Defining Information Security Manager Position Requirements: Guidance for Executives and Managers 



This report provides a framework for understanding the many changing and interrelated requirements of the information security manager position as assigned to professionals at various levels in an enterprise. It identifies the pathways such professionals often take during their careers to reach these positions. It is intended to help those entering the profession from a university program, planning their career or advancing within the profession. It also serves as a guide for those with responsibility for hiring information security practitioners or for those who manage, lead or have oversight responsibilities for an information security function.

The research used in preparing this report is extensive and includes data collected as part of a comprehensive 2006 global survey of approximately 600 information security professionals holding the Certified Information Security Manager (CISM) designation, as well as a working group of information security executives including over 100 CISMs under the direction of ISACA. Additionally, in 2007, ISACA launched its Information Career Progression Survey, which generated responses from over 1,400 CISMs worldwide.

The CISM designation is issued by ISACA, and recognized by the International Organization for Standardization (ISO) as one of a select group of information security professional certifications receiving worldwide recognition.

Using this report, the reader will gain a clear understanding of the dynamics and requirements for the information security management position in relation to changing employment needs, the rate and degree of technology change taking place, and how these conditions will impact the role of the information security manager. It will help in defining, refining and updating the requirements for information security management positions, keeping in mind that management skills and abilities may be more critical than one’s technical competencies, particularly as one progresses upward within an enterprise.