Introduction to CISM - Part Two

This course introduces and outlines the CISM (Certified Information Security Management) certification from ISACA. You will learn a little background information about the certification, how you will be assessed, how the exams are structured and carried out, the requirements of the exam, and recommendations for passing. We will also cover how to maintain the certification and the code of ethics that holders of the certification must adhere to. You will also learn about additional resources that can help you when studying for your exams.

If you have any feedback relating to this course, feel free to contact us at

Learning Objectives

  • Outline the CISM certification and what to expect when studying for it
  • Learn how the exams are taken and structured
  • Learn some helpful tips for taking and passing the exam
  • Understand the administrative aspects of the exams (enrolment, duration, etc)

Intended Audience

The CISM is intended for those in security, supervisory, or management positions, or for anyone who wants to obtain the CISM certification.


Any experience relating to information security would be advantageous, but not essential. All topics discussed are thoroughly explained and presented in a way allowing the information to be absorbed by everyone, regardless of their experience within the security field.



So with regard to your experience, there are several combinations of things that you can use to meet this requirement. The basic goal is to demonstrate and validate a minimum of five years of security work. Three of those years must be in a supervisory or management role, and must involve working in three or more of the job practice areas.

Since these are under regular review and can change at any time without notice, I recommend you consult the ISACA website, found at to find out the latest information on this. And by the way ISACA and its website should be the only source you treat as authoritative when it comes to information about the CISM and its requirements. While others may strive to be correct, as we certainly do here, using ISACA as the only true authoritative source is really the only way you can be certain of the latest and most accurate information.

Here you see that a portion, up to two years of the total five years of experience, can be covered by other activities, but three of the five must be in some form of security management role. This really should not be unexpected. The CISM is intended for persons in any security, supervisory, or management position.

In fact, looking at the job market these days (I do that periodically to see what experience, what specialties and what certifications are being sought by hiring managers and companies, as ISACA and its sister organization (ISC)² routinely do), I see that when the CISM is required or highly preferred in an advertised role, it is for a senior role. CISO roles, in particular, frequently feature the CISM as one of the required professional certifications.

Let's move on to the years that can be substituted and see what ISACA allows. Here you see the various substitutions ISACA will accept if the five-year minimum experience requirement has not been fully met. For two years, ISACA will accept the CISA, the Certified Information Systems Auditor. ISACA accepts this, of course, because it's their own certification: it has its own experience requirement, and they're very familiar with the CISA content.

Next is the Certified Information Systems Security Professional, known as the CISSP. ISACA accepts this for the very same reason that they accept the CISA: they know its content and its quality.

A postgraduate degree in information security or a related field, which could include business administration, information systems, or information assurance, is also accepted for two years. Many of these degree programs rely on content from ISACA and ISC2 programs, so the same reasoning as with the CISA and the CISSP holds true here as well.

Now, for a one-year substitution, we have these options. The first is one year of information security systems management experience; this satisfies a basic but essential requirement. The second is one full year of general security management experience, that is, one year of management experience in a security role, but of a more general nature than IT.

The third is a skill-based security certification such as the SANS GIAC, the Microsoft MCSE, the CompTIA Security+, or the Disaster Recovery Institute's Certified Business Continuity Planner, the CBCP. With these, ISACA recognizes what is required to obtain them and essentially gives credit for the work involved. Most of these also have an experience requirement, but again, they are not complete in terms of what ISACA looks for. Thus, they satisfy only foundational requirements.

The fourth is completion of an information security management program at an institution aligned with the model curriculum. The same reasoning as above applies here, because its essential attributes are known and accepted by ISACA.

So, as I mentioned, here is the ISACA code of ethics. As is common with nearly every security certification body, ISACA requires that every candidate and certificate holder adhere to a strict code of ethics. ISACA understands the necessity of this and requires that all members uphold it in all of their work. This is to ensure that any employer of a certificate holder can have confidence that he or she will perform their duties responsibly and with integrity.

