The CISM certification from ISACA is a globally accepted standard of achievement in cybersecurity management, conveying that certification holders adapt technology to their enterprise and industry.


Exam Details

Certification  CISM
Performance-based Questions No
Exam Length 4 Hours, 150 Questions
Experience Level Manager
Pre-requisites 5 years experience
Exam Price  $575 member/ $760 non-member
Passing Score  450 (out of 800)

1. General CISM Exam FAQs

  • The CISM exam has a time limit of 4 hours.

  • Exams are administered at PSI testing locations worldwide. Visit for a listing of the current exam sites. Please note that this list is subject to change as ISACA and its testing vendor (PSI) continue to identify and develop additional testing sites to further increase the network available to candidates.

  • Yes. You can review answers and flag questions you want to review before your time is completed.

  • Candidates will receive a preliminary score on screen at the conclusion of their exam. Candidates do not receive a printout of these results on site. Official results are emailed to candidates within 10 working days of the exam. To ensure the confidentiality of scores, exam results will not be released by telephone or fax.

  • Yes, but you will not need to go through the eligibility application process again.

  • The requirements for the CISM certification are listed on ISACA’s website here:

  • Qualifying for CISM requires a combination of four “e’s”: experience, ethics, education and exam. Specifically, the requirements are:

    1. Earn a passing score on the CISM exam
    2. Adhere to the ISACA Code of Professional Ethics
    3. Commit to abide by the Continuing Professional Education Policy
    4. Submission of verified evidence of a minimum of five years of information security work experience, with a minimum of three years of information security management work experience in three or more of the job practice areas. Waivers for general information security work experience are available, if certain education or certification requirements are met.
  • CISM is unique in the information security credential marketplace because it is designed specifically and exclusively for individuals who have experience managing an information security program. Experience requirements and the CISM exam are based on the experience required to competently perform the duties and responsibilities of an information security manager. These requirements and the tasks and knowledge that are tested were developed by information security leaders and later validated by subject matter experts and information security managers. The requirements are designed to measure an individual’s management experience in information security situations, not general practitioner skills.

  • The retail price of the CISM exam voucher is $575 for ISACA members and $760 for non-members. We provide the CISM exam voucher for an additional $500 with every course registration, regardless of ISACA membership. 

  • The exam voucher is valid for 1 year from date of voucher release.

  • ISACA uses a 200-800 point scale with 450 as the passing mark for the exams. A scaled score is a conversion of the raw score on an exam to a common scale. It is important to note that the exam score is not based on an arithmetic or percent average. For example, the scaled score of 800 represents a perfect score with all 150 questions answered correctly; a scaled score of 200 is the lowest score possible and signifies that only a small number of questions were answered correctly.

    A candidate must receive a scaled score of 450 or higher to pass the exam. A score of 450 represents a minimum consistent standard of knowledge as established for the exam by the respective ISACA Certification Committee. The passing score of 450 represents the minimum number of questions that must be answered correctly by the candidate in order to demonstrate practical application of the job task and knowledge statements. A candidate receiving a passing score may then apply for certification if all other requirements are met.

  • The application processing fee of US $50 will be required to apply for certification. Payment for the CISM application processing fee can be made online at

  • Yes you may take one each of CISA, CRISC, CISM and CGEIT within the same window. You may NOT take the same certification exam more than one time within a window. For example, you may take both the CISA and CRISC in the same window, but you would not be allowed to take the CISA exam more than one time in the same window.

  • CISM applications are located on ISACA’s website here:

  • In order to become and remain a CISM an individual must agree to comply with the CISM continuing professional education policy. This policy requires an individual to earn a minimum of twenty (20) continuing professional education hours annually and one hundred and twenty (120) continuing professional education hours for every three year cycle. In addition, an annual maintenance fee of US $45 ISACA member and US $80 nonmember is required.

  • The CISM certification program recognizes the achievement of the CISA credential as a baseline representation that an individual has gained general information security skill and knowledge. As such, CISAs receive a two-year general information security waiver. However, CISAs will not be eligible to earn a CISM unless they have the required experience and can demonstrate proficiency and practical knowledge in the role of an information security manager.

