Exam Registration & Administration
- When will I receive my admission ticket for the June 2009 exam?
- What is the exact location of the test site for my June 2009 exam?
- What time should I arrive at the exam site?
- Can I still defer my June 2009 exam?
- What should I bring to the exam?
- What is the next exam date?
- When will registration open for the 12 December 2009 exam?
1. When will I receive my admission ticket for the June 2009 exam?
Electronic exam admission e-tickets have been released to paid candidates via email on 30 April 2009 to the email address listed in your profile. Please check your inbox as well as spam filters for your e-Ticket.
The hard copy admission tickets have been released to the preferred mailing address in your profile. Candidates can use either a print out of the e-Ticket or the hard copy admission ticket for entry into the exam. Again, only one exam ticket is needed for entry.
If you have not received an exam admission ticket by 1 June 2009 please contact exam@isaca.org immediately. Please put “Exam Admission Ticket” in the subject line.
2. What is the exact location of the test site for my June 2009 exam?
The exam details, including the exact exam location, are listed on your exam admission ticket. To ensure that you arrive in plenty of time for the exam, we recommend that you become familiar with the exact location and the best travel route to your exam site prior to the date of the exam. Test center phone numbers and web site references have been provided (when available) to assist you in obtaining directions to the facility.
3. What time should I arrive at the exam site?
Your arrival time is listed on your exam ticket. Please check your admission ticket for the exam time for your exam location as time can vary by site.
NO CANDIDATE WILL BE ADMITTED TO THE TEST CENTER ONCE THE CHIEF EXAMINER BEGINS READING THE ORAL INSTRUCTIONS. Any candidate who arrives after the oral instructions have begun will not be allowed to sit for the exam and will forfeit their registration fee.
4. Can I still defer my June 2009 exam?
Candidates unable to take the exam can request a deferral of their registration fees to the next exam date. From 25 April 2009 through 28 May 2009, a processing fee of US $100 will be charged. Deferral requests will not be accepted after 28 May 2009. To request a deferral, please go to www.isaca.org/examdefer to complete the process. The exam and deferral fees are nonrefundable. Please note: Deferral requests will not be processed until deferral fees have been paid in full. Payment is due in full by 13 June 2009. All deadlines are based upon Chicago, Illinois USA, 5 p.m. CT (central time).
5. What should I bring to the exam?
In addition to your admission ticket, bring several sharpened No. 2 or HB pencils, an eraser, and an acceptable form of photo identification such as a driver’s license, passport or government ID. This ID must be a current and original government issued identification that contains both your name as it appears on the admission ticket and your photograph. Any candidate who does not provide an acceptable form of identification will not be allowed to sit for the exam and will forfeit their registration fee.
Please visit www.isaca.org/cismbelongings for a list of items which are permitted and are not permitted in the exam site.
6. What is the next exam date?
The next exam date is 12 December 2009.
7. When will registration open for the 12 December 2009 exam?
Registration is currently open for the 12 December 2009 exam. You can register for the 12 December 2009 exam at www.isaca.org/examreg.
Certification Requirements
- What do I need to do if I've received a revocation notice?
- How can I earn CPE credits online?
- How do I submit my annual continuing professional education (CPE) hours to ISACA?
- What do I need to do if I've received an audit notice for my 2007 CPE hours?
- I've submitted the documentation for the audit of my 2007 CPE hours. When will I receive a confirmation?
- Where can I find the CISM application for certification?
- What are the qualifications to earn the CISM credential?
- What does the CISM continuing professional education policy require?
- Why does ISACA offer an information security certification?
- Who is eligible to become CISM certified and what makes CISM unique?
- Will CISAs qualify for CISM?
- What constitutes information security management experience for CISM Certification?
- I have been an audit manager for many years. I have audited the information security program numerous times. May I count this as information security management?
- What type of consulting can I use for security management experience?
- Regarding the three (3) years of required information security management experience needed for certification, must I have 3 years of experience in each of three or more areas, or can I have one year in each of three different areas?
- Will CISSPs and other security credential holders qualify for CISM?
- How is CISM different from the other security certifications?
