ISACA CISM

The ISACA Certified Information Security Manager (CISM) is the leading credential for information security managers who design, build, and manage enterprise security programs. It focuses on security governance, risk management, information security program development and management, and incident management — testing strategic leadership and management judgment rather than technical implementation skills.


CISM Exam Overview

Detail: Information
Full Name: ISACA Certified Information Security Manager (CISM)
Governing Body: ISACA
Number of Questions: 150
Time Limit: 4 hours
Passing Score: 450/800 (scaled)
Exam Fee: $575 (ISACA members) / $760 (non-members)
Category: IT Certifications
C3RT App Available On: iPhone, iPad, and Mac
Official Source: ISACA official website

CISM Content Areas and Domains

Domain / Content Area Exam Weight
Information Security Governance 17%
Information Security Risk Management 20%
Information Security Program 33%
Incident Management 30%

Domain weights are approximate and based on the ISACA content outline. Always verify at the official source before your exam.

Topics Covered

  • Information Security Governance — security strategy, frameworks (ISO 27001, NIST), governance metrics
  • Information Security Risk Management — risk identification, analysis, treatment, monitoring
  • Information Security Program — program development, policy framework, standards, controls, resource management
  • Incident Management — incident response planning, detection, escalation, recovery, lessons learned

How C3RT Helps You Pass the CISM

01 Adaptive Practice

Questions adapt to your weak areas automatically so every study session on the CISM is time well spent.

02 Diagnostic Mocks

Full-length mock exams timed to the real CISM format (150 questions, 4 hours) with detailed score breakdowns by domain.

03 Mistake Bank

Every wrong answer is saved for targeted re-drill. The system resurfaces your mistakes until they stick.

04 Native on iOS & Mac

Built with SwiftUI, not a web wrapper. Instant load, offline support, native rendering.

CISM Frequently Asked Questions

What does CISM stand for?

CISM stands for Certified Information Security Manager. The credential is developed and administered by ISACA.

Who administers the CISM?

The CISM is administered by ISACA, which sets the exam content outline, eligibility rules, and fees. For official information, visit the ISACA website.

How many questions is the CISM?

The CISM consists of 150 questions. Candidates are given 4 hours to complete the exam.

What is the passing score for the CISM?

The passing score for the CISM is 450/800, as set by ISACA. Scoring methodology and passing standards may be updated periodically. Always verify current requirements with the governing body.

How much does the CISM exam cost?

The CISM exam fee is $575 (ISACA members) / $760 (non-members). This fee is set by ISACA and may vary by testing centre, region, or membership status. Additional fees for registration or rescheduling may apply.

What is the difference between CISM and CISSP?

CISM is a management-focused credential from ISACA — it tests your ability to design and manage a security program, align security with business objectives, and make governance decisions. CISSP from ISC2 is broader, covering 8 technical and management domains. CISM is preferred for CISO and security manager roles; CISSP is more common for senior security architects and practitioners. Many senior professionals hold both.

What are the CISM experience requirements?

CISM requires 5 years of information security work experience, with at least 3 years in information security management in 3 or more of the 4 CISM job practice domains. Experience must be within the 10 years preceding application or within 5 years of passing the exam. ISACA verifies this experience before granting the credential.

Is CISM harder than CISSP?

Difficulty depends on your background. CISM questions are scenario-based, requiring strategic judgment — you must think like a security manager, not a technical expert. Questions often have multiple plausible answers, and you must select the BEST answer from a management perspective. Many technical practitioners find CISM questions more abstract than CISSP. Both require extensive preparation.

When can I take the CISM exam?

ISACA offers CISM year-round at Pearson VUE testing centers globally. You can also take it online via remote proctoring. There is no prerequisite exam — you apply for eligibility, pass the exam, then submit experience verification. The credential is awarded only after ISACA approves your experience documentation.

How difficult is the ISACA CISM exam?

The ISACA CISM is considered intermediate to advanced in difficulty. ISACA does not publish official pass rates; figures commonly cited by training providers are around 50–60% for first-time candidates. The exam focuses on security management from a strategic and governance perspective, emphasizing risk management, program development, and incident management. Candidates from a management background find the conceptual style more natural than those from a purely technical background.

What are the eligibility requirements for ISACA CISM?

You must have five years of information security work experience, including at least three years in information security management across three or more of the four CISM domains. Waivers of up to two years of the general experience requirement are available for relevant degrees or other approved credentials; the three years of management experience cannot be waived. You may sit for the exam before meeting the full experience requirement, but the credential is only awarded once ISACA has verified your experience.

How long should I study for ISACA CISM?

Most candidates need 3–5 months using the ISACA CISM Review Manual and the official QAE practice question database. The exam rewards management-level thinking — candidates should focus on governance frameworks, risk strategy, and security program management rather than technical implementation details.

What career value does ISACA CISM provide?

CISM is one of the top credentials for information security management and CISO-track professionals. Security managers, ISOs, and VP-level security leaders with CISM typically earn $110,000–$160,000+. It is particularly valued in financial services, healthcare, and multinational enterprise environments.

What is the ISACA CISM retake policy?

ISACA allows a maximum of four attempts within a rolling 12-month period. Waiting periods apply between attempts: 30 days after the first attempt, and 90 days after the second and third. The full exam fee applies to each registration. Verify the current retake policy with ISACA before re-registering.

How long is the ISACA CISM credential valid?

The CISM credential has no fixed expiry date; it remains active as long as you meet the annual continuing professional education (CPE) requirements and pay the annual maintenance fee. Failure to report CPE or pay the fee results in the certification being revoked.

What continuing education is required for ISACA CISM renewal?

Renewal requires 120 CPE hours over three years with a minimum of 20 CPE per year. The annual maintenance fee must be paid to maintain active credential status.

How does ISACA CISM compare to ISC2 CISSP for senior security management roles?

CISM is a focused security management credential from ISACA, emphasizing governance, risk, and program management. CISSP from ISC2 covers a much broader technical and management landscape across eight domains. CISM is preferred in governance-focused and audit-heavy environments; CISSP is preferred in organizations that value both technical and managerial security depth. For CISO-track candidates, holding both CISSP and CISM is often considered the ideal combination.

C3RT is a native iOS and macOS exam preparation platform covering the ISACA Certified Information Security Manager (CISM), an IT Certifications credential administered by ISACA. C3RT is not affiliated with or endorsed by ISACA. Certification names and trademarks are the property of their respective organisations. For official exam registration, eligibility requirements, and content outlines, visit the ISACA official website.