
Requirements for CISM Certification

To earn the CISM designation, candidates will be required to:

  1. Successfully pass the CISM exam.
  2. Adhere to ISACA's Code of Professional Ethics.
  3. Agree to comply with the Continuing Education Policy.
  4. Have the required work experience in the field of information security.
  5. Submit an Application for CISM Certification.

  1. Successfully Pass the CISM Exam  
Score a passing grade on the CISM exam. A passing score on the CISM examination, without completion of the required work experience outlined below, is valid for only five years. If the applicant does not meet the CISM certification requirements within that five-year period, the passing score is voided.
  2. The Code of Professional Ethics  
Members of ISACA and/or holders of the CISM designation agree to a Code of Professional Ethics to guide professional and personal conduct.
  3. Continuing Education Policy  

Continuing Education Program Objectives

The objectives of the continuing education program are to:
  • Maintain an individual's competency by requiring the update of existing knowledge and skills in the areas of information systems auditing, management, accounting and business areas related to specific industries (e.g., finance, insurance, business law, etc.)
  • Provide a means to differentiate between qualified CISMs and those who have not met the requirements for continuation of their certification
  • Provide a mechanism for monitoring information systems audit, control and security professionals' maintenance of their competency
  • Aid top management in developing sound information systems audit, control and security functions by providing criteria for personnel selection and development
Maintenance fees and a minimum of 20 contact hours of CPE are required annually. In addition, a minimum of 120 contact hours is required during each fixed three-year period. Upon completing the requirements for initial certification, the CISM will be provided with the CPE policy booklet, which contains the detailed criteria to be used in developing a personal CPE program.

The CISM CPE Policy is available below for the following languages:
  4. Work Experience  

Submit verified evidence of a minimum of five years of information security work experience, with a minimum of three years of information security management work experience in three or more of the job practice analysis areas. The work experience must be gained within the ten-year period preceding the application date for certification or within five years from the date of originally passing the exam.

Experience Substitutions

The following security-related certifications and information systems management experience can be used to satisfy the indicated amount of information security work experience.

  • Two Years:
    • Certified Information Systems Auditor (CISA) in good standing
    • Certified Information Systems Security Professional (CISSP) in good standing
    • Post-graduate degree in information security or a related field (e.g., business administration, information systems, information assurance)
  • One Year:
    • One full year of information systems management experience
    • Skill-based security certifications (e.g., SANS Global Information Assurance Certification (GIAC), Microsoft Certified Systems Engineer (MCSE), CompTIA Security +, Disaster Recovery Institute Certified Business Continuity Professional (CBCP), ESL IT Security Manager)

The experience substitutions will not satisfy any portion of the three-year information security management work experience requirement.

  5. Submit an Application for CISM Certification  
Once a CISM candidate has passed the CISM certification exam and has met the work experience requirements, the final step is to complete the CISM Application for Certification. There are three ways to obtain the CISM application:
  1. Complete and print an online application;
  2. Download application in PDF format (PDF, 150K); or
  3. Request an application (sent in postal mail).

© 2008 ISACA All rights reserved.
3701 Algonquin Road, Suite 1010, Rolling Meadows, Illinois 60008 USA