Retake, Rescore, and Post-Exam Feedback
Key Takeaways
- Candidates get up to 4 attempts in a rolling 12-month period, with mandatory waits of 30, 90, and 90 days between retakes.
- Each attempt requires the full exam fee — USD $575 for ISACA members and USD $760 for non-members in 2026.
- A preliminary pass/fail result appears at the test center; the official scaled score follows by email, and failing candidates get a by-domain breakdown.
- After passing the exam, you still must submit the certification application with a $50 processing fee and meet the experience requirement.
Knowing the retake and results process keeps a single bad sitting from becoming a panic. The CISM exam allows up to four attempts within a rolling 12-month period, with enforced waiting periods between them, and each attempt costs the full exam fee — there is no discounted retake.
Retake limits and waiting periods
| Attempt | Earliest you may retake | Cost |
|---|---|---|
| 1st attempt | n/a | Full fee |
| Retake 1 | 30 days after attempt 1 | Full fee |
| Retake 2 | 90 days after retake 1 | Full fee |
| Retake 3 | 90 days after retake 2 | Full fee |
The 2026 fee is USD $575 for ISACA members and USD $760 for non-members. Because the member fee plus annual membership is often cheaper than the non-member fee, many candidates join ISACA before registering, and membership also unlocks discounted study materials. The roughly $185 gap between the $760 non-member and $575 member fee frequently exceeds the cost of an ISACA membership, which is why running the membership-first math is the standard money-saving move.
Budget for the possibility of a second attempt rather than assuming one-and-done; if there is any realistic chance you re-sit, the second full fee dwarfs the membership savings, so plan it into your total cost from the start.
Note also that the exam fee and the certification application fee are separate line items. The exam fee buys you the sitting; the $50 application processing fee comes later, only after you pass and apply. Confusing the two leads candidates to under-budget the true cost of becoming certified. The full cost stack therefore includes the exam fee per attempt, optional ISACA membership, study materials, the $50 application processing fee on passing, and the recurring annual maintenance fee plus continuing-education commitment once certified. Treating only the headline exam fee as 'the cost' is the most common budgeting error candidates make.
The results process
- Preliminary result — At the end of the exam you receive an unofficial pass/fail indication on screen at the test center. It has no score number attached.
- Official scaled score — ISACA emails the official result, reported on the 200-800 scale (450 to pass), typically within about ten business days.
- Failing-candidate feedback — A failing report shows performance by domain, not by individual question. Use it exactly like practice domain feedback: find the heaviest weak domain and remediate there first, weighting each domain gap by its 17/20/33/30 blueprint share before deciding where the retake-prep hours go.
ISACA does not release the specific questions you missed or your answers, so there is no item-level review. A formal rescore is generally not part of CISM scoring — results are computer-scored against the standard, so plan your remediation around the domain breakdown rather than expecting a manual rescore to flip a result. In practice this means a failing score is a study signal, not a clerical dispute; the lever you control is preparation for the next attempt, not an appeal of the current one.
After you pass the exam
Passing the exam is not the same as being certified. You must then:
- Submit the CISM certification application with a USD $50 application processing fee.
- Demonstrate the required information security management work experience (five years, with allowable substitutions/waivers up to a limit), verified independently.
- Agree to the ISACA Code of Professional Ethics and the Continuing Professional Education (CPE) policy to maintain the credential after certification.
You have a window (commonly five years from passing) to claim the certification before the passing result expires and you would have to re-sit. So do not let a passed exam lapse while you accumulate experience documentation.
Common post-exam traps
- Assuming a passed exam equals certification — the application and $50 fee are separate steps.
- Forgetting the 30/90/90-day waits when planning a retake date around a job deadline.
- Budgeting for one attempt only, then being blocked by the full retake fee.
- Expecting an item-level score report or a manual rescore to overturn a fail.
- Letting the passing result expire while gathering experience evidence.
Turn a failing report into a plan
If you fail, resist the urge to immediately re-register. Treat the by-domain failing report exactly like a mock diagnostic: identify the heaviest weak domain, label your likely cause (knowledge versus answer-strategy), and use the mandatory 30-day wait productively rather than as dead time. The 30/90/90-day waiting structure is actually an advantage here, because rushing back in two weeks with the same blind spots wastes a full fee. Schedule the retake far enough out to complete a real remediation cycle, including at least one fresh full-length timed mock, then confirm your domain trends have moved before paying again.
Finally, document your work experience as you go rather than scrambling after passing. ISACA requires independent verification of the required information security management experience, and gathering manager attestations and dated evidence can take weeks. Starting that paperwork early means the moment your official scaled score lands above 450, you can submit the application and the $50 fee without delay, and you never risk the passing result lapsing before you certify.
How many attempts and what waiting periods govern CISM retakes?
What does a candidate receive immediately at the test center, and what arrives later?
A candidate just passed the CISM exam. What is still required to become certified?