Certification After Passing
Key Takeaways
- Passing the exam only makes you exam-eligible; you must also prove experience and submit an application to become a CISM.
- CISM requires five years of information security management experience within the prior 10 years, and up to two years can be waived.
- You have five years from your exam pass date to submit a successful certification application or the pass expires.
- Maintaining the credential requires 120 CPE hours per three-year cycle and at least 20 CPE hours every year.
- Active status also requires the annual maintenance fee and compliance with ISACA's Code of Professional Ethics.
Passing the exam does not make you a CISM. It makes you exam-eligible. To earn the credential you must also prove qualifying work experience and submit a certification application, and you have five years from your exam pass date to do so or the pass expires.
The experience requirement
ISACA requires a minimum of five years of professional information security management work experience, gained within the 10 years preceding the application (or within five years of passing the exam). The experience must fall within the CISM job-practice domains, and a portion must be in actual security management, not purely technical work. The intent is that a CISM has genuinely operated as a manager -- setting strategy, owning a program, managing risk and incidents -- rather than only performing analyst tasks.
You can waive up to two years of the five-year requirement with qualifying substitutions, for example:
| Substitution | Maximum waiver |
|---|---|
| Hold CISA or CISSP (in good standing) | 2 years |
| Hold a post-graduate degree in information security or a related field | 1 year |
| Other ISACA-recognized credentials / experience equivalents | 1 year |
Waivers are capped at two years total, so you must always document at least three years of direct security-management experience yourself. A waiver does not stack beyond the cap: holding both CISSP and a master's degree still only buys two years, not three. A supervisor or other independent verifier confirms the experience on the application.
The application and fee
Submit the CISM application through your ISACA account with the verified experience, and pay the US$50 application processing fee. Once approved, you are formally certified and may use the CISM designation. Plan the timing: although you have five years, gathering verifier signatures from past employers gets harder as time passes, so most candidates apply soon after passing while contacts and records are fresh.
Keeping the credential active (CPE)
CISM is not permanent -- it runs on a three-year cycle with Continuing Professional Education (CPE):
| Requirement | Detail |
|---|---|
| Three-year total | Minimum 120 CPE hours per three-year reporting cycle |
| Annual minimum | At least 20 CPE hours every year |
| Maintenance fee | US$45 member / US$85 nonmember, paid annually |
| Conduct | Comply with ISACA's Code of Professional Ethics and the CISM CPE policy |
| Audit | Retain documentation; respond if selected for a CPE audit |
CPE hours come from sources such as ISACA training, conferences, webinars, university courses, vendor training, and certain professional contributions like teaching or publishing -- you keep records (agendas, certificates, attendance proof) in case of audit.
Trap to avoid: assuming a passing exam alone equals certification, or letting the five-year application window lapse. Another common slip is meeting the 120-hour total but missing the 20-hour annual minimum -- you can be compliant on the three-year sum and still fall out of compliance for a single under-target year. A third is forgetting the annual maintenance fee, which lapses the credential independently of CPE. Treat CPE like any control with a metric: track hours continuously, keep evidence, and report on schedule rather than scrambling at renewal.
The discipline mirrors what CISM expects of a security program -- measurable, evidenced, and reported on a defined cadence rather than reconstructed under pressure. If selected for audit, an organized, documented record of hours and sources is what keeps the credential in good standing.
The full path from pass to active credential
It helps to see the whole sequence in one place, because each stage has its own deadline and fee:
| Stage | Requirement | Fee / deadline |
|---|---|---|
| 1. Pass the exam | Scaled score of at least 450 | Per-attempt exam fee |
| 2. Document experience | 5 years (up to 2 waivable) in CISM domains, within prior 10 years | Verifier signatures required |
| 3. Submit the application | Verified experience via ISACA account | US$50; within 5 years of passing |
| 4. Maintain the credential | 120 CPE / 3-year cycle, 20 CPE / year | Annual maintenance fee |
Worked CPE example
Suppose you certify and your three-year cycle runs 2027-2029. You attend a two-day conference in 2027 worth 16 CPE, complete an online course worth 30 CPE, and log ISACA webinars and reading throughout. To stay compliant you must hit at least 20 hours in each of 2027, 2028, and 2029, and 120 across the three years combined. A candidate who front-loads 100 hours in 2027 but earns only 10 in 2028 has missed the annual minimum for 2028 even though the three-year total is well on track -- the annual floor exists precisely to prevent cramming all education into one year.
Spreading hours evenly, roughly 40 per year, comfortably clears both requirements with margin.
Ethics and good standing
Beyond hours and fees, an active CISM must comply with ISACA's Code of Professional Ethics, which covers integrity, due care, confidentiality, and supporting the profession. Misrepresenting experience on the application, sharing protected exam content, or failing a CPE audit can jeopardize the credential. The recurring theme across this entire chapter holds here too: CISM expects you to manage your own certification the way it expects you to manage a security program -- with documented evidence, defined deadlines, and honest reporting, rather than improvisation at the last minute.
How much qualifying work experience does CISM certification require, and how much can be waived?
What are the CISM continuing education requirements to keep the credential active?
How long after passing the CISM exam does a candidate have to submit the certification application?