CISM exam details and process

July 5, 2019 by Graeme Messina

Corporations have vast amounts of sensitive information and confidential data such as customer data, banking information and financial records, which need to be monitored closely to ensure data integrity and safety. The Certified Information Security Manager (CISM) certification has been designed for information security managers, supervisors, and any other employees that have information security management responsibilities and need to ensure the continued safety of this data’s storage and security.

The CISM certification is for anyone who manages, creates and monitors an organization’s information security systems. It is focused primarily on security management related to IS roles, and professionals that are involved in this sphere are guaranteed to find exceptional value in pursuing this certification. The strengths of this certification come from the fact that it promotes international best practice and industry standards, meaning that the same objectives that are tested in this exam are the same ones that are highly sought after by potential employers.

What’s more, the CISM is ANSI certified, meaning that it complies with the highest standards in the industry. Earning this certification will elevate prospective candidates to a higher rung that only a select few are a part of. These professionals are qualified to handle the information security related functions of a company or organization, and are responsible for monitoring and managing these systems as well.

What is the goal of the CISM exam?

Earning your CISM certification encompasses a great many different disciplines within the realm of information security, and achieving this certification will open up new avenues for career-minded security professionals who need to showcase their skills as an information security specialist. There are 4 Domains that need to be understood by potential candidates:

  • Information Security Governance (24%)
  • Information Risk Management and Compliance (30%)
  • Information Security Program Development and Management (27%)
  • Information Security Incident Management (19%)

It is important for candidates to understand the question methodology of the CISM, as it is not simply a multiple choice exam with one correct answer per question. Instead, the exam has been constructed with some questions requiring a most likely or best answer. To gain a better understanding of how the questions are developed, be sure to visit ISACA's site to read how these test items are formulated.

To view representations of the CISM exam questions as they may appear in the examination, check out the sample exam questions and see for yourself how they might appear in the exam. This is a valuable practice step when preparing to write your CISM. Candidates are also given the opportunity to run through a tutorial of the exam-taking process after they log in to their testing station at the exam center just prior to writing the exam. It is strongly advised that candidates pay close attention to this tutorial so that no important information relating to the exam-taking process is missed.

Once a candidate has shown proficiency in these areas of competence by obtaining the CISM certification, they will have little trouble showing prospective employers how much value they can add to the organization.

CISM exam schedule, duration and format

2017 has been an exciting time of transition for the CISM, CISA, CGEIT and CRISC examinations, as they have now moved over to a digital, Computer Based Testing method of delivery. This means that candidates can now expect a secure, consistent and enhanced examination experience. This is a departure from the traditional paper-and-pencil examination method previously employed by ISACA for the CISM, the last of which was administered in December 2016. The format of the CISM remains unchanged: it is a multiple choice examination in which questions are delivered one at a time, with the option of flagging answers for later review.

The duration of the exam is around 4 hours, and it consists of 150 questions. If a candidate feels that they have completed all of the tasks required of them earlier, then they are able to complete the exam before the allotted time elapses. It is important for candidates to understand that while the examination uses a multiple choice format, there are some caveats that they need to be aware of. The primary caveat is that some questions will have more than one correct answer associated with them. The candidate must then assess which answer is the most correct, based on their knowledge of the examination requirements. The CISM is currently available in the following languages: Chinese Simplified, English, Japanese, Korean, and Spanish. Check here for the latest candidate guide for 2017 to find all of the information that we are going to discuss in our CISM Exam Overview of 2017.

Booking and taking the exam

To book the exam, candidates must follow a few easy steps and make sure that they satisfy all of the requirements.

  1. The candidate must verify that there is a test site available to them in their area, and on the date that they plan on taking the exam, before they go ahead and make the booking.
  2. Once it has been verified that the testing site is available on the date and in the desired location, the prospective examinee can go ahead and register for the exam.
  3. Paying for the exam can be done at the same time as registration, or payment can be made at a later date. Payment must be made prior to scheduling the exam, however.
  4. Once site availability has been confirmed, registration has been completed, and payment has been made, then candidates can go ahead and schedule the exam. Schedule your Exam here, or view the Tutorial.

