minimum of five years of information security work experience, with a minimum of three years of information security management work experience in three or more of the job practice analysis areas.
Find more details here http://www.isaca.org/Certification/CISM-Certified-Information-Security-Manager/How-to-Become-Certified/Pages/default.aspx
The job practice domains and task and knowledge statements are as follows:
Domain 1—Information Security Governance (24%)
Domain 2—Information Risk Management (30%)
Domain 3—Information Security Program Development and Management (27%)
Domain 4—Information Security Incident Management (19%)
Domain 1 – Information Security Governance
- Explain the need for and the desired outcomes of an effective information security strategy
- Create an information security strategy aligned with organizational goals and objectives
- Gain stakeholder support using business cases
- Identify key roles and responsibilities needed to execute an action plan
- Establish metrics to measure and monitor the performance of security governance
Domain 2 – Information Risk Management
- Explain the importance of risk management as a tool to meet business needs and develop a security management program to support these needs
- Identify, rank, and respond to a risk in a way that is appropriate as defined by organizational directives
- Assess the appropriateness and effectiveness of information security controls
- Report information security risk effectively
Domain 3 – Information Security Program Development and Management
- Align information security program requirements with those of other business functions
- Manage the information security program resources
- Design and implement information security controls
- Incorporate information security requirements into contracts, agreements and third-party management processes
Domain 4 – Information Security Incident Management
- Understand the concepts and practices of Incident Management
- Identify the components of an Incident Response Plan and evaluate its effectiveness
- Understand the key concepts of Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP)
- Be familiar with techniques commonly used to test incident response capabilities