CISM Application - please help

Stureksc Posts: 4, Registered User
Hello everybody,
I just passed the CISM exam. I have a couple of questions regarding the application.

1. Page A2 (Section A and B): What is the definition of "General Information Security"? I am the Director of IT at my company, and I do have "Information Security Management" experience, as I started and established the cyber security program at my company.
I can claim around 7 years of experience in "Information Security Management". I was an Application Developer before and never really worked on information security prior to assuming this Director of IT role. Does that mean that I cannot claim any experience in the "General Information Security" section? I am a little confused. Would really appreciate your help.

2. Page V-1: I report to the CFO. Should I ask him to attest sections 1 and 2 only? Will that work? Since my boss is not a security professional, is he qualified to attest section 3 and 4?

Thank you all for your help.


  • PJ_Sneakers, USA, Posts: 877, Member
    Not to be a smartass, but it's self-explanatory: look and see if what you did in your job matches the sentence next to the checkbox.
  • JDMurray, Certification Invigilator, Surf City, USA, Posts: 11,204, Admin
    Looking at page V-1 on the CISM application under the section Employer's Verification, there does not seem to be a requirement that the employer answering the verification questions be an InfoSec professional.

    Contact [email protected] to get the official ruling.
  • roxer Posts: 130, Member
    You just need 5 years as an IS manager, so you are covered with seven. You can only put up to ten years on the primary anyway--the rest has to be IT Management related. And no, you do not need a security pro to sign off. It just needs to be someone in a high enough position--think VP/CIO or above--that can vouch for you and sign the form.
    2018 Goals:
    To Complete: CISSP-ISSAP | CCSP | CAPM
    Start Master's Degree: WGU - MBA.ITM

    B.S., Business Studies in Computer Information Technology | SNHU
  • Stureksc Posts: 4, Registered User
    Thank you JDMurray and Roxer for your help.
  • Stureksc Posts: 4, Registered User
    Hi PJ_Sneakers,
    Page A-2 does not have a sentence with a checkbox. I am good with page V-2. I am just not sure what "general information security services" means. Is it ok to leave Section B blank on page A-2 since I have more than 5 years of Section A (IS Manager) experience?
  • PJ_Sneakers, USA, Posts: 877, Member
    Do you have a degree or other exemption that can reduce the need for general security experience?
  • lamont29 Posts: 27, Member
    Just call ISACA if you are confused. They are very helpful.
  • Stureksc Posts: 4, Registered User
    No IS related degree. For CISM certification, is "general information security service experience" a must have? My role over the last 7 years has been IS management related. I don't have hands-on Infrastructure or Application security administration experience. I lead a team that does the hands-on work.
  • PJ_Sneakers, USA, Posts: 877, Member
    I believe it's 5 years total infosec, with a minimum of 3 in a management role.
  • JDMurray, Certification Invigilator, Surf City, USA, Posts: 11,204, Admin
    I believe it's 5 years total infosec, with a minimum of 3 in a management role.

    The actual work experience must be broad and gained in three of the four CISM job practice areas (see page V-s, Verification of Work Experience form).
  • zaphod99 Posts: 2, Registered User
    I am also applying for certification after passing the exam and also have problems with the application form.

    How many boxes in each section have to be ticked to gain certification?
    I know that I have to verify my practical knowledge in at least three of the domains, but how deep and wide isn't said.

    I also have the problem that I worked more than eleven years for a company where I don't have any contact with leadership to get my verification. I do have a detailed employment reference letter with all the projects and tasks listed, but there is no time mentioned for the tasks.

    My current employer can only verify my last two years.

    Any additional information would be appreciated.