CISM — Certified Information Security Manager

What is the CISM certification?

The Certified Information Security Manager (CISM) is a certification geared toward senior-level professionals pursuing a career in information security management and governance. The credential is ideal for you if you’re seeking high-level jobs like information security manager, information privacy or risk consultant, or information system security officer. With a strong employment outlook and competitive salary, it’s no surprise that the CISM is in high demand among cybersecurity leaders. The CISM is administered by ISACA (Information Systems Audit and Control Association) and meets ISO 17024 standards and U.S. DoD directive 8140/8570.01-M requirements. To learn more about CISM and other ISACA certifications, download your free ISACA Career Kit.


How do I get the CISM certification?

While Certified Information Systems Auditor (CISA) remains the most popular ISACA certification, CISM is the fastest-growing, says Chris DeMale, Director, Channel Business Development at ISACA.

“It’s designed for technical experts looking to move into strategic management positions such as architect, security analyst, data security managers and other titles,” says DeMale. “We also see many C-level executives pursue the CISM because it is such a capable certification.”

The CISM certification requirements include five or more years of experience related to the CISM domains, although up to two years can be waived if you meet certain experience requirement waivers.

How technical do CISM holders need to be?

There are two main career tracks in technology and cybersecurity management, says Infosec Skills author Cicero Chimbanda:

  • Build depth as a subject matter expert in a few areas
  • Gain a wide range of knowledge and understand how all the security components work together

“You can move from a track as a subject matter expert and become a manager and have those one or two things that give you a competitive advantage or influence,” says Chimbanda. “Or you can be somebody who has breadth [and can] connect the dots. That’s the most important thing.” And you should have good managerial and people skills.


CISM exam FAQs

The newest version of the CISM exam goes into effect on June 1, 2022 (see the detailed CISM exam objectives). ISACA updates the CISM job practice areas every five years at the minimum, so the current version will likely be active until 2027. Here’s what you should know about the current CISM exam:

  • How many questions are on the CISM exam? How long is the CISM exam?

    The CISM exam is a 150-question, multiple-choice exam that lasts up to four hours. To pass the test, you’ll have to earn 450 points or higher. Your score is calculated using a 200-800 scaled scoring method.

    Questions cover the four main CISM domains:

    • Information security governance (17%)
    • Information risk management (20%)
    • Information security program (33%)
    • Incident management (30%)

    If you aren’t able to pass the CISM exam the first time, you can retake the exam up to four times per year.

    Read our CISM exam details and process article for more information on scheduling and taking the CISM exam.

  • How hard is the CISM exam?

    The CISM is a management-level certification, so test-takers should expect the content to be rigorous and challenging. A CISM passing score is 450 out of 800 points. Test-takers should set themselves up for success by preparing for the level of CISM difficulty with practice tests, study guides and classes. Practice tests can be especially helpful to benchmark your knowledge of the four core domains and determine which areas need more attention.

    Some training providers like Infosec provide an Exam Pass Guarantee with their CISM Boot Camp. This means if you do not pass the exam on your first attempt, you’ll receive a second exam voucher to retake the exam at no cost.

    For more advice on passing the exam, check out our 9 tips for CISM exam success article.

  • How to pass the CISM exam?

    CISM is an advanced, management-level certification that is aimed at cybersecurity professionals with at least five years of experience. But experience alone will likely not be enough to pass the exam without targeted preparation.

    Pass rates vary depending on an individual’s experience, study habits and test-taking strategies. For example, Infosec partners with ISACA to offer a CISM Boot Camp that comes with an Exam Pass Guarantee, which means if you don’t pass the exam on your first attempt, you’ll get a second attempt at no cost to you.

  • How much does the CISM exam cost?

    The CISM exam cost is different for ISACA members and non-ISACA members.

    Non-members will pay $760 for the test. Members can sign up for a discounted rate of $575. If you decide to go the membership route, keep in mind that you’ll have to pay an upfront fee to your local chapter and $130 per year to upkeep your membership.

    The most up-to-date pricing for ISACA exams can be found on the ISACA website. You can download ISACA’s Exam Candidate Information Guide (available in English and other languages) to get the most up-to-date information about costs and other exam details.

  • Where do I take the CISM exam?

    The CISM exam is administered by PSI. You can take the exam online with remote proctoring or in-person at a PSI testing center. For more information, see the “Register for the Exam” section on the ISACA CISM page.

