What is CISM?
Certified Information Security Manager (CISM) is ISACA’s flagship credential for professionals who design, manage, and assess enterprise information security programs. It validates deep knowledge of risk governance, program development, incident management, and continuous improvement. The current exam version reflects the 2025 ISACA Job Practice.
Who should take this exam
Certified Information Security Manager (CISM) certification targets:
- Information security managers and aspiring managers who lead enterprise security programs
- IT and cybersecurity professionals advancing from technical roles into management
- Governance, risk, and compliance (GRC) specialists
- Security consultants and auditors advising enterprise clients
Typical candidates have 5+ years of information security work, including 3+ years in security management, and are moving into or already in mid- to senior-level roles.
Prerequisites and recommendations
Official requirement
- Five years of professional information security experience (with at least three in information security management) within the past ten years.
- Up to two years can be waived with qualifying certifications (e.g., CISA, CISSP) or a degree in information security.
Practical recommendations
- Experience leading teams or projects is a significant advantage.
- Prior certifications such as CISSP or CompTIA Security+ help.
- Strong background in risk management, incident response, and IT governance is ideal.
Exam objectives and domains
ISACA structures the exam around four core domains:
- Information Security Governance
- Information Security Risk Management
- Information Security Program
- Incident Management
Objective details by domain
1. Information Security Governance
- Align security strategy with business goals
- Establish and maintain governance frameworks
- Integrate security policies into enterprise governance
- Define metrics and reporting structures
2. Information Security Risk Management
- Identify and evaluate risk scenarios
- Determine risk appetite and tolerance
- Recommend risk treatment options
- Monitor and report risk metrics
3. Information Security Program
- Build and maintain the security program
- Integrate lifecycle processes and controls
- Manage resources and budgets
- Ensure training and awareness
4. Incident Management
- Drive continual improvement
- Establish and test incident response plans
- Coordinate communication and escalation
- Conduct post-incident reviews
What changed in this version
The 2025 CISM refresh aligns with evolving enterprise security needs:
- Minor weighting shifts: Risk Management slightly increased; Program and Governance slightly reduced.
- Greater emphasis on cloud security governance
- New objectives on third-party risk and supply chain security
- More focus on metrics, dashboards, and board-level reporting
Registration and scheduling
- Register directly through ISACA.org at any time.
- Exams are delivered year-round via PSI testing centers or online remote proctoring.
- Candidates may reschedule within their 12-month eligibility window.
Pricing and vouchers
ISACA members: about $575 USD
Non-members: about $760 USD
Pricing varies by region (local taxes may apply).
Discounts: student memberships, group or corporate vouchers, and occasional ISACA promotions can lower costs.
Policies you should know
- You can reschedule or cancel up to 48 hours before the appointment.
- No open books or electronics allowed.
- Name on ID must exactly match registration.
- Retake policy: up to four attempts in a rolling 12-month period.
Scoring and results
Scale: 200–800 points
Passing score: 450
Credit: every correct response counts toward the scaled score; wrong answers carry no penalty.
Result delivery: unofficial pass/fail immediately; detailed score report in about 10 working days.
Exam day and test experience
Proctoring options: on-site test center or secure online session.
Check-in: bring a government-issued ID and arrive at least 30 minutes early.
Allowed items: none except approved medical items.
Breaks: unscheduled; clock keeps running.
Interface tips: flag questions, review marked items, watch the countdown timer.
Study plan and resources
Beginner Plan (12 Weeks)
- Weeks 1–4: Read ISACA CISM Review Manual and outline each domain.
- Weeks 5–8: Tackle official question bank; take short quizzes twice a week.
- Weeks 9–11: Attempt full-length timed practice tests; review weak areas.
- Week 12: Light review, quick notes, mental readiness.
Experienced Professional Plan (6 Weeks)
- Weeks 1–2: Quick domain refresh using official manual and job practice areas.
- Weeks 3–4: Daily mixed-domain practice questions; focus on risk and incident management.
- Weeks 5–6: Two full mock exams per week and targeted gap review.
Recommended resources:
- Study groups and reputable online communities
- ISACA CISM Review Manual and Questions, Answers & Explanations (QAE)
- ISACA virtual instructor-led courses
Certification validity and renewal
Validity: 3 years
Renewal: earn 120 Continuing Professional Education (CPE) hours over three years (minimum 20 per year) and pay the annual maintenance fee.
Renewal can also involve higher-level ISACA certifications or approved training.
Career outcomes
CISM holders commonly work as:
- Information Security Manager
- Security Architect or Consultant
- Governance, Risk & Compliance (GRC) Manager
- IT Audit Manager
According to industry surveys, average salaries range from $130,000 to $170,000 USD in North America, with strong demand globally.
| Job Title (Typical for CISM Holders) | Average Annual Salary (USD) | Typical Experience Level |
|---|---|---|
| Information Security Manager | $135,000 – $165,000 | 5–10+ years |
| IT Security Consultant / Advisor | $110,000 – $145,000 | 5–8 years |
| Governance, Risk & Compliance (GRC) Manager | $120,000 – $150,000 | 6–10+ years |
| Security Operations Center (SOC) Manager | $115,000 – $145,000 | 5–8 years |
| Chief Information Security Officer (CISO) | $180,000 – $250,000+ | 10+ years |
| Senior IT Auditor / IS Auditor | $105,000 – $135,000 | 5–8 years |
| Security Program Lead / Project Manager | $115,000 – $140,000 | 5–9 years |
Related or next-step certifications
CISSP (ISC²): for deeper technical breadth
CRISC (ISACA): focused on IT risk and control
CISA (ISACA): ideal for auditing professionals
CGEIT (ISACA): for IT governance at the executive level
How this exam compares to similar certifications
CISM vs CISSP: CISSP covers broad technical security; CISM is management-oriented and risk-focused.
CISM vs CRISC: CRISC targets risk and controls only; CISM blends governance, program building, and incident management.
Ready to feel confident on exam day?
Visit Cert Empire and check out our CISM practice kit, built around the official exam objectives and updated for 2025. Our CISM PDF practice questions provide realistic scenarios and detailed explanations so you can test your knowledge before the real exam. Start practicing today and give yourself the best chance of earning the Certified Information Security Manager credential on your first try.
Frequently Asked Questions (FAQs)
How long does it take to prepare?
Beginners typically need 3 months; experienced managers may be ready in 6–8 weeks.
Can I take the exam without five years of experience?
Yes, but you must earn the experience within five years after passing to get certified.
Is CISM suitable for technical engineers?
It’s designed for management, but senior engineers planning to move into leadership benefit greatly.
What if I fail the exam?
You may retake it up to four times in a 12-month period. Use the score report to focus on weak domains.