ISACA · Advanced

ISACA CISM — Certified Information Security Manager (CISM) practice exam & study guide

ISACA CISM (Certified Information Security Manager) is a management-focused certification for professionals who design and oversee an enterprise information security program. It validates expertise across four domains — information security governance, risk management, program development, and incident management.

CISM is a manager’s credential, not a hands-on technical exam. Questions favor governance, risk-based judgment, and the “best” management answer over deep implementation detail.

This free hub gives you everything you need to prepare: a syllabus breakdown by exam domain, realistic practice questions with teacher-style explanations, a glossary of the security-management concepts the exam relies on, and full-length timed mock exams that mirror the real testing experience.

100
Questions
180 min
Time limit
70%
Mock pass %
4
Domains

Start studying CISM

New here? Follow the three steps below in order. Everything is free and needs no account.

  1. 1
    Learn the plan

    See all 4 domains in exam-weight order.

    Open study path
  2. 2
    Drill by domain

    Practice one topic at a time with explained answers.

    Start with the first domain
  3. 3
    Sit a timed mock

    100 questions · 180 min · 70% to pass our mock.

    Take the mock exam

All CISM study resources

CISM exam domains

The CISM exam is weighted across 4 domains. Pick any domain below to drill it — or read the full breakdown in the FAQ.

Exam domainExam weightPractice
Information Security Governance17%Practice this topic
Information Security Risk Management20%Practice this topic
Information Security Program33%Practice this topic
Incident Management30%Practice this topic

Sample CISM questions

A sample of the CISM questions on this hub. Each links through to the full question, the correct answer, and an explanation of why every other option is wrong.

Key CISM terms

Start with these terms, then explore the full glossary. Each links to a plain-English definition written for the CISM exam.

CISM frequently asked questions

What is the CISM certification?+

CISM is widely regarded as the leading certification for information security management and is common in job listings for security managers and CISOs.

It emphasizes aligning security with business objectives, so success rewards management judgment and governance thinking rather than tool-specific knowledge.

What topics are on the CISM exam?+

The CISM exam is organised into four weighted domains. The percentages below are ISACA’s official weightings for the current exam content outline, so bias your study toward the heavier domains — Information Security Program and Incident Management together are well over half the exam. Note that ISACA has announced an updated CISM outline effective 3 November 2026; verify the current outline on the ISACA site before you book.

Information Security Governance (17%)

Covers enterprise governance and organizational culture, aligning the security strategy to business goals, legal and regulatory requirements, governance frameworks and roles, and building the business case for security investment.

Information Security Risk Management (20%)

Covers risk identification (threat landscape, vulnerabilities, control deficiencies), risk assessment and analysis (qualitative and quantitative), risk response options, risk ownership, and ongoing risk monitoring and reporting with KRIs. (Business impact analysis is covered under Incident Management readiness.)

Information Security Program (33%)

The largest domain. Covers developing and resourcing the security program, control frameworks and baselines, program metrics, security awareness and culture, integrating security into processes (SDLC, change, procurement), and managing third-party and vendor risk.

Incident Management (30%)

Covers incident response planning and its integration with business continuity and disaster recovery, incident classification and the response lifecycle, detection, investigation, containment, eradication and recovery, post-incident review, evidence handling, and testing plans (RTO/RPO).

Is the CISM hard?+

CISM is challenging because it demands a manager’s perspective: you must often choose the best of several defensible answers based on business risk and governance, not the most technical option.

The four domains span the whole discipline of security management, and the heavy weighting on the program and incident-management domains rewards judgment built from real experience.

How many questions are on the CISM exam and how long is it?+

The CISM exam consists of 150 multiple-choice questions to be completed in 4 hours (240 minutes).

Our full-length practice mock uses a 100-question, 180-minute session so you can rehearse pacing and management-style reasoning across all four domains before test day.

What score do you need to pass the CISM?+

ISACA scores CISM on a scaled range of 200 to 800, and you need a scaled score of 450 to pass. Your raw performance is converted to this scaled score, and there is no penalty for guessing, so answer everything. Our practice mock uses a 70% threshold as a study checkpoint; aim comfortably beyond it before test day.

How much does the CISM exam cost?+

The CISM exam fee is set by ISACA and differs for members and non-members — check the ISACA site for current pricing. Certification also requires meeting the work-experience requirement and paying annual maintenance fees with continuing professional education (CPE). Everything on this hub is free.

Who should take the CISM?+

CISM is aimed at experienced security professionals moving into or already in management — security managers, information security officers, and aspiring CISOs.

ISACA requires five years of information security work experience, with defined waivers, to certify. You can pass the exam first and claim the experience within five years.

What jobs and salaries can the CISM lead to?+

CISM maps to roles such as information security manager, security program manager, IT risk manager, and CISO.

How much any certification affects pay depends heavily on geography, seniority, and experience, so treat any single salary figure with caution. CISM is best viewed as validation of security-management and governance competence.

How long does it take to study for the CISM?+

Experienced candidates often need two to three months of steady study, focused on adopting the manager’s mindset the exam rewards.

Review every explanation, including for questions you answered correctly, because CISM distractors are built from plausible but sub-optimal management choices. Use the per-domain results here to find your weakest area, then finish with full-length timed mocks.

How should you prepare for the CISM?+

Study the four domains above, giving the heaviest weight to the Information Security Program and Incident Management domains, then drill scenario questions domain by domain. Every MockAPI question reveals a full explanation and tells you why each wrong answer is wrong.

When you can reason to the best management answer comfortably, move to full-length timed mocks. Use the glossary to keep concepts like risk appetite, residual risk, BIA, and RTO/RPO straight, and aim to score consistently above the checkpoint before you book.

Can you take the CISM exam online?+

Yes. ISACA offers CISM through remote online proctoring as well as at in-person test centers, so you can choose the option that suits you. The online exam requires a private, quiet room, a clear workspace, a webcam and microphone, a stable connection, and government-issued photo ID, with a proctor monitoring you and a room scan before you start.

If you do not pass, ISACA lets you retake the exam, with a limited number of attempts allowed per rolling twelve-month period — check the current policy before rebooking.

What certification should you take after the CISM?+

After CISM, common next steps include ISACA’s CRISC for risk focus or CISA for audit, or CISSP for a broader technical-plus-management security profile.

For many, the real next step is leading a security program end to end. Pairing CISM with hands-on management experience is what turns the certificate into a career.