- How is CISM different from the Certified Information Systems Security Professional (CISSP)?
- What does a CISM “in good standing” mean?
1. What do I need to do if I've received a revocation notice?
If you have received a revocation notice, please contact certification@isaca.org.
2. How can I earn CPE credits online?
ISACA members can earn CPE hours by taking an Information Systems Control Journal CPE Quiz online. One CPE hour is awarded per quiz. ISACA members may also earn CPEs online by participating in e-symposia. The e-symposia are offered live each month or may be accessed on demand via the archives. For more information, please go to http://www.isaca.org/webcasts. In order to claim the CPE hours (generally 3 hours per e-symposium), a passing score must be earned on the quiz.
3. How do I submit my annual continuing professional education (CPE) hours to ISACA?
CPE hours are reported annually during the renewal process, which begins in October/November of each year. At renewal time, you will be asked to report the total number of CPE hours that you earned during the cycle year. Please keep track of the activities you undertake and retain the supporting documentation so that you are able to properly report your hours. You will be sent an email notification when the renewal process opens each year. At that time, you can go to our web site, pay your annual dues and report your CPE hours. Alternatively, you can wait until we send you the hard copy annual invoice and use that as the mechanism to make your payment and report your CPE hours.
4. What do I need to do if I've received an audit notice for my 2007 CPE hours?
If you have received an audit notice, please follow the steps provided to you in the letter to comply with the audit. When submitting your documentation, please note that it should be in the form of a letter, certificate of completion, attendance roster or Verification of Attendance form (located at http://www.isaca.org/cismcpepolicy).
At a minimum, each record should include the name of the attendee, name of the sponsoring organization, activity title, activity description, activity date, and the number of continuing professional education hours awarded or claimed. Please submit photocopies, as the documents will not be returned.
5. I've submitted the documentation for the audit of my 2007 CPE hours. When will I receive a confirmation?
If any additional information is required or there are questions regarding your documentation, we will contact you directly. Once your documentation has been reviewed and approved, a notice will be sent to you.
6. Where can I find the CISM application for certification?
CISM applications are located at http://www.isaca.org/CISMapp.
7. What are the qualifications to earn the CISM credential?
Qualifying for CISM requires a combination of four "e's": experience, ethics, education and exam. Specifically, the requirements are:
- Earn a passing score on the CISM exam
- Adhere to the ISACA Code of Professional Ethics
- Commit to abide by the Continuing Professional Education Policy
- Submit verified evidence of a minimum of five years of information security work experience, with a minimum of three years of information security management work experience in three or more of the job practice areas. Waivers for general information security work experience are available if certain education or certification requirements are met.
8. What does the CISM continuing professional education policy require?
In order to become and remain a CISM, an individual must agree to comply with the CISM continuing professional education policy. This policy requires an individual to earn a minimum of twenty (20) continuing professional education hours annually and one hundred and twenty (120) continuing professional education hours for every three-year cycle. In addition, an annual maintenance fee of US $40 for ISACA members and US $80 for nonmembers is required.
9. Why does ISACA offer an information security certification?
ISACA's name reflects its obligation to offer products, services and benefits not only to the information systems audit profession, but to those who play a vital role in information systems control as well. More than 20 years ago ISACA pioneered the Certified Information Systems Auditor (CISA) credential and has developed and offered training programs to information systems auditors, information security practitioners and those involved in information technology governance.
Most recognized in the industry are a series of ISACA conferences that are known as CACS (computer audit, control and security). These programs are held each year worldwide and meet the educational needs of a wide variety of information systems professionals.
In recent years, ISACA has undertaken other information security and IT control activities: an increased focus on security in the Information Systems Control Journal, the creation of the IT Governance Institute, and the development of research of particular interest and benefit to security management professionals. The maturity of the ISACA membership and of CISAs, and their expressed need for an information security credential that goes beyond the practitioner level, has led ISACA to develop the CISM credential.
10. Who is eligible to become CISM certified and what makes CISM unique?
CISM is unique in the information security credential marketplace because it is designed specifically and exclusively for individuals who have experience managing an information security program. Experience requirements and the CISM exam are based on the experience required to competently perform the duties and responsibilities of an information security manager. These requirements and the tasks and knowledge that are tested were developed by information security leaders and later validated by subject matter experts and information security managers. The requirements are designed to measure an individual's management experience in information security situations, not general practitioner skills.
