CISM Certification Exam

How do I get my CISM Certification?

Thinking about getting the CISM? This is an easy guide to all the practical steps you need to take to get it, and all the requirements, starting with why the CISM is a good idea.

If you’re more interested in tips on how to prepare for the exam, check out our other post here.

Why get the ISACA CISM® Certification?

ISACA’s Certified Information Security Manager (CISM) certification is for those with technical expertise and experience in IS/IT security and control who want to make the move from team player to manager. CISM can add credibility and confidence to your interactions with internal and external stakeholders, peers and regulators.

The CISM® certification indicates expertise in information security governance, program development and management, incident management and risk management.

There are over 46,000 CISM credential holders worldwide. Plus, studies show the average salary for a CISM holder is US$118k+.



Globally recognised certification

The CISM is aimed at mid-career IT professionals aspiring to senior management roles in IT security and control. CISM is focused on management skills for IT and security professionals, helping practitioners move to more strategic thinking and to look at over-arching frameworks and solutions.

Here are a couple of other resources that might give you a taste of what’s involved with the CISM:

Meeting the CISM experience requirement

CISM Masterclass | CISM – Domains and Scope | Best resources for CISM by infosec Train – YouTube

Which should you do: CISM® vs CISSP®

Both the CISM and the CISSP are highly sought-after IT security certifications. So, which should you go for?

Both the CISM and the CISSP have a common body of knowledge for information security professionals and managers. They are both global, with high numbers of certification holders around the world. Both are accredited under ISO/IEC 17024:2012. Both are vendor-neutral, require five years of relevant information security work experience to achieve (for the CISM, specifically information security management experience), and mandate completion of continuing education to maintain.

How are they different? From a competitive perspective, the CISSP and CISM complement rather than directly compete with one another. The CISM certification is more management-focused, while the CISSP is more technical. The CISM lens is one of governance and risk, while the CISSP is focused on the security elements themselves.

This is clear from the different domains.

What do you need to get your CISM® Certification?

You must:

  • Meet the practical experience requirement (though you can take the exam without it and complete the requirement afterwards);
  • Pass the CISM exam;
  • Agree to the ISACA Code of Ethics;
  • Submit an application.

Practical experience requirement

People looking to get the CISM must have five (5) or more years of experience in information security management.

The experience must be in the areas described in the CISM job practice areas. The work experience for CISM certification must be gained within the 10-year period preceding the application date for certification. However, you also have 5 years from the passing date to apply for certification, which gives you additional time to meet the experience requirement.



Many individuals choose to take the CISM exam prior to meeting the experience requirements. This practice is acceptable although the CISM designation will not be awarded until all requirements are met.

Prerequisites: 5+ years’ experience in information security management; this can be accrued after passing the exam.

Waivers from 5-year experience requirement

However, waivers are available for a maximum of two (2) years (which means you must still have at least 3 years of information security management work experience). Waivers are available for other certifications or experience, including:

Two Years:

  • Certified Information Systems Auditor (CISA) in good standing
  • Certified Information Systems Security Professional (CISSP) in good standing
  • Post-graduate degree in information security or a related field (e.g., business administration, information systems, information assurance)

One Year:

  • One full year of information systems management experience
  • One full year of general security management experience
  • Skill-based security certifications (e.g., SANS Global Information Assurance Certification (GIAC), Microsoft Certified Systems Engineer (MCSE), CompTIA Security+, Disaster Recovery Institute Certified Business Continuity Professional (CBCP), ESL IT Security Manager)

The experience substitutions will not satisfy any portion of the 3-year information security management work experience requirement.

Exception: every 2 years as a full-time university instructor teaching the management of information security can be substituted for 1 year of information security experience.

Pass the CISM® Certification Exam

You must pass the CISM exam (4 hours, 150 multiple-choice questions).

The examination is open to all individuals who have an interest in information security management. All are encouraged to work toward and take the examination.

The exam

CISM certification exams can now be taken via online remote proctoring or at an in-person testing centre.

If you want to take the exam at an in-person testing site, you can check out the available sites here, to work out which might be best for you.

There are sites throughout most capital cities in Australia.

How much?

Cost: US$575 for ISACA members or US$760 for non-members.

ISACA membership is US$130 plus local chapter dues, so it makes sense to become a member if you’re going to sit the exam.

Join ISACA here.

Your exam registration payment will be due within 90 days from the date of registration. Once you pay, your registration will be valid for one year from the date of registration. You will forfeit your fees if you do not schedule and take the exam during your 12-month eligibility period. No eligibility deferrals or extensions are allowed.

Eligibility is established at the time of exam registration and is good for twelve (12) months (365 days).

Registration process

Exam registration and payment are required before you can schedule and take an exam.

You can register at any time via the ISACA website. Register here.

There’s a really helpful Scheduling Guide, with step-by-step details and screenshots on how to register for an exam, that you can download from the ISACA site here.

When you schedule your exam, you have the option to select either remote proctoring (an at-home exam) or to do it at a test site.

Cancelling and re-scheduling

You can re-schedule or cancel your exam without penalty provided you do it at least 48 hours before the scheduled exam time. However, you can’t get a refund.

Re-scheduling and cancellations can be done via your ISACA account. Refer to the Scheduling Guide for more information.

All rescheduling and cancelling of testing appointments must be done a minimum of 48 hours prior to your originally scheduled appointment. After this point, candidates must either take the exam as scheduled or forfeit their registration fees.

