News about ISACA CISM and “Grandfathering”


ISACA, the Information Systems Audit and Control Association, sponsors the well-known and successful Certified Information Systems Audit (CISA) credential, as well as the brand-new Certified Information Security Manager (CISM) credential. The former (CISA) currently boasts over 37,000 credential holders; over 11,000 people signed up in 2003 to take that exam (given just once yearly). The latter (CISM) just launched this summer when the first-ever exam was administered on June 14, 2003 in 95 locations in 47 countries. According to Debra Vohasek, VP of Certifications at ISACA:

  • The CISM exam was administered during a four-hour session and consisted of 200 multiple-choice questions.

  • There currently are 843 individuals who have been certified and another 300 applications are currently in process.

  • The next CISM exam will be held on June 12, 2004, and will be offered at 210 sites around the world.

For a first-time effort, these represent a major commitment from the sponsoring organization. The results, in terms of the number of individuals already certified—which probably includes test-takers as well as other individuals who’ve successfully sought “grandfathering” into the credential—and in terms of applications under consideration, are pretty substantial but not earth shattering. After all, the other ISACA credential (CISA) had over 11,000 test takers this year, so CISM clearly has a long way to go to catch up. That said, the prospect of over 1,000 certified individuals in the first year of a program’s life is nothing to sneeze at, either.
In fact, the grandfathering option for CISM is pretty interesting all by itself. Here’s a brief overview of what’s required to qualify under that provision, which remains in effect until December 31, 2003:


  • Candidates must complete and submit a grandfather application before 12/31/2003 (

  • Candidates must agree to adhere to the ISACA’s Code of Professional Ethics (

  • Candidates must submit evidence of eight years of work experience in the field of information security. Five of those eight years must have been in the role of information security manager, and be verified by an immediate supervisor or someone else in the organization of higher rank. Also, such experience must be broad and involve four of the five job practice analysis areas (documented at

  • Experience substitutions of one and two years are possible (but may not replace any of the five years required as an information security manager). One year is available to those with one year of IS management experience, who also possess SANS GIAC, Microsoft MCSE, or CompTIA Security+ credentials. Two years is available to those who possess a current CISA, a current CISSP, or who have a post-graduate degree in information security or a related field.