11. Will CISAs qualify for CISM?
The CISM certification program recognizes the achievement of the CISA credential as a baseline representation that an individual has gained general information security skill and knowledge. As such, CISAs receive a two-year general information security waiver. However, CISAs will not be eligible to earn a CISM unless they have the required experience and can demonstrate proficiency and practical knowledge in the role of an information security manager.
12. What constitutes information security management experience for CISM Certification?
Information security management is a broad field, and encompasses many specialties within the security profession. ISACA categorizes these management activities into five areas, as defined in the most recent Job Task Analysis. Each area is broken into discrete tasks, and each task is further broken down into the supporting knowledge required to perform it. In order to qualify for the CISM certification, the CISM candidate must have a minimum of five years of information security experience, of which three or more years must be information security management work. Note that the requirement does not dictate that the individual must hold a specific position that designates them as a CISO or carries any other specific security management title. However, for those who do not have this designation, the role they perform must clearly map to tasks within 3 of the 5 management areas as defined in the CISM Job Task Analysis. While less common these days, there are still organizations that have individuals in hybrid roles that include the duties of an information security manager along with other unrelated responsibilities. This is particularly true in smaller organizations that do not have sufficient staff for an information security department or dedicated role. Note that audits, reviews, gap analyses, or other activities that assess the effectiveness of an information security program that is managed by others do not fully meet the standard for information security management. For more information, see the question below regarding audit experience.
13. I have been an audit manager for many years. I have audited the information security program numerous times. May I count this as information security management?
While it is certainly true that auditors often have a great deal of involvement with the information security program, they are not actively managing the program, nor do they have any direct accountability for its success or failure. Also, audits are point-in-time events, whereas program management or even program development is a daily, ongoing activity. Auditors can generally map their work to Areas 1 and 2 (Information Security Governance and Information Risk Management) if they have been working actively in IT assurance. However, they generally do not have appropriate experience to qualify in Areas 3, 4, and 5 (Information Security Program Development, Information Security Program Management, and Incident Management and Response). Generally speaking, an individual whose career has been exclusively in IT Audit will not have the appropriate experience to qualify for CISM certification. There are a number of individuals who have worked managing or building a security program and have subsequently moved to IT Audit, and there are also individuals who have moved from Audit into an Information Security Management role. In each of these instances, the candidate will more than likely be able to leverage time from both roles to qualify for certification, although the minimum time actually managing a program is at least one full year. Note that in small organizations, individuals in IT Audit occasionally have a dual role that shares audit duties with information security management. In this case, they may be able to earn sufficient experience to be awarded the CISM certification if they can demonstrate that their activities managing information security were completely separate from their audit activities and that the experience falls within the required 10-year window.
14. What type of consulting can I use for security management experience?
In order to determine whether consultative experience can be counted as information security management experience, there are several qualifying questions that should be considered. Note that even with these criteria, this is not a binary decision, and cases must at times be considered on an individual basis. However, using these questions will assist the candidate in characterizing their experience appropriately:
- During the consulting engagement, did the consultant actively participate in the design and/or implementation of a security program or process?
- Did the consultant analyze the current state, determine the root cause of any issues encountered, and work with the client to plan and/or implement a course of action to address the issues cited (as opposed to simply providing an assessment of the current state, e.g. a security assessment, audit, or gap assessment)?
- Did the consultant actually work in a defined role within the client organization performing security management tasks that map to one or more of the five Job Task areas?
Additionally, the nature of the consulting role in any of the above three scenarios would need to map to one or more of the five job task areas.
An affirmative answer to one or more of these three questions and mapping to one or more job task areas is a good indication that the experience will qualify for information security management.
In summary, a review of the consultative work performed, assessed by the qualifying questions and compared to the job task areas and their related task statements, is the proper way to determine whether consultative work should be counted. As a final point, time should be considered as well. As consultants may well have worked on many different projects at one time, the candidate should ensure that, for the time period submitted, the majority of their time was actually dedicated to management-level security consulting.
