How Many Questions Are on the CISM Exam? A Complete 2026 Guide

The ISACA Certified Information Security Manager (CISM) exam contains 150 multiple-choice questions with a 240-minute (4-hour) time limit and a passing score of 450 on ISACA's 200-800 scale. CISM is specifically designed for professionals who manage, design, and oversee enterprise information security programs — distinguishing it from purely technical or hands-on certifications.

CISM is consistently ranked among the top 3 highest-paying certifications in cybersecurity, with holders earning an average of $148,000-$162,000 annually. The certification's tremendous value comes from its exclusive focus on security management, governance, risk management, and strategic alignment — skills essential for CISO, VP of Security, and Director of Information Security roles. Unlike technical tests, the CISM exam challenges you to think like an executive.

150
Questions
240 min
Time Limit
450/800
Passing Score
$148K+
Avg Salary

CISM Domain Breakdown (4 Domains)

Unlike the CISSP which covers 8 broad domains, CISM focuses deeply on just four areas of security management:

Domain% of Exam~QuestionsKey Topics
1. Information Security Governance17%~26Security strategy alignment with business goals, steering committees, metrics, board reporting
2. Information Security Risk Management20%~30Risk identification, qualitative/quantitative assessment, risk response, continuous monitoring
3. Information Security Program33%~50Program development, budgeting, resource management, security awareness, vendor risk
4. Incident Management30%~45Incident response planning, detection, BCP/DR integration, post-incident review, forensic prep
Critical Insight: Domain 3 (33%) and Domain 4 (30%) together represent 63% of the exam (approx 95 questions). Mastering security program development and incident response planning covers nearly two-thirds of the test. Ensure you heavily prioritize these areas during study.

The Management Perspective: Key to Passing

The single most important concept to grasp before taking the CISM is thinking like a security manager, not a security engineer. Technical answers are almost always incorrect on the CISM exam.

ScenarioTechnical Answer (Usually Wrong)Management Answer (Correct)
New critical vulnerability discoveredImmediately patch all systems to stop exploitAssess business risk, prioritize by impact, follow change management
Requesting a new security budgetList all technical tools and firewalls neededAlign investment request with business objectives and risk appetite
Data breach detected on a serverIsolate the affected system from the network immediatelyActivate incident response plan, notify stakeholders per policy
Vendor security concern identifiedRun a vulnerability scan on the vendor's networkReview vendor risk assessment, check SLA compliance, enforce contract

ISACA's Question Style

ISACA exams are notorious for their tricky wording. Pay close attention to these modifiers:

Time Management Strategy

With 240 minutes for 150 questions, you have 1 minute and 36 seconds per question. This is extremely generous, and most candidates finish with plenty of time remaining.

  1. First pass (150 min): Go through all 150 questions at a comfortable pace. Flag complex scenarios or questions where you are torn between two options.
  2. Break (10-15 min): Take a mental reset. Reading 150 scenario-based questions causes decision fatigue.
  3. Second pass (60 min): Review your flagged questions with a fresh perspective. Often, reading it a second time reveals a keyword you missed.
  4. Final review (15-30 min): Verify all questions are answered (no penalty for guessing).

CISM vs. CISSP vs. CISA

Professionals often debate which senior certification to pursue. Here is how they compare:

FactorCISM (ISACA)CISSP (ISC)²CISA (ISACA)
FocusSecurity management & strategySecurity engineering + managementIS auditing & control evaluation
Domains485
Questions150125-175 (Adaptive)150
Experience5 yrs (3 in management)5 yrs (2+ domains)5 yrs (IS audit)
Avg Salary$148K-$162K$131K-$152K$134K-$149K
Best ForCISO/VP trackSecurity architect/consultantIT auditor/compliance

Career advice: If you want to manage teams and budgets, pursue CISM. If you want broad, highly respected security knowledge, pursue CISSP. If you audit systems, pursue CISA. CISM + CISSP is considered the most powerful combination for reaching the CISO level.

Exam Cost and Retake Policy

How to Prepare for the CISM

Most candidates need 8-12 weeks studying 2-3 hours daily. Preparation requires a shift in mindset as much as learning new material.

Frequently Asked Questions

How many questions are on the CISM exam?

150 multiple-choice questions in 240 minutes (4 hours), testing information security management decisions.

What is the CISM passing score?

450 on ISACA's 200-800 scaled score. It is not a straight percentage; harder questions are weighted differently.

Is CISM harder than CISSP?

Most candidates find CISSP harder because it covers 8 broad domains including deep technical concepts. CISM is narrower (4 domains) but requires a strict management mindset.

What experience does CISM require?

5 years of information security work experience, with at least 3 years in management roles. Substitutions (up to 2 years) are available for certain degrees or certifications like CISSP or CISA.

How is CISM different from CISA?

CISM is for security managers who build programs; CISA is for auditors who evaluate them. CISM asks how to manage security; CISA asks how to audit it.

Does CISM have hands-on questions or PBQs?

No. The exam is entirely multiple-choice with scenario-based management judgment questions. There are no simulations.

Does CISM expire?

Yes. You must earn 20 CPE (Continuing Professional Education) hours annually, and 120 hours over a 3-year cycle, plus pay an annual maintenance fee.

Practice CISM Questions

Develop your security management thinking with adaptive practice questions covering all four CISM domains.

Start Free Practice Test →

Related Resources