The ISACA Certified Information Security Manager (CISM) exam contains 150 multiple-choice questions with a 240-minute (4-hour) time limit and a passing score of 450 on ISACA's 200-800 scale. CISM is specifically designed for professionals who manage, design, and oversee enterprise information security programs — distinguishing it from purely technical or hands-on certifications.
CISM is consistently ranked among the top 3 highest-paying certifications in cybersecurity, with holders earning an average of $148,000-$162,000 annually. The certification's tremendous value comes from its exclusive focus on security management, governance, risk management, and strategic alignment — skills essential for CISO, VP of Security, and Director of Information Security roles. Unlike technical tests, the CISM exam challenges you to think like an executive.
Unlike the CISSP which covers 8 broad domains, CISM focuses deeply on just four areas of security management:
| Domain | % of Exam | ~Questions | Key Topics |
|---|---|---|---|
| 1. Information Security Governance | 17% | ~26 | Security strategy alignment with business goals, steering committees, metrics, board reporting |
| 2. Information Security Risk Management | 20% | ~30 | Risk identification, qualitative/quantitative assessment, risk response, continuous monitoring |
| 3. Information Security Program | 33% | ~50 | Program development, budgeting, resource management, security awareness, vendor risk |
| 4. Incident Management | 30% | ~45 | Incident response planning, detection, BCP/DR integration, post-incident review, forensic prep |
The single most important concept to grasp before taking the CISM is thinking like a security manager, not a security engineer. Technical answers are almost always incorrect on the CISM exam.
| Scenario | Technical Answer (Usually Wrong) | Management Answer (Correct) |
|---|---|---|
| New critical vulnerability discovered | Immediately patch all systems to stop exploit | Assess business risk, prioritize by impact, follow change management |
| Requesting a new security budget | List all technical tools and firewalls needed | Align investment request with business objectives and risk appetite |
| Data breach detected on a server | Isolate the affected system from the network immediately | Activate incident response plan, notify stakeholders per policy |
| Vendor security concern identified | Run a vulnerability scan on the vendor's network | Review vendor risk assessment, check SLA compliance, enforce contract |
ISACA exams are notorious for their tricky wording. Pay close attention to these modifiers:
With 240 minutes for 150 questions, you have 1 minute and 36 seconds per question. This is extremely generous, and most candidates finish with plenty of time remaining.
Professionals often debate which senior certification to pursue. Here is how they compare:
| Factor | CISM (ISACA) | CISSP (ISC)² | CISA (ISACA) |
|---|---|---|---|
| Focus | Security management & strategy | Security engineering + management | IS auditing & control evaluation |
| Domains | 4 | 8 | 5 |
| Questions | 150 | 125-175 (Adaptive) | 150 |
| Experience | 5 yrs (3 in management) | 5 yrs (2+ domains) | 5 yrs (IS audit) |
| Avg Salary | $148K-$162K | $131K-$152K | $134K-$149K |
| Best For | CISO/VP track | Security architect/consultant | IT auditor/compliance |
Career advice: If you want to manage teams and budgets, pursue CISM. If you want broad, highly respected security knowledge, pursue CISSP. If you audit systems, pursue CISA. CISM + CISSP is considered the most powerful combination for reaching the CISO level.
Most candidates need 8-12 weeks studying 2-3 hours daily. Preparation requires a shift in mindset as much as learning new material.
150 multiple-choice questions in 240 minutes (4 hours), testing information security management decisions.
450 on ISACA's 200-800 scaled score. It is not a straight percentage; harder questions are weighted differently.
Most candidates find CISSP harder because it covers 8 broad domains including deep technical concepts. CISM is narrower (4 domains) but requires a strict management mindset.
5 years of information security work experience, with at least 3 years in management roles. Substitutions (up to 2 years) are available for certain degrees or certifications like CISSP or CISA.
CISM is for security managers who build programs; CISA is for auditors who evaluate them. CISM asks how to manage security; CISA asks how to audit it.
No. The exam is entirely multiple-choice with scenario-based management judgment questions. There are no simulations.
Yes. You must earn 20 CPE (Continuing Professional Education) hours annually, and 120 hours over a 3-year cycle, plus pay an annual maintenance fee.
Develop your security management thinking with adaptive practice questions covering all four CISM domains.
Start Free Practice Test →