Does ISACA have any substitutions or waivers for its certification requirements?
Yes, it does. The following substitutions and waivers may be obtained:
- Candidate has earned the Certified Information Systems Auditor (CISA)® credential and is in good standing
- Candidate has earned the Certified Information Security Professional (CISP)® credential and is in good standing
- Candidate has a post-graduate degree in information security or a related field such as information assurance
- Candidate has skill-based security certifications such as CompTIA Security+ or Microsoft Certified Systems Engineer (MCSE)
- Candidate has one year of experience in information systems management
- Candidate has one year of experience in general security management experience
Keep in mind that experience substitutions do not replace the three-year information security management work experience requirement. The only exception is for university instructors teaching information security management. Every two years of their experience working full-time is equal to one year of information security experience.
How does ISACA rate candidates in the CISM exam?
ISACA rates candidates on a regular scale from 200 to 800. To pass the CISM® certification exam, you need to achieve a score of 450 or above.
What does the CISM certification exam cover?
The certification exam covers the four domains below, which are shown with their weights:
- Domain 1 – Information Security Governance (24%)
- Domain 2 – Information Risk Management (30%)
- Domain 3 – Information Security Program Development and Management (27%)
- Domain 4 – Information Security Incident Management (19%)
What are the certification pre-requisites?
In addition to passing the exam, you will need to fulfil the requirements listed below to earn the CISM credential:
- Demonstrate a minimum of five (5) years of professional information systems auditing, control, or security work experience; this experience should be within the 10-year period preceding the date you applied for the certification
- Adhere to the Code of Professional Ethics
- Adhere to ISACA’s Continuing Professional Education (CPE) Policy
How can I maintain my certification?
CISM® credential holders will need to do the following to maintain their certification:
- Earn and report a minimum of 20 CPE hours every year, starting from the year after they were certified
- Earn and report a minimum of 120 CPE hours over the span of three years
- Pay the annual maintenance fee
- Comply with the CPE audit if selected
- Comply with ISACA’s Code of Professional Ethics
When will I receive my exam results?
You will get your preliminary results immediately after submitting your exam. You will receive your official score via email within 10 working days. Alternatively, your score will be available online within 10 working days.
What other languages can I attempt the examination in?
In addition to English, you can choose to take the CISM examination in Simplified Chinese, Japanese, or Spanish.
What will happen to my CISM certification status if I no longer practice or decide to retire?
ISACA offers a Non-Practicing and a Retired status for professionals as long as they meet certain requirements.
The Non Practicing status is provided to active certification holders who have short- or long-term unemployment or disability, no longer work in the field but wish to retain their certification, or have extenuating circumstances which have been approved by the Certification Working Group. Non-practicing CRISC professionals will need to pay the annual maintenance fee even if they do not earn CPEs.
As for the Retired status, this is provided to professionals who are above 55 years of age and have retired from their profession, or those unable to perform specific job functions due to permanent disability. Unlike the Non-Practicing status, practitioners cannot return to Active once they retire. They will need to re-take and pass the certification exam before re-applying for the certification.