Along with this code comes a designated panel to investigate allegations of misconduct. There is a well-defined process intended to ensure a fair hearing to determine the nature and validity of the allegations, and to let the individual explain or defend themselves. Any violation is considered nontrivial, and the disciplinary action recommended by this panel includes sanctions up to and including forfeiture of the holder's certification. Be sure you read through these canons carefully. I cannot say for sure that you will see a question about this on the exam, but it's always best to be prepared.

Here you see the current arrangement and subject matter for each of the CISM domains. This order reflects the areas of knowledge and practical competence that ISACA believes, after considerable research among professionals and employers, a CISM holder should have. The candidate is required to make claims of experience in one or more of these areas and to provide individuals, preferably certification holders themselves, who will validate the candidate's claims.

In total, the candidate must demonstrate the minimum five years of experience in one or more of these areas, each claim validated by another person; more than one role or more than one validator may be needed to cover the total years claimed. ISACA then contacts the individuals named and provides documents to be completed as evidence of validation. Once that is accomplished, the certificate can be awarded.

This is the domain organization of 2017. About every five years, ISACA formally reviews and may revise this arrangement to ensure it accurately reflects the body of knowledge that the CISM should contain, and that a general update is performed to maintain its currency.

I want to mention one very important point. In preparing this course material we have included information from the ISACA website regarding the test composition, the experience requirements, and other items concerning the overall process. As I've mentioned before, ISACA can change these requirements at any time as they deem necessary. So your best course is to confirm these details on their website before taking your exam for the most current and accurate information.

So with that in mind, let's take a look at the exam overview. As of this writing, this exam consists of 150 multiple choice questions that cover the respective job practice areas created from the most recent job practice survey analysis. Candidates will have up to four hours, 240 minutes that is, to complete this exam. Exam questions are developed with the intent of measuring and testing practical knowledge and the application of general concepts and standards.

Now, each question will have several options, but there is only one best answer. Each question has a stem, which is what ISACA refers to as the question, and four options. Your objective is to choose the correct or best answer from the options. The stem itself can take the form of either a question or an incomplete statement to be completed by your answer choice.

Now, in some cases, a scenario may be included. These questions normally include a description of a situation and require you to answer two or more questions based on the information provided. The scenario itself will take only a matter of a few seconds to read; in other words, it won't be pages and pages. I recommend that you copy these points down before moving on.

Preliminary exam results will be shown on the screen immediately following the completion of your exam, with the official score being emailed and available online within 10 working days. Those who are successful will receive details on how to apply for certification along with this. The email notification will be sent to the email address listed on your profile, and the results are also available through the MyISACA pages, under the MyCertifications sub-page, found on the ISACA website.

Now, the scoring criteria show a scaled score, which is a conversion of a candidate's raw score on an exam to a common, uniform scale. The purpose of this is to ensure that a standard way of reporting outcomes is used across disparate versions of the exam so that different versions are comparable and fair. Put another way, anyone who scores a 400 should feel that their exam fairly represents the material and is comparable to any other candidate's score of 400.

ISACA uses and reports scores on a common scale from 200 to 800 points. To pass this exam, you must receive a score of 450 points or higher, which represents the minimum standard of knowledge required to pass the exam.

The exam outcome is based on the total score only. Sub-domain scores are reported only to indicate relative performance in each area. Dividing the reported scores by the number of domains to get an average does not accurately reflect the total score. It is possible to achieve low scores in multiple domains and still pass, and to achieve high scores in certain sub-domains but still fail.

A score of 450 represents the minimum standard of knowledge and performance that has been met by the candidate. And a candidate receiving this level or higher can then apply for certification assuming all the other requirements have been met.



About the Author

Mr. Leo has been in Information Systems for 38 years, and an Information Security professional for over 36 years. He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant. His past employers include IBM, St. Luke's Episcopal Hospital, Computer Sciences Corporation, and Rockwell International. A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center. From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.


Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004. During this time, he formulated and directed the effort that produced what became and remains the standard curriculum used to train CISSP candidates worldwide. He has maintained his professional standards as a professional educator and has trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004. Mr. Leo is an ISC2 Certified Instructor.
