The Certified Information Security Manager (CISM) is ISACA’s flagship credential for security leaders who design and run enterprise information security programs. It tests management judgment, not deep technical skill. The four-hour, 150-question exam covers four domains and requires a scaled score of 450 out of 800 to pass.
Key Points
- Exam: 150 multiple-choice questions, 4 hours, passing score 450/800 (scaled).
- Four domains: Governance (17%), Risk Management (20%), Security Program (33%), Incident Management (30%).
- Experience: 5+ years in infosec, with 3 years across 3+ CISM practice areas.
- Cost: $575 (ISACA member) / $760 (non-member) for the exam.
- Salary: CISM holders in the US average over $149,000, per ISACA.
- Watch the date: An updated exam content outline takes effect November 3, 2026.
What the CISM Certification Covers
The Certified Information Security Manager (CISM) certification, offered by ISACA, validates that an IT security professional can assess risk, build governance, run a security program, and lead incident response from a business perspective. Unlike deeply technical credentials, CISM asks what a security manager should decide — which control is most appropriate, which risk is greatest, who should be notified first. ISACA frames it as a certification for professionals who already work in information security and want to move into leadership.
More than 100,000 professionals have earned CISM since ISACA launched it in 2002, according to Coursera’s guide citing ISACA. ISACA itself reports 185,000 members across 188 countries, making CISM one of the most recognized security-management credentials globally. It sits alongside CISA, CRISC, CGEIT, and the newer AI-focused credentials (AAIA, AAIR, AAISM) in ISACA’s portfolio.
Where CISSP (from ISC2) is broader and more technical across eight domains, CISM is narrower and explicitly managerial. Many professionals hold both, and if you are weighing CISM against other security-specialty credentials you may find our CCSP vs AWS Security Specialty pay comparison useful. But if your next move is into a CISO, security manager, or GRC leadership role — a path mapped in our cybersecurity certification roadmap — CISM is usually the more direct signal. It proves you can align security with business objectives rather than only harden systems.
CISM Exam Structure and Domains
The CISM exam is a computer-based test administered through PSI testing centers or online proctoring. It consists of 150 multiple-choice questions that you must complete within four hours, as confirmed by The Knowledge Academy and ISACA’s published requirements. That works out to roughly 1.6 minutes per question — comfortable for knowledge questions, tight for the long scenario-based items that dominate the later domains.
To pass, you need a scaled score of 450 out of 800. As DestCert explains, this is not a flat 56% correct threshold. ISACA converts your raw score to a scaled score using a method that accounts for question difficulty, so the exact percentage needed varies. Practically, most candidates who pass report scoring comfortably above 70% on reliable practice banks before exam day.
The current four domains and their weights, per the official ISACA exam content outline and Edudelphi’s domain breakdown, are:
| Domain | Weight | Approx. Questions |
|---|---|---|
| Information Security Governance | 17% | ~25 |
| Information Security Risk Management | 20% | ~30 |
| Information Security Program | 33% | ~50 |
| Incident Management | 30% | ~45 |
Notice where the weight sits: the Security Program and Incident Management domains together account for 63% of the exam. If you are short on study time, those two areas carry the most marks and deserve the most practice. Governance is the smallest domain but tends to appear early and sets the management-thinking frame for everything else.
The November 2026 Content Update
ISACA has announced an updated CISM Exam Content Outline effective November 3, 2026, reflecting evolving job practice areas. Both CertCompanion and CertMage report that updated preparation materials will be available in September 2026 to align with the new outline.
What does this mean for your planning? If you can sit the exam before November 3, 2026, study against the current four-domain structure and weights above — the materials you buy today remain valid. If you schedule after that date, verify the latest domain weights and content directly on ISACA’s official CISM exam outline page before finalizing your study plan, because practice tests and review manuals written for the old outline may not match.
A sensible rule: register for a window before the change if you are already deep into prep, or wait for the September 2026 materials if you are just starting. Sitting an exam during a content transition is the worst option, because third-party question banks lag the official change and your practice scores become unreliable.
