CISM certification cost and requirements (2024): Your complete preparation guide

September 16, 2024 by Jeff Peters

The Certified Information Security Manager (CISM) is one of the most popular management-level cybersecurity certifications. It validates the skills and experience of information security managers and offers a slew of potential benefits, including higher pay, on-the-job improvements and promotions or career advancement. 

The CISM is not an entry-level certification, and costs can range from under $600 to several thousand dollars, depending on your membership level within ISACA and any CISM training materials or support.  

We explore the CISM costs and requirements in more detail below. 

$150,040 average salary

ISACA CISM is one of the industry's highest-paying cybersecurity certifications. Take your information security management career to new heights and enroll now to claim your Exam Pass Guarantee!

Understanding CISM certification 

The CISM certification is an advanced exam that evaluates your ability to assess risks, implement governance policies and respond to incidents and threats. Recent updates to the CISM also cover security considerations around artificial intelligence and blockchain. Continuous updates to the CISM exam from ISACA keep it modern and relevant even as cybersecurity incidents and attacks grow more sophisticated.

The CISM covers four domains: security governance, risk management, information security program development and management, and incident management.


Infosec instructor Leighton Johnson explains the most recent update to the CISM certification exam. 

The CISM was created by ISACA, an independent non-profit association for IT professionals that develops and administers globally recognized certification programs. This well-known organization provides critical knowledge, training and exams to validate real-world experience and other forms of education. According to ISACA, 90% of certification holders renew, and it has awarded 300,000 certifications to date.

For an overview of other popular management and ISACA certifications, download our free ebook, Cybersecurity certifications and skills: A roadmap for mid-career professionals.

Prerequisites for CISM certification 

The CISM is an advanced certification for IT security professionals with several years of experience. However, even if you don’t meet the experience requirements, you can still take the exam without obtaining the official certification. You have five years to gain this experience and apply for the official certification. 

The CISM requires at least five years of professional work experience within the distinct CISM job practice areas, gained within the 10 years preceding your application date for certification. Also, three of those years must be management experience. Candidates can substitute other non-cybersecurity professional knowledge or some post-graduate degrees for part of this experience. However, double-check this before you sign up for the exam!

While there are several CISM certification requirements, meeting these prerequisites improves the likelihood that you’ll pass the CISM exam on the first try, and it properly sets you up for future job promotions and career development. The CISM is valuable foundational knowledge, especially if you want to specialize in a specific vendor like Amazon Web Services or a specific cybersecurity role like an application security engineer or a cyber insider threat analyst. 

Breakdown of CISM certification costs 

The CISM certification costs include: 

  • An application fee of $50 (for both members and non-members) 
  • An exam fee of $575 (for members) or $760 (for non-members) 
  • An annual maintenance fee of $45 (for members) or $85 (for non-members) 
  • Optional chapter dues (~$145 but varies based on location) 

In addition, you might want to purchase on-demand or live training boot camps, study guides, practice exams and more to help you prepare for the exam. Infosec is an ISACA Accredited Elite+ Training Partner and works closely with them to provide up-to-date and approved CISM training courses throughout the year. 

Maintaining your CISM certification 

CISM certification holders need to maintain their official certification status. This includes going through the formal CISM renewal process every three years and paying the renewal fee. 

You also must attain and report a minimum of 120 Continuing Professional Education (CPE) hours within the three-year reporting period.

Preparing for the CISM exam 

Proper preparation for the CISM is critical to passing. Depending on your learning style, you may utilize a combination of self-study materials, ISACA partner training boot camps, exam prep guides, question banks and more. 

Your CISM certification is a significant investment of time and resources, so it’s good to plan how you will prepare for and pass the exam. 

Value of CISM certification 

According to ISACA, 70% of certified security managers experienced on-the-job improvements, and 42% received a pay boost. When analyzing the data of Infosec students, CISM certification holders were much more likely to receive a promotion than holders of other certifications.  

