Exam Requirements
Eligibility is established at the time of exam registration and is good for twelve (12) months (365 days). Exam registration and payment are required before you can schedule and take an exam. You will forfeit your fees if you do not schedule and take the exam during your 12-month eligibility period. No eligibility deferrals or extensions are allowed.
is the reason we exist – to help business technology professionals and their enterprises around the world realize the positive potential of technology. Our Promise is how we as an organization and as individuals, deliver on our Purpose – the work we do every day to inspire confidence that enables innovation through technology.
Applicants must meet the following requirements to become CISM Certified:
Successfully Complete the CISM Examination: The examination is open to all individuals who have an interest in information systems audit, control and security. All are encouraged to work toward and take the examination. Successful examination candidates will be sent all information required to apply for certification with their notification of a passing score.
For a more detailed description of the exam see CISM Certification Job Practice.
Adhere to the Code of Professional Ethics: Members of ISACA and/or holders of the CISM designation agree to a Code of Professional Ethics to guide professional and personal conduct.
View ISACA’s Code of Professional Ethics
Adhere to the Continuing Professional Education (CPE) Policy: The objectives of the continuing education policy are to:
Maintain an individual’s competency to ensure that all CISMs maintain an adequate level of current knowledge and proficiency. CISMs who successfully comply with the CISM CPE Policy will be better equipped to manage, design, oversee and assess an enterprise’s information security
Provide a means to differentiate between qualified CISMs and those who have not met the requirements for continuation of their certification
Demonstrate the Required Minimum Work Experience: A minimum of 5-years of professional information systems auditing, control or security work experience – as described in the CISM job practice areas – is required for certification. The work experience for CISM certification must be gained within the 10-year period preceding the application date for certification. Candidates have 5-years from the passing date to apply for certification.
Substitutions and waivers may be obtained for a maximum of 2-years as follows:
Two Years:
Certified Information Systems Auditor (CISA) in good standing
Certified Information Systems Security Professional (CISSP) in good standing
Post-graduate degree in information security or a related field (e.g., business administration, information systems, information assurance)
One Year:
One full year of information systems management experience
One full year of general security management experience
Skill-based security certifications (e.g., SANS Global Information Assurance Certification (GIAC), Microsoft Certified Systems Engineer (MCSE), CompTIA Security +, Disaster Recovery Institute Certified Business Continuity Professional (CBCP), ESL IT Security Manager)
The experience substitutions will not satisfy any portion of the 3-year information security management work experience requirement.
Exception: Every 2-years as a full-time university instructor teaching the management of information security can be substituted for every 1-year of information security experience.
It is important to note that many individuals choose to take the CISM exam prior to meeting the experience requirements. This practice is acceptable and encouraged although the CISM designation will not be awarded until all requirements are met.
CISM CPE Policy: English | Chinese Simplified | Japanese | Korean | Spanish
CISM Maintenance Requirements
The CISM CPE policy requires the attainment of CPE hours over an annual and three-year certification period. CISMs must comply with the following requirements to retain certification:
Earn and report an annual minimum of twenty (20) CPE hours. These hours must be appropriate to the currency or advancement of the CISM’s knowledge or ability to perform CISM-related tasks. The use of these hours towards meeting the CPE requirements for multiple ISACA certifications is permissible when the professional activity is applicable to satisfying the job-related knowledge of each certification.
Earn and report a minimum of one hundred and twenty (120) CPE hours for a three-year reporting cycle period.
Pay the CISM annual maintenance fee
Comply with the annual CPE audit if selected
Comply with ISACA’s Code of Professional Ethics
Failure to comply with these certification requirements will result in the revocation of an individual’s CISM designation. In addition, as all certificates are owned by ISACA, if revoked, the certificate must be destroyed immediately.
The goal of the continuing professional education (CPE) policy is to ensure that all CISMs maintain an adequate level of current knowledge and proficiency in the field of information systems security management. CISMs who successfully comply with the CPE policy will be better equipped to manage, design, oversee and assess an enterprise’s information security.
QUESTION 1
Which of the following should be the FIRST step in developing an information security plan?
A. Perform a technical vulnerabilities assessment
B. Analyze the current business strategy
C. Perform a business impact analysis
D. Assess the current levels of security awareness
Correct Answer: B
Section: INFORMATION SECURITY GOVERNANCE
QUESTION 2
Senior management commitment and support for information security can BEST be obtained through presentations that:
A. use illustrative examples of successful attacks.
B. explain the technical risks to the organization.
C. evaluate the organization against best security practices.
D. tie security risks to key business objectives.
Correct Answer: D
QUESTION 3
The MOST appropriate role for senior management in supporting information security is the:
A. evaluation of vendors offering security products.
B. assessment of risks to the organization.
C. approval of policy statements and funding.
D. monitoring adherence to regulatory requirements.
Correct Answer: C
QUESTION 4
Which of the following would BEST ensure the success of information security governance within an organization?
A. Steering committees approve security projects
B. Security policy training provided to all managers
C. Security training available to all employees on the intranet
D. Steering committees enforce compliance with laws and regulations
Correct Answer: A
QUESTION 5
Information security governance is PRIMARILY driven by:
A. technology constraints.
B. regulatory requirements.
C. litigation potential.
D. business strategy.
Correct Answer: D
QUESTION 6
Which of the following represents the MAJOR focus of privacy regulations?
A. Unrestricted data mining
B. Identity theft
C. Human rights protection D.
D. Identifiable personal data
Correct Answer: D
QUESTION 7
Investments in information security technologies should be based on:
A. vulnerability assessments.
B. value analysis.
C. business climate.
D. audit recommendations.
Correct Answer: B
QUESTION 8
Retention of business records should PRIMARILY be based on:
A. business strategy and direction.
B. regulatory and legal requirements.
C. storage capacity and longevity.
D. business ease and value analysis.
Correct Answer: B
QUESTION 9
Which of the following is characteristic of centralized information security management?
A. More expensive to administer
B. Better adherence to policies
C. More aligned with business unit needs
D. Faster turnaround of requests
Correct Answer: B
QUESTION 10
Successful implementation of information security governance will FIRST require:
A. security awareness training.
B. updated security policies.
C. a computer incident management team.
D. a security architecture.
Correct Answer: B
Click here to
view complete Q&A of CISM Exam
Certkingdom Review,
Certkingdom PDF
Best Isaca CISM Certification, Isaca CISM Training at certkingdom.com
