📋 Table of Contents
- The Standard 5-Year CISM Experience Requirement
- What the Experience Waiver Actually Does
- Credentials That Qualify for the Waiver
- CISSP Holders: Your Specific Path to CISM
- Stacking Waivers to Hit the 3-Year Floor
- What Experience Actually Counts
- How to Apply the Waiver During Your Application
- Frequently Asked Questions
The Standard 5-Year CISM Experience Requirement
CISM is explicitly a management credential. Unlike CISSP, which can be held by architects, engineers, and practitioners across a wide range of roles, every CISM holder is expected to have genuine management experience in the information security field. That intent is built directly into the eligibility rules.
To qualify for CISM certification, ISACA requires all of the following (per the official CISM Certification Requirements published by ISACA):
- 5 years of total information security work experience, gained within the 10-year period preceding your application date or within 5 years of passing the CISM exam
- A minimum of 3 of those 5 years must be in information security management, covering at least 2 of the 4 CISM domains
- Experience must be verifiable - ISACA conducts audits and requires work history documentation
The 5-year clock starts when you begin accumulating IS work experience, not when you pass the exam. You can sit for the exam at any point, but you have a 5-year window after passing to complete your application and demonstrate the required experience.
What the Experience Waiver Actually Does
ISACA's experience substitution policy recognizes that certain credentials demonstrate IS knowledge that partially overlaps with the general IS experience requirement. Holding a qualifying certification signals that a candidate already possesses a verified foundation of IS knowledge - so ISACA reduces the total experience bar accordingly.
The mechanics are straightforward:
- Each qualifying credential substitutes for 1 year of the 5-year general IS experience requirement
- Substitutions are capped at 2 years maximum, regardless of how many qualifying credentials you hold
- The 3-year IS management experience requirement remains fixed - it is not affected by any waiver
- The 10-year lookback window and 5-year post-exam application window are not changed by a waiver
In practice, this means that with the maximum 2-year waiver, a candidate needs a minimum of 3 years of total IS experience (all 3 of which must be in IS management, covering 2 or more CISM domains). This is the fastest legitimate path to CISM eligibility.
Credentials That Qualify for the Waiver
ISACA officially recognizes the following as qualifying substitutions toward the CISM experience requirement. Each provides a 1-year waiver (maximum 2 years combined):
| Credential | Issuing Body | Waiver Amount | Notes |
|---|---|---|---|
| CISSP | (ISC)2 | 1 year | Most common waiver among CISM candidates; must be active at time of application |
| CISA | ISACA | 1 year | Demonstrates IS audit and control knowledge; credential must be in good standing |
| CRISC | ISACA | 1 year | Risk and IS control focus; popular stack with CISM among GRC professionals |
| Graduate degree in IS or related field | Accredited university | 1 year | Master's or doctorate in information security, computer science, information systems management, or equivalent accredited program |
ISACA periodically reviews the substitution list. Always verify against the current CISM Certification Requirements document at isaca.org before submitting your application, since the list can change. ISACA also publishes a list of other certifications it will accept on a case-by-case basis for the 1-year substitution, so if you hold a credential not listed above it is worth contacting ISACA directly.
Note that this substitution policy works in one direction only: holding CISM does not retroactively waive experience toward other certifications through this mechanism. CISM does, however, qualify for the CISSP experience waiver under (ISC)2's separate program - see the related guide on the CISSP experience waiver and why CISM qualifies.
CISSP Holders: Your Specific Path to CISM
CISSP is by far the most common credential that CISM candidates hold when applying for a waiver. If you already have your CISSP, here is exactly what the waiver means for your eligibility timeline.
With CISSP only (1-year waiver)
Your 5-year requirement becomes a 4-year requirement. Of those 4 years, at least 3 must still be in information security management across 2 or more CISM domains. The most likely scenario: a CISSP-certified security manager who has 4+ years of total IS experience, with at least 3 in management, can apply immediately without waiting to accumulate a fifth year of general IS work.
