CISM Foundations: Introduction
Introduction to CISM - Part One

This course introduces and outlines the CISM (Certified Information Security Manager) certification from ISACA. You will learn some background on the certification, how you will be assessed, how the exam is structured and administered, the requirements for certification, and recommendations for passing. We will also cover how to maintain the certification and the code of ethics that holders must adhere to. You will also learn about additional resources that can help you when studying for the exam.


Learning Objectives

  • Outline the CISM certification and what to expect when studying for it
  • Learn how the exams are taken and structured
  • Learn some helpful tips for taking and passing the exam
  • Understand the administrative aspects of the exams (enrolment, duration, etc)

Intended Audience

This course is intended for those in security, supervisory, or management positions, and for anyone who wants to obtain the CISM certification.


Any experience relating to information security would be advantageous, but not essential. All topics discussed are thoroughly explained and presented in a way allowing the information to be absorbed by everyone, regardless of their experience within the security field.



Hello, and welcome to Cloud Academy's presentation of the ISACA Certified Information Security Manager Review Seminar. I'm Ross Leo and I will be your host as we explore the details of this certification to help you get prepared to take and pass your CISM examination. So let's go ahead and get started.

The CISM is one of the most in-demand certifications for information security professionals worldwide. It has been developed and maintained by ISACA at the highest level of quality to meet the ANSI standard 17024 of 2012, a very strict standard that sets a very high bar for the training and certifying of professionals. Shared with the ISO, the 17024 ensures that the CISM is recognized and accepted by the profession, commercial employers, and government agencies worldwide.

Generally speaking, the sections will be presented in modules of 40 to 60 minutes average length. The idea is to give you bite-sized sessions that you can do over lunch, in the evening, on your flight, or even taking a ferry among the Greek Islands while on vacation. The best way, of course, is to sit, focus, listen carefully, and take very good notes.

This course will give you a lot to think about, a lot of other reading that you might want to do. The better your attention, the better your understanding. And of course, the better you will do, probably. I must emphasize that this test is a difficult one to pass. It will require you to draw on book learning and experience.

There are no labs in this exam, in the course, or on the test itself, but things that you may have learned in labs or exercises may very well come in handy. One important thing is that this test is vendor and technology neutral. No vendor products are discussed, to ensure that there is no favoritism or focus on a particular brand. Certain technologies are, of course, mentioned, but only in a very general manner. And usually to set the context, when a question is asked or in giving examples.

If you're deeply committed to a single vendor's line or way of doing things, I would strongly recommend that you exercise caution to prevent your seeing everything in this course and on the test through that particular lens.

So once again, welcome. Having first been offered in 2002, the CISM is by no means new, but neither is it old and rusty. The ISACA team works diligently to maintain its currency and its quality, to ensure its holders are kept on the leading edge, and the certification itself remains relevant and in demand.

Intended for security professionals who are moving into senior or higher roles, it focuses on areas that represent the vital elements of governance and control. In the coming modules, I will guide you through a process of thinking and learning as we move into this body of knowledge.

First will come the basics of information security, which are presented to you both as a refresher and as a return to the foundations of our professional practice, so as to start you out thinking along the right lines. Following that will be an in-depth discussion of the four domains of the CISM shown here: 

  • Information security governance
  • Information risk management and compliance
  • Information security program development and management
  • Information security incident management

As we go through each topical section, we will cover some important points, of course, and then follow with a few questions, which you will draw from your book. Here's how that will work. I will pose a few questions, pausing several seconds to give you a chance to think about what I've asked and then put up the answers so that you can check yours with mine.

I, of course, have to admit that I have the advantage. I know both the questions and each correct answer, but since this is really a one-sided conversation with me doing all the talking, this is the best way to help you check your grasp of the topics. My advice with that: be honest with yourself about how you answered. If you got it right, that's good. If not, well, you need to know why you got it wrong and study that as well as learning the correct answer. Approaching your preparation like this will help very greatly.

Like most of its peer certifications, the CISM will have some important qualifications for each candidate to meet before they can achieve it. As you see on this slide, there are several. They include:

  • Verified work experience in the field of information security
  • Adhering to ISACA's Code of Professional Ethics
  • Successfully passing the CISM exam
  • Agreeing to comply with the Continuing Education Policy
  • Submitting an application for the CISM Certification

Some are about your experience. Some are requirements to commit to a Code of Ethics, which, it should be said, most of us in the profession consider a pretty important thing to do. I certainly do and I'm sure you do as well. Like its peers, you will need to get regular training to maintain your standing, but if you have other certifications now, then this will come as no surprise. And of course, there's paperwork to do. That part is inescapable, but of great importance as well.

So let's take a few moments and let's take a look at these points. Of course, to be successful every candidate must pass the exam and the general consensus among test takers is to make every effort to do so on the first go. Easier said than done, but working to make that happen is the main reason we're here.

Like most certification exams at this level, this one has an experience requirement, which I will show you shortly. For those who may not have that accomplished, taking and passing the exam would not be pointless now. Doing this now and succeeding will lock in your having done so, allowing you to build up the necessary experience in the following five years, or if you already have some, whatever the difference is between that and the required five total years you'll need.

Once you complete that portion, your standing as a CISM holder will be completed and your certification will be validated and issued. There would be no need to take the exam again. Like almost every professional-level certification, such as the CISSP, the CCSP, and the CIPP, the association backing them requires that the candidate agree to follow a Code of Ethics. This is certainly true in this case. I'll show you that in just a few more slides so that you can familiarize yourself with it.

Make no mistake though, ISACA takes this code and our adoption of it very seriously and it expects us all to do the same in our work. Failing to do so has cost some their certifications over the years, enough said on that.

Also, like its peer certifications, the CISM has a continuing professional education requirement that must be met each year. The base certification period is three years, and during that time, the holder must acquire a total of 120 contact hours, with no fewer than 20 CPE credits in any given year. The ISACA website will provide information about this process and all the different ways to obtain these, usually through classes, webinars, conferences, public speaking, delivering training, and several others. Staying current with our fast-moving, oft-changing cybersecurity landscape is the objective, of course, and each candidate must fulfill this requirement every year. Not doing this risks losing the certification and having to take the test again. I can assure you that having taken it once, you really won't want to go through that again. So be sure to take care of your CPEs each year.



About the Author

Mr. Leo has been in Information Systems for 38 years, and an Information Security professional for over 36 years. He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant. His past employers include IBM, St. Luke's Episcopal Hospital, Computer Sciences Corporation, and Rockwell International. A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center. From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.


Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (in a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004. During this time, he formulated and directed the effort that produced what became and remains the standard curriculum used to train CISSP candidates worldwide. He has maintained his professional standards as a professional educator and has trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004. Mr. Leo is an ISC2 Certified Instructor.
