ISACA

Certified Information Security Manager

The Certified Information Security Manager (CISM) is ISACA's management-focused certification for professionals who design, build, and manage an enterprise information security program. The 2022 job practice spans four domains: information security governance, information security risk management, information security program, and incident management.

Practice

Learn at your own pace. Answer questions one at a time with instant feedback and explanations.


Mock exam

Simulate the real thing. Take a timed, full-length test and review your score and weak areas.


Study your way: beyond Practice and Mock exam, choose adaptive practice, hard mode, ready-for-review, objective coverage, or retry-your-misses, and set your own question count, timer, and pass mark for each session.

About this exam

CISM is the leading credential for information security management, validating the ability to govern, design, and manage an enterprise security program aligned to business goals. Aligned to ISACA's 2022 CISM job practice, it covers four domains: Information Security Governance (17%), Information Security Risk Management (20%), Information Security Program (33%), and Incident Management (30%).

Who should take this exam

Information security managers, aspiring managers, IT consultants, and security leaders responsible for managing, designing, or overseeing enterprise information security. To be certified, ISACA requires five years of information security work experience, including at least three years in information security management across three or more of the job practice domains (partial waivers are available for certain qualifications).

Career benefits

CISM is highly valued for security management and leadership roles and commands strong salaries. It demonstrates the ability to bridge security and business objectives and to lead a security program and incident response.

How to prepare

Study the ISACA CISM Review Manual and the 2022 job practice, and work through scenario-based questions that emphasize the manager's perspective across governance, risk, program management, and incident response. Expect questions that ask for the best management decision rather than a technical configuration; focus on aligning security with business goals, selecting risk treatment options, defining program metrics, and the incident response lifecycle.

Quick facts

Exam cost: USD 575 for ISACA members, USD 760 for non-members.
Valid for: Maintained through ISACA's CPE program, requiring 20 CPE hours annually and 120 over a three-year cycle, plus the annual maintenance fee.
Length: 240 minutes
Questions on exam: 150
Passing score: A scaled score of 450 or higher (on a scale of 200 to 800) is required to pass.
Format: 150 multiple-choice questions over 4 hours (240 minutes). Delivered at PSI test centers or via remote online proctoring.
Practice questions: 150
Objectives: 4

What's covered

1. Information Security Governance (17%)

  • 1a Enterprise governance, culture, and security strategy
  • 1b Legal, regulatory, and contractual requirements
  • 1c Security roles, responsibilities, and reporting
  • 1d Security policies, standards, and frameworks
  • 1e Business case, resources, and governance metrics

2. Information Security Risk Management (20%)

  • 2a Risk identification and emerging threats
  • 2b Risk assessment, analysis, and risk appetite
  • 2c Risk response and treatment options
  • 2d Control ownership and risk monitoring and reporting
  • 2e Third-party and supply chain risk management

3. Information Security Program (33%)

  • 3a Security program development and resources
  • 3b Security architecture and control design
  • 3c Security awareness, training, and culture
  • 3d Security program metrics, monitoring, and reporting
  • 3e Integration of security into business processes and SDLC
  • 3f Vendor, asset, and security operations management

4. Incident Management (30%)

  • 4a Incident response planning and readiness
  • 4b Incident classification, detection, and analysis
  • 4c Containment, eradication, and recovery
  • 4d Incident communication, escalation, and reporting
  • 4e Business continuity and disaster recovery integration
  • 4f Post-incident review, forensics, and lessons learned

Frequently asked questions

Are these real exam questions?

No. These are original practice questions written to match the exam objectives, each with an explanation so you actually learn the material. They are not exam dumps.

How does practice mode work?

You answer questions one at a time with instant feedback and explanations. Over time the app adapts, prioritizing the objectives and questions you struggle with most.

What is a mock exam?

A timed, full-length simulation that holds feedback until the end, then shows your score, pass/fail result, and a breakdown by objective.

Can I customize how I study?

Yes. Pick the study mode that fits — adaptive practice, hard mode, ready-for-review, objective coverage, or retrying questions you've missed — and set your own question count, timer, and passing score for each session.

Do I need an account?

You can try free questions for this exam without signing in. Create a free account to save your progress, track weak objectives, and unlock the full question bank.