  • Information security management is a broad field, and encompasses many specialties within the security profession. ISACA categorizes these management activities into four areas, as defined in the most recent Job Task Analysis. Each area is broken into discrete tasks, and each task is further broken down into the supporting knowledge required to perform each task. In order to qualify for the CISM certification, the CISM candidate must have a minimum of five years of information security experience, of which three or more years must be information security management work. Note that the requirement does not dictate that the individual must have a specific position that designates them as a CISO or any other specific security management title. However, for those that do not have this designation, the role that they perform must clearly map to tasks within 3 of the 4 management areas as defined in the CISM Job Task Analysis. While less common these days, there are still organizations that have individuals in hybrid roles that include duties of an information security manager along with other unrelated responsibilities. This is particularly true in smaller organizations that do not have sufficient staff for an information security department or dedicated role. Note that audits, reviews, gap analysis, or other activities that assess the effectiveness of an information security program that is managed by others do not fully meet the standard for information security management. For more information, see the question below regarding audit experience.

  • The minimum acceptable time is 1 year of experience in each of at least 3 of the 4 areas (and an additional two years general information security experience or a combination of time and qualifying educational or certification substitutions that are listed on the CISM Application).

  • The CISM certification program recognizes the achievement of the CISSP credential as a baseline representation that an individual has gained general information security skill and knowledge, just as it does with individuals who have earned a CISA. As such, CISSPs receive a two-year general information security experience waiver.

  • To earn the CISM credential you need five years of information security work experience, with a minimum of three years of information security management work experience in three or more of the job practice analysis areas. The work experience must be gained within the ten-year period preceding the application date for certification or within five years from the date of originally passing the exam.

    There are exceptions and substitutions allowed for the 5-year requirement as follows:

    Two Years:

    • Certified Information Systems Auditor (CISA) in good standing
    • Certified Information Systems Security Professional (CISSP) in good standing
    • Post-graduate degree in information security or a related field (e.g., business administration, information systems, information assurance)

    One Year

    • One full year of information systems management experience
    • One full year of general security management experience
    • Skill-based security certifications (e.g., SANS Global Information Assurance Certification (GIAC), Microsoft Certified Systems Engineer (MCSE), CompTIA Security +, Disaster Recovery Institute Certified Business Continuity Professional (CBCP), ESL IT Security Manager)
    • Completion of an information security management program at an institution aligned with the Model Curriculum
    • The experience substitutions will not satisfy any portion of the three-year information security management work experience requirement.

    Exception: Two years as a full-time university instructor teaching the management of information security can be substituted for every one year of information security experience.

  • In order to be a CISM “in good standing”, the following must be achieved:

    • Certification granted from the corresponding Board, resulting from an approved application
    • Continuing professional education is current and up-to-date
    • All renewal fees/maintenance payments are current
    • Continued compliance with the ISACA’s Code of Professional Ethics

2. CISM Course FAQs

  • The course length depends largely upon your personal preference. The On-Demand course can take anywhere from just a few weeks on an accelerated schedule to the full six months of access we provide to the course.  In short, this course is designed to fit around your busy schedule.

  • CyberVista instructors are ISACA authorized and CISM certified.  Our instructors, working cybersecurity practitioners, deliver over dozens of hours of live and on-demand videos throughout the duration of the course.

  • Light board technology uses an illuminated glass pane between the instructor and the camera that allows the instructor to illustrate concepts while remaining face-to-face with students. We use a light board during our instruction so you can follow along in real time while your instructor demonstrates important topics in cybersecurity. Though we do use PowerPoint in our lessons, there is no “death by PowerPoint” in our course.

  • There are more than 1,000 practice questions available to those who enroll in the live online CISM training course. Students can use both the supplied question banks as part of the course pack as well as the digital question bank in the learning management system to prepare for the exam.

  • You will receive login credentials for the LMS and your diagnostic exam the week prior to the start of the course.

  • You will have unlimited access to content-specific videos addressing all domains for up to 6 months following your registration. There are no time limits on daily use and you are able to review previously reviewed content at any time.
  • The diagnostic exam is a 100 question online, multiple-choice practice test that will help you to uncover what you already know and where you should focus your efforts in order to perform well on CISM exam.  We use the results of your diagnostic exam to deliver you a personalized and efficient study plan for the duration of the course. In addition to the questions of the exam, we also include a short survey to learn more about you and how you study.

    You will take this diagnostic in the week prior to your first live online class. You can self-administer the diagnostic exam as soon as your instructor has delivered your credentials to access the learning management system (LMS).

  • Please note sessions are defined as usage of online resources including the diagnostic, or proctored exams.

    • Cancellation before any session, 100% fees are refunded (less shipping & handling fee).
    • Cancellation before two sessions, 75% fees are refunded (less shipping & handling fee).
    • Cancellation before three sessions, 50% fees are refunded (less shipping & handling fee).
    • Cancellation after third session, there will be no refund.

    A refund will be processed after all student materials are returned to CyberVista.