Eligibility and Experience Requirements
Passing the exam earns you the right to apply for certification — it does not, by itself, make you a CISM. To be certified you must meet ISACA’s experience requirement: five or more years of work experience in information security, of which at least three years must be in three or more of the CISM job practice areas, per ISACA’s certification steps and the Coursera CISM guide.
You can take the exam before you fully satisfy the experience requirement, but you must submit your completed certification application within five years of passing. This flexibility matters: many candidates sit the exam while they are still accumulating qualifying experience, then certify once their three years across practice areas are documented. A two-year waiver is available under specific conditions (such as holding certain other credentials or completing ISACA-approved experience), but do not assume you qualify — check the waiver rules on ISACA’s site.
Be precise when you document your work. ISACA asks for a manager or supervisor to verify your experience, and applications are audited. Map each role you list to specific CISM practice areas (governance, risk, program development, incident management) with concrete examples — designing a policy, running a risk assessment, building a control framework, leading an incident response. Vague descriptions are the most common reason applications get delayed.
How Much CISM Costs in 2026
The official CISM exam registration fee is USD $575 for ISACA members and $760 for non-members, according to ISACA’s published cost breakdown. Once certified, you pay an annual maintenance fee of $45 (members) or $85 (non-members) to keep the credential active.
Because members save $185 on the exam alone, many candidates join ISACA before registering. Global ISACA membership runs roughly $135 plus local chapter dues, as noted by DestCert’s cost guide — so even in year one the math often favors membership, and it unlocks member pricing on review courses, conferences, and the CISM Review Manual.
Beyond fees, budget for study materials. A realistic all-in spend looks like this:
| Item | Estimated Cost (USD) |
|---|---|
| Exam registration (member) | $575 |
| CISM Review Manual (CRM) | $100–$150 |
| Question bank / practice exams | $50–$150 |
| Video course or bootcamp | $0–$1,500 |
| Annual maintenance fee | $45 |
A self-study candidate can get certified for around $800–$900 total. A bootcamp path can push past $2,500. The exam fee is non-refundable if you no-show, so schedule only when your practice scores are consistently above your target.
Building Your CISM Study Plan
CISM rewards structured, consistent study over cramming. A realistic plan runs 8–12 weeks for someone already working in security, longer if you are newer to management concepts. CertDemand’s 2026 guide estimates 150+ study hours, which maps to roughly 2–3 hours a day over 10 weeks. The plan below assumes an 8-week schedule for a working professional; extend it if you need more time on Governance or Risk.
- Weeks 1–2 — Governance + Risk: Read the CISM Review Manual (CRM) for Domains 1 and 2. Take notes in your own words. Governance is conceptual; Risk is where most candidates need extra reps on risk assessment methodologies and treatment options.
- Weeks 3–5 — Security Program (Domain 3): This is the heaviest domain at 33%. Study program development, standards and frameworks (ISO 27001, NIST), metrics, and resource management. Build a one-page map of how each control category feeds the program.
- Weeks 5–6 — Incident Management (Domain 4): Cover the incident lifecycle: preparation, detection, containment, eradication, recovery, and lessons learned. Memorize who gets notified and in what order — that reasoning shows up on dozens of questions.
- Week 7 — Full practice exams: Switch to timed, full-length 150-question sets. Aim for 75%+ raw before you schedule.
- Week 8 — Weak-spot review: Re-read CRM sections where your practice scores are lowest. Lighten the load in the final 3 days; do not introduce new material.
Track your scores per domain. If Incident Management practice sits at 60% while Governance is at 85%, redistribute your remaining hours to Incident Management. The exam weights make Domain 3 and 4 worth the most points, so protect those gains.
Best CISM Study Materials
The single most important resource is ISACA’s own CISM Review Manual (CRM), which is written directly from the exam content outline. It is dense and dry, but it is the authoritative source — every other material is an interpretation of it. Read it cover to cover at least once, and use it as your reference when you miss practice questions.
