
Certified Information Security Manager

Updated May 1, 2026 · 12 min read · Written by Certsqill experts

Quick facts — CISM
  • Exam cost: $575 USD (ISACA members $415)
  • Questions: 150 items
  • Time limit: 4 hours
  • Passing score: 450/800
  • Valid for: 3 years
  • Testing: PSI

Who this exam is for

The Certified Information Security Manager certification is designed for professionals who work with or want to work with ISACA technologies in a professional capacity. It is taken by cloud engineers, DevOps practitioners, IT administrators, and technical professionals looking to validate their expertise.

You do not need extensive prior experience to attempt it, but you will benefit from hands-on familiarity with the subject matter. The exam tests applied knowledge and architectural judgment, not just memorization. If you can reason about trade-offs and real-world scenarios, structured practice will handle the rest.

Domain breakdown

The CISM exam is built around official domains, each with a fixed percentage of the question pool. This distribution should directly inform how you allocate your study time.

Domain (weight): focus areas
  • Information Security Governance (17%): establishing and maintaining an information security governance framework aligned with organizational goals, security strategy, and senior management responsibilities.
  • Information Security Risk Management (20%): identifying and managing information security risks to achieve business objectives, including risk assessment methodologies, risk response options, and risk monitoring.
  • Information Security Program Development & Management (33%): developing and managing an information security program that supports the security strategy and aligns with business goals, standards, and architectures.
  • Incident Management (30%): planning, establishing, and managing the capability to detect, investigate, respond to, and recover from information security incidents to minimize business impact.

Note the domain with the highest weight — many candidates under-invest here because it feels conceptual. In practice, this is where the exam is most precise, with scenario-based questions that test specifics.

What the exam actually tests

This is not a memorization exam. Questions require applied judgment under constraints. Almost every question includes a scenario with explicit requirements and asks you to select the most appropriate solution.

Here are examples of the question types you will encounter:

Security Manager Judgment
A recently hired security analyst reports that a critical system has a high-severity vulnerability. The system owner refuses to patch it. What should the security manager do FIRST?
CISM tests whether you escalate through governance channels, not whether you fix it yourself. Correct answer: escalate to risk management process or senior management — not patch the system.
Risk Response Selection
A risk assessment identifies a low-likelihood, high-impact risk. The cost to mitigate exceeds the estimated annual loss expectancy. Which risk response is MOST appropriate?
Know the four risk responses: accept, avoid, transfer, mitigate. When the cost of mitigation exceeds the ALE, risk acceptance or transfer (insurance) is usually the correct CISM answer.
Incident Response Lifecycle
During a security incident, the team has contained the malware spread. What is the NEXT step in the incident response process?
CISM tests the NIST incident response lifecycle: Preparation → Detection & Analysis → Containment → Eradication → Recovery → Post-Incident Activity. Know the purpose of each phase.
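As an added worked example (not from the original guide), here is the quantitative cost-benefit arithmetic behind the Risk Response Selection question above: ALE = SLE × ARO, and a control is worth buying only if the ALE it removes exceeds its annual cost. All dollar figures and rates are constructed sample values.

```python
"""Quantitative risk treatment decision (ALE cost-benefit), added example."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float  # single loss expectancy: impact in USD per event
    aro: float  # annualised rate of occurrence: expected events per year

    @property
    def ale(self) -> float:
        """Annual loss expectancy = SLE x ARO (expected loss per year)."""
        return self.sle * self.aro


def control_value(risk: Risk, residual_aro: float, annual_cost: float) -> float:
    """Net annual value of a control = ALE before - ALE after - control cost.

    Positive means the control pays for itself; negative means mitigation
    costs more than the loss it prevents (the situation in the question).
    """
    ale_after = risk.sle * residual_aro
    return risk.ale - ale_after - annual_cost


def recommend(risk: Risk, residual_aro: float, annual_cost: float,
              transfer_premium: Optional[float] = None) -> str:
    """Pick the risk response a cost-benefit analysis points to.

    'mitigate' if the control has positive net value; otherwise 'transfer'
    when an insurance premium is quoted and is cheaper than carrying the ALE;
    otherwise 'accept'. 'avoid' (stop the activity) is a business decision,
    so it is deliberately not chosen by arithmetic alone.
    """
    if control_value(risk, residual_aro, annual_cost) > 0:
        return "mitigate"
    if transfer_premium is not None and transfer_premium < risk.ale:
        return "transfer"
    return "accept"


# Constructed scenarios (hypothetical figures, not from any real assessment):
# low-likelihood, high-impact risk as in the question: ALE = 2,000,000 x 0.02
DATACENTER_FLOOD = Risk("data centre flood", sle=2_000_000, aro=0.02)
# frequent, moderate-impact risk where a control clearly pays for itself
PHISHING = Risk("credential phishing", sle=50_000, aro=4.0)

if __name__ == "__main__":
    print(recommend(DATACENTER_FLOOD, residual_aro=0.002, annual_cost=60_000, transfer_premium=15_000))
```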

How to prepare — 4-week study plan

This plan assumes one hour per weekday and roughly 30 minutes of lighter review on weekends. It is calibrated for someone with some relevant experience. If you are starting from zero, add an extra week before Week 1 to familiarise yourself with the basics.

Week 1: Security Governance & Strategy
  • Study Domain 1: information security governance frameworks, security strategy alignment with business objectives
  • Understand the role of the security manager vs. CISO vs. board responsibilities in governance
  • Review key governance concepts: policies, standards, procedures, guidelines hierarchy
  • Complete 100 practice questions focused on governance scenarios and security strategy decisions
Week 2: Risk Management
  • Master Domain 2: risk assessment methodologies (qualitative vs quantitative), risk register management
  • Study risk terminology: inherent risk, residual risk, risk appetite, risk tolerance, risk capacity
  • Learn risk response options and when each is appropriate based on cost-benefit analysis
  • Practice 120 questions on risk identification, assessment, and treatment scenarios
Week 3: Security Program & Incident Management
  • Study Domain 3: building a security program, security roadmaps, metrics and KPIs for security
  • Cover Domain 4 thoroughly: incident detection, containment, eradication, recovery, and post-incident review
  • Map incident response phases to both NIST SP 800-61 and ISACA definitions — small differences matter
  • Practice 150 questions combining program management and incident management scenarios
Week 4: Mock Exams & Final Review
  • Complete 2 full 150-question mock exams under 4-hour timed conditions
  • Review all incorrect answers with focus on why the managerial answer beats the technical answer
  • Study ISACA CISM Review Manual terminology — exam questions use very specific ISACA language
  • Focus on business continuity vs disaster recovery distinctions and their relationship to incident management

Common mistakes candidates make

These patterns appear repeatedly among candidates who resit this exam. Knowing them in advance is worth several percentage points.

Answering as a technical implementer
CISM candidates who come from technical backgrounds frequently choose answers that involve implementing a technical control. CISM tests what a security manager does: assess, govern, communicate, and manage — not technically fix.
Weak on incident response lifecycle sequencing
A common trap is picking the wrong next step in incident response. Containment always comes before eradication. Eradication before recovery. Recovery before post-incident review. Know the NIST lifecycle cold.
Confusing risk appetite with risk tolerance
Risk appetite is the amount of risk an organization is willing to accept to achieve objectives. Risk tolerance is the acceptable variation around that appetite. ISACA exams test this distinction explicitly.
Using CISSP study material as a CISM substitute
While topics overlap, CISSP is security professional judgment and CISM is security manager/governance judgment. CISM questions are more governance-heavy. Use ISACA official materials — the terminology is distinct.

Is Certsqill right for you?

Honestly: Certsqill is built for candidates who have already done some studying and want to convert knowledge into exam performance. If you have never touched the subject, start with a foundational course first — then come to Certsqill when you are ready to practice.

Where Certsqill is strong: question depth, AI-powered explanations, and domain analytics. Every question is mapped to the exam blueprint. When you get something wrong, the AI tutor explains why the right answer is right and why each wrong answer fails under the specific constraints in the question.

Where Certsqill is not a replacement: video courses and hands-on labs. Use Certsqill to test and sharpen — not as your first exposure to a topic you have never encountered.
