© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

ISACA · 2026 Edition

CISM Study Guide — How to Pass CISM

A complete preparation guide written by ISACA-certified engineers. Covers the exam format, all 4 blueprint domains, a week-by-week study plan, and proven tips for passing first time.

Prep time: 4–6 months

Difficulty: Advanced

Exam questions: 150

Pass mark: 450/1000


On this page

  1. CISM Exam at a Glance
  2. Why Earn the CISM?
  3. Exam Domains & Weights
  4. Study Plan
  5. Exam Tips
  6. Practice Questions

CISM Exam at a Glance

Exam code: CISM

Full name: CISM

Vendor: ISACA

Duration: 240 minutes

Questions: 150 items

Passing score: 450/1000 (scaled)

Domains covered: 4 blueprint domains

Recommended experience: 5 years of IS/IT security work experience, with a minimum of 3 years in information security management, is required

Typical prep time: 4–6 months

Why Earn the CISM?

CISM is the leading credential for information security managers. It is consistently ranked among the highest-paying IT certifications and is the required or preferred credential for CISO and security management roles at mid-to-large enterprises.

Job roles this opens

CISO, Information Security Manager, Security Director, IT Risk Manager, Security Programme Manager

CISM Exam Domains

Domain percentage weights are not currently available for this exam. The checklist below is still useful for planning your study.

Information Security Program
Information Security Risk Management
Information Security Governance
Incident Management

Detailed domain breakdown with subtopics →

CISM Study Plan

Month 1

Information Security Governance: strategy, frameworks, organisational structures, metrics

Tip: CISM is a management exam, not a technical one. Every question should be answered from the perspective of a manager whose job is to align security with business objectives, not a technician who configures controls. When two answers are both technically valid, choose the one with better business alignment.

Month 2

Information Risk Management: risk assessment, risk appetite, risk treatment, third-party risk

Tip: CISM risk management questions focus on process, not tools. Know the ISO 31000 risk management framework steps: establish context → identify risks → analyse risks → evaluate risks → treat risks → monitor and review. Know the difference between risk tolerance (amount of risk an organisation will accept) and risk appetite (amount of risk it is willing to pursue for reward).

Month 3–4

Information Security Programme Development and Management (33% of exam)

Tip: The programme domain is the heaviest on CISM. Focus on security programme lifecycle: assess current state → define target state → develop roadmap → implement controls → monitor effectiveness. Know how to present a security programme to the board (business risk language, not technical language).

Month 4–6

Incident Management: IR planning, detection, response, recovery, post-incident review

Tip: CISM incident management questions focus on the manager's role: escalation decisions, communications to executives, regulatory notification obligations, and crisis communications. Know when an incident must be reported to regulators (GDPR: 72-hour breach notification) and what information must be included.

CISM Exam Tips

CISM requires 5 years of IS work experience with at least 3 in security management. Experience must be in at least 3 of the 4 CISM domains. Experience can be substituted (up to 2 years) with certain certifications or education — check the ISACA experience requirements before applying.

CISM questions often present a scenario where two answers are both correct in isolation — the distinguishing factor is usually sequence (what should you do FIRST?) or stakeholder (who should be involved in this decision?). The FIRST action is almost always an assessment or communication step, not an implementation step.

Business impact analysis (BIA) is the foundation of both the risk management and incident management domains. Know that BIA identifies critical business processes, their dependencies, and the financial and operational impact of disruption — this drives the prioritisation of recovery efforts.

Security metrics and KPIs are tested on CISM. Know the difference between KPIs (Key Performance Indicators — measure how well you are executing your security programme, e.g. % of vulnerabilities remediated within SLA) and KRIs (Key Risk Indicators — leading indicators that a risk may be increasing, e.g. increase in failed login attempts).
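To make the KPI/KRI distinction concrete, here is an added example (not part of the original guide, and not Courseiva or ISACA material) that computes both kinds of metric from constructed sample data. The KPI is the percentage of vulnerability tickets closed within their SLA window (an execution measure of the programme); the KRI is the latest day's failed-login count relative to the preceding baseline (a leading indicator that a risk may be rising). The SLA table, ticket records, log lines and the 3x breach multiplier are all assumptions chosen for illustration.

```python
from datetime import date, timedelta

# Constructed SLA table (assumption): days allowed to remediate, by severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}

# Constructed vulnerability tickets (assumption); closed=None means still open.
TICKETS = [
    {"id": "V-1", "severity": "critical", "opened": date(2026, 1, 2), "closed": date(2026, 1, 6)},
    {"id": "V-2", "severity": "critical", "opened": date(2026, 1, 3), "closed": date(2026, 1, 20)},
    {"id": "V-3", "severity": "high", "opened": date(2026, 1, 5), "closed": date(2026, 1, 25)},
    {"id": "V-4", "severity": "high", "opened": date(2026, 1, 10), "closed": None},
    {"id": "V-5", "severity": "medium", "opened": date(2025, 12, 1), "closed": date(2026, 1, 15)},
]

# Constructed auth log excerpt (assumption); documentation-range IP addresses.
AUTH_LOG = """\
2026-01-26T08:01:12Z sshd[1201]: Failed password for invalid user admin from 203.0.113.5
2026-01-26T09:14:03Z sshd[1202]: Accepted password for alice from 198.51.100.7
2026-01-27T07:55:41Z sshd[1301]: Failed password for bob from 198.51.100.9
2026-01-28T22:10:09Z sshd[1400]: Failed password for invalid user root from 203.0.113.5
2026-01-28T22:10:11Z sshd[1401]: Failed password for invalid user root from 203.0.113.5
2026-01-28T22:10:14Z sshd[1402]: Failed password for invalid user root from 203.0.113.5
2026-01-28T22:10:18Z sshd[1403]: Failed password for invalid user root from 203.0.113.5
2026-01-28T22:10:21Z sshd[1404]: Failed password for invalid user admin from 203.0.113.5
"""


def remediated_within_sla(tickets, as_of):
    """KPI: percentage of tickets closed inside their SLA window.

    Open tickets whose deadline has already passed count as missed; open tickets
    still inside their window are excluded because the outcome is not yet known.
    Returns None when no ticket has a decided outcome.
    """
    met = missed = 0
    for t in tickets:
        deadline = t["opened"] + timedelta(days=SLA_DAYS[t["severity"]])
        if t["closed"] is not None:
            if t["closed"] <= deadline:
                met += 1
            else:
                missed += 1
        elif as_of > deadline:
            missed += 1
    decided = met + missed
    return round(100 * met / decided, 1) if decided else None


def failed_logins_per_day(log_text):
    """Count 'Failed password' events per calendar day (ISO timestamp prefix)."""
    counts = {}
    for line in log_text.splitlines():
        if "Failed password" in line:
            day = line[:10]
            counts[day] = counts.get(day, 0) + 1
    return counts


def failed_login_kri(counts, multiplier=3.0):
    """KRI: latest day's failures relative to the mean of all earlier days.

    Returns (latest_day, ratio, breached). A ratio at or above `multiplier`
    (assumed threshold) flags the indicator for management attention.
    """
    days = sorted(counts)
    latest = days[-1]
    prior = [counts[d] for d in days[:-1]]
    baseline = sum(prior) / len(prior) if prior else 0
    ratio = counts[latest] / baseline if baseline else float("inf")
    return latest, round(ratio, 2), ratio >= multiplier


if __name__ == "__main__":
    print("KPI  % remediated within SLA:", remediated_within_sla(TICKETS, date(2026, 2, 1)))
    day, ratio, breached = failed_login_kri(failed_logins_per_day(AUTH_LOG))
    print(f"KRI  failed logins on {day}: {ratio}x baseline, breached={breached}")
```

The KPI looks backwards at how well the team executed against an agreed target; the KRI looks forwards and only says that something deserves investigation, which is why a breached KRI is an input to a risk assessment rather than a finding in itself.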

CISM is valid for 3 years and requires 120 CPE credits over the 3-year period (minimum 20 per year). Annual maintenance fees apply. ISACA offers CPE through conferences, webcasts, and contributions to the IS profession.


CISM concept guides

Deep-dive explanations of the key topics tested on CISM — with exam key points and common misconceptions.

CISM Security Governance

The CISM is aimed at people who manage security programs, not people who operate firewalls.

Related Study Guides

CISSP (ISC2 CISSP)
CISA (ISACA CISA)
CRISC (ISACA CRISC)