Pair the CRM with ISACA’s Review Questions, Answers & Explanations (QAE) database. These questions are written by ISACA and mirror the exam’s style of asking for the “best” or “most appropriate” answer among plausible options. Working through the full QAE set is the highest-yield practice you can do, because it trains you to think the way ISACA’s question writers think.
For video learners, destination-certified providers like DestCert and MindFusion offer CISM MasterClass courses that translate the CRM into plain language. For reinforcement, flashcards and mind maps help with the definitional content in Governance and Risk. Avoid exam-dump sites — their questions are recycled, often wrong, and they actively hurt your ability to reason through real scenario questions. Reliable practice is worth far more than volume of unreliable practice.
Whatever materials you choose, make sure they match the current content outline. With the November 3, 2026 update coming, check the publication or revision date on any book or course you buy. Anything predating the announced update is fine for exams before that date; confirm newer materials before relying on them afterward.
Passing the Exam — Question Strategy
CISM questions are management questions, not technical ones. As practice-test providers note, the exam repeatedly asks what a security manager should do, what the GREATEST risk is, or the MOST appropriate control — with four plausible options and one best answer. You will rarely find an obviously wrong option. Success comes from a consistent decision framework, not from knowing a single fact.
Train yourself to answer with this hierarchy, which Training Camp and experienced passers emphasize:
- Think business first. ISACA favors answers that align security with business objectives and senior-management direction. If one option involves business alignment and another is purely technical, the business-aligned one usually wins.
- Follow the process. For incidents, the sequence is detect → contain → eradicate → recover → report. For risks, it is identify → assess → treat → monitor. Pick the option that is the correct next step in the process, not the one that sounds most thorough.
- Escalate correctly. When asked who to notify, the answer is usually the incident response team and management per the documented plan — not law enforcement, the public, or an individual technician.
- Eliminate, then choose. Cross out the two weakest options first. Between the remaining two, ask which one a competent CISM — not a technician — would do.
Time management matters. Flag any question that takes more than 90 seconds and move on; the exam lets you revisit flagged items. Aim to finish a first pass in three hours, leaving an hour to review flagged questions. Because there is no penalty for guessing, never leave a question blank — even on a revisit, mark an answer before moving forward.
CISM Salary and Career ROI
The financial case for CISM is strong. ISACA reports that the average salary of CISM holders in the United States is more than $149,000, according to the Coursera guide citing ISACA’s own data. That places CISM consistently among the highest-paying certifications in the industry, alongside CISSP and CISA.
Demand is driven by rising breach costs and regulatory pressure. Cybercrime is projected to cost an estimated $10.5 trillion globally in 2025, per Cybersecurity Ventures, as cited in the Coursera CISM guide. That spending pushes organizations to hire professionals who can govern and manage security at a program level — exactly the role CISM validates.
For career trajectory, CISM opens roles that pure-technical certifications do not: Information Security Manager, GRC Lead, Security Director, and stepping stones toward CISO. It complements paths like moving on after CompTIA Security+ toward an ethical-hacking cert by sitting on the management side of the same career. Combined with experience, it signals you can own a security program end to end — set strategy, manage risk, build controls, and lead response. If your goal is to move from practitioner to leader, CISM is one of the clearest, most recognized ways to prove you are ready.
References
- ISACA — Certified Information Security Manager (CISM)
- ISACA — How to Get CISM Certified
- ISACA — CISM Exam Content Outline
- ISACA Support — Certification Costs
- Coursera — CISM Certification Guide: Overview, Cost, and Job Benefits
- DestCert — What’s the CISM Passing Score?
- DestCert — CISM Certification Cost Breakdown
- The Knowledge Academy — CISM Exam Preparation and Process
- Edudelphi — CISM Exam Format and Domains Explained
- CertCompanion — CISM Practice Test (November 2026 update)
- CertMage — CRISC vs CISM: Which ISACA Certification in 2026?
- Training Camp — How To Pass CISM Exam on the First Attempt
- CertDemand — CISM Certification Guide (2026)
- Udemy — CISM Practice Tests