The CISM certification guide
Key facts
- Number of CISM certification holders since its inception in 2002: 45,000
- Average U.S. salary for CISM certification holders as of September 2022: $156,420
- Recommended experience: 5+ years
Start your journey to becoming a certified CISM professional with Infosec.
CISM exam overview
The CISM exam is updated to include the latest job practice areas across four domains. The exam includes the following topics in each domain.
Domain 1: Information security governance (17%)
- Enterprise governance
- Information security strategy development
- Organizational culture and structure
- Regulatory and legal requirements
- Governance frameworks
- Strategic planning
Domain 2: Information security risk management (20%)
- Risk assessment, analysis and response
- Emerging threat landscape
- Risk and control ownership
- Risk monitoring and reporting
Domain 3: Information security program (33%)
- Information security program development and management
- Resources (people, tools and technologies)
- External services (suppliers and third and fourth parties)
- Awareness training
- Policies and procedures
- Program metrics
- Security control design, selection, implementation and testing
- Communications and reporting
Domain 4: Incident management (30%)
- Readiness and operations
- Business impact analysis (BIA)
- Business continuity plan (BCP)
- Disaster recovery plan (DRP)
- Incident classification
- Training, testing and evaluation
- Investigative tools and techniques
- Containment methods
- Reporting and escalation
- Post-incident review
Learn more about the CISM domains.
CISM exam details
Evaluates your ability to manage and govern a company’s information security program. It covers four main domains: Information Security Governance, Information Risk Management, Information Security Program Development and Management, and Information Security Incident Management.
| Launch date: | 2002 | Last update: | June 2022 |
| Number of questions: | 150 | Type of questions: | Multiple-choice |
| Length of test: | 4 hours | Passing score: | 450 (out of scaled score of 200-800) |
| Recommended experience: | 5+ years of work experience in at least three domains (up to 3 years in experience waivers available) | Languages: |
English, Chinese Simplified, Japanese, Spanish |
| Validity duration: | Three years | CPEs needed for renewal: | 120 (at least 20 annually) |
| Exam cost: | $575 for members, $760 for non-members |
Additional CISM exam resources
Prepare for your CISM exam with books, practice exams and other resources.
CISM study guides and books
There is no shortage of books and guides to help you prepare for the CISM exam. Make sure to find ones created specifically for this topic. You can find great options at your local library, bookstore or online. Highly rated titles include:
- CISM Certified Information Security Manager All-in-One Exam Guide by Peter H. Gregory
- CISM Certified Information Security Manager Study Guide by Mike Chapple
- Complete Guide to CISM Certification by Thomas R. Peltier
CISM practice questions and exams
Test your knowledge pre-exam with practice materials. These are designed to help you assess your readiness and study progress. Some solid sources include:
- ISACA's free CISM practice quiz
- CISM Review Questions, Answers & Explanations (QAE) Manual, 10th edition (published by ISACA and also available as a 12-month subscription to the QAE Database)
- CISM Certified Information Security Manager Practice Exams by Peter H. Gregory (published by McGraw Hill)
CISM training courses, like the Infosec CISM Boot Camp, offer unlimited practice exam attempts and access to the ISACA Official Question, Answer & Explanation (QAE) Database.
Other free CISM training resources
There are a number of other free CISM training materials being produced and shared by the community:
- Forums: TechExams, Reddit and similar forums include posts by people preparing for the CEH exam or who have already taken it.
- Podcasts: Learn more about changes to CISM and more on podcasts like Cyber Work.
- Other social media: CISM is a popular exam, and many people have created free training videos on YouTube, TikTok, Twitch and other platforms.
CISM jobs and careers
The CISM credential is ideal if you’re a senior-level professional pursuing an information security management and governance career. The ISACA CISM certification opens opportunities to some of the highest-paying jobs in the industry. CISM job titles vary from technical to managerial to executive levels.
Common CISM job titles
- Information security manager
- IT governance manager
- Risk manager or risk consultant
- Chief information security officer (CISO)
- Security consultant or security analyst
- IT audit manager or IT auditor
- Information systems security manager
- Business continuity manager
- Compliance officer
CISM live boot camps and self-paced training
One of the best ways to prepare and ensure exam success is through training programs designed by ISACA-accredited organizations. Whether you want to get certified quickly or need expert assistance mastering the exam domains, paid training is a prime path to certification.
Live CISM Boot Camp
Live online or in-person boot camps are often the quickest route to certification. The Infosec CISM Boot Camp, for example, is five days of intensive training that helps you pass the exam on your first attempt.
Advantages of enrolling in a boot camp include:
- Live instruction: Boot camps provide the opportunity to interact with instructors and peers who have useful industry or exam experience to share.
- Complete certification package: Search for a boot camp provider that includes training materials, exam vouchers or other resources and look out for additional costs.
- Higher pass rates: Boot camps prepare you to pass the exam on your first attempt, and providers like Infosec back their training with an Exam Pass Guarantee.
Learn more about the live CISM Boot Camp.
Self-paced CISM training
If you can’t take designated time off for boot camps, many providers offer self-paced CISM training and learning resources.
The benefits of self-pace CISM training include:
- Train at your own pace: Train when it’s convenient for you — whether that’s 30 minutes over your lunch or a few hours on the weekend. It’s a great alternative if you can’t set aside dedicated hours for a week of live instruction.
- Test on your schedule: With a self-study approach, you can take the exam when you feel ready or when the material is freshest in your mind.
- Accredited training partner: Be sure to train with an ISACA-accredited partner to get the most up-to-date training materials.
Learn more about the self-paced CISM training.
CISM certification comparisons and alternatives
The best certification for you depends on your career goals, current role and experience. Each certification is designed to serve different functions, and the CISM is just one of several prestigious information security certifications. Here's a comparison between CISM and some other well-known certifications:
CISM vs. CISSP
Both CISM by ISACA and CISSP by (ISC)² are aimed at seasoned security professionals and are recognized globally. While they have an overlap in some content, CISSP has a broader technical focus covering eight domains of security, whereas CISM is more managerial and revolves around information security governance and management. CISSP is ideal for those who are hands-on in security implementation and day-to-day operations, while CISM is for those managing and governing a company's information security program. Both require significant work experience in their respective fields.
CISM vs. CISA
CISM and CISA (Certified Information Systems Auditor) are both offered by ISACA and are often seen in tandem in the job market. While CISM focuses on security management and governance, CISA centers around IT auditing, control and assurance. Someone with CISA would be looking at the controls and systems in place and ensuring they're compliant, whereas a CISM professional would be overseeing and establishing the company's information security posture.
CISM vs. CRISC
Both certifications are under ISACA's umbrella. CISM is centered around information security management, while CRISC (Certified in Risk and Information Systems Control) zeroes in on IT risk management and its business implications. If you're a professional whose main task is to identify and manage risks, then CRISC might be the better fit. On the other hand, if you're into the broader spectrum of information security management and governance, then CISM would be more appropriate.
CISM vs. CompTIA Security+
While CISM is an advanced certification focusing on governance and management, Security+ by CompTIA is more foundational. Security+ is often an entry point for many into the cybersecurity field, covering a broad range of introductory topics. With its managerial slant and prerequisites, CISM is typically pursued by those who have been in the field for some time and are looking at higher-tier managerial roles in information security.
Explore Infosec certifications to find the best fit for your career goals.
