual whose career has been exclusively in IT Audit will not have the appropriate experience to qualify for CISM certification.
14. What type of consulting can I use for security management experience?
In order to determine if consultative experience can be utilized for information security management experience, there are several qualifying questions that should be considered. Note that even with these criteria, this is not a binary decision, and cases must at times be considered on an individual basis. However, using these questions will assist the candidate to characterize their experience appropriately:
- During the consulting engagement, did the consultant actively participate in the design and/or implementation of a security program or process?
- Did the consulting analyze the current state, determine root cause for any issues encountered, and work with the client to plan and/or implement a course of action to address the issues cited (as opposed to simply providing an assessment of the current state i.e. a security assessment, audit, or gap assessment)?
- Did the consultant actually work in a defined role within the client organization performing security management tasks that map to one or more of the five Job Task areas?
Additionally, the nature of the consulting role in any of the above three scenarios would need to map to one or more of the five job task areas.
An affirmative answer to one or more of these three questions and mapping to one or more job task areas is a good indication that the experience will qualify for information security management.
In summary, a review of the consultative work performed assessed by the qualifying questions and compared to the job task areas and their related task statements is the proper way to determine if consultative work should be counted. As a final point, time should be considered as well. As consultants may have well worked on many different projects at one time, the candidate should ensure that the for the time period submitted, the majority of their time was actually dedicated to management level security consulting.
15. Regarding the three (3) years of required information security management experience needed for certification, must I have 3 years of experience in each of three or more areas, or can I have one year in each of three different areas?
The minimum acceptable time is 1 year of experience in each of at least 3 of the 5 areas (and an additional two years general information security experience or a combination of time and qualifying educational or certification substitutions that are listed on the CISM Application).
16. Will CISSPs and other security credential holders qualify for CISM?
The CISM certification program recognizes the achievement of the CISSP credential as a baseline representation that an individual has gained general information security skill and knowledge, just as it does with individuals who have earned a CISA. As such, CISSPs receive a two-year general information security experience waiver. However, CISSPs will not be eligible to earn a CISM unless they have the required experience and can demonstrate proficiency and practical knowledge in the role of an information security manager. Holders of other, more specialized credentials, such as the SANS Global Information Assurance Certification (GIAC), Microsoft Certified Systems Engineer (MCSE), CompTIA Security + Credential and the Disaster Recovery Institute Certified Business Continuity Professional (CBCP) also can receive a one-year general information security experience waiver.
17. How is CISM different from the other security certifications?
CISM differs from the many other security certifications by virtue of its experience requirements and focus on the job performed by an information security manager. Other security certifications are characterized by a focus on technical skills or platform- or product-specific knowledge, or they are aimed at the practitioner in the earlier years of their career. Only CISM targets the information security manager-the individual who has progressed beyond the practitioner focus, whose emphasis is no longer technical or specialist skills, and who has moved on to the management of an enterprise's information security program. CISM is for the individual who must manage and oversee the enterprise's information security effort, including the practitioners, many of whom may hold other certifications the field offers. The focus on management that makes CISM unique is demonstrated in its experience requirement, which calls for a minimum of three years in information security management, and in its exam focus that is based on the practices performed by information security managers.
18. How is CISM different from the Certified Information Systems Security Professional (CISSP)?
Although there are many differences between the CISSP common body of knowledge and the CISM job practice areas, the most obvious differences is in the experience requirements. Only CISM requires information security management experience, in addition to general information security experience. CISSP has no such management requirement. Earning the CISSP and/or the CISA credential is complementary to the attainment of the CISM credential and is encouraged.
19. What does a CISM “in good standing” mean?
In order to be a CISM “in good standing”, the following must be achieved:
- Certification granted from the corresponding Board, resulting from an approved application
- Continuing professional education is current and up-to-date
- All renewal fees/maintenance payments are current
- Continued compliance with the ISACA’s Code of Professional Ethics
20. Does ISACA provide discount on certification maintenance (renewal) fees if I have multiple certifications?
Yes, for those individuals who are renewing 3 or more ISACA certifications, a discount on the 3rd and 4th renewal fees of $20 for members and $35 for nonmembers is provided.
Exam Registration & Administration :: Exam Content :: Other
- How long is the exam?
- What does the CISM exam cover?
- What is the CISM job practice analysis and how was it developed?
1. How long is the exam?
A candidate is given 4 hours to complete a 200 multiple-choice question exam.
2. What does the CISM exam cover?
The CISM exam will cover five information security management areas, each of which is further defined and detailed through task and knowledge statements.
3. What is the CISM job practice analysis and how was it developed?
ISACA's philosophy toward certification is to measure the individuals' ability and knowledge as it pertains to the performance of their job. To define what security managers do and what they need to know ISACA brought together a task force of prominent industry leaders, subject matter experts and industry practitioners to define the job practice analysis on which the certification exam is based. Due to the importance of the job task analysis and the change experienced in the information security profession, ISACA is currently reviewing the job task analysis. In addition to the CISM's who are participating in this effort we have been joined by representatives from the Information Systems Security Association, the Information Security Forum and ASIS International.
CISM Job Practice >>
Exam Registration & Administration :: Certification Requirements :: Other
- How do I request additional information or report an issue regarding a current or past credential holder?
- How can I become a CISM Exam Item Writer?
1. How do I request additional information or report an issue regarding a current or past credential holder?
To request additional information or to report an issue regarding a current or past credential holder, please contact the CISM certification department:
2. How can I become a CISM Exam Item Writer?
You can apply online to become a CISM Exam Item Writer.
Exam Registration & Administration :: Certification Requirements