Cybersecurity
CISM (ISACA)
Certified Information Security Manager
Quick facts
| Item | Detail |
|---|---|
| Provider | ISACA |
| Exam code | CISM |
| Level | advanced |
| Format | Multiple choice |
| Questions | 150 questions |
| Duration | 4 hours |
| Passing score | 450 / 800 (scaled) |
| Exam fee | $575–$760 (member / non-member) |
| Validity | 3 years (CPE credits) |
| Languages | EN, ES, JA, ZH |
Overview
CISM (Certified Information Security Manager) is ISACA's management-focused security certification. Where CISSP is broad and technical-leaning, CISM is squarely about governance, risk and running a security programme, which makes it popular with managers and aspiring CISOs.
It requires five years of relevant management experience to certify, though you can pass the exam first and earn the experience within five years. It is frequently paired with, or chosen instead of, CISSP for leadership tracks.
Who it is for
- Security managers and team leads
- Professionals moving from technical roles into governance and risk
- Aspiring CISOs and security programme owners
Who it is not for
- Hands-on engineers who want technical depth — CISM is management-focused.
- Early-career people without security-management exposure (five years' experience is required to certify).
- Those who want a cheap, quick cert.
Exam structure
| Domain | Focus |
|---|---|
| Information Security Governance | Establishing and maintaining a governance framework |
| Information Security Risk Management | Identifying and managing risk to acceptable levels |
| Information Security Program | Building and running the security programme |
| Incident Management | Planning for and responding to incidents |
How the exam is weighted
- Information Security Governance 17%
- Information Security Risk Management 20%
- Information Security Program 33%
- Incident Management 30%
Realistic study time
- Security manager (5+ years): 60-90 hours over 2-3 months
- Technical lead moving into management: 100-150 hours
These estimates show relative effort, not a guarantee. Your time depends on background and study method.
What it really costs
| Item | Cost |
|---|---|
| Exam fee | US$575 member / US$760 non-member |
| Retake | Full fee again |
| Study materials | US$0-500 (ISACA review manual optional) |
| ISACA maintenance | Annual fee + CPE (member / non-member rates) |
Fees change and vary by region. Confirm the current amount on the official site before you register.
Is it worth it?
Worth it for people on a security-management track, where CISM is highly recognised and well paid. It is less suitable if you want to stay hands-on and technical, where CISSP or specialist certifications fit better.
What to do next
CISM suits the management track. Compare CISSP vs CISM if you are weighing technical breadth against governance focus.
FAQ
- CISM or CISSP?
- CISM is management and governance focused; CISSP is broader and more technical. Managers and aspiring CISOs often prefer CISM; technical leads often prefer CISSP. Some hold both.
- Do I need experience for CISM?
- Yes, five years in security management to certify, with some waivers. You can pass the exam first and accrue the experience within five years.
- How do I maintain it?
- Earn Continuing Professional Education (CPE) credits and pay ISACA's annual maintenance fee on a three-year cycle.
Related exams
- CISSP (ISC2) — ISC2
- CompTIA Security+ (SY0-701) — CompTIA