The November 2026 Outline Change
Key Takeaways
- A new CISM Exam Content Outline takes effect 3 November 2026; any exam on or after that date follows the new blueprint.
- The 2026 update adds enterprise architecture and information security architecture as content areas.
- The new outline shifts more weight toward security strategy and program development.
- Updated official prep materials become available to purchase beginning September 2026.
- Exam mechanics do not change: still 150 questions, 240 minutes, and a 450 scaled passing score.
The November 2026 Outline Change
ISACA periodically refreshes the CISM Job Practice -- the survey-driven analysis of what security managers actually do -- and rebuilds the Exam Content Outline (ECO) to match. The next refresh takes effect 3 November 2026. Any exam delivered on or after that date reflects the new outline; any exam before it follows the current four-domain outline. This is the single most important scheduling fact in 2026, because it determines which study materials are correct for your test date.
What ISACA has confirmed is changing
Based on ISACA's published Job Practice Update for 2026:
- New content on architecture. The outline adds enterprise architecture and information security architecture, reflecting the expectation that a security manager understands the technologies under their purview -- cloud, zero trust, identity -- well enough to govern them.
- Greater emphasis on strategy and program development. More weight shifts toward building and evolving the security strategy and program, the manager-level work that distinguishes CISM from operational roles.
- Updated preparation materials for the new outline begin launching 1 September 2026 and become available to purchase in September 2026, roughly two months ahead of the change.
What stays the same
The exam mechanics are not changing on this date: still 150 multiple-choice questions, still a 4-hour (240-minute) window, still a scaled passing score of 450 on the 200-800 range, and still the same registration and certification process. Only the content blueprint moves.
Decide which blueprint you are studying
| Your exam date | Outline to study | Materials to use |
|---|---|---|
| On or before ~2 Nov 2026 | Current 4-domain ECO | Current CRM / review materials |
| On or after 3 Nov 2026 | New 2026 ECO | September 2026 updated materials |
Why ISACA refreshes the outline
The CISM Job Practice is rebuilt from a global survey of practicing security managers, so each refresh follows how the role is actually changing. The 2026 update tracks the spread of cloud, zero-trust, and identity-centric architectures: boards now expect a security manager to govern those technologies, so the exam expects you to reason about architecture decisions -- where controls live, how trust boundaries are drawn, how a security architecture supports the business strategy -- rather than to implement them.
Expect more scenario items asking how a manager evaluates an architecture proposal against risk appetite and strategy, and fewer that test isolated definitions.
What this does not mean
The shift toward architecture does not turn CISM into a technical exam. You will not be asked to write firewall rules or design a network diagram. "Information security architecture" on CISM means understanding the managerial implications -- cost, risk, ownership, alignment, and lifecycle -- of architecture choices. The four current domains do not simply vanish either: governance, risk, program, and incident concepts remain the backbone and are folded into the refreshed structure with adjusted emphasis.
A reasonable way to picture it is that architecture becomes a lens applied across the domains rather than a fifth silo, with strategy and program work absorbing the largest share of the added emphasis.
The trap here is mixing blueprints. A practice bank built for the current outline's weights and an outline summary written for the new one will disagree on domain percentages and on whether "security architecture" is a first-class topic. If you cannot confirm an item's source, default to ISACA's official ECO PDF for your date. Practical rule: if you are taking the exam in 2026, lock your test date first, then buy or trust materials -- not the reverse. A candidate who schedules late in the year but studies an old guide can walk into questions on architecture that their materials never covered.
If you have already started with current materials and your date slips past 3 November, plan a focused top-up on the new architecture and strategy content rather than re-studying everything. Treat the transition like a controlled change: confirm scope (your date), assess impact (which topics moved), and update only what the change requires. Building in a one-to-two-week buffer before any late-2026 date also protects you if you must reschedule across the boundary.
How to source-check a study material against the right outline
The cleanest defense against blueprint confusion is to validate the materials you buy against ISACA's official Exam Content Outline PDF for your date. Use this quick checklist before trusting any third-party bank or course:
- Does it state an effective date or edition? Reputable 2026 materials will say whether they map to the current four-domain outline or the post-3-November outline. Silence is a warning sign.
- Do the domain weights match? If a guide lists Governance, Risk, Program, and Incident at 17/20/33/30, it is the current outline. A guide that elevates architecture or restructures the domains is targeting the new one.
- Does it claim to contain real exam questions? ISACA's items are protected. Any product promising "actual exam questions" or "brain dumps" is both a quality risk and an ethics violation under the ISACA Code of Professional Ethics.
A migration scenario
Consider a candidate who began studying in July 2026 with the current CRM and books an exam for 5 November because earlier slots filled up. Their date now falls under the new outline. The disciplined response is not panic or a full restart: it is a gap analysis. Keep the governance, risk, program, and incident foundations -- they carry forward -- and add focused study on the new enterprise-architecture and information-security-architecture material once the September 2026 updated resources are available. Alternatively, the candidate could move the exam earlier to stay under the current outline.
Either path is fine; the failure mode is leaving the date and the materials mismatched and discovering the gap only in the exam room. Treating the outline boundary as a known project constraint -- not a surprise -- is exactly the planning behavior CISM rewards.
A candidate is scheduled to sit the CISM exam on 10 November 2026. Which exam content outline should drive their study?
Which two content areas does ISACA add in the November 2026 CISM outline?
Which exam mechanic changes on 3 November 2026 along with the new outline?