Exam day at home

ISACA offers a ‘remote proctoring’ option, which means that you can do the exam at home.

If you’re thinking about taking this option, make sure you’ve got a good internet connection and that you won’t be interrupted for the 4 hours it might take you to complete the exam. If either of these might be an issue, go for doing it at a test site.

You will also be required to share your device camera and screen by clicking Share My Camera & Screen. Clicking Don’t Share will terminate your exam eligibility. If you’re not comfortable doing this, then don’t select the remote proctoring option.

More information about the exam day at home is available here: online remote proctoring.

This is an example of how the Computer-Based Testing Interface will look and feel.

Exam day at a test site

There are over 1,300 PSI testing locations across the world where you can take the exam, at any time that the location has available. Availability is subject only to the number of rooms or seats available for exam-takers at a given time on a given day at that location.

When you arrive at the test site, you will be required to identify yourself and sign in, and you may be required to sign an agreement. You must hand in your smartphone, your smart watch, your wallet or purse, and other personal items for safekeeping. They are usually stored in a locker that you can access after the exam.

You may have a physical check before you’re allowed to enter the exam room or other location where you will do the exam. This might mean that you are required to roll up your sleeves or show that there’s nothing on your arms or feet.

Be prepared not to be allowed to take anything into the exam: no snacks, handkerchiefs, throat lozenges or even water. The only thing you will be allowed is a form of identification. There should be a small, slate-sized personal whiteboard that you can use to make notes, which will be wiped clean when you leave.

If you want to leave the room at any time during the exam, you need to request that via the on-line chat box.

While you take your exam, you will be physically supervised by a proctor sitting near where you are doing the exam. You are also likely to be virtually monitored by an online proctor who will use video surveillance to make sure that no one can cheat on the exam. You will probably have to identify yourself to the online proctor, and then read and agree to the exam terms.

The online proctor will be continuously observing you, and if you speak, cover your mouth or move your head up, down or sideways, you may be asked to stop (via a chat session).

The exam experience

Each registrant has four hours to take the multiple-choice question exam. There are 150 questions on the exam. Each question has four answer choices; test-takers can select only one best answer.

You can skip questions and return to them later, and you can also flag questions that you want to review later if time permits. While you are taking your exam, the time remaining will appear on the screen.

When you have completed the exam, you are directed to close the exam. You are asked to confirm this decision, which prevents an accidental submission.

At that time, the exam will display your pass or fail status, with a reminder that your score and passing status are subject to review. You will be scored for each job practice area and then provided with one final score.

All scores are scaled: they range from 200 to 800, and a final scaled score of 450 or higher is required to pass.

Exam questions are derived from a job practice analysis study conducted by ISACA. The areas selected represent those tasks performed in a CISM’s day-to-day activities and represent the background knowledge required to develop and manage an information security program.

You can find more detailed descriptions of the task and knowledge statements that are part of the CISM in the CISM Certification Job Practice.

Agree to the ISACA Code of Ethics

Members of ISACA and/or holders of the CISM designation must agree to a Code of Professional Ethics to guide their professional and personal conduct. View ISACA’s Code of Professional Ethics.

Submit a CISM® Certification application form

Once you’ve passed the exam, you can submit an application for the CISM certification to ISACA. This includes an agreement to the ISACA Code of Ethics.

ISACA emails all successful examination candidates the information required to apply for certification, together with formal notification of a passing score. You can also access an application form here.

You will have to pay another, one-off, non-refundable application fee of US$50, when you lodge your application.

As part of completing that application form you will have to:

  • Provide details of your practical experience, to meet the practical experience requirements, and of any waivers you are relying on;
  • Have those details of your relevant work experience independently verified by a supervisor or manager with whom you have worked.

Verifiers cannot be immediate or extended family, nor can they work in the Human Resources department. They must attest to the applicant’s work experience as noted on the application form and as described by the CISM Job Practice Domains and task statements. The verifier must also confirm that:

  • there is no reason you should not be certified as an information security manager;
  • he or she is willing, if required, to answer questions from ISACA about the information in the application form.

It can take 2 to 3 weeks for the application to be processed.

Candidates have 5 years from the passing date to apply for certification.

CISM Training with us

Privacy108, and its sister company, IT Security Training Australia run regular CISM training seminars.

Lead instructor Dr Jodie Siganto is one of Australia’s foremost privacy and security trainers. The training classes are widely recognised as the best preparatory resource for test takers, with a focus on preparing students to take the exam.

In addition to the 3 days of instructor-led online training, you’ll receive the comprehensive ISACA CISM textbook and lots of exam practice.

Our next course is scheduled for June 28 – 30, 2021. More information is available here.

Is it worth it?

At various times you are sure to ask yourself whether it is worth it. The answer is a resounding ‘yes’.

Once you’ve got your CISM, you just need to keep up your CPE hours and pay your annual maintenance fee, and you never need to sit the exam again.

And it is all worth it to be able to put those four letters after your name.

Other references:

CISM Certification | Certified Information Security Manager | ISACA

CISM Certification Job Practice

Gain CISM Certification | IT Certification | ISACA


Register for CISM Training now: Certified Information Security Manager (CISM) Online Training – Privacy108 | Australian Data Privacy & Security Consulting

Privacy, security and training. Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.