How much does the CISM exam cost in 2026?

The 2026 CISM exam costs $575 for ISACA members and $760 for non-members. ISACA membership is $135 per year plus a $50 one-time application fee, so joining exactly breaks even on the exam discount ($185 savings). Members also receive discounted pricing on the CISM Review Manual, QAE Database, conferences, and CPE resources, which make membership worthwhile for anyone pursuing multiple ISACA credentials. A separate $50 CISM application processing fee applies when you submit your experience verification after passing.

What is the passing score for CISM?

CISM uses a scaled scoring system from 200 to 800, with 450 as the passing score. ISACA uses equated scaling across exam forms, so there is no fixed percentage of correct answers that guarantees a pass — but training providers consistently estimate that 65-70% correct answers is approximately equivalent to a 450 scaled score. You receive a preliminary pass/fail result immediately after finishing the exam, with the official score released within 10 business days.

How many questions are on the CISM exam and how long is it?

The CISM exam has 150 multiple-choice questions with a 4-hour (240-minute) time limit — roughly 1 minute 36 seconds per question. All questions count equally, and unlike CISSP the CISM uses linear-on-the-fly delivery, meaning you CAN navigate back, flag questions, and change answers within the 4-hour window. The exam is delivered by PSI Services either at a PSI test center or online-proctored from your home with strict environment controls.

What are the 4 CISM domains and their weights?

The 4 CISM domains effective since the 2022 Job Practice Analysis and current for 2026 are: Domain 1 Information Security Governance (17%), Domain 2 Information Security Risk Management (20%), Domain 3 Information Security Program (33%), and Domain 4 Incident Management (30%). Domain 3 and Domain 4 together make up 63% of the exam and should get the most study time — they are where most candidates lose points by under-preparing on security program operations and incident response leadership.

What is the CISM experience requirement?

CISM requires 5 years of verified information security work experience with at least 3 years in information security management spanning 3 or more of the 4 CISM domains. Experience must be gained within the 10-year period before application or within 5 years after passing. Up to 2 years of the general information security experience can be waived with a CISA, CISSP, post-graduate degree, or certain management certifications — but the 3 years of management experience cannot be waived. You can sit the exam at any time; the experience only matters when you apply for certification.

Is CISM harder than CISSP?

CISM and CISSP test different skill sets. CISSP is broader and more technical across 8 domains; CISM is narrower and more managerial across 4 domains. Most candidates find CISSP harder to prepare for because of its scope and technical depth. CISM is typically considered easier to study but harder to answer on exam day — every question is a judgment call between plausible managerial options, and you must consistently pick the risk-based, business-aligned answer. Pass rates for both hover around 50-60% for first-time takers.

Is CISM or CISA better for my career?

CISA is for auditors — people who independently evaluate controls. CISM is for managers — people who build and run security programs. If your career goal is CISO, Information Security Manager, or Director of Security, CISM is the direct match. If your career goal is Big 4 IT audit, SOX compliance, or internal audit leadership, CISA is the direct match. Many senior security professionals eventually hold both. If you must pick one in 2026, let the job titles you target on LinkedIn decide — search your target roles and count which cert appears more in the requirements.

What is the CISM pass rate in 2026?

ISACA does not publish official CISM pass rates. Candidate surveys, Reddit r/CISM reports, and training provider data consistently suggest first-time pass rates of 50-60%, with candidates who use the official ISACA CISM Review Manual (16th edition) plus the QAE Database of 1,000+ practice questions reporting 75%+ success. The exam is considered moderately difficult — not because the content is obscure, but because the questions force a risk-and-governance mindset that experienced technical practitioners often lack.

How long should I study for the CISM?

Most candidates need 100-150 hours of focused study, typically spread over 10-14 weeks. Experienced security managers with 5+ years leading security programs can prepare in 8 weeks at 10 hours/week. Technical security engineers pivoting into management usually need 14-16 weeks to internalize the risk-based, governance-first way of answering CISM questions. Plan to spend the final 2-3 weeks exclusively on practice questions and full-length mock exams scored under timed conditions.

How do I maintain my CISM certification?

CISM is valid for 3 years. To maintain it, you must complete 120 Continuing Professional Education (CPE) hours during each 3-year cycle with a minimum of 20 CPEs per year — you cannot back-load into year 3. You must also pay an annual maintenance fee of $45 for ISACA members or $85 for non-members, adhere to the ISACA Code of Professional Ethics, and comply with ISACA’s Information Security Management Standards. CPEs can come from ISACA webinars, chapter meetings, conferences, university courses, self-study, teaching, and writing. ISACA audits approximately 10% of certificants yearly, so document every CPE with a certificate or agenda.

Is the CISM worth it in 2026?

For security managers, directors, and CISO-track professionals, CISM remains one of the highest-ROI certifications in 2026. ISACA’s 2024 State of Cybersecurity reports CISM holders average $148,000 in base salary — the highest of any ISACA credential. CISM appears in roughly 17% of US CISO/Security Manager job postings as preferred or required, and the growth of AI governance, zero-trust programs, privacy regulation, and board-level cyber oversight has increased demand for certified security managers. The total first-year cost of about $895 typically pays back within 3-6 months through a raise, promotion, or higher-paying role.

What is the difference between CISM and CRISC?

CISM and CRISC are both ISACA management-track certifications, but they target different roles. CISM is the information security management credential — focused on building, running, and leading an information security program end-to-end (governance, risk, program, incident response). CRISC is the IT risk management credential — focused specifically on identifying, assessing, responding to, and monitoring IT and information security risk, plus designing and implementing information systems controls. CISM is broader (includes risk as one of four domains). CRISC is deeper on risk methodology. Many risk leaders hold both; if you must pick one, CISM is more commonly required for CISO and security manager roles, while CRISC is more commonly required for dedicated IT risk officer roles.

