To apply for CISM certification, you must have five or more years of work experience in information security management, with at least three years of that experience in three or more of the job practice analysis areas - or domains - listed below. At the discretion of ISACA, you may use some security-related certifications and information systems management experience to satisfy up to two years of the required five years of experience.
About the CISM Exam
You will have four hours to answer 200 questions based on the four domains:
- Domain 1: Information Security Governance
- Domain 2: Information Risk Management and Compliance
- Domain 3: Information Security Program Development and Management
- Domain 4: Information Security Incident Management
The CISM continuing professional education (CPE) policy requires that you attain at least 20 CPE hours per year and 120 CPE hours every three years.