15. Regarding the three (3) years of required information security management experience needed for certification, must I have 3 years of experience in each of three or more areas, or can I have one year in each of three different areas?
The minimum acceptable time is 1 year of experience in each of at least 3 of the 5 areas (and an additional two years general information security experience or a combination of time and qualifying educational or certification substitutions that are listed on the CISM Application).
16. Will CISSPs and other security credential holders qualify for CISM?
The CISM certification program recognizes the achievement of the CISSP credential as a baseline representation that an individual has gained general information security skill and knowledge, just as it does with individuals who have earned a CISA. As such, CISSPs receive a two-year general information security experience waiver. However, CISSPs will not be eligible to earn a CISM unless they have the required experience and can demonstrate proficiency and practical knowledge in the role of an information security manager. Holders of other, more specialized credentials, such as the SANS Global Information Assurance Certification (GIAC), Microsoft Certified Systems Engineer (MCSE), CompTIA Security+ credential and the Disaster Recovery Institute Certified Business Continuity Professional (CBCP), can also receive a one-year general information security experience waiver.
17. How is CISM different from the other security certifications?
CISM differs from the many other security certifications by virtue of its experience requirements and its focus on the job performed by an information security manager. Other security certifications are characterized by a focus on technical skills or platform- or product-specific knowledge, or they are aimed at the practitioner in the earlier years of their career. Only CISM targets the information security manager: the individual who has progressed beyond the practitioner focus, whose emphasis is no longer technical or specialist skills, and who has moved on to the management of an enterprise's information security program. CISM is for the individual who must manage and oversee the enterprise's information security effort, including the practitioners, many of whom may hold other certifications the field offers. The focus on management that makes CISM unique is demonstrated in its experience requirement, which calls for a minimum of three years in information security management, and in its exam focus, which is based on the practices performed by information security managers.
18. How is CISM different from the Certified Information Systems Security Professional (CISSP)?
Although there are many differences between the CISSP common body of knowledge and the CISM job practice areas, the most obvious difference is in the experience requirements. Only CISM requires information security management experience in addition to general information security experience. CISSP has no such management requirement. Earning the CISSP and/or the CISA credential is complementary to the attainment of the CISM credential and is encouraged.
19. What does a CISM “in good standing” mean?
In order to be a CISM “in good standing”, the following must be achieved:
- Certification granted from the corresponding Board, resulting from an approved application
- Continuing professional education is current and up-to-date
- All renewal fees/maintenance payments are current
- Continued compliance with ISACA's Code of Professional Ethics
Exam Content
- How long is the exam?
- What does the CISM exam cover?
- What is the CISM job practice analysis and how was it developed?
1. How long is the exam?
A candidate is given 4 hours to complete a 200-question multiple-choice exam.
2. What does the CISM exam cover?
The CISM exam will cover five information security management areas, each of which is further defined and detailed through task and knowledge statements.
3. What is the CISM job practice analysis and how was it developed?
ISACA's philosophy toward certification is to measure an individual's ability and knowledge as it pertains to the performance of their job. To define what security managers do and what they need to know, ISACA brought together a task force of prominent industry leaders, subject matter experts and industry practitioners to define the job practice analysis on which the certification exam is based. Due to the importance of the job task analysis and the change experienced in the information security profession, ISACA is currently reviewing the job task analysis. In addition to the CISMs who are participating in this effort, we have been joined by representatives from the Information Systems Security Association, the Information Security Forum and ASIS International.
The detailed CISM Job Practice areas can be viewed at http://www.isaca.org/cismjobpractice.
Other
- How do I request additional information or report an issue regarding a current or past credential holder?
- How can I become a CISM Exam Item Writer?
1. How do I request additional information or report an issue regarding a current or past credential holder?
To request additional information or to report an issue regarding a current or past credential holder, please contact the CISM certification department:
Email: exam@isaca.org
Tel: +1.847.660.5660
Fax: +1.847.253.1443
2. How can I become a CISM Exam Item Writer?
You can apply online to become a CISM Exam Item Writer.