CISM Exam Guide 2026: FREE ISACA Practice + Study Plan

CISM in 2026: The Only Guide You Need

The ISACA CISM (Certified Information Security Manager) is the most recognized management-level information security credential on the planet. More than 70,000 professionals hold it, and in 2026 it is more valuable than ever — every large enterprise needs security leaders who can build programs, communicate risk to the board, and run incident response when things go wrong. That is the CISM mandate, and this guide is built to beat every other CISM resource on the web.

This guide covers the 2026 exam at full depth: cost, format, eligibility, the 4 Job Practice Domains (Governance 17%, Risk 20%, Program 33%, Incident 30%), a 12-week study plan, pass rates, salary data, and the management-mindset coaching that separates candidates who pass on the first try from those who retake. Every detail was cross-referenced against isaca.org/credentialing/cism and the 16th edition CISM Review Manual.

free CISM practice questionsPractice questions with detailed explanations

CISM Exam At-a-Glance (2026)

Detail	Information
Certification Body	ISACA (Information Systems Audit and Control Association)
Exam Delivery	PSI Services — online proctored OR PSI test center
Questions	150 multiple-choice
Duration	4 hours (240 minutes)
Format	Linear on-the-fly — back-navigation and answer changes allowed
Passing Score	450 on a 200-800 scaled scale
Cost	$575 ISACA member / $760 non-member
Application Fee	$50 one-time (after passing)
Languages	English, Chinese (Simplified), Japanese, Korean, Spanish
Experience Requirement	5 years InfoSec work + 3 years in InfoSec management spanning 3 of 4 domains
Experience Window	5 years from passing to verify and certify
Validity	3 years, renewable
CPE Requirement	120 CPE hours every 3 years (minimum 20/year)
Annual Maintenance Fee	$45 member / $85 non-member
Exam Windows	Continuous testing, any day of the year
Retake Policy	90-day cooling-off, max 4 attempts per 12 months
Job Practice Analysis Effective	2022 (4-domain structure, current through 3 November 2026; new Exam Content Outline effective 3 November 2026)

FREE CISM Prep: Practice Before You Pay

Before committing to the $760 non-member fee, prove to yourself that you can actually pass. The biggest mistake CISM candidates make is buying a $500 bootcamp, studying for 3 months, and then failing because they never consistently scored 75%+ on timed practice exams beforehand.

Our free CISM practice question bank covers all 4 domains with ISACA-style "best answer" questions that emphasize management judgment — the defining characteristic of the CISM exam. Every question includes a detailed explanation of why the correct answer is the most business-aligned choice, why the distractors look plausible but miss the management frame, and which domain concept the question tests.

Start CISM practice questions nowPractice questions with detailed explanations

What CISM Actually Is — And Why It Is Not CISSP or CISA

CISM was created by ISACA in 2002 for people who manage information security programs. The certification validates your ability to govern, assess risk for, build, and respond to incidents in an enterprise security program — in other words, the CISO job description, boiled down to 4 domains and 150 questions.

Here is the single most important thing to internalize before you open the Review Manual:

CISM is a management exam, not a technical exam.

Every question on the CISM is answered by asking: What would a security manager — one who reports to executive leadership, works with the business, and is accountable for program outcomes — do here? It is not: What is the most secure technical configuration? That is CISSP territory. It is not: What would an independent auditor evaluate? That is CISA territory.

If you are a brilliant security engineer who has never sat in a CISO’s chair, you will find CISM counterintuitive. You will want to say "encrypt more," "add MFA," "deploy a WAF." The CISM correct answer is almost always: "understand the business risk, present options and costs to leadership, and let the business accept, modify, transfer, or avoid the risk." Learn that rhythm and you pass. Miss it and you retake.

The 2026 CISM Market

Three forces have made 2026 the best year yet to earn CISM:

1. CISO role has exploded. SEC 2023 Cybersecurity Disclosure Rule (10-K / 4-day 8-K) is in full effect. Every large organization needs a qualified security manager to own the program, and CISM is the most recognized management credential for that role.

2. Privacy and AI governance merged with security leadership. EU AI Act, NIST AI RMF 1.0, ISO/IEC 42001:2023, GDPR, CCPA/CPRA, and state privacy laws have piled onto the security manager’s plate. CISM’s risk-and-governance-first framing is the mindset this work requires.

3. Talent shortage is acute. ISACA’s 2024 State of Cybersecurity reports 60% of organizations have understaffed cyber teams and 61% say security management roles take 3-6+ months to fill. CISM appears in ~17% of US security manager / CISO postings as preferred or required — more than any other management-specific credential.

Who Should Take CISM

CISM is the right credential for people who make — or will soon make — program-level security decisions. Sweet spot: 3-7 years of security experience with management exposure.

Role	Why CISM Fits
Information Security Manager	Canonical CISM role — literally in the name.
CISO / Deputy CISO / VP Security	Most cited management credential on CISO job postings.
Security Program Manager	Running zero-trust, identity, DLP, vuln mgmt programs.
GRC / Security Governance Lead	Policy, exception management, risk registers, committee reporting.
Senior Security Architect moving to leadership	Management framing for technical seniors.
Security Consultants / vCISO / Big 4 advisory	Standard at Manager level.
Military / Government Security Officers (ISSO/ISSM)	DoD 8140.03 approved IAT/IAM credential.

CISM is not the right first cert for technical specialists (OSCP, GCIH instead), entry-level analysts (Security+ first), IT auditors (CISA), or pure risk specialists (CRISC is deeper).

Eligibility & the CISM Experience Rule

Here is where most candidates get confused: you do NOT need 5 years of experience to sit the exam. You need it to become certified after you pass, and you have 5 years from the pass date to submit the paperwork.

The Experience Requirement

To earn the CISM, you need:

5 years of professional information security work experience, AND
At least 3 of those 5 years must be in information security management, AND
Your management experience must span 3 or more of the 4 CISM domains (Governance, Risk, Program, Incident Management).

Experience must be gained within the 10-year period preceding application OR within 5 years after passing the exam.

