📋 Table of Contents
- The CISM Certification Process at a Glance
- Step 1: Verify Your Eligibility
- Step 2: Register and Schedule the Exam
- Step 3: Study the Four CISM Domains
- Step 4: Pass the Exam
- Step 5: Submit Your Application
- Step 6: Maintain Your Certification
- Realistic Timeline from Start to Finish
- Frequently Asked Questions
The CISM Certification Process at a Glance
The Certified Information Security Manager (CISM) is an ISACA credential designed for security professionals who manage, design, or oversee enterprise information security programs. It is not a technical certification - it tests management judgment, governance frameworks, risk strategy, and program leadership. That focus is exactly why the credential commands a significant salary premium and appears as a hard requirement on many senior security job postings.
The full process has six discrete steps:
- Confirm you meet the experience requirements (or will meet them within 5 years of passing)
- Create an ISACA account and register for the exam
- Study the four domains - typically 100-200 hours of preparation
- Pass the exam (scaled score of 450/800)
- Submit your application with verified work experience
- Maintain certification with 120 CPE hours every 3 years
Steps 1 and 2 can happen in either order (you can register before your experience is complete), but most candidates confirm eligibility first so they understand what experience documentation they will need later. The exam itself can be taken before your experience requirement is fully met - you have 5 years from your exam pass date to submit a complete application.
Step 1: Verify Your Eligibility
CISM has real experience requirements - this is not a certification you can test into straight out of school. Before spending time or money on exam prep, confirm where you stand against ISACA's criteria.
The Core Requirement
To earn CISM, you need 5 years of work experience in information security, of which at least 3 years must be in information security management. "Management" is defined specifically by ISACA: it must involve managing, designing, or overseeing an information security program - not simply working within one as an individual contributor.
All experience must fall within the 10-year window immediately preceding your application date (or within 5 years after you pass the exam). Experience older than 10 years does not count, so candidates returning to security after a long absence may need to rebuild their clock.
Experience Waivers
ISACA allows a maximum of 2 years of experience substitution against the overall 5-year requirement. Substitutions never reduce the 3-year information security management requirement - those 3 years must always be actual management experience. ISACA's published substitutions:
| Credential / Degree | Years Substituted | Notes |
|---|---|---|
| CISSP (in good standing) | 2 years | Most common substitution; reduces the total floor to 3 years |
| CISA (in good standing) | 2 years | Same credit as CISSP; substitutions do not stack beyond the 2-year cap |
| Post-graduate degree in information security or a related field | 2 years | MS in Cybersecurity, MS in Information Assurance, MBA, etc. |
| One full year of IS management or general security experience, or a skill-based security certification (e.g. GIAC, Security+) | 1 year | Partial substitutions; still subject to the 2-year cap |
Because substitutions are capped at 2 years, holding CISSP (or CISA, or a qualifying graduate degree) alone already takes you to the 3-year floor, and all 3 of those years must be in information security management; adding a second credential earns nothing further. For the full breakdown, see our CISM experience waiver guide.
If you are not sure whether your experience qualifies, review ISACA's official experience requirements documentation on their website. The detailed guide on CISM experience requirements also covers edge cases and how to document borderline roles.
Step 2: Register and Schedule the Exam
Once you are confident in your eligibility (or have a clear timeline to complete it), register through ISACA's website. You do not need to have completed your experience requirement to sit the exam - you just need to complete the application within 5 years of your pass date.
ISACA Membership vs Non-Member Pricing
ISACA membership costs $135/year and reduces the exam fee by $185. Run the math before paying non-member rates:
| Fee Category | ISACA Member | Non-Member |
|---|---|---|
| ISACA Membership (annual) | $135 | N/A |
| Exam Registration | $575 | $760 |
| Application Fee | $50 | $50 |
| Total (Year 1) | ~$760 | ~$810 |
Membership also provides member pricing on official study materials and the official QAE practice question database (Questions, Answers & Explanations), plus access to ISACA chapter events - the QAE discount alone covers a large share of the membership cost for most candidates. See the full CISM certification cost breakdown to plan your total budget.
Scheduling the Exam
CISM is delivered as a computer-based exam through PSI, ISACA's exam vendor, either at a PSI testing center or by remote online proctoring. Testing is available year-round, not in fixed windows. Once your registration is paid, you schedule directly with PSI from your ISACA account; the registration is valid for 12 months, so do not pay until you have a realistic exam date in mind. Most major metro areas have center seats available within 2-4 weeks; rural candidates should weigh the remote-proctored option against a longer drive.
You can reschedule without penalty if you cancel at least 48 hours before your appointment. Same-day cancellations and no-shows forfeit the full exam fee.