The average CISM salary was also among the highest of those we analyzed, coming in at $156,420 (get our free Cybersecurity salary guide for more details). However, salary figures vary quite a bit based on location, industry and experience. CISM remains one of the most in-demand certifications, and that demand has continued to grow over the past few years.

The CISM is a critical pillar of professional development and can help lead to the highest levels of leadership, such as Chief Information Security Officer (CISO) or Chief Information Officer (CIO).

Comparing CISM with other cybersecurity certifications 

In the cybersecurity world, there are dozens of certification exams, from broad knowledge assessments to specialized, vendor-specific training. As you advance in your career, here is how a few certifications stack up against the CISM.

CISM vs. CISSP 

The Certified Information Systems Security Professional (CISSP) is another advanced-level certification often considered an alternative, or a complement, to the CISM. The CISSP assesses more day-to-day security operations, while the CISM is better suited to leadership positions and IT governance. In terms of pay impact, the average CISSP salary came in at $151,860.

CISM vs. CEH 

The Certified Ethical Hacker (CEH) assesses more practical skills around penetration testing, security consulting and hacking versus management. Plus, the CEH exam prerequisites are much simpler, only requiring two years of work experience in information security or completing an EC-Council-approved training course, like the Infosec Ethical Hacking Boot Camp. This can lead to a job as a penetration tester, with an average salary of $134,217, according to our analysis. 

CISM vs. CompTIA Security+ 

The CompTIA Security+ is the most popular entry-level cybersecurity certification available. It covers broader topics like identity management, cryptography and threat management. It also requires significantly fewer prerequisites and work experience than the CISM, so it is excellent for job titles like network administrator or security specialist. The most common job role for a Security+ holder is a security administrator, with an average salary of $99,446. 

CISM vs. CRISC 

The Certified in Risk and Information Systems Control (CRISC) is more specialized than the CISM, homing in on everything related to risk management. It dives deep into risk assessment, response and monitoring and is ideal for job titles like risk control manager or security risk manager. The CRISC is associated with some of the highest-paying roles and has an average salary of $160,083.

CISM certification guide 

The CISM certification demonstrates a high level of expertise and real-world practical experience with information security. Ideal for those focusing on career development and promotion, the CISM is an excellent secondary certification for senior-level professionals. 

Not only is it one of the highest-paying IT certifications, but demand for CISM-certified professionals is high and will only keep growing with the changing security landscape. The CISM certification process is a time and money commitment, so ensure you have adequate time to prepare and study. Check out the CISM certification hub for more details on the exam, domains, prerequisites, changes, study materials and more.

FAQs 

Look at a few frequently asked questions about the CISM exam below. 

What are the ongoing maintenance requirements and costs for keeping the CISM certification active? 

The CISM certification cost includes your initial application, exam and annual maintenance fee ($45 or $85, depending on membership status). Maintenance requirements include 120 continuing professional education hours and a formal recertification process every three years. The annual fee is reduced for those holding multiple ISACA certifications.

How does CISM certification compare to other cybersecurity certifications in terms of ROI? 

In terms of return on your investment, the CISM is one of the most globally recognized and valuable cybersecurity certifications. It even offers one of the top-paying average salaries of $156,420 annually. In most cases, the ROI is well worth the training investment. 

Can work experience in non-cybersecurity roles count towards the CISM prerequisites? 

Non-cybersecurity roles can count towards the CISM prerequisites, but they must reside in one of the four job practice domain areas, like risk management. Other security certifications, like the Certified Information Systems Auditor (CISA) or a post-graduate degree in information security, can also count towards the prerequisites. 

Jeff Peters

Jeff Peters is a communications professional with more than a decade of experience creating cybersecurity-related content. As the Director of Content and Brand Marketing at Infosec, he oversees the Infosec Resources website, the Cyber Work Podcast and Cyber Work Hacks series, and a variety of other content aimed at answering security awareness and technical cybersecurity training questions. His focus is on developing materials to help cybersecurity practitioners and leaders improve their skills, level up their careers and build stronger teams.