From the CISM Exam to the CISM Certification: An A to Z Guide


What is CISM?

The Information Systems Audit and Control Association (ISACA) Certified Information Security Manager (CISM) is the premier certification to link information security management and the business organization.

Who should pursue a CISM certification?

Benefits of a CISM certification

For employers
Employers who hire a CISM certified cybersecurity professional know that the employee understands how information security and business work together to ensure confidentiality and integrity of the business IT network, while fully supporting the availability of the IT network to what matters most to the business – its mission.
For employees
The CISM certification provides an understanding that information security does not exist within a vacuum. Information security must reside within the overall business strategy and operations dealing with resource constraints and value optimization. The CISM is a critical key to opportunities across federal, military, and commercial cybersecurity professions and positions. The CISM is the gateway to a career in information security management allowing an expert and/or manager to pursue further leadership roles within information security.

How to gain a CISM certification?

The CISM candidate can pursue the certification through several means:
a. A live classroom experience, called a bootcamp, where the candidate is exposed to the 4 domains of the CISM over a 5-day period. The benefit of a live classroom experience is the ability to have an instructor tailor the course to the class, answer questions, and bring scenario-based experiences to better understand the concepts.
b. A virtual classroom experience where the candidate is exposed to the 4 domains of the CISM through an internet connection. The benefits of a virtual classroom experience are the ability to take the course from the comfort of wherever you wish to attend (at home, at a coffee shop, etc.), travel and dress code at your discretion, and breaks when you desire. Some virtual classrooms have a live instructor to discuss and tailor the class, but the instructor is limited compared to the live classroom experience.
c. A webinar classroom experience, which is similar to the virtual classroom, except the instruction is normally recorded by a live instructor. The benefit of a webinar-based classroom experience is the ability of the candidate to stop and start the session when they choose, depending on the time available. The webinar also allows the candidate to repeat various lessons or segments to better understand the materials.
d. Self-study, which is the final means to prepare for the CISM exam and is normally combined with a live, virtual, or webinar method. The benefit of a self-study experience is the availability of the ISACA Review Manual and Questions, Answers, and Explanations manual to support in-depth understanding of an Information Security Manager, and practice test questions to support the learning of the CISM exam.
1. Register for the CISM exam with ISACA. Ensure the exam is taken within 365 days of registration for the exam; otherwise, the exam fee is forfeit
2. Take and pass the CISM exam at a PSI testing center
3. Notification of passing the exam is immediate with official notification from ISACA within 10 days
4. The candidate has 5 days from passing the exam to apply for the CISM certification
5. The candidate should proceed with obtaining a sponsor who has already been certified by ISACA in one of four ISACA certification programs
6. Ensure the required experience needed for the CISM certification is current and the sponsor can attest to your knowledge in information security management as outlined by the CISM domains
7. Apply with ISACA for the CISM certification
8. Obtain the official ISACA CISM certification
The CISM exam costs $575 (member) or $760 (non-member) per attempt.

What are the prerequisites and eligibility criteria?

ISACA requires that a CISM candidate have at least 5 years of experience in information security management in at least three of the CISM domains. The experience is needed to both understand the concepts covered within the CISM and to demonstrate to employers the ability to integrate experience with knowledge.
ISACA allows the CISM candidate to waive 2 years of the experience requirement by having a degree from a higher learning institution that meets the criteria specified by ISACA, having the ISACA Certified Information Security Manager (CISA) certification, or having the (ISC)2 Certified Information Systems Security Professional (CISSP) certification.

How difficult is it to get CISM certified?

The CISM certification is a difficult certification to obtain. Some candidates are able to take a class, study the materials, and pass the exam the first time. Other candidates need to retake the class and continue to study the materials for a second exam attempt. The most important point to remember – stay focused and pursue your goals and you will obtain the CISM certification.

How to prepare for the CISM exam?

Most of the successful CISM candidates prepare for the exam in the following way:
1. Self-study – obtain the ISACA Review Manual and Questions, Answers, and Explanations Manual. Many will spend 1-2 months preparing.
2. Bootcamp – after completing a self-study exam preparation, they register for a bootcamp to maximize their ability to understand and retain the information learned. The bootcamp instructor is normally able to highlight and tailor the training materials to fully allow the CISM candidate to understand difficult areas.
3. Continue to self-study until taking the exam (normally within 1-2 weeks of completing the bootcamp).

How long does it take to get CISM certification?

1. A CISM candidate is notified at the PSI testing facility of their pass or fail qualitative score. If a passing score is obtained, you will be informed that you passed pending an ISACA review process. This means that you passed the exam and now ISACA will review the exam you took, the answers provided, and ensure no anomalies or errors are found. Rarely are there any complications in this process.
2. The CISM candidate will be notified within 10 days that they officially passed the exam.
3. The CISM candidate needs to apply for the CISM certification through ISACA within 5 days of exam completion.
4. The CISM candidate must identify an ISACA certified member (someone who is currently an ISACA certification holder) to sponsor them for the certification – the sponsor attests to the candidate’s experience and that the requirements have been met.
5. The CISM candidate applies for the CISM certification through the ISACA website portal by downloading the applications, having the experience attested by the sponsor, and uploading the completed application to the ISACA website.
6. The CISM candidate will normally receive notification from ISACA within 4-6 weeks that they are a CISM with ISACA. If the CISM candidate has an ISACA account, they can view their actual quantitative score under their badge on the ISACA website portal.