With CISSP + one additional qualifying credential (2-year waiver)
If you also hold CISA or CRISC, or if you have a qualifying graduate degree, the 5-year requirement drops to 3 years. All 3 years must be in IS management in the relevant domains. A CISSP+CISA holder in a management role for 3 years is immediately eligible, with no further waiting.
What CISSP experience does NOT substitute for
CISSP is a broad technical and management credential. The overlap with CISM's management domains is significant - both cover governance, risk management, and incident response frameworks. But holding CISSP does not mean your experience automatically qualifies as IS management for CISM purposes. The job functions you performed matter, not just the credential you hold. A CISSP-certified cloud security engineer doing purely technical work in a non-management role still needs to demonstrate IS management experience separately.
Stacking Waivers to Hit the 3-Year Floor
ISACA allows combining multiple qualifying credentials up to the 2-year cap. In practice this means three credential combinations reach the maximum waiver:
| Credentials Held | Waiver Applied | Minimum Experience Needed | Min. Management Years |
|---|---|---|---|
| None | 0 years | 5 years | 3 years |
| CISSP only | 1 year | 4 years | 3 years |
| CISA only | 1 year | 4 years | 3 years |
| CRISC only | 1 year | 4 years | 3 years |
| Graduate IS degree only | 1 year | 4 years | 3 years |
| CISSP + CISA | 2 years (max) | 3 years | 3 years |
| CISSP + CRISC | 2 years (max) | 3 years | 3 years |
| CISSP + graduate IS degree | 2 years (max) | 3 years | 3 years |
| CISSP + CISA + CRISC | 2 years (max cap reached) | 3 years | 3 years |
The cap at 2 years means that holding three qualifying credentials gives you no additional benefit over holding two. If you are timing your CISM application, two credentials are sufficient to claim the maximum reduction.
One nuance worth noting: the waiver credentials themselves must be active and in good standing at the time of your CISM application. A lapsed CISSP or CISA does not count. If your CISSP is in a grace period or you have missed CPE requirements, resolve that before relying on the waiver for your CISM application.
What Experience Actually Counts Toward CISM
Because the management experience requirement is non-waivable, understanding what ISACA considers qualifying IS management experience is critical. The four CISM domains are:
- Domain 1 - Information Security Governance (17% of exam): Establishing and maintaining the IS governance framework, aligning IS strategy with organizational goals, developing policies and standards
- Domain 2 - Information Security Risk Management (20%): Identifying, assessing, and responding to IS risks; developing risk management frameworks
- Domain 3 - Information Security Program (33%): Developing and managing the IS program, managing resources, overseeing security architecture
- Domain 4 - Incident Management (30%): Developing incident response and recovery capabilities, managing incidents and business continuity
Your management experience must cover work in at least 2 of these 4 domains. ISACA's application asks you to map your experience to specific domain activities. Vague claims ("responsible for security") will not pass an audit. You need concrete role descriptions that map to domain tasks: leading a risk assessment program, owning a security policy framework, directing incident response operations, managing a security team.
Job functions that typically qualify
- Information Security Manager with direct reports or program ownership
- GRC Manager or Risk Manager with IS program scope
- Security Program Manager overseeing IS strategy and governance
- Director-level or above with IS portfolio responsibility
- Security Architect with defined governance or risk management accountability (not purely technical implementation)
Job functions that typically do not qualify as IS management
- Security analyst or engineer roles without management accountability
- Penetration tester or red team roles (these are individual-contributor technical functions)
- SOC analyst positions without supervisory or program responsibility
- Developer or DevSecOps engineer roles, even with security focus
- IT auditor roles - these may qualify for CISA but do not automatically meet CISM's management experience standard
When in doubt, err on the side of submitting experience and letting ISACA evaluate it. Many CISM applicants are surprised by what qualifies - a senior analyst who co-owns a risk management process or sits on an IS governance committee can have legitimate domain experience even without a management title. Conversely, a "Manager" title with purely supervisory responsibilities over technical staff and no program governance work may not fully satisfy the domain requirement.
How to Apply the Waiver During Your Application
ISACA's online application system handles waivers as part of the standard CISM application. The process:
- Pass the CISM exam first (or have it scheduled). You must have passed within the last 5 years to apply.
