CISM exam domains
The CISM exam is weighted across 4 domains. Pick any domain below to drill it — or read the full breakdown in the FAQ.
| Exam domain | Exam weight | Practice |
|---|---|---|
| Information Security Governance | 17% | Practice this topic |
| Information Security Risk Management | 20% | Practice this topic |
| Information Security Program | 33% | Practice this topic |
| Incident Management | 30% | Practice this topic |
Sample CISM questions
A sample of the CISM questions on this hub. Each links through to the full question, the correct answer, and an explanation of why every other option is wrong.
- A manufacturing enterprise is acquiring a smaller competitor. The acquiring company follows ISO/IEC 27001, while the target has an informal, undocumen…View question
- An information security manager compiles monthly KRI data showing that failed patch-deployment rates have steadily risen over three consecutive report…View question
- An information security manager notices that several individually low-rated risks across different business units all stem from the same unpatched leg…View question
- A newly appointed information security manager at a mid-sized financial services firm discovers that the organization's information security policies…View question
- A newly appointed information security manager at a manufacturing firm finds that a technically sound security strategy approved two years ago has bee…View question
- An information security manager is developing the security program for a large enterprise and must ensure that protection levels applied to data are a…View question
- An information security manager is developing handling requirements for a newly classified dataset that feeds an automated financial trading algorithm…View question
- An information security manager finds that an organization has a documented data classification policy with four sensitivity levels, but a recent revi…View question
- During the rollout of a new information security program, the security manager discovers that many critical data assets have been classified inconsist…View question
- An information security manager discovers that customer datasets originally classified as 'Confidential' three years ago are now aggregated into analy…View question
Key CISM terms
Start with these terms, then explore the full glossary. Each links to a plain-English definition written for the CISM exam.
CISM frequently asked questions
What is the CISM certification?+
CISM is widely regarded as the leading certification for information security management and is common in job listings for security managers and CISOs.
It emphasizes aligning security with business objectives, so success rewards management judgment and governance thinking rather than tool-specific knowledge.
What topics are on the CISM exam?+
The CISM exam is organised into four weighted domains. The percentages below are ISACA’s official weightings for the current exam content outline, so bias your study toward the heavier domains — Information Security Program and Incident Management together are well over half the exam. Note that ISACA has announced an updated CISM outline effective 3 November 2026; verify the current outline on the ISACA site before you book.
Information Security Governance (17%)
Covers enterprise governance and organizational culture, aligning the security strategy to business goals, legal and regulatory requirements, governance frameworks and roles, and building the business case for security investment.
Information Security Risk Management (20%)
Covers risk identification (threat landscape, vulnerabilities, control deficiencies), risk assessment and analysis (qualitative and quantitative), risk response options, risk ownership, and ongoing risk monitoring and reporting with KRIs. (Business impact analysis is covered under Incident Management readiness.)
Information Security Program (33%)
The largest domain. Covers developing and resourcing the security program, control frameworks and baselines, program metrics, security awareness and culture, integrating security into processes (SDLC, change, procurement), and managing third-party and vendor risk.
Incident Management (30%)
Covers incident response planning and its integration with business continuity and disaster recovery, incident classification and the response lifecycle, detection, investigation, containment, eradication and recovery, post-incident review, evidence handling, and testing plans (RTO/RPO).
Is the CISM hard?+
CISM is challenging because it demands a manager’s perspective: you must often choose the best of several defensible answers based on business risk and governance, not the most technical option.
The four domains span the whole discipline of security management, and the heavy weighting on the program and incident-management domains rewards judgment built from real experience.
How many questions are on the CISM exam and how long is it?+
The CISM exam consists of 150 multiple-choice questions to be completed in 4 hours (240 minutes).
Our full-length practice mock uses a 100-question, 180-minute session so you can rehearse pacing and management-style reasoning across all four domains before test day.
What score do you need to pass the CISM?+
ISACA scores CISM on a scaled range of 200 to 800, and you need a scaled score of 450 to pass. Your raw performance is converted to this scaled score, and there is no penalty for guessing, so answer everything. Our practice mock uses a 70% threshold as a study checkpoint; aim comfortably beyond it before test day.
How much does the CISM exam cost?+
The CISM exam fee is set by ISACA and differs for members and non-members — check the ISACA site for current pricing. Certification also requires meeting the work-experience requirement and paying annual maintenance fees with continuing professional education (CPE). Everything on this hub is free.
Who should take the CISM?+
CISM is aimed at experienced security professionals moving into or already in management — security managers, information security officers, and aspiring CISOs.
ISACA requires five years of information security work experience, with defined waivers, to certify. You can pass the exam first and claim the experience within five years.
What jobs and salaries can the CISM lead to?+
CISM maps to roles such as information security manager, security program manager, IT risk manager, and CISO.
How much any certification affects pay depends heavily on geography, seniority, and experience, so treat any single salary figure with caution. CISM is best viewed as validation of security-management and governance competence.
How long does it take to study for the CISM?+
Experienced candidates often need two to three months of steady study, focused on adopting the manager’s mindset the exam rewards.
Review every explanation, including for questions you answered correctly, because CISM distractors are built from plausible but sub-optimal management choices. Use the per-domain results here to find your weakest area, then finish with full-length timed mocks.
How should you prepare for the CISM?+
Study the four domains above, giving the heaviest weight to the Information Security Program and Incident Management domains, then drill scenario questions domain by domain. Every MockAPI question reveals a full explanation and tells you why each wrong answer is wrong.
When you can reason to the best management answer comfortably, move to full-length timed mocks. Use the glossary to keep concepts like risk appetite, residual risk, BIA, and RTO/RPO straight, and aim to score consistently above the checkpoint before you book.
Can you take the CISM exam online?+
Yes. ISACA offers CISM through remote online proctoring as well as at in-person test centers, so you can choose the option that suits you. The online exam requires a private, quiet room, a clear workspace, a webcam and microphone, a stable connection, and government-issued photo ID, with a proctor monitoring you and a room scan before you start.
If you do not pass, ISACA lets you retake the exam, with a limited number of attempts allowed per rolling twelve-month period — check the current policy before rebooking.
What certification should you take after the CISM?+
After CISM, common next steps include ISACA’s CRISC for risk focus or CISA for audit, or CISSP for a broader technical-plus-management security profile.
For many, the real next step is leading a security program end to end. Pairing CISM with hands-on management experience is what turns the certificate into a career.