ISACA CISM

CISM frequently asked questions (FAQ)

April 29, 2025 by Jennifer Jeffers

Preparing for your CISM certification? This comprehensive CISM certification FAQ addresses the most common questions about this prestigious information security credential. From registration details to exam preparation, find answers to your CISM common questions below.

$150,040 average salary

ISACA CISM is one of the industry's highest-paying cybersecurity certifications. Take your information security management career to new heights and enroll now to claim your Exam Pass Guarantee!

1. When does registration begin for the 2025 exams?

If you are ready to register for the CISM exam, you're in luck. Exam registration for CISM is continuous, allowing candidates to register at any time without restrictions. All you need to do is create a login for an ISACA account and set up a membership and profile. Once this step is complete, you can complete the simple online registration process.

2. How much does it cost to take the CISM exam?

The CISM exam cost is $575 for ISACA members and $760 for non-members. Many professionals find that the ISACA membership provides additional benefits beyond just the exam discount, including networking events, free CPE opportunities and discounts on study materials.

3. Where can I find the locations for the 2025 exams?

All CISM exams are administered at authorized PSI testing centers or as remotely proctored exams. Find your nearest testing location through ISACA's PSI page or view the ISACA exam scheduling guide. This flexibility in testing options helps accommodate different preferences and situations for certification candidates.

4. How is the exam scored?

Similar to the SAT and GRE exams, the CISM test does not rely on percentages but rather uses a 200 to 800 scaled scoring method, allowing for performance comparison among candidates. A score of 450 or higher is required to pass. This passing threshold represents the minimum knowledge standard established by ISACA's certification working groups, while 800 indicates a perfect score, and 200 represents the lowest possible score with few correct answers.

Your results include a domain breakdown to highlight your strengths and areas needing development. The percentage shown for each domain only indicates the relative number of test questions in that area and isn't used for scoring purposes. Domain weightings don't factor into your overall score calculation, as total scores are based solely on the number of correctly answered questions across all domains.

5. When will I receive my exam results?

Once you finish the exam, you will receive a preliminary pass/fail score at the testing center. You will then receive official documentation of your results within 10 business days of your exam date via the email address you provided. Alternatively, you can check your results online at www.isaca.org/myisaca by logging into your account.

Due to confidentiality issues, your results cannot be issued over the telephone or by fax. To keep email notifications out of the spam folder, you are encouraged to add exam@isaca.org to your address book or sender list. If your ISACA profile changes during the time you are waiting for your results, you should notify ISACA immediately with your new information. This will ensure you receive your final score without delay or interruption.


6. How do I provide comments on testing conditions?

If you have any comments or concerns regarding how the exam was administered, including site conditions or certification content, you should contact ISACA international headquarters at https://support.isaca.org/ within 48 hours of your test date. Although no scores will be reissued based on these queries, all comments are considered for future exams.

ISACA will, however, review comments about exam day issues and site concerns before releasing the official score report. Make sure to include your exam ID number, testing site location, date of exam, and other pertinent information. The exam taker or applicant must assume any cost incurred due to an appeal.

7. Can I take the CISA, CISM, CGEIT and CRISC exams in the same exam window?

Yes, you can take each of these exams within the same 12-month window. Candidates can take any of these exams four times in a rolling year; however, they must wait 30 days after the first attempt and 90 days after both the second and third attempts.

Considering which exam is right for your career goals? Understanding the CISM vs. CISA differences can help you determine which certification path best suits your career goals or whether pursuing multiple certifications simultaneously aligns with your professional development strategy.

8. Why should I take the CISM certification?

Earning your CISM certification establishes you among distinguished information security professionals respected by government agencies and corporations worldwide. This credential validates your expertise in security governance while bringing immediate credibility to your organization.

CISM demonstrates your ability to align security programs with business objectives — a skill increasingly valued by multinational organizations. The professional recognition and career advancement opportunities make CISM a worthwhile investment for information security leaders.

The average CISM salary reflects the high value organizations place on professionals who have mastered this security management certification, making it an excellent investment for your career trajectory.

9. What is covered under each of the four domains on the CISM exam?

The CISM exam domains cover four different information security management areas. While the domain headings typically remain consistent, their weightings within the test may shift periodically. These CISM domain explanations can help with your exam preparation:

Domain I: Information Security Governance (17%)

  • Domain 1 focuses on aligning information security strategy with organizational goals and establishing effective governance frameworks. Professionals must understand legal requirements, develop business cases for security investments and integrate security governance into corporate governance structures. The domain tests the ability to analyze and implement security strategies while navigating regulatory requirements and frameworks like NIST and ISO 27001.

Domain II: Information Security Risk Management (20%)

  • Domain 2 covers identifying security threats and vulnerabilities. Professionals must develop appropriate risk responses, define risk ownership, and implement continuous monitoring processes. The domain emphasizes periodic risk evaluations to address emerging threats from changing business environments and technology landscapes.

Domain III: Information Security Program (33%)

  • Domain 3 addresses the resources, asset classifications, and frameworks needed to manage comprehensive security programs, including controls, testing and implementation. Professionals must demonstrate the ability to design and maintain security programs with appropriate policies and procedures that support business objectives while protecting information assets.

Domain IV: Incident Management (30%)

  • Domain 4 covers establishing effective incident response plans and management processes. Professionals must outline incident categorization methodologies and testing approaches while understanding connections between incident response and business continuity. The focus includes identifying, containing, and addressing root causes of security incidents, and incorporating lessons learned into future response capabilities.

Understanding these domains thoroughly is essential for addressing the CISM exam questions you'll encounter during the test. A comprehensive CISM certification overview can provide further guidance on preparing for each domain.

Earn a $150,040 Salary with an ISACA CISM

The employment of information systems managers is projected to grow 16% by 2031. Get your ISACA CISM to launch into the field — backed with an Exam Pass Guarantee.

10. What are the continuing requirements for the CISM exam?

Once you pass the CISM exam, you must adhere to the ISACA code of professional ethics, which includes personal and professional behavioral expectations. Some requirements include maintaining information confidentiality, objectively performing duties in accordance with professional standards and displaying competency. Failure to honor this code can result in investigation and even revocation of a member's certification.

Certification holders must also pay the continuing education maintenance fee, provide evidence of at least five years of experience in the infosec field, and complete a minimum of 120 CPE hours earned within the fixed three-year certification cycle.

Understanding the CISM certification requirements and maintaining your credential through CISM CPE credits ensures your certification remains valid and continues to benefit your career progression.

CISM certification help resources

For additional certification process clarification or CISM application questions, ISACA provides comprehensive resources through its website. Infosec also offers training programs designed to help candidates navigate the information security credential questions and prepare effectively for the exam.

For more information on the CISM exam, visit our ISACA CISM hub.

Jennifer Jeffers

Jen Jeffers is a freelance writer who creates educational and historical content for the internet as well as InfoSec narratives for the deep web. Her work blends the creative with the factual to offer readers articles that are both entertaining and edifying. Although she has a strong aversion to mathematics, she is willing to research and learn about almost anything in the name of continuing education. Follow her blog The Raven Report, a history collection for the dark romantic at https://theravenreport.com/