Substitutions (Up to 2 Years General InfoSec Experience)

Unlike CISA (which allows up to 3 years of waivers), CISM allows a maximum of 2 years of substitution, and only against the general 5-year InfoSec requirement — the 3-year management requirement cannot be waived.

Substitution	Years Waived
CISA or CISSP in good standing	1 year
Post-graduate degree in info sec or related field	1 year
One full year of general InfoSec management experience	1 year
Certain ISACA-recognized skill-based InfoSec certifications	1 year

Maximum combined substitution: 2 years. Every CISM candidate therefore needs at least 3 years of direct information security management experience spanning 3 of 4 domains.

What Counts as "Management Experience"

ISACA defines information security management experience as work that involves at least one of the following program-level responsibilities:

Developing, maintaining, or influencing information security strategy, policy, or standards
Leading or co-leading an information security risk management program
Building or operating the components of an information security program (identity, vulnerability, DLP, SOC, etc.)
Leading or co-leading incident response for information security events

Hands-on technical work (patching, firewall rule writing, code review, tool administration) does not count as management experience on its own.

The Experience Verification Process

After you pass the exam, you have 5 years to:

Complete the CISM application through your ISACA account.
Pay the $50 application processing fee.
List relevant experience with employer, dates, responsibilities, and a verifier (usually your supervisor).
Wait 4-8 weeks for ISACA to review and verify with your listed contacts.
Receive your certification number and digital badge.

If you do not apply within 5 years, your passing score expires and you must retake the exam.

The 4 CISM Domains (2022 Job Practice Analysis, Current 2026)

ISACA refreshed the CISM Job Practice Analysis in 2022, moving from the previous 2017 structure to the current 4-domain layout. This structure is in effect through 3 November 2026 and is what every candidate preparing today is tested on. ISACA has announced an updated CISM Exam Content Outline effective 3 November 2026 — if you plan to sit the exam in late 2026 or beyond, check isaca.org/credentialing/cism for the new outline before finalizing your study plan.

#	Domain	Weight	Approx. Question Count
1	Information Security Governance	17%	26
2	Information Security Risk Management	20%	30
3	Information Security Program	33%	50
4	Incident Management	30%	44
	Total	100%	150

Domains 3 and 4 together are 63% of the exam. If you prioritize study time incorrectly, this is where you lose points.

Domain 1 — Information Security Governance (17%)

Domain 1 is the philosophical foundation of CISM. You cannot pass without internalizing that governance is the process by which the organization directs and controls the information security program — separate from, and above, management.

Core Topics

Topic	What You Must Know
InfoSec Strategy	Alignment with business strategy; strategic plan structure (current state, future state, gap analysis, roadmap)
Governance Frameworks	COBIT 2019 (EDM domain), ISO/IEC 27001:2022, NIST CSF 2.0 (incl. new Govern function), CIS Controls v8
Roles & Responsibilities	Board, executive management, CISO, CIO, CRO, CCO, data owners, custodians, users
Organizational Structure	CISO reporting line (CEO vs CIO vs CFO vs CRO), independence, separation of duties
Policies, Standards, Procedures, Guidelines	Policy hierarchy, approval authorities, exception management
Business Case Development	Cost-benefit, ROI, NPV — board-ready language
Regulatory and Legal	GDPR, CCPA/CPRA, HIPAA, PCI-DSS 4.0, GLBA, SOX, NYDFS Part 500, SEC cyber disclosure, EU AI Act
Metrics and Reporting	KPIs vs KRIs vs KGIs; business-outcome metrics (not activity counts)
Culture, Awareness, Ethics	Tone at the top; ISACA Code of Professional Ethics (directly tested)

High-Yield: Governance vs Management

This distinction (straight from COBIT 2019) appears repeatedly on CISM:

Governance (EDM — Evaluate, Direct, Monitor): The board and executive management set direction, evaluate performance against that direction, and monitor compliance. Governance is about oversight.
Management (PBRM — Plan, Build, Run, Monitor): The security manager and team execute against the direction set by governance. Management is about operation.

When a CISM question asks "who owns X," apply this frame:

Setting risk appetite → governance (board / executive)
Approving strategy → governance (executive)
Implementing controls → management (security team)
Accepting a specific risk → the business process owner (a management role, but specifically the one with budget authority for the process — not the security manager)

Domain 2 — Information Security Risk Management (20%)

Domain 2 is where CISM’s management mindset is hammered home. Every question is, at its core, about risk-based decision-making.

Core Topics

Topic	What You Must Know
Risk Management Frameworks	ISO 31000, NIST RMF (SP 800-37), FAIR (Factor Analysis of Information Risk), OCTAVE
Risk Identification	Asset identification, threat modeling (STRIDE, PASTA), vulnerability identification
Risk Assessment	Qualitative (heat maps, matrices), quantitative (ALE = SLE × ARO), semi-quantitative; likelihood and impact scales
Risk Analysis	Inherent risk vs residual risk; risk aggregation; risk scenarios
Risk Evaluation	Comparing risk against risk appetite and tolerance; prioritization
Risk Treatment / Response	Mitigate, Accept, Transfer, Avoid (ISO 31000 terminology) — plus modify/retain/share/avoid
Risk Monitoring	Key Risk Indicators (KRIs), risk registers, risk reporting cadence
Risk Appetite vs Tolerance	Appetite = broad, strategic; tolerance = specific, tactical bounds
Third-Party / Supply Chain Risk	Vendor risk management, due diligence, SOC 2 Type II reports, continuous monitoring
Business Impact Analysis (BIA)	Identifying critical processes, quantifying impact over time (RPO, RTO, MTD, WRT)
Emerging Risk	AI risk, cloud risk, quantum risk, cyber-physical risk

The Quantitative Risk Formulas (Memorize These)

ALE (Annual Loss Expectancy) = SLE × ARO
SLE (Single Loss Expectancy) = Asset Value × Exposure Factor
ARO (Annual Rate of Occurrence) = expected incidents per year
ROSI (Return on Security Investment) = (ALE before control − ALE after control − Control Cost) / Control Cost

Example: An asset worth $500,000 has a 20% exposure factor per incident and an expected 3 incidents per year. SLE = $100,000. ALE = $300,000. A $200,000 annual control reduces ARO to 0.5. New ALE = $50,000. ROSI = ($300,000 − $50,000 − $200,000) / $200,000 = 25%.

