ISACA · 2026 Edition
A complete preparation guide written by ISACA-certified engineers. Covers the exam format, all 4 blueprint domains, a week-by-week study plan, and proven tips for passing the first time.
Prep time: 4–6 months
Difficulty: Advanced
Exam questions: 150
Pass mark: 450/1000
Exam code: CISM
Full name: CISM
Vendor: ISACA
Duration: 240 minutes
Questions: 150 items
Passing score: 450/1000 (scaled)
Domains covered: 4 blueprint domains
Recommended experience: 5 years of IS/IT security work experience required, with a minimum of 3 years in information security management
Typical prep time: 4–6 months
CISM is the leading credential for information security managers. It is consistently ranked among the highest-paying IT certifications and is the required or preferred credential for CISO and security management roles at mid-to-large enterprises.
Job roles this opens
Domain percentage weights are not currently available for this exam. The checklist below is still useful for planning your study.
Month 1
Information Security Governance: strategy, frameworks, organisational structures, metrics
Tip: CISM is a management exam, not a technical one. Every question should be answered from the perspective of a manager whose job is to align security with business objectives, not a technician who configures controls. When two answers are both technically valid, choose the one with better business alignment.
Month 2
Information Risk Management: risk assessment, risk appetite, risk treatment, third-party risk
Tip: CISM risk management questions focus on process, not tools. Know the ISO 31000 risk management framework steps: establish context → identify risks → analyse risks → evaluate risks → treat risks → monitor and review. Know the difference between risk tolerance (amount of risk an organisation will accept) and risk appetite (amount of risk it is willing to pursue for reward).
Month 3–4
Information Security Programme Development and Management (33% of exam)
Tip: The programme domain is the heaviest on CISM. Focus on security programme lifecycle: assess current state → define target state → develop roadmap → implement controls → monitor effectiveness. Know how to present a security programme to the board (business risk language, not technical language).
Month 4–6
Incident Management: IR planning, detection, response, recovery, post-incident review
Tip: CISM incident management questions focus on the manager's role: escalation decisions, communications to executives, regulatory notification obligations, and crisis communications. Know when an incident must be reported to regulators (GDPR: 72-hour breach notification) and what information must be included.
CISM requires 5 years of IS work experience with at least 3 in security management. Experience must be in at least 3 of the 4 CISM domains. Experience can be substituted (up to 2 years) with certain certifications or education — check the ISACA experience requirements before applying.
CISM questions often present a scenario where two answers are both correct in isolation — the distinguishing factor is usually sequence (what should you do FIRST?) or stakeholder (who should be involved in this decision?). The FIRST action is almost always an assessment or communication step, not an implementation step.
Business impact analysis (BIA) is the foundation of both the risk management and incident management domains. Know that BIA identifies critical business processes, their dependencies, and the financial and operational impact of disruption — this drives the prioritisation of recovery efforts.
Security metrics and KPIs are tested on CISM. Know the difference between KPIs (Key Performance Indicators — measure how well you are executing your security programme, e.g. % of vulnerabilities remediated within SLA) and KRIs (Key Risk Indicators — leading indicators that a risk may be increasing, e.g. increase in failed login attempts).
CISM is valid for 3 years and requires 120 CPE credits over the 3-year period (minimum 20 per year). Annual maintenance fees apply. ISACA offers CPE through conferences, webcasts, and contributions to the IS profession.