Embracing the Infosec Imperative? Consider CISM

Infosec remains a top priority for organizations as both data volumes and attack vectors expand. Tech Republic noted 89% of companies now point to widespread threats such as phishing and ransomware as their biggest security issues. In comparison, 53% said problems with unpatched systems are paving the way for potential attacks.

The result? There's no shortage of demand for skilled and certified information security professionals. ISACA's Certified Information Security Manager (CISM) certification is one of the most well-known and well-respected industry qualifications. It is sought after by both IT and non-tech firms alike.

If you're embracing the infosec imperative to design a career path around defensive data management, CISM is a great starting point. Here's what you need to know about the CISM qualification, its key requirements, how it stacks up against other infosec options — and what this certification can do for your career.

What is CISM?

ISACA offers the CISM certification to showcase one's expertise in information security governance, data protection program development, specific incident management, and overall risk management. With more than 450,000 certification holders worldwide, CISM is often a top priority for firms looking to shore up their infosec management strategy with skilled security professionals.

The CISM qualification focuses on four key practice areas:

  • Information security governance
  • Information risk management and compliance
  • Information security program development and management
  • Information security incident management

It's worth noting that this is a management-track certification, meaning it has more extensive requirements than entry-level infosec qualifications. CISM also offers a way for security professionals to combine front-line experience with management expertise: infosec pros are often tasked with aligning security and business strategies so that both work in concert to deliver consistent ROI and reduce total risk. Common CISM areas of practice include:

  • Providing security leadership and guidance to front-line staff.
  • Reviewing, implementing, and documenting the deployment of new security policies and controls.
  • Managing security audits at scale.
  • Integrating solutions and strategies to minimize incident risk and improve recovery time.

What are the CISM Certification Requirements?

CISM certification offers a path to management for front-line security professionals looking to leverage their current expertise and take on broader security oversight responsibilities across the enterprise.

As a result, applying for CISM certification requires at least five years of professional information security management work experience, as defined by ISACA's four key practice areas. Waivers may also be obtained to account for part of this experience. For example, a post-graduate degree in business administration or information systems waives two years of the experience requirement, while skill-based certifications such as GIAC, MCSE, or CompTIA Security+ waive one year. Candidates must then pass the CISM exam with a score of at least 450 on a 200-800 point scale. Note that this is not a percentage; the raw score is converted to a common scale established by ISACA. Certifications are valid for three years.

While no CISM training is required for certification, it's often worth the investment for security professionals already working full-time. Although in-situ experience often aligns with CISM practice areas, reputable online courses help ensure that security professionals have the focused knowledge needed to complete the CISM exam.

In general, skills training is also valuable. As noted by Dark Reading, while certifications remain a priority for enterprises looking to shore up security best practices, expanding skill sets are critical for IT experts to keep pace with evolving infosec threats.

Companies are now looking for various infosec credentials to ensure they have the depth and breadth of in-house talent necessary to combat emerging issues. As a result, other popular certifications such as CISA and CISSP are often mentioned in the same CISM conversation. But which is your best bet?

The answer depends on one's preferred career path. While the Certified Information Systems Auditor (CISA) and the Certified Information Systems Security Professional (CISSP) target specific aspects of information governance and security, they lack CISM's larger management focus. Simply put: if infosec management roles are your priority, opt for CISM certification.

Common CISM Careers

CISM-certified professionals typically see salaries of $120,000 or more, depending on their specific corporate role and experience. Some common job titles include:

  • Information system security officer: These experts are responsible for ensuring infosec cooperation and coordination across disparate enterprise departments.

  • Information privacy and risk consultant: Risk and privacy consultants focus on processes and policies. It's their job to identify potential weak points, draft defensive strategies, and implement them at scale.

  • Information security manager: Information security managers are responsible for the safety and security of enterprise networks, databases, and IT systems by ensuring that systems are kept up to date and that best practices are effectively implemented.

Are you looking to make a move from front-line security to infosec strategy, design, and management? CISM certification has you covered.
