An Expert Overview of CISM®

A Springboard to Career Success

CISM® (Certified Information Security Manager) is a globally recognised qualification that provides a good understanding of IT security with a management flavour.

But with so much in the news about AI, Cloud security and other niche areas of cyber security, it’s easy to overlook the importance of such solid, tried-and-tested qualifications in information security.

Adesoji ‘Soji’ Ogunjobi is a cyber security specialist and instructor, with nearly two decades of experience as a cyber security professional and IT auditor.

He also has an MSc in Information Technology, Computer and Information Systems, as well as CISM, CISSP, CISA, CCSP and various other cyber security qualifications.


In this interview

  • Topics covered by CISM
  • Who CISM is aimed at
  • Career opportunities
  • Alternatives to CISM
  • The benefits of IT Governance’s CISM training course

What ground does CISM cover?

There are four domains:

  1. Information Security Governance [17% of the CISM exam]
  2. Information Security Risk Management [20% of the exam]
  3. Information Security Program [33% of the exam]
  4. Incident Management [30% of the exam]

We describe these four information security principles as the shelves that you put your cyber security books on. Without them, you’ve just got a pile of knowledge without structure or context. The ISACA CISM curriculum gives you a strong grounding in the fundamentals.

How is CISM different from general information security certifications?

It’s not just technical training – it’s management training.

The key difference is the perspective you take.

CISM improves your understanding of stakeholder management. You learn how information security functions interact with one another, and with other areas of the organisation.

This puts you in a better position to empathise, anticipate, negotiate and add to the management function of the business, as well as to the technical area you work in.

Being CISM certified shows employers you have put in the effort to understand how and why your operational area contributes to the business. However much you love your field, when you want to move into management, knowledge of areas other than IT and business is crucial.

If you specialise too soon, you could get stuck in a career corridor. You get better and better at one technical area, but don’t get to manage teams or put your forte to use in steering the organisation in your niche.

In short, studying for CISM opens your eyes to areas of information security you may want to explore further. At the same time, CISM is recognised for giving you a grounding in management.

With that in mind, who is CISM aimed at?

The CISM course is aimed at people working in – and passionate about – information security. Specifically, for those who want to take on more responsibility or progress their careers.

That includes people assessing information security infrastructures as auditors and consultants.

According to ISACA [the awarding body], CISM is also suitable for people interested in learning how to manage, design, oversee and assess information security within an organisation.

My take-away from that statement is that you don’t have to be a passionate information security careerist – you can just be intellectually curious.

So, people who come from an operations or IT support background may benefit from this course.

Likewise, people who sell information security products, or sell to information security companies, and want to understand the field a bit more, may wish to take this course. But they need to be prepared to deal with a lot of technical content.

What career opportunities are there for CISM graduates?

CISM is one of the qualifications employers often list as either a requirement or desirable when hiring for fairly senior positions.

In large organisations, it’s common to be working with people with similar qualifications.

In smaller organisations, the CISO [chief information security officer] or cyber security manager tends to be an important but solitary role.

So, the CISM qualification gives hiring managers reassurance that you can interact with other managers, but also take responsibility and work independently on security matters.

What is an alternative information security qualification to CISM?

CISSP® [Certified Information Systems Security Professional] is another senior managerial qualification that is very well regarded – perhaps even a step above CISM.

Many people hold both CISM and CISSP certifications – probably because the course material for both is fascinating and useful.

However, CISSP explores the many domains of information security, covering a much broader range of topics. Whereas CISM looks a little more broadly at how IT security is run – it’s more managerial in nature.

What other information security training should IT professionals look into?

CISA® [Certified Information Systems Auditor] is another popular senior-level qualification. As the name suggests, CISA focuses on auditing and is more role specific.

In my experience, people take this because their role – managing information security compliance frameworks – requires auditing skills.

They may also take it because they want to become auditors, or use auditing skills as consultants assessing and recommending improvements to existing infrastructures.

That said, the qualification gaining the most traction is CCSP [Certified Cloud Security Professional]. This ISC2 course really takes a management view of Cloud computing and infrastructure. It recognises that organisations can’t afford to have a blind spot in this area, as operations increasingly move into the Cloud.

Anyone aspiring to acquire CISM, CISSP, CISA or CCSP also needs to look at short courses that dive into the different frameworks and regulations CISOs commonly deal with, like ISO 27001. After all, managers need a breadth of knowledge – not just in-depth expertise of a particular area or skill set.

IT Governance offers a CISM training course. How is it different from other CISM courses?

The quality of the training material, the support and, of course, the trainers are outstanding.

IT Governance is expert-led: all trainers are qualified in the subjects they teach. Moreover, they’ve applied those qualifications in the field.

You could go to a company that only sells training courses – but there’s no guarantee that the instructors have a hand in the training material, or will even be expert practitioners.

They may be good teachers, but lack the experience to be able to help students understand why the topics are important and/or share real-life scenarios in which they’ve put them into action.

Do you have any final words of advice?

If you’re young, CISM puts you in the running for management roles. It can also help you secure good mentors as you gain experience.

If you’re mid-career or transitioning into cyber security, CISM is a fantastic bridge into a much-needed area of IT.

The course is serious, but not onerous, and you can go for a four-day course to make good use of a few days’ annual leave. Plus, before you even get the qualification, a professional network is ready to support and guide you.

How can people get in touch?

If you’re stuck trying to decide between CISM and CISSP, or any of our other courses, contact our training team on training@itgovernance.co.uk, or call us on +44 (0)333 800 7000.

We have some handy guides to help you determine which one is best for you.


Ready to start your CISM journey?

Our specialist-led, four-day exam preparation course will help you build your senior career in information security management.

It covers:

  • Information security concepts;
  • Industry best practice;
  • Information around the key CISM job practice domains; and
  • Exam preparation exercises.