Cybersecurity Credential Verification
How to Verify a CISM Certification
The CISM (Certified Information Security Manager) is ISACA's flagship management-level cybersecurity credential. ISACA provides a free public verification tool for confirming active certification status. The CISM is frequently sought for CISO, security director, and security governance roles.
Quick answer
Verify CISM (and all ISACA certifications) at isaca.org/credentialing/verify-a-certification. Search by first name, last name, and certification type to confirm active status. The search is free. You can also ask the candidate to provide their ISACA member number for a more precise lookup.
What the CISM certification is
The CISM is issued by ISACA (previously the Information Systems Audit and Control Association) and is designed for security managers, directors, and CISOs. It focuses on information security governance, risk management, program development, and incident management — the organizational and strategic layer of security rather than technical implementation.
CISM requirements:
- Experience: Five years of information security work experience, with at least three years in security management across three or more of the four CISM domains
- Exam: Pass the CISM exam (150 questions, 4 hours)
- Ethics: Agree to ISACA's Code of Professional Ethics
- Annual maintenance: 20 CPE hours per year (minimum) and 120 CPE hours over each 3-year reporting period, plus payment of the annual maintenance fee
The CISM is widely respected in enterprise security, especially in regulated industries (financial services, healthcare, government). It is one of the certifications named in DoD 8140 for cybersecurity workforce roles.
How to verify CISM status
Step 1: Go to the ISACA verification tool
Navigate to isaca.org/credentialing/verify-a-certification. This is the official ISACA public verification portal. It covers all ISACA certifications: CISM, CISA, CRISC, CGEIT, CDPSE, and CSX-P.
Step 2: Enter name and certification type
Enter the candidate's first name, last name, and select the certification type (CISM). The tool returns active certifications matching the search. For common names, having the ISACA member number available allows for a precise match.
Members who have chosen not to be listed publicly will not appear. In that case, ask the candidate to provide their ISACA member ID or a verification letter from ISACA confirming active status.
Step 3: Confirm active certification
The result confirms whether the certification is currently active. ISACA certifications expire if CPE requirements or annual fees are not met. An active result confirms the person is in good standing for the current year.
All ISACA certifications and how to verify them
ISACA issues several related credentials, all verifiable through the same portal:
| Credential | Full name | Focus area |
|---|---|---|
| CISM | Certified Information Security Manager | Security management & governance |
| CISA | Certified Information Systems Auditor | IT audit, control, and assurance |
| CRISC | Certified in Risk and Information Systems Control | IT and enterprise risk management |
| CGEIT | Certified in the Governance of Enterprise IT | IT governance for senior management |
| CDPSE | Certified Data Privacy Solutions Engineer | Privacy engineering and implementation |
| CSX-P | CSX Cybersecurity Practitioner | Technical cybersecurity skills (performance-based) |
All ISACA certifications require the same annual maintenance: minimum 20 CPE hours per year, 120 hours per 3-year reporting period, and payment of the annual maintenance fee.
CISM vs. CISSP: choosing the right credential to verify
| Dimension | CISM | CISSP |
|---|---|---|
| Issuing body | ISACA | ISC² |
| Primary focus | Management, governance, risk | Broad technical + management (8 domains) |
| Best fit | CISO, security director, security manager | Senior security practitioner, security architect |
| Experience required | 5 years (3 in management domains) | 5 years in 2+ CISSP domains |
| Verification | isaca.org/credentialing/verify-a-certification | isc2.org/verify |
Many security leaders hold both CISM and CISSP. They address different dimensions of the role — CISSP demonstrates technical breadth; CISM demonstrates management and governance focus. For CISO and VP Security hiring, both are worth verifying independently.
Verify the degree behind the credential
CISM candidates often hold degrees in computer science, information systems, or business. Use VerifyED to confirm that a candidate's degree is from a legitimately accredited institution — and catch any diploma mill credentials in your security leadership hiring pipeline.