    Watch this video to learn more about testing in person at a PSI test center: https://psi.wistia.com/medias/3321yp1ic8.

    Watch this video to learn more about remote testing: https://psi.wistia.com/medias/5kidxdd0ry.

  • How to prepare for the CISM exam?

    You have a variety of learning resources at your disposal to prepare for the CISM exam. We recommend starting out with the ISACA candidate guide (check out the ISACA CISM webpage for the most up-to-date version or to download the guide in other languages). The guide covers topics related to exam registration, important deadlines, exam domains and more. The guide is a must-read for every CISM test taker.

    A number of additional training resources are provided in the free and paid CISM training resources sections below.

  • How long is my CISM certification active? How do I earn CPEs?

    Once you receive your CISM, you will need to complete professional education activities to keep it active.

    The CISM has a three-year renewal cycle. During that three-year period, you will need to complete a total of 120 hours of continuing professional education (CPE) activities with a minimum of 20 hours each year. In other words, you’ll need to spread these activities out rather than frontloading them during the first year or saving them all for year three.

    There are many educational activities you can choose from to earn your CPEs. These options include classes, conferences, lab activities, volunteering with ISACA and more. You can find a full list of options in ISACA’s CISM CPE Policy.

    These articles are filled with a wealth of helpful information:

  • How much does it cost to renew my CISM?

    In addition to completing CPEs, you’ll need to pay an annual maintenance fee. The fee costs $45 for ISACA members and $85 for non-members. If you hold more than two ISACA certifications, the cost to renew each additional certification (3rd, 4th, etc.) is $25 for ISACA members and $50 for non-members.

    According to ISACA, “This payment is due annually by 1 January and is required to renew through the upcoming calendar year. For example, to renew through the end of the current year, the current year’s maintenance fee must be paid by 1 January of the current year.”

    For more information, read our article, Maintaining your CISM certification: Renewal requirements.

Free and self-study CISM materials

Budget-savvy test-takers will be pleased to learn that there are plenty of free CISM training resources available to help you prepare for the CISM. ISACA itself has official study materials available on its website, including a study guide and a database of exam questions. Be sure to check your local library if you’re trying to train on a budget.

CISM study guides and CISM books

Study guides and books can be one of the most effective ways to study for the CISM exam. You can find them at your local library or book store, or online at the ISACA store, Amazon or elsewhere.

  • CISM Review Manual, 16th edition (published by ISACA)
  • CISM Certified Information Security Manager Study Guide by Mike Chapple (published by Sybex)
  • CISM Certified Information Security Manager All-in-One Exam Guide by Peter H. Gregory (published by McGraw Hill)

You can also download your free ISACA Career Kit for more information from ISACA on their certifications.

CISM practice exams and simulations

Taking a CISM practice exam is an excellent way to get a preview of the real deal. Not only can you get a feel for the format and pacing of the exam, but you’ll also gain valuable insight into which domains you should focus your studies on. Official and unofficial practice exam questions are available:

  • CISM Review Questions, Answers & Explanations (QAE) Manual, 10th edition (published by ISACA and also available as a 12-month subscription to the QAE Database)
  • CISM Certified Information Security Manager Practice Exams by Peter H. Gregory (published by McGraw Hill)
  • A number of services like Boson, Pocket Prep and CertLibrary also provide paid CISM practice exams

Infosec partners with ISACA to provide live online CISM boot camps that include unlimited practice exam attempts and a 12-month subscription to the ISACA QAE Database.


Other free CISM training resources

There are a number of other free CISM training materials being produced and shared by the community:

  • Forums like TechExams and Reddit allow you to connect directly with others who are studying for or have already taken CISM.
  • Podcasts may not help you directly study for your CISM exam, but those like the Cyber Work Podcast are a great way to learn about cybersecurity career options and your peers’ career journey.
  • Video platforms are another great place to connect with cybersecurity practitioners and learn about the CISM exam. Many people have created free CISM videos on YouTube, TikTok, Twitch and other platforms, including our webcast on ISACA career paths.

CISM jobs, careers and salary

The CISM opens new doorways for cybersecurity professionals looking to ascend into leadership roles. These jobs also tend to be some of the highest paying in the industry.

  • What are common CISM jobs?