The Risk Treatment Decision Framework

Option	When to Use	Example
Mitigate (Modify)	Risk exceeds appetite and cost-effective controls exist	Add MFA to reduce account takeover risk
Accept (Retain)	Risk is within appetite OR mitigation cost exceeds benefit	Accept a low-impact risk; document with owner sign-off
Transfer (Share)	Risk can be shifted to a third party at acceptable cost	Cyber insurance, outsourcing to SOC-2-certified vendor
Avoid	Risk is unmanageable and the activity is non-essential	Discontinue a product line with unacceptable risk

Exam tip: The security manager never accepts risk alone. The business process owner (with appropriate authority) accepts risk. The security manager identifies, assesses, and recommends.

Domain 3 — Information Security Program (33%)

Domain 3 is the largest single domain on any ISACA exam — 33% of CISM, roughly 50 questions. This is where the security manager builds, runs, and improves the program.

Core Topics

Topic	What You Must Know
Program Development & Resources	Designing the program from strategy; scope, charter, budget, staffing, outsourcing
Asset Identification & Classification	Public/internal/confidential/restricted; data owners and custodians
Industry Frameworks	ISO/IEC 27001:2022 (10 clauses, 93 Annex A controls in 4 themes), NIST CSF 2.0 (6 functions), NIST SP 800-53 Rev 5, CIS Controls v8
Access Management	Identity lifecycle, provisioning, access reviews, privileged access, SSO, federation (SAML, OIDC)
Data Protection	Classification, encryption in-transit/at-rest, key management, DLP, tokenization
Endpoint & Network Security	EDR/XDR, NAC, firewalls, IDS/IPS, SIEM, SOAR, zero-trust network architecture
Application Security	Secure SDLC, SAST/DAST/IAST/SCA, DevSecOps, API security, OWASP Top 10
Cloud Security	Shared responsibility, CASB, CSPM, CWPP, cloud IAM, configuration baselines
Physical & Environmental	Data center controls, facility access, environmental monitoring
Security Awareness & Training	Role-based training, phishing simulation, measurement
Vendor & Supply Chain	Third-party risk management, SBOM, continuous vendor monitoring
Metrics & Maturity	CMMI, ISO 21827 SSE-CMM, NIST tiers, benchmarking
Regulatory Integration	ISO 27001 as backbone with mapping overlays for GDPR, HIPAA, PCI, SOX

Program Maturity Models

CISM candidates must recognize all three common maturity models:

Model	Levels
CMMI (Capability Maturity Model Integration)	0 Incomplete, 1 Initial, 2 Managed, 3 Defined, 4 Quantitatively Managed, 5 Optimizing
NIST CSF Tiers	Tier 1 Partial, Tier 2 Risk Informed, Tier 3 Repeatable, Tier 4 Adaptive
ISO 21827 / SSE-CMM	Levels 0-5, similar to CMMI but applied to security engineering

ISO/IEC 27001:2022 — The Most Tested Framework

The 2022 revision of ISO 27001 is critical for 2026 candidates. Memorize:

10 clauses in the main standard (clauses 4-10 are auditable requirements: Context, Leadership, Planning, Support, Operation, Performance Evaluation, Improvement)
93 Annex A controls organized into 4 themes: Organizational (37), People (8), Physical (14), Technological (34)
This is a major restructuring from the 2013 version’s 14 domains and 114 controls

NIST Cybersecurity Framework 2.0 (Released February 2024)

6 core functions (up from 5 in CSF 1.1): Govern (NEW), Identify, Protect, Detect, Respond, Recover
The new Govern function covers organizational context, risk management strategy, roles and responsibilities, policy, oversight, and supply chain risk
Implementation uses Tiers 1-4 (Partial, Risk Informed, Repeatable, Adaptive) — not maturity levels
Profiles describe the current and target state of cybersecurity activities

Domain 4 — Incident Management (30%)

Domain 4 is the second-largest domain at 30% — roughly 44 questions — and covers the security manager’s role before, during, and after security incidents.

Core Topics

Topic	What You Must Know
IR Planning & Classification	IR plan structure, CSIRT roles, severity levels, event vs incident vs breach, escalation
Detection & Analysis	SIEM, SOAR, SOC operations, threat intel, detection engineering
Containment, Eradication, Recovery	Short-term vs long-term containment; malware removal; rebuild vs clean; validated return to production
Post-Incident Activity	Lessons learned, root cause analysis, plan updates
BCP & DRP	BCP plan structure, DRP as IT-focused subset, activation criteria
RTO, RPO, MTD, WRT	Recovery Time Objective, Recovery Point Objective, Max Tolerable Downtime, Work Recovery Time
High Availability	Active-active, active-passive, clustering, load balancing
Backup Strategies	Full, incremental, differential; 3-2-1 rule; immutable/air-gapped (anti-ransomware)
DR Sites	Hot, warm, cold; cloud-based DR; RTO/cost trade-offs
Testing	Checklist, walkthrough, tabletop, parallel, full interruption
Crisis Communication	Internal, customer, regulator, law enforcement, media
Digital Forensics	Chain of custody, imaging, hash validation, write blockers
Legal/Regulatory Notification	GDPR 72h, SEC 4-day material disclosure, state breach laws, NIS2

The Incident Response Lifecycle (NIST SP 800-61r2 — 4 Phases)

Preparation — policies, team, tools, training
Detection and Analysis — detect, validate, classify, prioritize
Containment, Eradication, and Recovery — contain the incident, remove the cause, restore services
Post-Incident Activity — lessons learned, metrics, process improvement

ISACA’s CISM Review Manual also discusses the SANS 6-step model (Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned). Both are testable — memorize both.

