Candidates interested in careers as information security professionals need to know what to expect if they choose to become a Certified Information Security Manager (CISM). People often ask the question, “What does this certification holder do in the real world?” A lot of confusion exists, and part of it comes from the industry itself. Some companies advertise positions for a Certified Information Security Auditor (CISA) when what they really need is a CISM. This article provides insight into the job duties of a CISM and what a typical day might look like.
A CISM’s responsibilities are managerial rather than hands-on. A CISA, which is a hands-on position, requires the titleholder to be able to effectively monitor systems, recognize and analyze threats, apply solutions to stop intrusions, minimize risks, and secure the organization’s systems. In contrast, a CISM manages security processes carried out by others.
Let’s choose one example domain of knowledge covered by the exam and see how that knowledge is applied. In this case, we’ll choose Domain 1—Information Security Governance. Read this list of example task statements from the ISACA site and notice the “managerial” aspect of them all:
- Establish and/or maintain an information security strategy in alignment with organizational goals and objectives to guide the establishment and/or ongoing management of the information security program.
- Establish and/or maintain an information security governance framework to guide activities that support the information security strategy.
- Integrate information security governance into corporate governance to ensure that organizational goals and objectives are supported by the information security program.
- Establish and maintain information security policies to guide the development of standards, procedures, and guidelines in alignment with enterprise goals and objectives.
As you can see, CISMs are in charge of starting, developing, and maintaining security systems and initiatives, rather than performing individual tasks that deploy those systems.
Posted by: Josh Hester