Certified Information Security Manager (CISM)


The Certified Information Security Manager (CISM) certification exam demonstrates in-depth knowledge and understanding of the relationship between information security programs and broader business goals and objectives. The CISM certification promotes international security practices, and CISM-certified employees provide enterprises with an information security management credential recognized by organizations and clients around the globe.

Who should take the exam?

The exam is designed for candidates who are able to manage, design, oversee, and assess an enterprise’s information security function. The CISM exam requirements are:

  • Five (5) or more years of experience in information security management.
  • Experience waivers are available for a maximum of two (2) years.

Solid Reasons to take the certification

Are you wondering whether the CISM certification is worth it? Then read on to find out!

  • The CISM certification demonstrates your understanding of the relationship between an information security program and broader business goals and objectives.
  • It distinguishes you as having not only information security expertise but also knowledge in the development of an information security program.
  • This particular certification holds the potential to put you in an elite peer network.
  • It is considered essential to ongoing education, career progression, and value delivery to enterprises.

CISM Exam Format

The Certified Information Security Manager (CISM) exam consists of 150 multiple-choice questions. Candidates must score at least 450 points to pass the exam. The CISM exam duration is 4 hours. The CISM exam costs $575 USD for members and $760 USD for non-members, which includes additional taxes. The CISM exam questions are available in 4 languages, namely Chinese Simplified, English, Japanese, and Spanish.

Exam Details of CISM

How to schedule the exam?

ISACA’s Certified Information Security Manager (CISM) certification indicates expertise in information security governance, program development and management, incident management, and risk management. Candidates must select either online remote proctoring or an in-person testing center.

Candidates can schedule their exam at www.isaca.org/MYISACA.


Course Outline

Domains of CISM

First Domain: Information Security Governance

  • Establish and maintain an information security strategy in alignment with organizational goals and objectives to guide the establishment and ongoing management of the information security program (ISACA Reference: Developing an Information Security and Risk Management Strategy)
  • Establish and maintain an information security governance framework to guide activities that support the information security strategy
  • Integrate information security governance into corporate governance to ensure that organizational goals and objectives are supported by the information security program (ISACA Reference: How to Measure Security From a Governance Perspective)
  • Establish and maintain information security policies to communicate management’s directives and guide the development of standards, procedures and guidelines (ISACA Reference: Checking the Maturity of Security Policies for Information and Communication)
  • Develop business cases to support investments in information security (ISACA Reference: Return on Security Investment)
  • Identify internal and external influences to the organization (for example, technology, business environment, risk tolerance, geographic location, legal and regulatory requirements) to ensure that these factors are addressed by the information security strategy (ISACA Reference: Strengthening Internal Audits Influence and Impact)
  • Obtain commitment from senior management and support from other stakeholders to maximize the probability of successful implementation of the information security strategy
  • Define and communicate the roles and responsibilities of information security throughout the organization to establish clear accountabilities and lines of authority (ISACA Reference: Accountability for Information Security Roles and Responsibilities)
  • Establish, monitor, evaluate and report metrics (key goal indicators [KGIs], key performance indicators [KPIs], key risk indicators [KRIs]) to provide management with accurate information regarding the effectiveness of the information security strategy (ISACA Reference: Integrating KRIs and KPIs for Effective Technology Risk Management)

(ISACA Reference: Information Security Governance: Guidance for Information Security Managers)

Second Domain: Managing Information Risk

  • Establish and maintain a process for information asset classification to ensure that measures taken to protect assets are proportional to their business value (ISACA Reference: Framework for Protecting Your Valuable IT Assets)
  • Identify legal, regulatory, organizational and other applicable requirements to manage the risk of noncompliance to acceptable levels (ISACA Reference: Risk Management Process)
  • Ensure that risk assessments, vulnerability assessments and threat analyses are conducted periodically and consistently to identify risk to the organization’s information (ISACA Reference: Vulnerability Assessment)
  • Determine appropriate risk treatment options to manage risk to acceptable levels (ISACA Reference: Enterprise Risk Monitoring Methodology)
  • Evaluate information security controls to determine whether they are appropriate and effectively mitigate risk to an acceptable level (ISACA Reference: Info Security Chiefs: Communications Is Key to Mitigate Risk)
  • Identify the gap between current and desired risk levels to manage risk to an acceptable level (ISACA Reference: Information Security Architecture: Gap Assessment and Prioritization)
  • Integrate information risk management into business and IT processes (for example, development, procurement, project management, mergers and acquisitions) to promote a consistent and comprehensive information risk management process across the organization
  • Monitor existing risk to ensure that changes are identified and managed appropriately (ISACA Reference: Enterprise Risk Monitoring Methodology)
  • Report noncompliance and other changes in information risk to appropriate management to assist in the risk management decision-making process (ISACA Reference: Nonsense Compliance)