    CISM holders are usually found in leadership roles at a variety of organizations, from for-profit businesses to government agencies, defense contractors and the military. Two leadership roles associated with the CISM are:

    Information security manager
    Information security managers oversee an organization’s cybersecurity staff. They provide training, ongoing support, and management to information security and IT staff. They may also have a hand in developing the organization’s security strategies, addressing security breaches and recommending updates to existing systems.

    Chief Information Security Officer
    The Chief Information Security Officer (CISO) is an organization’s top information security leader. This high-ranking position entails everything from overseeing other senior-level staff to creating the information security budget and designing high-level strategies and policies to guide the company’s cybersecurity efforts. As the highest-ranking cybersecurity expert, CISOs are much more involved in the management side of the job than hands-on coding and technical work; however, it’s still greatly beneficial for CISOs to have extensive technical knowledge and training.

    Want to learn more about your job options? Take a look at our Common CISM job titles and CISM overview and career path articles.

  • How to become a security leader or CISO?

    Becoming a Chief Information Security Officer (CISO) requires many years of hard work and a dedication to professional development and life-long learning. CISOs typically have an average of 10 years of work experience. Many start off in entry-level jobs like computer programmer, network specialist or network and systems analyst. From there, they move to mid-career roles like security auditor, engineer, analyst or consultant. As they gain experience, they’ll be promoted into senior-level positions like security architect, security director or project manager, before ultimately rising to the role of CISO.

    CISOs are also well-educated and have a strong grasp of the technical skills required of advanced-level information security professionals. Many have a bachelor’s degree in computer science, cybersecurity or information technology, and some will go on to acquire a master’s degree. As senior-level professionals, they also have a comprehensive array of professional certifications.

    For more information, read our How to become a Chief Information Security Officer (CISO) article.

  • What does a CISM do?

    The CISM is designed to provide information security managers (or those aspiring to become one) a credential that solidifies their ability to lead an organization’s cybersecurity program. These individuals are expected to take charge of a company’s information security program by creating policies and procedures, directing the cybersecurity team, and harmonizing the security and business objectives. CISM holders often pursue careers as cybersecurity consultants, information security managers and chief information security officers (CISO).

    For more details on specific tasks, see the CISM exam outline, which includes the main job areas covered in the CISM certification as well as 37 supporting tasks.

  • Is the CISM worth it?

    The value of earning the CISM depends on your individual goals. Some benefits of earning your CISM include:

    • Deeper knowledge base: The CISM allows you to bridge your knowledge of cybersecurity with that of business practices. In practice, you’ll be able to effectively implement security programs and strategies in line with your organization’s business objectives. This hybrid skill set is in high demand among employers looking to fill in the upper echelons of their security leadership teams.
    • Competitiveness: As a senior-level certification, the CISM can give you a competitive edge when applying for leadership roles or vying for a promotion. Holding the CISM will signal to employers that you’re serious about becoming a leader and committed to your ongoing professional development.

  • What's the salary for a CISM holder?

    CISM holders earn an average base salary of around $129,000, but your expected salary may vary significantly depending on experience, location and company. Below is the salary data from various sources related to CISM or information security manager positions as of April 2022:

    • Payscale: $129,000 base salary
    • Glassdoor: $129,089 base ($150,988 total compensation)
    • Salary.com: $137,359 ($148,345 total compensation)

    Read our Average CISM salary article for more information.

  • How many people have the CISM?

    The CISM was created by ISACA in 2002, and there are more than 48,000 current certification holders as of 2022, according to ISACA.

    About a third of the current ISACA members hold a CISM certification, ISACA’s Chris DeMale explained in a 2021 Infosec Edge Webcast. It’s the fastest-growing ISACA certification due to the increasing demand for cybersecurity professionals.

  • Where can I find CISM and security management jobs?

    The CISM is a popular management-level certification. It’s often listed in cybersecurity management job openings as a way to validate your knowledge and skills. To find CISM or cybersecurity management openings on general job boards like Indeed, Monster, Glassdoor, LinkedIn and CareerBuilder, search for the keywords “CISM,” “ISACA” or “security manager.”

    Security-focused job boards such as ClearedJobs and infosec-jobs.com are also good sources of roles for CISM holders. Other good sources of security job postings are cybersecurity groups like ISACA and others (ISSA, BSides, OWASP, Women in Cybersecurity and others) and cybersecurity websites.

    Before your interview, check out our free ebook of cybersecurity interview tips, “How to stand out, get hired and advance your career.”

