Should I get CISM Certified?
The Certified Information Systems Manager (CISM) qualification is provided by ISACA, and roughly on a par with it’s CISA IT audit qualification.
It is a certification for IT security managers, and like CISA tries to strike a balance between technical IT knowledge and business understanding, with a focus on information risk management, information security governance, incident management, and developing and managing an information security program.
It requires a four hour multiple choice exam and five years relevant experience in an information security management role, although part of this can e waived for other relevant experience. Holders can use the post-nominal letters ‘CISM’, and their status can be verified on ISACA’s web site.
How can I obtain a CISM qualification?
There are two things you need to do to qualify: Pass a multiple choice exam, and demonstrate relevant experience. As with other ISACA qualifications, you can get a year or two off the experience requirement from relevant degrees and qualifications. You will also need to:
Adhere to the Code of Professional Ethics: - Agree to adhere to the ISACA Code of Professional Ethics, which sets the standards for professional behaviour and competence.
Submit the CISM Application: - After passing the exam, submit your CISM application, verifying your work experience and adherence to the Code of Professional Ethics.
Adhere to Continuing Professional Education (CPE) Requirements: - Maintain your CISM certification by earning and reporting CPE hours annually, ensuring you stay updated on the latest developments in information security.
What does it cover?
The syllabus is split into four domains. You need to do well in all areas to pass the exam, but just like CISA, some areas are more important than others:
Information Security Governance (17%)
This domain will provide you with a thorough insight into the culture, regulations and structure involved in enterprise governance, as well as enabling you to analyse, plan and develop information security strategies.
Any wider information security management experience, and other qualifications such as ISC2’s SSCP or CISSP, will help you with this.
Information Security Risk Management (20%)
This is about being able to analyse and identify potential information security risks, threats and vulnerabilities as well as giving you all the information about identifying and countering information security risks you will require to perform at management level.
Any previous experience in operational risk, or wider risk management certifications, will help you here.
Information Security Program (33%)
This domain covers the resources, asset classifications and frameworks for information security as well as managing information security programs - including security control, testing, communications, and reporting and implementation.
Incident Management (30%)
This domain provides in-depth training in risk management and preparedness, including how to prepare a business to respond to incidents and guiding recovery. The second module covers the tools, evaluation and containment methods for incident management.
This does not require hands-on forensic experience - it is about managing incidents rather than the technical handling. However, if you do have a background in security operations (SOC), incident response (CERT), or forensic processes, this will help.
Is is suitable for IT Auditors and assurance professionals?
It’s a great option for those looking to demonstrate knowledge of information security - a domain that is also 26% of CISA qualification. It’s also a great idea if you are looking to transition from IT Audit to Information Security Management or Cyber Security disciplines in the future. Whilst not by any means necessary, quite a lot of people have both CISA and CISM as they build on each other well. The alternative ‘addition’ to CISA would by ISC2’s CISSP - many who have moved from IT audit to information security, me included, have CISA and CISSP. However if you are considering doing CISM and CISSP, most people do CISM first as it is considered a little easier - the CISSP syllabus is broader in technical areas.
How long will it take?
If you are have prior management and/or information security experience beyond audit, good IT knowledge and a strong background in business, you may find it quite easy. However is is unwise to be complacent as the syllabus is quite broad and distinctly different to CISA. You may want to take relevant courses, read up in weak areas, and spend a few months preparing for the exam.
If you’re doing well in every area question bank quizzes, you should do well in the exam.
Do I get letters after my name?
Yes, you can use the letters CISM, as long as you keep your certification up to date.
Do I need to do CPD?
Yes. Like CISA you need 20 hours of verifiable CPD a year, and a total of 120 hours over 3 years. However, if you don’t have the time to go on a week-long course each year, ISACA branches run regular seminars, and you can also gain CPD from completing a quiz in their journal or from taking part in branch activities.
How do I get started with a CISM certification?
Visit the CISM pages on the ISACA web site and enrol.