(ISACA Reference: Developing an Information Security and Risk Management Strategy)

Third Domain: Information Security Program Development & Management

  • Integrate information security requirements into organizational processes (for example, change control, mergers and acquisitions, development, business continuity, disaster recovery) to maintain the organization’s security baseline (ISACA Reference: Security Monitoring as Part of the InfoSec Playbook)
  • Integrate information security requirements into contracts and activities of third parties (for example, joint ventures, outsourced providers, business partners, customers) to maintain the organization’s security baseline (ISACA Reference: A Risk-Based Management Approach to Third-Party Data Security, Risk and Compliance)
  • Establish, monitor and periodically report program management and operational metrics to evaluate the effectiveness and efficiency of the information security program

Fourth Domain: Information Security Incident Management

  • Establish and maintain an organizational definition of, and severity hierarchy for, information security incidents to allow accurate identification of and response to incidents (ISACA Reference: ISACA Launches New Audit Program for Security Incident Management)
  • Establish and maintain an incident response plan to ensure an effective and timely response to information security incidents (ISACA Reference: Incident Management and Response)
  • Develop and implement processes to ensure the timely identification of information security incidents (ISACA Reference: Evaluating Security Incident Management Programs)
  • Establish and maintain processes to investigate and document information security incidents to be able to respond appropriately and determine their causes while adhering to legal, regulatory and organizational requirements (ISACA Reference: An Introduction to Information Security Incident Management)
  • Establish and maintain incident escalation and notification processes to ensure that the appropriate stakeholders are involved in incident response management (ISACA Reference: Internal Control – Key to Delivering Stakeholder Value)
  • Organize, train and equip teams to effectively respond to information security incidents in a timely manner
  • Test and review the incident response plan periodically to ensure an effective response to information security incidents and to improve response capabilities (ISACA Reference: A Business-integrated Approach to Incident Response)
  • Establish and maintain communication plans and processes to manage communication with internal and external entities
  • Conduct post-incident reviews to determine the root cause of information security incidents, develop corrective actions, reassess risk, evaluate response effectiveness and take appropriate remedial actions (ISACA Reference: Code of Professional Ethics)
  • Establish and maintain integration among the incident response plan, disaster recovery plan and business continuity plan

(ISACA Reference: Incident Management and Response)

Exam Policies

CISM is one of the most sought-after information security certifications, so aspirants should make sure they are well aware of the exam policies before registering. These exam policies provide the required and relevant exam details, along with the certification exam procedures.


CISM Exam Preparation Guide

This CISM certification guide provides the learning resources you need to get the most from your exam preparation efforts.

Preparatory Guide for CISM

Learning Resource 1: Create a Study Plan

Before you begin your preparation, it is important to create a study plan. Build your study plan in accordance with the exam objectives and be realistic about your work and other obligations. For example, decide how much you can spend on preparation material, whether you need to take a training course, and which CISM exam training method best suits you. A study plan helps you use your study time efficiently and keeps your preparation on track.

Learning Resource 2: Read ISACA Guide

Every year, ISACA issues an updated version of its candidate guide to provide practical information for the CISM exam. This guide aims to make candidates familiar with what to expect on exam day. It contains valuable information such as the exam domains, the number of exam questions, the exam length, and the CISM exam pattern. No candidate should take the CISM exam without reading this guide, which offers a complete overview of the exam.

Learning Resource 3: Join Online Forums

ISACA sponsors online forums for its candidates, which are easy to join. Online forums allow the sharing of questions, study methods, and tips for the exam, and they are a good place to learn what to expect on exam day. They cost nothing, allow candidates to ask and answer questions, and provide direct contact with other like-minded professionals when you need help solving a problem.

Learning Resource 4: Practice Tests

Practice tests are one of the most efficient ways to prepare for the exam, and there is no substitute for practice questions when preparing for the CISM exam. The CISM sample questions in practice tests are not actual exam questions; however, their type, structure, and level of difficulty fully represent what is expected of candidates during the real test, which helps candidates focus their study efforts accordingly.

Practice tests allow aspirants to measure themselves anywhere with an internet connection.
