CISM Prerequisites & Eligibility
The CISM is a gated security-management credential: you must show five years of information-security experience, including three years in information-security management, before ISACA will certify you. Here is exactly what counts, the waivers you can claim, and how the pass-first route lets you sit the exam before you have all of it.

01 The short answer
This is what sets the CISM apart from most technical security certifications — there is no “just book it and you’re done” route to the letters after your name. You can take the exam at any time, but ISACA will not grant the certification until your experience is independently verified. The good news: the requirements are clearly defined, and most working security managers already meet them — or are close.
Five years of information-security experience Required
Professional, verifiable work in information security — the foundation layer on which the management requirement sits.
Three years in security management Required
At least three of the five years must be in information-security management, spanning three or more of the four CISM domains. This portion is never waivable.
Verified, recent experience Recommended
Line up your employer or supervisor as verifier before you apply, and confirm that each role you intend to count falls inside ISACA's time window: the 10 years before your application, or the five years after you pass the exam.
02 The experience breakdown & waivers
The five-year requirement is best understood in two layers: a general security-experience layer, of which up to two years can be substituted, and a management layer that is fixed. The table below shows what each requirement and substitution is worth.
| Requirement or substitution | Amount |
|---|---|
| General information-security experience (the full baseline) | 5 years |
| Information-security management experience (within the five, never waivable) | 3 years (fixed) |
| Current CISA or CISSP in good standing | Waives 2 years |
| Postgraduate degree in information security or a related field | Waives up to 2 years |
| Relevant bachelor’s degree (e.g. information systems) | Waives 1 year |
03 What counts as “security management”
The three management years are the part most candidates underestimate. ISACA wants experience in managing security — building programmes, governing risk, and running response — not purely hands-on technical work. It must span three or more of the four CISM domains below.
Information security governance Domain 1
Establishing and maintaining a security strategy and governance framework aligned to business goals.
Information security risk management Domain 2
Identifying, assessing, and treating information risk to keep it within acceptable levels.
Information security programme Domain 3
Developing and managing the programme — people, processes, and technology — that delivers the strategy.
Incident management Domain 4
Planning, establishing, and managing the capability to detect, respond to, and recover from incidents.
04 The path from “eligible” to “certified”
Meeting the experience bar is the heart of it, but certification is a sequence. Here is the full route — and note that the exam can come before the experience is complete.
Build the experience
Accumulate five years of information-security work, including three in security management spanning three or more of the four domains.
Pass the exam
Sit and pass the CISM exam — you can do this before the experience is finished.
Apply with verified experience
Submit the certification application with your experience independently verified.
Pay & stay certified
Pay the certification fee, then keep the credential active by reporting a minimum of 20 CPE hours each year (120 over each three-year cycle) and paying the annual maintenance fee.
05 Which route is yours?
Almost everyone fits one of two paths: certify now because the experience is already there, or pass the exam first and finish the experience afterwards.
You can apply for full CISM now
- You have five years of information-security experience, or three or four years plus a waiver that covers the balance
- At least three of those years are in security management across 3+ domains
- You can have that experience independently verified
- Your experience falls within ISACA’s 10-year look-back window
Pass the exam first
- You are still building toward the five years, or the three management years
- Sit and pass the exam now while the material is fresh
- You then have five years from the date you passed to gain the required experience and submit your application
- This locks in your exam result while your career catches up to the bar
06 FAQ
What are the prerequisites for CISM certification?
To be certified you need five years of professional information-security work experience, with at least three of those years spent in information-security management across three or more of the four CISM domains. Up to two years of the general five-year experience can be waived with certain credentials or qualifications, but the three years of management experience can never be waived. There is no formal education degree requirement to apply for the certification.
Can I take the CISM exam before I have the experience?
Yes. ISACA lets you sit and pass the exam first, then gain and submit the required experience afterwards. You have five years from the date you pass the exam to apply for certification with the verified experience. If you do not apply within that window, the passing result lapses and you would need to retake the exam.
What experience can be waived for CISM?
Up to two years of the general five-year experience requirement can be substituted. A current CISA or CISSP in good standing waives two years; a postgraduate degree in information security or a related field can waive up to two years; a relevant bachelor's degree may waive one year. Substitutions are capped at two years in total regardless of how they are combined, and none of them can reduce the mandatory three years of information-security management experience.
How far back can CISM experience count?
Your qualifying experience must have been gained within the 10 years preceding your application for certification, or within five years after you pass the exam. All experience must be independently verified by your employer, supervisor, or another professional who can confirm it before ISACA grants the certification.