What are the identification requirements for testing?

Candidates will only be admitted into the test center if they have a valid form of identification with them. This identification must be current and valid, with the candidate’s name and a photo present as it appears on the Notification of Schedule email. Acceptable forms of identification are the following:

  • Driver’s license
  • State identity card (non-driver’s license)
  • Passport
  • Passport card
  • Military ID
  • Green card, alien registration, permanent resident card
  • National identification card

The testing center reserves the right to ask for additional identification if they are not satisfied with the ID provided, so it is a good idea to take 2 forms of ID with you just in case there are any problems with your first ID document. If your ID is rejected, you will be considered a ‘no-show’ and will forfeit your exam fees, and you will be required to pay again if you wish to retake the exam.

Arrival time for the exam

Candidates that fail to show up, arrive more than 15 minutes late for their exam, or have ID issues and are denied entry will be considered absent, will forfeit their examination fees and will lose their seat in the examination. It is highly recommended that any person who wishes to take the CISM exam familiarize themselves with the location of their preferred examination center. Candidates are also advised to be aware of potential traffic issues on their preferred route, and to plan their journey accordingly. Candidates are encouraged to look at the Candidates Guide, which can be downloaded from here.

Policies on rescheduling, late arrivals and cancellations

All cancellations and rescheduling must be done a minimum of 48 hours prior to the originally scheduled examination session. After this point, candidates must either write the exam or forfeit their registration fees. Arriving more than 15 minutes late may result in the candidate not being able to write the exam, thereby forfeiting their examination fee.

Always arrive at least 30 minutes before your exam is set to start, and give yourself plenty of time to make your way into the examination center. Remember, it is always better to be early, especially when writing an exam such as your CISM.

Scheduling your exam: When to do it

Candidates must ensure that they are thoroughly prepared before registering, paying for, and then scheduling the exam. As such, candidates should schedule well in advance so that there is sufficient time for them to prepare for exam day. Some successful candidates have reported that they gave themselves as many as 3 months to prepare for the exam, and then stuck to their originally scheduled date so that they could remain focused and prepared for the big day.

You failed the test – When can you retake it?

Candidates that are unsuccessful are only allowed to take the exam once per testing window. The 2017 calendar has only 3 exam windows available for the year. Candidates who wish to retake the CISM must complete all of the steps as they did before: registering, paying for and then scheduling the exam in the approaching exam window.

What is the current cost of taking the CISM exam?

The below rates are correct as of June 2017, and may be subject to change. Please consult with ISACA if you have any queries with regard to the examination fees.

Early registration
ISACA Member: US $525
Non-member: US $710

Final registration
ISACA Member: US $575
Non-member: US $760

Further details regarding the May/June 2017 exam can be found by clicking here.

Exam scoring: What does it take to pass the CISM exam?

The CISM exam is based on 200 questions, and the maximum allotted time for candidates to complete it is 4 hours. ISACA uses what is known as a 200 to 800-point scale, with a scaled score of 450 being the lowest passing score. This is a converted raw score that is aligned to a scale rather than to a percentage or arithmetic average, which gives a more accurate picture of the candidate’s understanding of the course material. This is achieved in large part by having questions with multiple correct answers, where some answers are fractionally more correct than others. This added layer of complexity is part of what makes this certification so valuable.

The CISM is a vital certification for anyone looking to prove that they have what it takes to get into the managerial end of information security, and that they are able to take all of their employer’s security concerns into consideration and build policies and protocols around them. Technical knowledge in this field is therefore essential, and the examination does a great job of separating the good from the great.

Graeme Messina

Graeme is an IT professional with a special interest in computer forensics and computer security. When not building networks and researching the latest developments in network security, he can be found writing technical articles and blog posts at InfoSec Resources and elsewhere.