RTO/RPO Cheat Sheet (Repeatedly Tested)

RTO (Recovery Time Objective): How fast must we restore? Drives DR site choice and backup frequency.
RPO (Recovery Point Objective): How much data can we afford to lose? Drives backup and replication strategy.
MTD (Maximum Tolerable Downtime): The business-defined absolute maximum downtime. RTO must be less than MTD.
WRT (Work Recovery Time): Time to make a system usable after the technical RTO is met (data validation, user readiness). MTD = RTO + WRT.

Breach Notification Windows (2026 Reality)

Regulation	Notification Window	To Whom
GDPR	72 hours from awareness	Supervisory authority; subjects if high risk
HIPAA Breach Notification Rule	60 days from discovery	Individuals, HHS; media if 500+ in a state
US State Breach Laws (varies)	Typically "without unreasonable delay," often 30-90 days	State AG, affected residents
NYDFS Part 500	72 hours	NYDFS Superintendent
SEC Cyber Disclosure (public co.)	4 business days of materiality determination	8-K filing
PCI-DSS (card brand contractual)	Varies — often immediate	Acquirer / card brand
EU NIS2 Directive	24-hour early warning + 72-hour incident notification + 1-month final report	National CSIRT / competent authority

Memorize these — they come up directly.

Cross-Domain High-Yield: The Concepts That Cut Across Every Question

These concepts appear in 20-30% of CISM questions regardless of labeled domain.

The Management Decision Principle

The security manager identifies, assesses, and recommends. The business process owner decides. The governance body oversees.

When a question asks "who should decide X," apply this filter:

Decision	Decider
Accept a specific residual risk	Business process owner (management)
Approve information security strategy	Executive management (governance)
Set organizational risk appetite	Board of directors (governance)
Implement a specific control	Security manager / IT team (operations)
Declare an incident	Incident commander per plan (operations)
Notify regulators	Legal + executive per plan (governance + management)
Disclose a breach publicly	Executive management per plan (governance-approved)

Control Classifications

Same as CISA — memorize the typology:

Type	Purpose	Examples
Preventive	Stop incidents before they happen	Firewalls, access controls, MFA, encryption
Detective	Identify incidents that have occurred	Logs, IDS, SIEM, CCTV
Corrective	Restore after an incident	Backups, incident response, patches
Deterrent	Discourage threats	Warning signs, visible cameras
Compensating	Alternate control when the primary one is infeasible	Manager review when automated segregation cannot be implemented

Administrative, Technical, Physical

Administrative (Managerial): Policies, procedures, training, background checks
Technical (Logical): Firewalls, encryption, ACLs, IDS
Physical: Locks, guards, cameras, fences

Metrics That Matter to the Board

Avoid the rookie mistake of reporting activity metrics to executives. Translate into business outcomes:

Avoid (Activity)	Prefer (Outcome)
"We blocked 1.2M malware events"	"Ransomware-caused downtime decreased 80% YoY"
"We patched 5,000 CVEs"	"High-severity vulnerabilities > SLA decreased from 250 to 30"
"We conducted 12 phishing simulations"	"Phishing click rate declined from 18% to 4%; credential-theft incidents reduced 60%"
"SOC monitored 24x7"	"Mean Time to Detect (MTTD) improved from 72h to 4h; MTTR from 14d to 36h"

CISM Pass Rate & Difficulty Reality Check

ISACA does not publish official pass rates. Here is what we know from candidate surveys, training providers, and community data:

Source	Reported First-Time Pass Rate
Gleim CISM customer survey (2024)	~82% (self-selected study-committed users)
Hemang Doshi course completers	~78%
Reddit r/CISM self-reports	55-65%
Industry average across all candidates	~50-60%
Candidates using official Review Manual + QAE DB	75-80%
Technical engineers who skip management-mindset coaching	30-45%

Why the range? First-time pass rates depend heavily on:

Materials used — official CISM Review Manual (16th edition) + QAE Database is the evidence-based winning stack.
Practice volume — 1,000+ practice questions correlates with 2x pass rates vs under 300.
Experience — working security managers pass at higher rates than technical engineers and career changers.
Mindset adjustment — the #1 reason candidates fail CISM is failing to shift from a "secure the system" to a "manage the program and the business" mindset.

Plan on 100-150 hours of study. Do not schedule the exam until you are consistently scoring 75%+ on full-length timed practice exams.

FREE CISM Practice, Round 2

Practice is what separates the 50% who pass from the 50% who retake. Before we get to the study plan, make sure you have your practice environment ready.

Start practicing nowPractice questions with detailed explanations

12-Week CISM Study Plan

This plan assumes 10 hours per week. Scale up or down based on your schedule. Experienced security managers can compress to 8 weeks at 12 hours/week; technical engineers pivoting to management should extend to 14-16 weeks.

Weeks 1-2: Mindset Reset + Domain 1 (Governance)

Read CISM Review Manual (16th ed) Chapter 1.
Watch Hemang Doshi’s or Mike Chapple’s Domain 1 overview (YouTube or LinkedIn Learning).
Build a one-page "CISM mindset cheat sheet": governance vs management, who decides what, risk-based thinking.
Practice: 50 Domain 1 questions. Review every wrong answer with focus on why the managerial answer is correct.

Weeks 3-4: Domain 2 — Risk Management

Read Chapter 2.
Memorize the quantitative risk formulas (SLE, ALE, ROSI) and run 5 example calculations.
Build a risk treatment decision table: mitigate/accept/transfer/avoid with example scenarios.
Practice translating business impact into risk language.
Practice: 75 Domain 2 questions.

