The CISM certification guide

The Certified Information Security Manager, or CISM certification, is offered by ISACA and is made for senior-level professionals in information security management. It’s ideal for high-level roles and meets ISO 17024 and DoD 8140/8570.01-M standards.

  • Master the four domains of CISM
  • Learn to oversee, design or assess information security programs
  • Gain the skills to move into strategic management titles

Key facts

Start your journey to becoming a certified CISM professional with Infosec.

CISM exam overview

The CISM exam is updated to include the latest job practice areas across four domains. The exam includes the following topics in each domain.

Domain 1: Information security governance (17%)
  • Enterprise governance
  • Information security strategy development
  • Organizational culture and structure
  • Regulatory and legal requirements
  • Governance frameworks
  • Strategic planning
Domain 2: Information security risk management (20%)
  • Risk assessment, analysis and response
  • Emerging threat landscape
  • Risk and control ownership
  • Risk monitoring and reporting
Domain 3: Information security program (33%)
  • Information security program development and management
  • Resources (people, tools and technologies)
  • External services (suppliers and third and fourth parties)
  • Awareness training
  • Policies and procedures
  • Program metrics
  • Security control design, selection, implementation and testing
  • Communications and reporting
Domain 4: Incident management (30%)
  • Readiness and operations
  • Business impact analysis (BIA)
  • Business continuity plan (BCP)
  • Disaster recovery plan (DRP)
  • Incident classification
  • Training, testing and evaluation
  • Investigative tools and techniques
  • Containment methods
  • Reporting and escalation
  • Post-incident review

Learn more about the CISM domains.

CISM exam details

The CISM exam evaluates your ability to manage and govern a company’s information security program. It covers four main domains: Information Security Governance, Information Risk Management, Information Security Program Development and Management, and Information Security Incident Management.

  • Launch date: 2002
  • Last update: June 2022
  • Number of questions: 150
  • Type of questions: Multiple-choice
  • Length of test: 4 hours
  • Passing score: 450 (out of a scaled score of 200-800)
  • Recommended experience: 5+ years of work experience in at least three domains (up to 3 years of experience waivers available)
  • Languages: English, Chinese Simplified, Japanese, Spanish
  • Validity duration: Three years
  • CPEs needed for renewal: 120 (at least 20 annually)
  • Exam cost: $575 for members, $760 for non-members

Additional CISM exam resources

Prepare for your CISM exam with books, practice exams and other resources.


CISM study guides and books

There is no shortage of books and guides to help you prepare for the CISM exam. Make sure to find ones created specifically for this topic. You can find great options at your local library, bookstore or online. Highly rated titles include:

  • CISM Certified Information Security Manager All-in-One Exam Guide by Peter H. Gregory
  • CISM Certified Information Security Manager Study Guide by Mike Chapple
  • Complete Guide to CISM Certification by Thomas R. Peltier

CISM practice questions and exams

Test your knowledge pre-exam with practice materials. These are designed to help you assess your readiness and study progress. Some solid sources include:

  • ISACA's free CISM practice quiz
  • CISM Review Questions, Answers & Explanations (QAE) Manual, 10th edition (published by ISACA and also available as a 12-month subscription to the QAE Database)
  • CISM Certified Information Security Manager Practice Exams by Peter H. Gregory (published by McGraw Hill)

CISM training courses, like the Infosec CISM Boot Camp, offer unlimited practice exam attempts and access to the ISACA Official Question, Answer & Explanation (QAE) Database.


Other free CISM training resources

There are a number of other free CISM training materials being produced and shared by the community:

  • Forums: TechExams, Reddit and similar forums include posts by people preparing for the CEH exam or who have already taken it.
  • Podcasts: Learn more about changes to CISM and more on podcasts like Cyber Work.
  • Other social media: CISM is a popular exam, and many people have created free training videos on YouTube, TikTok, Twitch and other platforms.

CISM jobs and careers

The CISM credential is ideal if you’re a senior-level professional pursuing an information security management and governance career. The ISACA CISM certification opens opportunities to some of the highest-paying jobs in the industry. CISM job titles vary from technical to managerial to executive levels.


Common CISM job titles 

  • Information security manager
  • IT governance manager
  • Risk manager or risk consultant
  • Chief information security officer (CISO)
  • Security consultant or security analyst
  • IT audit manager or IT auditor
  • Information systems security manager
  • Business continuity manager
  • Compliance officer

CISM live boot camps and self-paced training

One of the best ways to prepare and ensure exam success is through training programs designed by ISACA-accredited organizations. Whether you want to get certified quickly or need expert assistance mastering the exam domains, paid training is a prime path to certification.

CISM certification comparisons and alternatives

The best certification for you depends on your career goals, current role and experience. Each certification is designed to serve different functions, and the CISM is just one of several prestigious information security certifications. Here's a comparison between CISM and some other well-known certifications:


CISM vs. CISSP

Both CISM by ISACA and CISSP by (ISC)² are aimed at seasoned security professionals and are recognized globally. While some of their content overlaps, CISSP has a broader technical focus covering eight domains of security, whereas CISM is more managerial and revolves around information security governance and management. CISSP is ideal for those who are hands-on in security implementation and day-to-day operations, while CISM is for those managing and governing a company's information security program. Both require significant work experience in their respective fields.


CISM vs. CISA

CISM and CISA (Certified Information Systems Auditor) are both offered by ISACA and are often seen in tandem in the job market. While CISM focuses on security management and governance, CISA centers around IT auditing, control and assurance. Someone with CISA would be looking at the controls and systems in place and ensuring they're compliant, whereas a CISM professional would be overseeing and establishing the company's information security posture.


CISM vs. CRISC

Both certifications are under ISACA's umbrella. CISM is centered around information security management, while CRISC (Certified in Risk and Information Systems Control) zeroes in on IT risk management and its business implications. If you're a professional whose main task is to identify and manage risks, then CRISC might be the better fit. On the other hand, if you're into the broader spectrum of information security management and governance, then CISM would be more appropriate.

CISM vs. CompTIA Security+

While CISM is an advanced certification focusing on governance and management, Security+ by CompTIA is more foundational. Security+ is often an entry point for many into the cybersecurity field, covering a broad range of introductory topics. With its managerial slant and prerequisites, CISM is typically pursued by those who have been in the field for some time and are looking at higher-tier managerial roles in information security.

Explore Infosec certifications to find the best fit for your career goals.