- Log in to ISACA's Certification portal and start the CISM application.
- In the Experience section, enter your work history, mapping each role to CISM domains.
- In the Substitutions section, list your qualifying credentials with certification numbers and issuing body information. ISACA will verify active status directly with the issuing organizations for major credentials like CISSP.
- Calculate your total experience using the adjusted requirement (5 years minus your waiver). The system will flag whether you have met the threshold.
- Submit and pay the application fee (currently $50 for ISACA members, $75 for non-members).
Your application will be reviewed by ISACA staff. A small percentage of applications are selected for audit, in which case you will need to provide employer-signed verification of your experience. Keeping documentation of your roles, responsibilities, and relevant projects is good practice regardless of whether you expect to be audited.
For the full application walkthrough including experience documentation requirements, see the CISM experience requirements guide. For an overview of all costs involved, see the CISM certification cost breakdown.
Frequently Asked Questions
Does CISSP waive 1 year or 2 years of CISM experience?
CISSP alone waives 1 year of the 5-year CISM requirement, reducing it to 4 years. To reach the 2-year maximum waiver (3-year minimum experience), you need CISSP plus one additional qualifying credential, such as CISA, CRISC, or a qualifying graduate degree.
Can I apply the experience waiver before I pass the CISM exam?
The waiver is claimed during the certification application, which occurs after passing the exam. You cannot apply for certification until you have passed. The waiver does not affect exam eligibility - anyone can sit for the CISM exam regardless of current experience level. Experience is verified only at the application stage.
Does my CISSP need to be active when I apply for CISM?
Yes. ISACA requires that qualifying credentials be active and in good standing at the time of your CISM application. If your CISSP is lapsed or in a CPE delinquency period, resolve the status before submitting your CISM application or the waiver will not be recognized.
If I hold CISSP and CISA, can I apply for CISM with just 3 years of experience?
Yes, with an important condition: all 3 years of experience must be in information security management across at least 2 CISM domains. The 2-year maximum waiver from CISSP plus CISA reduces the total requirement from 5 years to 3 years, but the management experience floor does not change. A candidate with 3 years of IS management experience and both CISSP and CISA active is fully eligible to apply.
Does a bachelor's degree in cybersecurity count for the waiver?
No. ISACA's academic substitution applies to graduate degrees (master's or doctorate) in information security, computer science, information systems management, or closely related fields from accredited institutions. Bachelor's degrees do not qualify for the substitution, though they may be considered as part of general education background in the application context.
I'm a CISSP holder targeting CISO roles. Is CISM worth pursuing?
For most security management career tracks, yes. CISM and CISSP are increasingly viewed as complementary rather than competing - CISSP demonstrates technical breadth while CISM signals governance and management focus. Many CISO job postings at regulated companies list both as preferred credentials. The CISSP waiver means the incremental experience cost to qualify for CISM is just 1 additional year of documentation, not a new multi-year commitment. See the full CISM vs CISSP comparison and the CISM ROI analysis for a deeper treatment.
What happens if ISACA audits my experience application?
If selected for audit, ISACA will ask you to provide employer-signed verification forms documenting your role, responsibilities, and IS management activities. The audit is not a judgment of whether you are qualified - it is a verification that the experience you claimed matches what your employer records show. Candidates who have documented their roles accurately pass audits without issue. The key is that your experience claims in the application are honest and specific enough to be verifiable.
Related Guides
CISM Experience Requirements (Full Guide)
Complete walkthrough of the 5-year requirement, what counts as management experience, the 10-year window, and the application process.
CISM vs CISSP (2026)
Side-by-side comparison: exam, experience, salary, career paths, and why experienced professionals often pursue both.
CISSP Experience Waiver: Why CISM Qualifies
The flip side: how CISM holders can use their credential as a 1-year waiver toward the CISSP experience requirement.
Is CISM Worth It? (2026 ROI Analysis)
Salary premium, career impact, and who should pursue CISM - including the case for CISSP holders adding it as a second credential.