Step 3: Study the Four CISM Domains
The CISM exam is organized around four domains. Understanding the weight of each domain is the first step to allocating your study time efficiently:
| Domain | Exam Weight | Approx. Questions |
|---|---|---|
| Domain 1: Information Security Governance | 17% | ~25 |
| Domain 2: Information Security Risk Management | 20% | ~30 |
| Domain 3: Information Security Program Development | 33% | ~50 |
| Domain 4: Incident Management | 30% | ~45 |
Domains 3 and 4 together account for 63% of the exam. If your study time is constrained, weight those first. Domain 1 - Governance - carries the lowest weight but tends to be the hardest conceptually, because its questions turn on ISACA's specific definitions of roles, accountability, and strategy alignment rather than on anything you can reason out from technical experience. See our complete CISM domains guide for a breakdown of every subtopic and key concept within each domain.
How Long to Study
Candidates with strong IS management backgrounds typically need 100-150 hours of focused preparation. Those transitioning from technical roles (engineer, analyst) to a management-framework mindset often need 150-220 hours. On a 10-hour-per-week schedule, that translates to 10-22 weeks of preparation.
The critical skill the exam tests is not memorization - it is applying ISACA's management-first decision framework to scenario-based questions. The right answer is almost always the one a security manager would take to inform leadership, quantify risk, or protect the business - not the technically correct action at the keyboard level.
What to Study With
Three core resources cover the majority of what you need:
- ISACA CISM Review Manual - authoritative but dense; best used as a reference rather than a cover-to-cover read
- A readable third-party guide - Peter Gregory's McGraw-Hill CISM All-in-One Exam Guide or Mike Chapple's Sybex CISM Study Guide provide more digestible explanations of the same material
- A quality practice question bank - ISACA's official QAE database (Questions, Answers & Explanations) is the gold standard; third-party platforms like cissp.app provide additional scenario practice
The CISM 12-week study plan maps a week-by-week schedule across all four domains with built-in review and practice exam phases. Use it as a starting template and adjust based on your domain assessment scores.
Step 4: Pass the Exam
The CISM exam is 150 questions delivered over 4 hours. All questions are multiple-choice (one best answer from four options). There is no penalty for guessing - unanswered questions score zero, so answer every question even if uncertain.
Scoring
ISACA uses scaled scoring. The passing score is 450 on a 200-800 scale. This is not 450/800 = 56% of raw questions correct: ISACA converts the raw number of correct answers to a scaled score that accounts for the difficulty of the specific question set you received. ISACA does not publish the raw-to-scaled conversion; third-party estimates commonly put passing candidates at roughly 65-75% of questions correct on the raw count, but treat that as a rule of thumb, not a target. You receive a domain-level score breakdown with your result, which is the most valuable data if you need to retake.
See the CISM passing score guide for a full explanation of how scaled scoring works and what the domain breakdowns mean for your preparation.
Exam Day Tips
- Arrive 30 minutes early for ID verification and check-in
- Read every question stem fully before looking at answer choices - the scenario context is often the key to the right answer
- When two answers seem correct, ask: which option best aligns with the manager's perspective and the business's interests?
- Flag and return to uncertain questions; the 4-hour window allows time to revisit
- Do not change answers without a clear reason - first instincts on scenario questions are often correct
A preliminary pass/fail result is shown on screen immediately after you finish. The official score report, including the domain-level breakdown, is emailed by ISACA afterwards, typically within about 10 business days.
Step 5: Submit Your Application
Passing the exam is necessary but not sufficient. You must submit a complete application - including verified work experience - before ISACA will grant you the CISM designation. You have 5 years from your exam pass date to submit this application.
The Application Process
- Complete the online application through ISACA's certification portal. You will document each work experience position separately, including dates, employer, job title, and a description of your IS management responsibilities.
- Verify your experience. ISACA requires that each experience claim be verified by your immediate supervisor at that employer or someone of higher rank in that organization. Verifiers receive an email from ISACA asking them to confirm your described responsibilities. This is the most common bottleneck: line up verifiers for each position before you submit, especially for former employers where your old manager may have moved on, and follow up with them promptly.
- Pay the application fee. Currently $50 for both members and non-members.
- Agree to the ISACA Code of Professional Ethics and the CISM Continuing Education Policy.
ISACA processes most complete applications within 10 business days. Once approved, your CISM designation is granted and you appear in ISACA's global certification registry. Your official certificate arrives by mail 4-6 weeks later.
