How to Become CISM Certified – Certification Requirements [Updated 2025]

April 29, 2025 by Graeme Messina

The CISM certification (Certified Information Security Manager) is an accomplishment that only a select few IT professionals will attain in their careers. Worldwide, there are over 45,000 CISM professionals, representing only a tiny percentage of people in the field. This security certification is highly sought after, empowering its holders to find their dream job in information system security management.

Because of the rigorous CISM requirements and CISM prerequisites, it isn't easy to secure this credential. Prospective candidates need to follow specific steps in the CISM certification process to become CISM-certified. We will outline each step of how to become CISM certified so you'll better understand the CISM eligibility criteria and how to approach qualifying for CISM. Below, we cover the five steps you'll need to complete and detail what you need to move forward in your certification journey.

$150,040 average salary

ISACA CISM is one of the industry's highest-paying cybersecurity certifications. Take your information security management career to new heights and enroll now to claim your Exam Pass Guarantee!

Five steps to become CISM certified

1. Pass the exam

Passing the CISM exam requires mastering its four domains. You must show understanding and knowledge in various areas of competency. The CISM exam domains as of 2025 are:

  • Information security governance (17%)
  • Information risk management (20%)
  • Information security program (33%)
  • Incident management (30%)

The security governance background knowledge required for this exam is extensive, and preparation is essential. Check the latest CISM exam cost and registration details before beginning your journey.

2. Comply with the Code of Professional Ethics

Members of ISACA or holders of the CISM designation must agree to the Code of Professional Ethics, which will guide their professional and personal conduct. The certification eligibility verification process includes adherence to these principles. The Code of Professional Ethics comprises seven principles:

  1. Support the implementation of, and encourage compliance with, appropriate standards and procedures for the effective governance and management of enterprise information systems and technology, including audit, control, security and risk management.
  2. Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards.
  3. Serve in the interest of stakeholders in a lawful manner, while maintaining high standards of conduct and character and not discrediting their profession or the association.
  4. Maintain the privacy and confidentiality of information obtained in the course of their activities unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
  5. Maintain competency in their respective fields and agree to undertake only those activities they can reasonably expect to complete with the necessary skills, knowledge and competence.
  6. Inform appropriate parties of the results of work performed, including the disclosure of all significant facts known to them that, if not disclosed, may distort the reporting of the results.
  7. Support the professional education of stakeholders in enhancing their understanding of the governance and management of enterprise information systems and technology, including audit, control, security and risk management.

3. Participate in the CPE program

The CPE (continued professional education) policy aims to ensure qualified CISM candidates keep their professional security experience and knowledge as up-to-date as possible. This ensures new trends or possible threats are identified and included in new security policies. The CISM CPE requirements are designed to:

  • Maintain competency and ensure that the CISM professional remains knowledgeable and proficient in IT security systems and management. By fulfilling these CISM education requirements, CISMs are far more likely to effectively manage, design and oversee the organization's information security while assessing any potential threats to the security of IT systems.
  • Distinguish CISMs who keep their knowledge current through the CPE program from those who do not.

You must also pay maintenance fees and keep a minimum of 20 contact hours of CPE annually as part of maintaining CISM certification. In addition, you must complete a minimum of 120 contact hours over a period of three years to comply with ISACA requirements.

4. Meet CISM work experience requirements

The CISM experience requirements are substantial. You must submit verified evidence that you have worked a minimum of five years in the field of information security, including a minimum of three years of information security management experience across at least three of the job practice analysis areas. This CISM work experience must be gained within the 10-year period preceding the application for certification or within five years of the exam date.

Certain security management qualifications can be substituted for a portion of the five years of work experience. Here are two scenarios that can reduce the requirements for an individual candidate, based on qualifications and work experience:

Two years:

One year:

  • One full year of information systems management experience
  • One full year of general security management experience
  • Skill-based security certifications (e.g., SANS global information assurance certification (GIAC), Microsoft certified systems engineer (MCSE), CompTIA Security+, Disaster Recovery Institute certified business continuity professional (CBCP), ESL IT security manager)

Please be aware that the experience substitutions listed above are not accepted as a replacement for any part of the three years of information security management work experience. The only exception is full-time university-level instruction in information security management: every two years spent teaching in such a role can substitute for one year of that management experience.

5. Complete the CISM Application Process

The final step in the CISM application process is to submit a CISM application for certification. This certification application documentation can be completed only after you have passed the CISM exam and acquired the necessary security certification prerequisites, including the required work experience.

Conclusion

CISM candidates must meet a range of CISM certification requirements, but the effort pays off with an in-demand certification. Positions that require a CISM certification are high-level management roles that call for both experience and advanced technical and managerial skills. The CISM is the global standard for IT security professionals in security, auditing and systems control.

Attaining this certification is a career-changing milestone that will elevate your professional standing and open the door to better earnings, higher incentives and better benefits, as well as an advanced understanding of security systems management.

Want to know more about the CISM certification exam? Visit Infosec's CISM hub.

Graeme Messina

Graeme is an IT professional with a special interest in computer forensics and computer security. When not building networks and researching the latest developments in network security, he can be found writing technical articles and blog posts at InfoSec Resources and elsewhere.