Paid CISM training and exam prep

When it comes to preparing for the CISM exam, you can choose to train yourself with books and free resources, or you can find a paid course. Most CISM courses fall into two categories: live online CISM boot camps or on-demand CISM courses where you go at your own pace.

Live CISM boot camps

Live CISM boot camps provide direct instruction where you can interact with your instructor and classmates. Live boot camps can be at a location or online. For example, Infosec partners with ISACA to provide a five-day CISM boot camp that you can take live online or in person.

The benefits of a live CISM boot camp include:

  • Live training and Q&A: CISM is an advanced certification, and interacting with a group of seasoned professionals in a live setting often provides a great learning experience.
  • Complete training package: Most CISM boot camps come with everything you need: instruction, exam vouchers, books, the ISACA QAE database and labs. Training with a live instructor is more expensive, so when shopping around, be sure you know what’s included in your purchase — and what you may have to pay extra for.
  • Improved pass rates: Boot camp providers like Infosec stand by their training with an Exam Pass Guarantee. That means if you fail your CISM exam on your first attempt, you’ll get a second attempt to pass — for free.

Self-paced CISM training

If you’re not in a hurry to earn your CISM, the go-at-your-own-pace model can be a great (and more affordable) option. These types of courses usually consist of a number of pre-recorded videos, along with practice exams and labs or exercises you can do on your own to reinforce the material.

The benefits of on-demand CISM training include:

  • Train when you want: You’re in charge of your training schedule, whether that’s daily on your lunch break or cramming all weekend long. For further motivation, you can join a study group or connect with others who are preparing for the exam.
  • Build an individual training plan: Don’t waste time learning what you already know. Since you’re not tied to a group, you can spend more time focused on the areas you need to learn most.
  • Accredited training partner: ISACA accredited partners regularly work with ISACA to ensure their training content is up to date and meets ISACA’s quality standards.

CISM comparisons and alternatives

The CISM is one of several advanced cybersecurity certifications that you can choose from. Here’s how it stacks up against the others.

  • CISM vs. CISSP

    The Certified Information Systems Security Professional (CISSP) is offered by (ISC)² and is a well-respected credential for cybersecurity leaders. In fact, some professionals choose to hold both certifications. This is because rather than competing with the CISM, the CISSP complements it. In terms of similarities, both credentials are vendor-neutral, have a prerequisite of 5 years of related professional experience and cover similar domains. However, the CISM has a stronger management focus while the CISSP is more technically focused. The CISSP is also more common — there are over 150,000 CISSP holders globally versus 48,000 CISM holders, according to (ISC)².

    For more information, read our articles, Cybersecurity manager certifications compared: CISSP vs. CIPM vs. CISM vs. GSLC and Best information security management certifications.

  • CISM vs. CISA

    These two certifications are designed for two entirely different career paths. If you’d like to go down the path of IT auditing, then CISA (Certified Information Systems Auditor) is your best choice. CISA is also considered more hands-on and better geared for practitioners than the management-focused CISM. The CISM is ideal if you see yourself as a future information security manager or risk manager.

    CISA is ISACA’s most popular certification, with CISM the second-most popular.

    For more information, read our article, The ultimate guide to ISACA certifications: Overview & career paths.

  • CISM vs. CRISC

    Like CISM, the CRISC (Certified in Risk and Information Systems Control) is also an upper-level information security certification offered by ISACA. But they differ in one very important way: CRISC is focused exclusively on the area of IT risk management. That makes CISM much broader in terms of its content and breadth.

    For more information, read our article, Top 5 highest-paying infosec certifications.

  • CISM vs. Security+

    The CompTIA Security+ certification is an entry-level credential and often the first one earned by new cybersecurity professionals. For this reason, it’s not really comparable to the CISM, which is an advanced-level credential designed for managers and directors. However, if you’re at the start of your career and want to eventually earn the CISM, the Security+ is an excellent stepping stone.

    For more information, read our article, 7 top security certifications you should have.

  • CISM vs. CASP+

    The CompTIA Advanced Security Practitioner (CASP+) certification is designed for technical professionals who plan to remain in a hands-on role. With its strong practitioner focus, it’s ideal for high-level information security professionals who are not interested in pursuing management in the near future. Common job roles for CASP+ holders include technical lead analyst, security architect, security engineer and application security engineer.