Weeks 5-7: Domain 3 — Information Security Program (BIG DOMAIN)

Read Chapter 3 — this is the longest chapter.
Week 5: Program development, resources, classification, frameworks (ISO 27001:2022, NIST CSF 2.0).
Week 6: Access management, data protection, endpoint/network/application/cloud security.
Week 7: Vendor risk, awareness, metrics, compliance integration.
Build a framework comparison table: ISO 27001 vs NIST CSF 2.0 vs CIS Controls v8.
Practice: 150 Domain 3 questions across the three weeks.

Weeks 8-9: Domain 4 — Incident Management

Read Chapter 4.
Week 8: IR lifecycle (NIST + SANS), detection, containment, eradication, recovery.
Week 9: BCP/DRP, RTO/RPO/MTD/WRT, breach notification windows, forensics.
Memorize the notification window table (GDPR 72h, HIPAA 60d, SEC 4-day, NIS2).
Practice: 100 Domain 4 questions.

Week 10: Full-Length Practice Exams + Weakness Targeting

Take 2 full 150-question timed practice exams in 4-hour blocks.
After each, spend 6-8 hours analyzing wrong answers, grouping them by domain and by "why I got this wrong" (knowledge gap, wrong mindset, misread).
Re-study weak areas.

Week 11: Final Mock Exams + High-Yield Review

Take 2 more full mocks at the same time of day you will sit the real exam.
Target: consistent 75%+ scores.
Final review of high-yield flashcards: COBIT, ISO 27001 structure, NIST CSF 2.0 functions, ALE formulas, RTO/RPO, breach notification windows, governance vs management.

Week 12: Taper Week

Light review only — no new material.
Day 2: 1 final mock exam.
Days 3-5: targeted flashcard review.
Day 6: rest.
Day 7: exam day.

Recommended Resources (Free-First)

Free

Resource	Why
ISACA Official Exam Candidate Guide (PDF, free from isaca.org)	Authoritative source for 2026 exam policies
Prabh Nair YouTube channel	Gold standard of free CISM video content — 50+ hours of domain videos
Mike Chapple’s CISM content (LinkedIn Learning free trials, YouTube excerpts)	Clear, high-quality domain overviews
Hemang Doshi YouTube channel and blog	The CISM study community’s most-cited free resource, aligned with his Absolute Mindset approach
Luke Ahmed (Study Notes and Theory)	Known for CISSP but has strong CISM material on managerial mindset questions
OpenExamPrep free CISM practice	Free ISACA-style questions with AI tutor explanations — start here
ISACA Free Webinars	Monthly webinars count as CPE post-certification
r/CISM subreddit	Trip reports and current-week study updates

Paid (Only After Exhausting Free)

Resource	What It Is	Who Should Buy
ISACA CISM Review Manual, 16th Edition	The official prep book (~360 pages). The primary source.	Every candidate. Non-negotiable.
ISACA QAE Database (Questions, Answers, Explanations)	1,000+ official practice questions with digital analytics	Every candidate. Highest-ROI paid resource.
Hemang Doshi’s CISM Certified Information Security Manager All-In-One Exam Guide	Concise, high-yield summary with mnemonic-driven learning	Candidates who find the Review Manual dense
Mike Chapple’s CISM Study Guide (Sybex/Wiley)	Alternative textbook with different teaching style	Candidates who want a second reference
Gleim CISM Review	Complete course with question bank	Candidates who want maximum structure
Cybrary CISM Course	Video course at lower price point	Budget-conscious candidates
Pearson/Kaplan CISM Cert Guide	Alternative textbook format	Candidates who want a third reference

The lean budget stack: Official Review Manual (~~$139 member) + ISACA QAE 12-month subscription (~~$299 member) + Hemang Doshi’s All-In-One (~$50) + free practice + Prabh Nair YouTube. Total: under $550, covers everything.

Exam-Day Strategy: The CISM Stamina Game

The CISM is 150 questions in 240 minutes — roughly 1 minute 36 seconds per question. The exam is linear on-the-fly, meaning you CAN navigate back, flag questions, review, and change answers within the 4-hour window. This is a huge difference from CISSP CAT format. Use it.

Pacing

Minute 0-80: Answer questions 1-50. If a question takes more than 90 seconds, flag it and move on.
Minute 80-160: Answer questions 51-100.
Minute 160-220: Answer questions 101-150.
Minute 220-240: Revisit flagged questions. Change answers only when you have a concrete reason — first instincts are correct about 75% of the time.

The CISM Question Archetypes

Every CISM question falls into one of three archetypes. Identify which before you answer:

Archetype	Signal	Strategy
Knowledge Check	"Which of the following is defined as..."	Pick the definition. Move fast.
Scenario / Best Answer	A 3-5 sentence scenario ending in "What is the BEST action for the information security manager?"	Identify the role, apply governance vs management vs operations filter, eliminate technical-only answers
First / Next / Greatest	"What should the manager do FIRST?" / "Which presents the GREATEST risk?"	Read all options — all may be plausible. Pick based on the risk-and-governance frame.

The Elimination Engine

For hard questions, eliminate in this order:

Eliminate technical-only answers. CISM tests management judgment, not technical execution.
Eliminate answers where the security manager oversteps authority. The manager does not accept risk for the business, does not approve corporate policy on their own, does not make public disclosure decisions unilaterally.
Eliminate absolutes. "Always," "never," "all" are almost always wrong.
Eliminate answers that bypass governance. If an option skips board/executive approval for a major decision, it is wrong.
Choose the answer that an experienced, risk-aware security manager would take back to executive leadership and defend.

Working-Memory Conservation

Read the question and the final sentence first; then read the options; then re-read the scenario with the options in mind.
Do NOT re-read passages multiple times. One read, decide, flag if unsure, move on.
Hydrate. PSI allows water at test centers (check per-site rules).
If online-proctored: set up a quiet room, close all other apps, test the webcam, keep government ID ready, and clear your desk of all materials.

