The CISM (Certified Information Security Manager) certification from the ISACA (Information Systems Audit and Control Association) has been developed for professionals who are dedicated to information security management. This defines the knowledge and skills for these professionals to be able to design, monitor, evaluate and manage the information security of an organization. Do you want to know more about the CISM certification and what is its importance?
CISM certification scopes
The information security domains or fields covered by the agenda of this certification are:
- Security strategy.
- Governance framework to support the security program.
- Involvement of the Corporate Government in the Security Government to achieve the strategic objectives.
- Definition and establishment of the Security Policy.
- Development of business cases to optimize security investments.
- Identification of the Organization's Environmental Factors (internal and external context) and the Organization's Process Assets) that influence the development and implementation of the security strategy.
- Definition of security roles and responsibilities.
- Ensuring the commitment of Senior Management and the most important stakeholders.
- Definition and obtaining of the effectiveness indicators of the security program.
- Classification and assurance of information assets.
- Identify the legal obligations of compliance by the organization.
- Regular assurance of risk review, vulnerability analysis and evaluation of mitigation measures.
- Definition and implementation of the response plan to the identified risks.
- Integration of risk management with business processes and information technology.
- Risk monitoring to identify and manage changes in them.
- Assurance that the program and business objectives are aligned.
- Management of the necessary resources for the implementation and fulfillment of the program.
- Establishment and maintenance of the security architecture to carry out the program.
- Define, develop, implement, communicate and review procedures, guides, etc. that support the Information Security Policy.
- Definition of the Safety Training and Awareness Plan.
- Integration of security requirements in the processes of the organization.
- Integration of security requirements with third parties that access the organization's information.
- Monitoring the effectiveness of the program.
- Definition of information security incidents for their identification, classification, communication and follow-up.
- Development of the Response Plan for Security Incidents.
- Development of incident identification procedures.
- Development of incident investigation procedures to determine their causes, comply with legal requirements, etc.
- Development of the Incident Awareness Plan.
- Development of the Incident Communication Plan.
- Review of the effectiveness of the management of security incidents suffered by the organization.
How to get CISM certification?
CISM not only certifies knowledge, but also professional experience. That is why, to be able to take the CISM certification exam, it is necessary to accredit 5 years of work experience in information security management in at least three of the four commented domains, although up to 2 years of experience can be validated required (other security experience, certifications , etc.)
How many questions are on the CISM exam?
The CISM exam questions consists of 150 questions to answer in four hours of which 24% correspond to domain 1, 30% to domain 2, 27% to the third and 19% to the fourth.
There is no reliable information about the percentage of correct questions required to pass the exam, but a score equal to or greater than 75% is considered sufficient.
Read also: CISM vs. CISSP
Having the CISM certification accredits a professional (and their work experience) as an expert in the development and management of security programs. It is recognized internationally and is one of the highest-paid certifications. Thus, obtaining this certification provides a competitive advantage and is convenient as a complement to an official information security study.