Apply for Certification
Get CISM certified and join an elite group of IT professionals recognized and sought after for their expertise. This is a designation that will get you instant credibility with peers, stakeholders and regulators.
A US$50 application processing fee is required for all
submissions. The application fee is a one-time, non-refundable payment.
Candidates must apply for certification within
5 years of having passed the exam.
Finalize your payment and submit your completed
application to ensure an expedited processing time.
CISM Certification Requirements
The ISACA community – members, volunteers and professionals – is guided by our Purpose and Promise, which define the essence of who we are and what we do. Our Purpose is the reason we exist – to help business technology professionals and their enterprises around the world realize the positive potential of technology. Our Promise is how we as an organization and as individuals, deliver on our Purpose – the work we do every day to inspire confidence that enables innovation through technology.
Applicants must meet the following requirements to become CISM Certified:
- Successfully Complete the CISM Examination: The examination is open to all individuals who have an interest in information systems audit, control and security. All are encouraged to work toward and take the examination. Successful examination candidates will be sent all information required to apply for certification with their notification of a passing score.
For a more detailed description of the exam see CISM Certification Job Practice.
- Adhere to the Code of Professional Ethics: Members of ISACA and/or holders of the CISM designation agree to a Code of Professional Ethics to guide professional and personal conduct.
- Adhere to the Continuing Professional Education (CPE) Policy: The objectives of the continuing education policy are to:
- Maintain an individual's competency to ensure that all CISMs maintain an adequate level of current knowledge and proficiency. CISMs who successfully comply with the CISM CPE Policy will be better equipped to manage, design, oversee and assess an enterprise’s information security
- Provide a means to differentiate between qualified CISMs and those who have not met the requirements for continuation of their certification
- Demonstrate the Required Minimum Work Experience: A minimum of 5-years of professional information systems auditing, control or security work experience - as described in the CISM job practice areas - is required for certification. The work experience for CISM certification must be gained within the 10-year period preceding the application date for certification. Candidates have 5-years from the passing date to apply for certification.
- Certified Information Systems Auditor (CISA) in good standing
- Certified Information Systems Security Professional (CISSP) in good standing
- Post-graduate degree in information security or a related field (e.g., business administration, information systems, information assurance)
- One full year of information systems management experience
- One full year of general security management experience
- Skill-based security certifications (e.g., SANS Global Information Assurance Certification (GIAC), Microsoft Certified Systems Engineer (MCSE), CompTIA Security +, Disaster Recovery Institute Certified Business Continuity Professional (CBCP), ESL IT Security Manager)
Substitutions and waivers may be obtained for a maximum of 2-years as follows:
The experience substitutions will not satisfy any portion of the 3-year information security management work experience requirement.
Exception: Every 2-years as a full-time university instructor teaching the management of information security can be substituted for every 1-year of information security experience.
It is important to note that many individuals choose to take the CISM exam prior to meeting the experience requirements. This practice is acceptable and encouraged although the CISM designation will not be awarded until all requirements are met.