
A Closer Look at the CISM Certification

The Certified Information Security Manager certification has been around for over a decade now, and it's only grown in prominence. What makes ISACA CISM so important and how does it compare to its peers?

The ISACA Certified Information Security Manager (CISM) is a signature certification created by ISACA, a reputable professional organization. Since its introduction in 2003, the CISM has evolved and is now ranked as one of the top five certifications in 2016 for information security professionals. ISACA -- founded in Los Angeles in 1969 and currently headquartered in Rolling Meadows, Illinois -- has 140,000 members and 208 chapters worldwide. ISACA has broadened its focus from information security auditing to include Governance, Risk, and Compliance (GRC) and, more recently, cybersecurity.

Let's take a closer look at the ISACA Certified Information Security Manager certification, the value it provides to the careers of security professionals, and how it compares with other certifications.


What is the ISACA CISM?

The ISACA CISM is a certification intended for information security managers, aspiring managers, or IT consultants who support information security program management. The first-ever exam was administered on June 14, 2003, at 95 locations in 47 countries. Applicants could submit a grandfather application before the end of 2003. Candidates had to submit evidence of eight years of information security work experience. Five of those eight years must have been in the role of information security manager and must be verified by an immediate supervisor or someone else of higher rank in the organization.

It is not as technical a certification as the Certified Information Systems Security Professional (CISSP) or the specialized SANS Institute certifications. CISM is comprised of four domains: Information Security Governance; Risk Management and Compliance; Security Program Development and Management; and Information Security Incident Management.

This common body of knowledge (CBK) is critical for the chief information security officer (CISO) and information security manager. CISM is a vendor-neutral, information security management examination.

Technical information security knowledge specializing in network security, encryption, operating systems, authentication, penetration studies, malware reverse engineering, and other areas of expertise is left to SANS, EC-Council, and others.


Value of the ISACA CISM

The CISM is of great value to the designation holder. It relays the message to enterprises hiring information security managers or CISOs that the holder has knowledge of risk, governance, incident response, and the information security program. This is evidenced by its worldwide acceptance. For the first years after its introduction, some information security professionals could grandfather into the program.

Because of the CISM's focus on the business and risk management issues associated with information security, it continues to be a required -- if not desired -- certification for CISOs, directors, and managers of information security.

CISM compared to other certifications

According to Ron Hale, chief knowledge officer for ISACA International, "The CISM does not compete with the CISSP or SANS courses. They are complementary."

The cybersecurity professional can be either very technical or a generalist. Managers can be technical, but they also need to understand the business. Today, we need cybersecurity professionals who can do both. The CISM -- coupled with technical designations -- accomplishes this need.

It's been said that the information security professional is a jack-of-all-trades and a master-of-none. An information security professional can be a jack-of-all-trades, but he also needs to be a master of at least one. The question is, which one?


"There is a growing need for valuable guidance, credentials, tools, networking, and training for professionals in this fast-moving field. Cybersecurity is everybody's business, and it is necessary that we work together to close the skills gap and protect our enterprises," said Robert E. Stroud.

Having a certification does not guarantee the holder is an expert in the area of information security it covers. That, unfortunately, holds true, as security managers have all seen that those who hold certifications are not always experts. But without the certification, the non-holder who is an expert may never have the opportunity to demonstrate that expertise. Certifications provide assurance that the holder has the foundation -- the CBK -- for the covered area; they open doors. ISACA, with the CISM certification, is providing that foundation and is meeting the demand for information security professional training, certifications, and skilled resources.