Cost Breakdown, Retake Policy & Recertification

Total First-Year Cost

Item	ISACA Member	Non-Member
Exam fee	$575	$760
ISACA membership (optional)	$135 + $50 one-time	n/a
Application processing fee (after passing)	$50	$50
Annual maintenance fee	$45	$85
Year 1 Total (minimum path)	~$855	~$895

Membership math: joining costs $185 first year ($50 application + $135 dues) and saves you $185 on the exam fee. You break even in year 1 and win in year 2+ via discounted resources, lower maintenance, and discounted conferences.

Retake Policy

After a failed attempt, wait 90 days before retesting.
Maximum 4 attempts per 12-month period.
You pay the full exam fee on each retake.

Recertification (3-Year Cycles)

120 CPE hours per 3-year cycle.
Minimum 20 CPE hours per year — no back-loading into year 3.
Annual maintenance fee: $45 member / $85 non-member.
Adhere to the ISACA Code of Professional Ethics and Information Security Management Standards.
ISACA audits approximately 10% of certificants each year — keep documentation of every CPE.

CPE activities include ISACA chapter meetings, webinars, conferences, vendor training, university courses, teaching, writing, serving on committees, and reading vetted cybersecurity publications. All five ISACA credentials share a single 3-year cycle, so if you stack CISM + CISA + CRISC, one CPE can count across all three.

Salary & Career: What a CISM Actually Earns

ISACA’s 2024 State of Cybersecurity and Robert Half’s 2026 Salary Guide converge on these 2026 US numbers:

Role	CISM-Certified Base Salary (US)
Information Security Manager	$130,000 - $165,000
Senior Information Security Manager	$150,000 - $190,000
Director of Information Security	$170,000 - $225,000
CISO (small-mid enterprise)	$180,000 - $260,000
CISO (large enterprise / Fortune 500)	$250,000 - $450,000+
vCISO / Fractional CISO (consulting)	$200 - $500/hour
GRC Manager	$120,000 - $160,000
Big 4 Advisory Security Manager	$145,000 - $185,000

The CISM Premium

ISACA’s 2024 survey reports CISM holders average $148,000 in base salary — the highest of any ISACA credential, roughly 15-20% above CISSP holders in comparable management roles. CISO total comp (base + bonus + equity) frequently exceeds $400,000 at large enterprises.

Career Paths

CISO track: Analyst → Manager → Director → CISO. CISM expected at Director and above.
Consulting track: Advisory Manager → Senior Manager → Partner. CISM standard at Manager.
vCISO track: Experienced manager → fractional CISO for mid-market clients.
Government track: GS-14/GS-15 security roles typically require CISM; DoD 8140.03 IAM-III qualifying.

Common Mistakes That Tank First-Time Candidates

Mistake #1: Picking "The Most Secure" Answer

CISM is a management exam, not a security-engineering exam. The right answer is the one an information security manager would take back to executive leadership and defend — usually the one that frames risk, presents options, and respects authority boundaries. Not the one that adds the most technical controls.

Wrong: "Deploy MFA everywhere immediately." Right: "Conduct a risk assessment on authentication weaknesses, present options (cost, coverage, business impact) to executive management, and implement per approved plan."

Mistake #2: The Security Manager Accepts Risk

Candidates routinely pick answers where the security manager accepts a residual risk. Wrong.

The business process owner accepts risk. The security manager identifies, assesses, and recommends. When in doubt, an answer that has the security manager unilaterally accepting, rejecting, or modifying a business-owned risk is wrong.

Mistake #3: Ignoring Governance

Major decisions (strategy, policy, public disclosure, risk appetite) require governance approval. If an answer shows the security manager making those decisions alone, it is wrong.

Mistake #4: Confusing Incident Commander Authority

The incident commander has tactical authority per the documented plan. They contain, isolate, restore. They do NOT make public disclosure decisions, regulator notifications, or legal decisions without escalation. These are governance-approved communications.

Mistake #5: Under-Practicing

100 practice questions is not enough. You need 1,000+, with the final 2 weeks spent on timed, full-length sets in a 4-hour block.

Mistake #6: Skipping the Manual for Bootcamps

Bootcamps and YouTube summarize. ISACA writes the exam from the CISM Review Manual. If you skip it, you will miss the wording nuances ("the MOST appropriate" vs "the BEST") that make the difference between a pass and a fail.

Mistake #7: Under-Studying Domains 3 and 4

Domains 3 (33%) and 4 (30%) are 63% of the exam. Candidates who over-invest in Domains 1 and 2 and under-prepare on Program and Incident Management routinely fail. Start Domain 3 by Week 5 of a 12-week plan — not Week 10.

Mistake #8: Technical Engineers Skipping Mindset Work

If you have spent 10 years as a security engineer, you have trained yourself to answer technical questions with technical answers. CISM requires an explicit mindset reset. Spend the first week of your study plan on the management mindset — not on content — and your pass rate will double.

CISM vs CISSP vs CISA vs CRISC — And How to Stack

Cert	Body	Focus	Experience	Best For
CISM	ISACA	Information security management	5 years InfoSec, 3 in mgmt	Security managers, CISOs
CISSP	ISC2	Security management + technical (8 domains)	5 years in 2+ domains	Senior security engineers, CISOs
CISA	ISACA	IT audit, control, assurance	5 years IS audit/control/security	IT auditors, compliance pros
CRISC	ISACA	IT risk management	3 years IT risk & control in 2+ of 4 domains	Risk officers, control owners
CGEIT	ISACA	Executive IT governance	5 years IT governance, 1 in leadership	CIOs, IT governance leaders
CDPSE	ISACA	Privacy engineering + assurance	3 years privacy + technical	Privacy engineers, DPOs
CCISO	EC-Council	Executive-level CISO	5 years in each of 5 CISO domains	Experienced CISOs

CISM vs CISSP: The Eternal Question

Dimension	CISM	CISSP
Body	ISACA	ISC2
Domains	4 (mgmt-focused)	8 (mgmt + technical)
Format	Linear 150 Q / 4h (back-nav)	CAT 100-150 Q / 3h (no back-nav)
Pass score	450/800 scaled	700/1000 scaled
Cost (2026)	$575 / $760	$749

Rule of thumb: If your daily work is running a security program (policy, team, program, incidents), CISM is more directly aligned. If your daily work is senior engineering plus leadership, CISSP is more directly aligned. Many CISOs hold both.

