Application Window, Experience, and Ethics
Key Takeaways
- Apply for CISM certification within five years of passing the exam, or the pass expires and you must re-test.
- You need at least five years of information security work experience, including at least three years in information security management roles that span at least three of the four job-practice domains.
- Up to two years of experience can be waived with qualifying credentials or degrees.
- All experience must be verified by an independent party, and you must agree to the ISACA Code of Professional Ethics.
Application Window, Experience, and Ethics
Passing the exam starts a clock. You must submit a successful certification application within five years of your exam pass date; miss that window and the pass is void and you must sit the exam again. The application proves you meet the work-experience requirement, the part of CISM that catches many candidates who pass the test but cannot yet certify.
The core experience rule:
| Requirement | Detail |
|---|---|
| Total experience | Minimum 5 years of information security work experience |
| Management experience | At least 3 years in information security management |
| Domain coverage | The 3 years of management work must span at least 3 of the 4 job-practice domains |
| Recency | Experience must be earned within the 10 years before applying (or within 5 years of passing) |
| Verification | Independently verified by an employer/supervisor |
The management requirement is what distinguishes CISM from technical certifications -- ISACA wants evidence you have led, not just operated, security functions.
The "three of the four domains" rule trips up specialists. An engineer who spent five years deep in incident response may have abundant Incident Management experience but little in Governance, Risk, or Program management -- and would not satisfy the breadth requirement. Map your roles to domains honestly before applying. If you are short on breadth, you can keep the exam pass valid for up to five years while you accumulate the missing domain experience, then apply once the spread is met.
Experience waivers
You can substitute a maximum of two years of the general (non-management) experience with qualifying credentials. The 3-year management requirement cannot be waived. Typical substitutions:
- Two-year waiver: holding CISA or CISSP in good standing, or a postgraduate degree in information security or a related field.
- One-year waiver: one year of general IT/security management experience, a related bachelor's/master's degree, or certain skill-based security certifications.
Waivers stack only up to the two-year cap, so even with both CISA and a degree you still need three verified years of management experience.
The Code of Professional Ethics
Applying binds you to the ISACA Code of Professional Ethics, which is enforceable -- violations can lead to investigation and revocation of the credential. On the exam, ethics questions test whether you would choose the response that upholds the Code over expediency. Core duties include:
- Support implementation of and encourage compliance with standards and procedures.
- Perform duties with objectivity, due diligence, and professional care.
- Serve stakeholders lawfully and maintain high conduct and character.
- Maintain confidentiality of information obtained, except where legally required to disclose.
- Maintain competency and undertake only tasks you can reasonably complete with skill.
- Inform appropriate parties of results, disclosing all material facts.
- Support professional education of stakeholders.
A classic exam scenario: you discover a serious control failure that embarrasses a manager who asks you to stay quiet. The Code-aligned answer is to report it through the proper channel with all material facts -- objectivity and stakeholder duty outrank loyalty to an individual.
Verification and the application itself
Experience cannot be self-attested. Each role you claim must be independently verified by someone who can confirm it -- typically a current or former supervisor, HR, or an ISACA member who knows your work. ISACA may contact verifiers, so list people who will respond. Assemble the application carefully:
- Map your roles to the four job-practice domains and show at least three domains in your management years.
- Record start and end dates for each role; experience must fall within the allowed recency window.
- Identify and document any waivers (CISA/CISSP in good standing, qualifying degree) up to the two-year cap.
- Confirm verifier contacts for every role before submitting.
- Pay the application/certification processing fee and agree to the Code.
Why ethics questions feel different
Unlike technical items, ethics questions rarely have a clever trick -- they test whether you will default to the principled action. Reliable tie-breakers: protect the organization and stakeholders over any individual; disclose material facts rather than conceal; act only within your competence; and preserve confidentiality unless law requires disclosure. If an option asks you to ignore a finding, mislead a stakeholder, exceed your competence, or breach confidentiality for convenience, it is wrong on the exam regardless of how pragmatic it sounds.
The same Code governs you after certification: a substantiated violation can trigger investigation and revocation, so the exam habit and the professional duty are one and the same.
Timing the application around the five-year window
The five-year clock starts the day you pass the exam, and it is the most common reason a hard-won pass goes to waste. Build a simple plan the moment you pass: note the expiry date, gather verifier contacts early (people move on and become hard to reach), and submit as soon as you genuinely meet the five-year/three-year-management/three-domain thresholds rather than waiting. There is no benefit to delaying once eligible, and several risks to it -- lost verifiers, changed rules, or simply forgetting.
If you will clearly miss the window, understand the consequence plainly: the pass is void, and certifying later means re-sitting and re-passing the 150-question exam, paying the exam fee again, and restarting the application. Treat the application as the second half of the same project as the exam, not an optional afterthought.
A candidate passed the CISM exam, holds CISSP, and has four years of general security experience but only one year in a management role. Can they certify now?
An information security manager finds a control gap that would embarrass a senior peer, who asks them to keep it quiet. Per the ISACA Code of Professional Ethics, the BEST action is to: