CISM frequently asked questions (FAQ)

Jennifer Jeffers
July 6, 2019 by
Jennifer Jeffers

Given the importance of your CISM exam results, it’s no wonder you have concerns. If you are planning to take CISM certification test in the future, here are some things you may want to know.

$150,040 average salary

$150,040 average salary

ISACA CISM is one of the industry's highest-paying cybersecurity certifications for 2023. Take your information security management career to new heights and enroll now to claim your Exam Pass Guarantee!

1. When does registration begin for the 2018 exams?

 If you are ready to register for the 2018 CISM exam, you’re in luck. The next key exam registration dates are February 1st through May 24th of this year. All you need to do is create a login for an ISACA account at and set up a membership and profile. Once this step is complete, you can complete the simple online registration process.

2. How much does it cost to take the CISM exam?

 If you register early for the CISM exam, the cost is $525 for members and $710 for non-members. Final registration is $575 for members and $760 for non-members.

3. Where can I find the locations for the 2018 exams?

 All CISM exams are administered at PSI testing locations and kiosks. For a listing of current testing sites, visit but remember the list is constantly being expanded to include more locations for candidates. These changes will be reflected on the site throughout the year. Those planning to take the exam are encouraged to watch a brief video about the different locations and what to expect on the big day.

PSI Test Center:

PSI Kiosks:

4. How is the exam scored?

Similar to the SAT and GRE exams, the CISM test does not rely on percentages but rather, uses a 200-800 scaled scoring method allowing for performance comparison among candidates. The passing score of 450 is determined by the Certification Working Group through a process known as “cut score.” Using the review and input of global professionals, a passing point for the exam is established through exercises and simulations. They then establish a passing score as the minimum number of questions answered correctly while demonstrating both knowledge and skills. If this minimum number of correct answers were 140 out of 20 total questions, the raw score of 140 would then equate the passing score of 450.

A score of 450 represents a minimum consistent standard of knowledge as established by the respective ISACA Certification Committee. Although the scoring scale can change slightly, the raw score always has the same result and ultimately dictates whether the candidate has passed. Because there are four domains on the CISM exam—all with different applied weights—your score will also be broken down to reflect performance in each area.

A candidate who who receives a score of less than 450 has not passed the exam and can schedule a retake in the next testing window by registering again and paying through the automated system. In an effort to improve future scores, ISACA will provide a results letter analyzing the overall score and areas of particular weakness.

5. When will I receive my exam results?

Once you finish the exam, you will receive a preliminary pass/fail score at the testing center. You will then receive an official documentations of your results within 10 days of your exam date via the email address you provided. Due to confidentiality issues, your results cannot be issued over telephone or fax. To keep email notifications out of the spam folder, you are encouraged to add to your address book or sender list. If your ISACA profile changes during the time you are waiting for your results, you should notify ISACA immediate with your new information. This will ensure you receive your final score without delay or interruption.

6. How do I provide comments on testing conditions?

 If you have any comments or concerns regarding how the exam was administered, including site conditions or certification content, you should contact ISACA international headquarters at with 48 hours of your test date. Although no scores will be reissued based on these queries, all comments are taken into consideration for future exams. ISACA will, however, review comments about exam day issues and site concerns before releasing the official score report. Make sure to include your exam ID number, testing site location, date of exam, and other other pertinent information. Any cost incurred as a result of an appeal must be assumed by the exam taker or applicant. 

7. Can I take the CISA, CISM, CGEIT, and CRISC exams in the same exam window?

Yes, you can take each of these exams within the same window; however, you will not be allowed to retake the same exam more than once within that time. For example, the CISM test can only be taken once during each administration window.

8. Why should I take the CISM certification?

 Once you have completed the CISM certification process, you enter an elite group of professionals recognized by governmental agencies and businesses alike. Through your expertise, you bring credibility to the workplace by demonstrating your extensive knowledge of information systems and security. Your credential will be well-respected by multinational clients and enterprises, which can have a profound effect on your future success as an infosec professional. Not only does completion validate your skills, but it gives you a clear advantage when looking for work in the field. Along with accelerating your career, the CISM certificate enhances your value as an employee and sets you on a path of continued education and success. As the infosec field continues to grow, anyone who understands the inner-workings of the industry stands to benefit as a result. Although the exam itself is not easy, taking the CISM exam will is well worth all the hours spent studying and preparing for the challenge.

 9. What is covered under each of the four domains on the CISM exam?

 The CISM exam cover four different infosec management areas. While each of these area headings typically remain the same, how they are weighted within the test does shift periodically.

Domain I: Information Security Governance / Weighted 24 %

  • This section focuses on supporting the alignment between the infosec strategy and certain organizational goals and objectives. As a system, it directs and controls IT security by determining who is authorized to make certain decisions. Governance species the accountability framework and proves oversight to ensure risks are successfully mitigated. This includes making sure an IT governance framework adheres to business objectives as well as all applicable laws and regulations.

Domain II: Information Risk Management / Weighted 30 %

  • This section is based on the amount of accepted risk an organization is willing to take in order to meet their goals and objectives. Questions focus on the policies, procedures, and technology one must know in order to reduce threats around unprotected data and increase security. The ability to understand and evaluate the risk equation of threat, vulnerability, and consequence, of the workplace is emphasized in this domain.

Domain III: Information Security Program Development and Management / Weighted 27 %

  • This section focuses on the development and maintenance of an infosec program which can identify, manage, and protect an organization’s assets while supporting effective security. In many ways, this is the foundation of a security manager’s daily work and outlines the fundamentals of all related objectives, concepts, and tasks. Understanding of areas like chain of command, corporate culture, existing functions, current state of security, and industry standards for infosec are all explored in this domain.

Domain IV: Information Security Incident Management / Weight 19 %

Earn a $150,040 Salary with an ISACA CISM

Earn a $150,040 Salary with an ISACA CISM

The employment of information systems managers is projected to grow 16% by 2031. Get your ISACA CISM to launch into the field — backed with an Exam Pass Guarantee.

  • This section tests your knowledge around how to detect, investigate, respond to, and recover from infosec incidents and security breaches. In an effort to minimize impact, a CISM must be able to address and eradicate various threats like malware, fail in service, and authentication issues. Given that infosec incidents are bound to happen, the ability to manage these situations in a confident and capable way is mandatory. This may include detecting and correcting problem areas, gathering forensic evidence, or improving the overall strength of risk treatments. Key areas addressed are how a security manager prepares, identifies, assesses, responds to, and learns from work-related incidents and situations.

10. What are the continuing requirements for the CISM exam?

 Once you pass the CISM exam, you will need to adhere to the ISACA code of professional ethics, which includes both personal and professional behavioral expectations. Failure to honor this code can result in investigation and even revocation of a member’s certification. Newly minted CISMs are expected to uphold all infosec compliance, perform duties objectively, serve stakeholders with integrity, maintain information confidentiality, display competency, model transparency, and support any educational efforts. Certification holders must also pay the continuing education maintenance fee; provide evidence of at least five years experience in the infosec field; and complete a minimum of 120 CPE hours earned within the fixed three-year certification cycle.

Jennifer Jeffers
Jennifer Jeffers

Jen Jeffers is a freelance writer who creates educational and historical content for the internet as well as InfoSec narratives for the deep web. Her work blends the creative with the factual to offer readers articles that are both entertaining and edifying. Although she has a strong aversion to mathematics, she is willing to research and learn about almost anything in the name of continuing education. Follow her blog The Raven Report, a history collection for the dark romantic at