CISM vs CISA vs CRISC (Quick)

CISA: for auditors who independently evaluate controls (SOX, SOC 1/2, ISO 27001 external audit).
CISM: for managers who build and run controls (CISO, Security Manager, Director of Security).
CRISC: deeper on IT risk methodology — identification, assessment, response, monitoring.

Stacking Strategy

CISM + CISA: Management plus audit perspective. Common in mature enterprises.
CISM + CISSP: Broadest CISO-track stack.
CISM + CRISC: Security management with deep risk specialization — common in finance, healthcare.
CISM + CDPSE: Management plus privacy engineering — growing with GDPR, CCPA, AI governance.

Your Next Steps After CISM

Natural follow-ups: CISA (audit perspective), CRISC (risk depth), CGEIT (executive governance), CDPSE (privacy), CCISO (EC-Council CISO-specific), AAIA (ISACA AI audit), or ISO 27001 Lead Implementer/Auditor.

All five ISACA credentials share a single 3-year CPE cycle when held simultaneously — so CISM + CISA + CRISC maintenance is the same 120 hours as CISM alone.

Final CTA: Start Practicing Today

CISM is a pass-able exam with a clear roadmap. The candidates who fail almost always share one trait: they treated it like a technical exam. You can fix that right now.

Start practicing nowPractice questions with detailed explanations

The 2026 security-management job market has more openings than qualified candidates. CISM is the fastest credential path into those openings. The only thing between you and that CISO title is the 150-question exam — and a study plan that actually works.

Good luck. You can do this.

Official Sources

ISACA CISM program home: https://www.isaca.org/credentialing/cism
ISACA Exam Candidate Guide (PDF): available from the CISM program page
ISACA Code of Professional Ethics: https://www.isaca.org/credentialing/code-of-professional-ethics
ISACA Information Security Management Standards: available via isaca.org
COBIT 2019 Framework: https://www.isaca.org/resources/cobit
ISACA 2024 State of Cybersecurity report: https://www.isaca.org
PSI Services (delivery vendor): https://www.psionline.com
NIST Cybersecurity Framework 2.0: https://www.nist.gov/cyberframework
NIST SP 800-61 Rev. 2 (Incident Response): https://csrc.nist.gov
ISO/IEC 27001:2022: https://www.iso.org/standard/27001
SEC Cybersecurity Disclosure Rule: https://www.sec.gov

Information current as of April 2026. Always verify specific fees, dates, and eligibility details at isaca.org before applying or registering.

✓Key Facts

CISM in 2026: The Only Guide You Need

CISM Exam At-a-Glance (2026)

FREE CISM Prep: Practice Before You Pay

What CISM Actually Is — And Why It Is Not CISSP or CISA

The 2026 CISM Market

Who Should Take CISM

Eligibility & the CISM Experience Rule

The Experience Requirement

Substitutions (Up to 2 Years General InfoSec Experience)

What Counts as "Management Experience"

The Experience Verification Process

The 4 CISM Domains (2022 Job Practice Analysis, Current 2026)

Domain 1 — Information Security Governance (17%)

Core Topics

High-Yield: Governance vs Management

Domain 2 — Information Security Risk Management (20%)

Core Topics

The Quantitative Risk Formulas (Memorize These)

The Risk Treatment Decision Framework

Domain 3 — Information Security Program (33%)

Core Topics

Program Maturity Models

ISO/IEC 27001:2022 — The Most Tested Framework

NIST Cybersecurity Framework 2.0 (Released February 2024)

Domain 4 — Incident Management (30%)

Core Topics

The Incident Response Lifecycle (NIST SP 800-61r2 — 4 Phases)

RTO/RPO Cheat Sheet (Repeatedly Tested)

Breach Notification Windows (2026 Reality)

Cross-Domain High-Yield: The Concepts That Cut Across Every Question

The Management Decision Principle

Control Classifications

Administrative, Technical, Physical

Metrics That Matter to the Board

CISM Pass Rate & Difficulty Reality Check

FREE CISM Practice, Round 2

12-Week CISM Study Plan

Weeks 1-2: Mindset Reset + Domain 1 (Governance)

Weeks 3-4: Domain 2 — Risk Management

Weeks 5-7: Domain 3 — Information Security Program (BIG DOMAIN)

Weeks 8-9: Domain 4 — Incident Management

Week 10: Full-Length Practice Exams + Weakness Targeting

Week 11: Final Mock Exams + High-Yield Review

Week 12: Taper Week

Recommended Resources (Free-First)

Free

Paid (Only After Exhausting Free)

Exam-Day Strategy: The CISM Stamina Game

Pacing

The CISM Question Archetypes

The Elimination Engine

Working-Memory Conservation

Cost Breakdown, Retake Policy & Recertification

Total First-Year Cost

Retake Policy

Recertification (3-Year Cycles)

Salary & Career: What a CISM Actually Earns

The CISM Premium

Career Paths

Common Mistakes That Tank First-Time Candidates

Mistake #1: Picking "The Most Secure" Answer

Mistake #2: The Security Manager Accepts Risk

Mistake #3: Ignoring Governance

Mistake #4: Confusing Incident Commander Authority

Mistake #5: Under-Practicing

Mistake #6: Skipping the Manual for Bootcamps

Mistake #7: Under-Studying Domains 3 and 4

Mistake #8: Technical Engineers Skipping Mindset Work

CISM vs CISSP vs CISA vs CRISC — And How to Stack

CISM vs CISSP: The Eternal Question

CISM vs CISA vs CRISC (Quick)

Stacking Strategy

Your Next Steps After CISM

Final CTA: Start Practicing Today

Official Sources

Free Study Resources

CISM

Related Articles

AIGP Exam Guide 2026: FREE IAPP AI Governance Prep