Step 6: Maintain Your Certification
CISM is a living certification, not a lifetime credential. To keep it active you must:
- Earn 120 CPE (Continuing Professional Education) hours over each 3-year certification period
- Earn a minimum of 20 CPE hours per year
- Pay an annual certification maintenance fee ($45 for ISACA members / $85 for non-members)
- Remain in compliance with the ISACA Code of Professional Ethics
CPE hours can come from a wide range of activities: attending security conferences, completing online training, watching webinars, writing security-related content, teaching, ISACA chapter volunteer work, and documented self-study. ISACA's CPE policy caps some activity categories per year (for example, vendor sales presentations and mentoring), so check the per-category limits before counting on any one source, and keep certificates of attendance or other evidence for every hour you report.
If your certification lapses due to missed fees or CPE shortfalls, you can apply for reinstatement - but it requires back-payment and, in some cases, re-examination. The CISM renewal requirements guide covers every qualifying activity and documents what you need to retain for potential CPE audits.
Realistic Timeline from Start to Finish
The table below shows three representative candidate paths:
| Candidate Profile | Experience Status | Study Time | Total Time to Certification |
|---|---|---|---|
| Senior IS Manager with 6+ years | Fully eligible now | 8-12 weeks | 3-4 months |
| Security Manager with CISSP, 4 years experience | Eligible (CISSP substitutes 2 years, reducing the floor to 3 years, all of which must be in IS management) | 10-14 weeks | 4-6 months |
| Technical Security Professional, 3 years management exposure | Needs 1-2 more years in management roles | 12-20 weeks | 12-24 months (experience-gated) |
The most common "stuck" scenario is candidates who pass the exam but then delay submitting their application because they underestimate how long the verifier step takes. Build 2-4 weeks into your timeline after the exam just for application processing and verifier follow-up.
For a complete view of what the credential is worth once earned, see the CISM salary guide and the CISM ROI analysis.
Frequently Asked Questions
Can I take the CISM exam before I have all 5 years of experience?
Yes. ISACA allows you to sit the exam at any time and grants you 5 years from your pass date to complete the experience requirement and submit your application. Many candidates pass the exam first and then accumulate the remaining experience, particularly those who are 2-3 years into a management role when they start studying.
Do I need ISACA membership to take the CISM exam?
No, membership is optional. Non-members pay $760 for the exam versus $575 for members. If you plan to also pursue CISA, CRISC, or other ISACA certifications, or if you will buy official study materials, membership typically pays for itself. You also need membership to access the member discount on the annual maintenance fee.
How many times can I take the CISM exam if I fail?
ISACA allows up to 4 attempts per rolling 12-month period, with mandatory waiting periods between them: 30 days after your first attempt, then 90 days after each subsequent attempt. Each retake requires a new registration at the full exam fee. If you fail, your domain-level score report is the most valuable tool for diagnosing where to focus your preparation before the next attempt.
How long does it take to study for the CISM exam?
Most candidates need 100-200 hours of focused preparation over 10-20 weeks, depending on their background in IS management. Those with deep governance and risk management experience tend toward the lower end; those coming primarily from technical roles typically need more time to internalize the management-first decision framework ISACA tests. See our full CISM study timeline guide for a breakdown by experience level.
What happens if I let my CISM lapse?
If you miss CPE requirements or fail to pay the annual maintenance fee, ISACA places your certification in a "suspended" status. You have a grace period to cure the deficiency. If the suspension is not resolved, the certification lapses entirely and reinstatement requires an application and possible re-examination. The best approach is to track CPE hours continuously throughout the year rather than scrambling to hit minimums at renewal time.
Is CISM recognized internationally?
Yes. CISM is recognized globally across the US, UK, Canada, Australia, Western Europe, and the Middle East. ISACA reports over 70,000 active CISM holders worldwide, and the credential appears in job postings across regulated industries in most major markets. The experience verification and maintenance requirements are the same regardless of geography.
CISM or CISSP - which should I get first?
For security professionals primarily on a management track, CISM is the more directly relevant credential. For those in hybrid technical-management roles, CISSP often comes first because its experience requirements are broader (any of its domains count) and it opens more doors at the individual contributor-to-manager transition point. Holding CISSP also substitutes for 2 of the 5 years of CISM experience, although the 3 years of IS management experience are never waived. For a full comparison, see the CISM vs CISSP guide.
Related Guides
CISM Experience Requirements
Exactly what counts toward the 5-year requirement, how to document it, and edge cases explained.
CISM 12-Week Study Plan
A structured week-by-week schedule for working professionals preparing for the exam.
CISM Certification Cost
Full cost breakdown: exam fees, membership, study materials, renewal, and what employers typically reimburse.
CISM Renewal & CPE Guide
Everything you need to maintain your CISM: CPE categories, annual minimums, fees, and efficient ways to earn hours.
CISM Passing Score Explained
How ISACA's scaled scoring works, what 450/800 really means, and strategies to hit the threshold.
CISM Salary 2026
Median total compensation by experience, job title, and metro area - with 5 steps to convert the cert into a real raise.