How to add CISM to your resume?

The CISM candidate may add the CISM certification to their resume, place the ‘CISM’ after their name, and download the ISACA CISM badge from the ISACA website after they have been officially notified by ISACA that they are ‘Certified’ as a CISM. Passing the exam does not constitute the ability to use CISM on a candidate’s resume.

How long is CISM valid?

The CISM is valid for 3 years and is renewable through Continuing Professional Education (CPE) units.

What is the re-certification process?

A CISM member enters into their ISACA portal the CPEs earned during a year. As long as a CISM member obtains the required CPEs each year and pays their annual CISM maintenance fee ($45/year – member, $80/year – non-member), the CISM member is not required to retake the exam.
  • A CISM member must obtain 120 CPEs over a 3-year period of time.
  • A CISM member must obtain 20 CPEs per year.


1. The CISM exam is a 150-question, multiple-choice exam.
2. A CISM candidate has 4 hours to complete the exam.
3. The multiple-choice exam does permit the ability to flag or return to previous questions and answers to review and/or change answers.
4. The passing score on the CISM exam is 450. The scoring range is from 200 to 800.
CISM Syllabus
The CISM syllabus consists of 4 domains, each covering subjects related to various areas within information security management.
When does the CISM exam change?
The CISM course and exam change approximately every 3 years, or when the information security management domain changes enough to warrant a curriculum and exam change.
How many questions are in the CISM exam?
The CISM has 150 questions.
Exam Time
The CISM exam is a timed exam of a maximum of 4 hours.
Passing marks
The CISM exam has a passing score of 450 out of a scoring range from 200 to 800. The questions all have the same value towards the exam score.

Link to the practice tests

ISACA Questions, Answers, and Explanations Manual (ISACA Website)

Jobs and trends

The job market has hundreds of different titles for positions related to information systems auditing. Depending on a candidate’s experience, a candidate with a CISM can pursue Information Assurance, Security Control Assessor, Information System Security Officer (ISSO), and Information System Security Manager (ISSM) positions.
The number of positions demanding information systems auditing expertise is increasing dramatically, with more positions needing to be filled than experts to fill them.

Salary with survey

Where a CISM member chooses to work (location, employer, position) has a significant impact on salary range.
  • $60,000: CISM expert salary range for entry-level positions.
  • $175,000+: for experienced, high-level positions.


CISM Expert Conversation

The need for security experts…

The world of commerce touches every aspect of life – government, military, commercial, and personal. The speed demands of our interlaced, interconnected world drive business and impact senior business leaders – creating shortages of people, time, and money to meet the myriad of daily mission requirements. Business grows or fails as a result of effectively and efficiently utilizing information technology (IT) in its pursuit of competitive growth and need to capture market share.
Business culture, strategy, vision, and operations rest on IT infrastructure to create reality, to bring to life the passion and creativity of its designers. The rapid expansion of IT within the business has also brought serious risks associated with threats to the media business relies upon. Corporate espionage, social engineering, and large-scale denial of service attacks have and will continue to cripple businesses who fail to account for the risks to their IT networks and infrastructure. Expertise in understanding the requirements of business and how securing IT integrates into a corporate risk and security management strategy is pivotal to the health and longevity of a business. Business and information security experts around the world turn to the ISACA Certified Information Security Manager (CISM) certification as a clear indicator of an information security expert who can translate and support critical business-to-information system decisions.

Why CISM certification?

Leaders and experts who attain the CISM certification have over five years of experience in information security management, business continuity, disaster recovery, risk and security management planning, and support to senior business leader decisions. CISM experts permeate the business world as Information System Security Officers (ISSO), Information System Security Managers (ISSM), Chief Information Security Officers (CISO), and even Chief Information Officers (CIO). The CISM expert understands analysis, business case creation and support, resource allocation, risk identification, and security management. Most importantly, the CISM expert knows that business strategy and operations are pivotal to the growth of a business and information system security plays a vital, supportive role.
Business leaders serving on Boards of Directors and senior executive positions seek experts who understand their language and can translate at the speed of business, critical IT and information security requirements and demands. Leaders seek CISM experts to understand, investigate, and create business case solutions integrating all aspects of the business enterprise (operations, support, and infrastructure) to meet 21st-century demands while translating threats and risks to the same business enterprise in terms senior business leaders can understand.

How to become CISM certified?

The CISM certification is demanding to attain, and therefore extremely valuable to those who have reached that level of expertise. Dedication and perseverance in understanding overarching business priorities and how these priorities impact risk and security management plans is at the heart of CISM training and self-study. The key aspect of CISM training is understanding that information security is not the primary focus of the business – information security supports the business – there’s a real, tangible difference between these concepts. Identifying a training organization that understands the core requirements of a CISM, translating these requirements into an understanding that resonates with you is a monumental first step in the path to becoming a CISM expert.
When you pass the exam and obtain the CISM certification, you have a right to celebrate for you earned a pivotal, career certification. Employers are seeking you to support them and the career positions are vast and prevalent.
Remember – “Your choice. Your career.”
James R. Beamon, Colonel (ret), USAF CISSP, CAP, CISM, CISA, CRISC, CGEIT, Security+, CASP+, PMP