How long is the CISM exam?

The CISM exam is 4 hours (240 minutes) long. This gives you approximately 1 minute and 36 seconds per question. Most candidates find the time sufficient if they manage it actively — use a first pass/second pass strategy.

Can I take the CISM exam online?

Yes. ISACA offers the CISM exam through both PSI testing centers worldwide and via remote online proctoring. Remote proctoring requires a stable internet connection, a webcam and microphone, and a private room. Both methods deliver the same exam content.

How hard is the CISM exam?

The CISM is considered moderately to highly difficult. Industry estimates suggest first-attempt pass rates of 50–60%. The challenge isn't memorizing facts — it's applying management-level judgment in ambiguous scenarios. Technical practitioners often struggle because CISM rewards governance thinking over technical problem-solving.

How many times can I retake the CISM exam if I fail?

ISACA allows up to three exam attempts within a 12-month period. A minimum of 30 days must pass between attempts. Each retake requires paying the full exam registration fee again ($575 for members, $760 for non-members).

Do I need work experience before taking the CISM exam?

No. You can sit for the CISM exam before meeting the experience requirement. However, you must have 5 years of information security management experience (across at least 3 of the 4 domains) to apply for the certification after passing. You have 5 years from your exam pass date to submit your application.

Is the CISM a CAT (computer adaptive test)?

No. Unlike CISSP and CCSP, the CISM exam is a fixed-format test — all candidates receive 150 questions regardless of performance. There is no adaptive scoring mechanism. You can skip and return to questions within the exam.

CISM Exam Format 2026: 150 Questions, 4 Domains & November 3 Update

Q: How many questions are on the CISM exam?

The CISM exam contains 150 questions. All are multiple-choice with four answer options. Some questions are unscored pilot items used by ISACA for future exam development, but you won't know which ones — treat every question as scored.

Q: What is the CISM passing score?

The CISM passing score is 450 on a scale of 200 to 800. This is a scaled score, not a raw percentage. ISACA uses psychometric scaling to account for question difficulty, so 450 doesn't correspond directly to a fixed number of correct answers.

If you're planning to take the Certified Information Security Manager (CISM) exam in 2026, understanding the exact format is one of the most important things you can do before you start studying. Knowing how the exam is structured — how many questions, how much time, what domains are weighted most heavily — lets you allocate your study time intelligently and avoid surprises on test day.

This guide covers everything you need to know about the current CISM exam format, including recent changes, domain breakdowns, scoring, and practical tips from candidates who've passed.

CISM Exam Overview

The CISM certification is administered by ISACA and is widely recognized as one of the top credentials for information security management professionals. Unlike more technical certifications, CISM focuses on governance, risk management, and program leadership — it tests whether you can think and act like a security manager, not whether you can configure a firewall.

Quick Facts: CISM Exam 2026

Number of questions: 150 (scored and unscored)
Question format: Multiple choice (4 options, 1 best answer)
Time limit: 4 hours (240 minutes)
Passing score: 450 out of 800
Exam delivery: Computer-based at PSI testing centers or remote proctored
Cost: $575 USD (ISACA members) / $760 USD (non-members)
Languages: English, Spanish, Japanese, Chinese (Simplified), and others
Domains: 4

The 4 CISM Domains and Their Weights

The CISM exam covers four domains. The weight of each domain determines how many questions you'll see from that area. These weights shifted in recent job practice analyses, so make sure you're studying with up-to-date materials.

Domain	Weight	~Questions
1. Information Security Governance	17%	~25
2. Information Security Risk Management	20%	~30
3. Information Security Program	33%	~50
4. Incident Management	30%	~45

The approximate question counts above are based on the 150 total items. Note that some questions are unscored pilot items that ISACA uses to develop future exams — you won't know which ones are scored and which aren't, so treat every question seriously.

Domain 1: Information Security Governance (17%)

This domain covers establishing and maintaining an information security governance framework aligned with organizational goals. You'll face questions about:

Developing and maintaining an information security strategy aligned with business objectives
Establishing governance structures — roles, responsibilities, and reporting lines
Integrating security governance into corporate governance
Developing security policies, standards, and procedures
Monitoring regulatory and legal compliance requirements
Building a business case for security investments

Key mindset: think like a board advisor. ISACA wants to see that you understand how security supports business objectives, not just technical controls.

Domain 2: Information Security Risk Management (20%)

Risk management is the analytical core of the CISM. This domain tests your ability to identify, assess, and manage information security risks to achieve business objectives.

Establishing a risk management framework and methodology
Performing risk assessments (qualitative and quantitative)
Identifying threats, vulnerabilities, and exposures
Determining risk treatment options (accept, mitigate, transfer, avoid)
Monitoring and reporting risk to stakeholders
Integrating risk management into business processes

Expect scenario-based questions where you need to choose the best risk response given specific business constraints. There's rarely a "technically correct" answer that ignores business context.

Domain 3: Information Security Program (33%)

This is the heaviest domain on the exam, accounting for roughly one-third of all questions. It covers the development and management of the information security program itself.

Developing and managing the information security program aligned to the security strategy
Aligning the program with other assurance functions (audit, compliance, physical security)
Identifying, acquiring, and managing resources (people, budget, technology)
Designing and implementing security controls
Managing security operations (vulnerability management, access control, change management)
Establishing security awareness, training, and education programs
Defining, monitoring, and reporting program metrics (KPIs, KRIs)
Managing third-party and vendor security risk

Because this domain is so broad, it's where most candidates invest the bulk of their study time. Focus on understanding how to build, run, and measure a security program — not just individual controls.

Domain 4: Incident Management (30%)

The second-heaviest domain covers the ability to plan, establish, and manage incident response capabilities.

Developing and maintaining incident response plans and procedures
Establishing incident classification and severity frameworks
Developing escalation and notification processes
Integrating incident management with business continuity and disaster recovery
Conducting post-incident reviews and lessons learned
Testing and refining incident response through exercises and simulations
Managing communication during incidents (internal, external, regulatory)

This domain has become increasingly important in recent years. ISACA now devotes 30% of the exam to it — up from earlier versions. Expect questions about how to organize response teams, when to escalate, and how to communicate with executives during a breach.

Question Format and Style

Every CISM question is multiple choice with four answer options (A through D). You select the single best answer. There are no drag-and-drop, simulation, or fill-in-the-blank questions.

That said, "single best answer" is the key phrase. Many CISM questions present four answers that could all be correct in some context. Your job is to identify which one is most correct given the specific scenario described. This is what makes the exam challenging — it's not about memorizing facts but about applying judgment.

What the Questions Actually Look Like

CISM questions typically fall into a few patterns:

Scenario-based: "A security manager discovers that... What should be the FIRST action?" — Tests your ability to prioritize in context.
Best practice: "What is the MOST effective way to ensure..." — Tests knowledge of governance and management best practices.
Risk-based: "Which of the following represents the GREATEST risk?" — Tests your ability to evaluate and compare risks.
Management-level: "The PRIMARY reason for conducting... is to..." — Tests understanding of why things are done, not how.

Watch for qualifier words like FIRST, MOST, PRIMARY, BEST, and GREATEST. These are signals that multiple answers may be partially correct, and you need to rank them.

Scoring and Passing

The CISM exam uses a scaled scoring model ranging from 200 to 800. The passing score is 450. This is not a simple percentage — ISACA uses a psychometric scaling process that adjusts for question difficulty, so scoring 450 doesn't mean you answered exactly 56% of questions correctly.

You'll receive your preliminary pass/fail result at the testing center immediately after completing the exam. Official scores are typically available within 10 business days through your ISACA account.

If you don't pass, you can retake the exam. ISACA's retake policy allows scheduling after a waiting period, with a maximum number of attempts per year. Check ISACA's current policy as these details can change.

Time Management

With 150 questions in 240 minutes, you have approximately 1 minute and 36 seconds per question. That's more generous than some certifications, but the scenario-based nature of CISM questions means you'll need the time.

Practical time management tips:

First pass (150 min): Work through all 150 questions at roughly 1 minute each. Answer what you know, flag what you don't.
Second pass (60 min): Return to flagged questions. Re-read the scenario carefully — the answer is often in details you skimmed.
Final review (30 min): Quickly scan for any unanswered questions. Trust your first instinct unless you find a clear reason to change.

Never leave a question unanswered. There's no penalty for guessing, and a 25% chance is better than 0%.

Computer-Based Testing vs. Remote Proctoring

ISACA offers the CISM exam through PSI testing centers worldwide and via remote proctoring. Both deliver the same exam content.

Testing Center

Controlled, quiet environment
Locker for personal belongings
No distractions from home environment
Must schedule in advance; limited locations in some areas

Remote Proctoring

Take the exam from home or office
Requires stable internet, webcam, and microphone
Room must be private and free of materials
Proctor monitors you via webcam throughout
Technical issues can disrupt your exam — have a backup plan

Most experienced candidates recommend testing centers for high-stakes exams. The controlled environment removes variables, and you won't lose time troubleshooting technical issues.

Eligibility Requirements

Before you sit for the exam, it's important to understand ISACA's eligibility requirements for CISM certification (not just passing the exam):

Pass the CISM exam (score of 450 or higher)
5 years of information security management experience in at least 3 of the 4 domains, within the 10 years preceding the application or within 5 years of passing
Substitutions: Up to 2 years can be waived with certain other certifications (CISA, CISSP, etc.) or a graduate degree in information security
Adhere to ISACA's Code of Professional Ethics
Comply with the CPE (Continuing Professional Education) policy — 20 hours per year, 120 hours over 3 years

You can take the exam before meeting the experience requirement. Many candidates pass the exam first and then accumulate the required experience over subsequent years.

Study Strategies That Actually Work

Knowing the exam format is step one. Here's how to use that knowledge to study effectively:

1. Weight Your Study Time by Domain

Domains 3 and 4 account for 63% of the exam. If you're limited on time, prioritize them. That doesn't mean ignoring Domains 1 and 2 — a weak domain can still sink you — but the math is clear about where most questions come from.

2. Think Like a Manager, Not an Engineer

This is the single most important mindset shift for CISM. When a question asks "what should the information security manager do," the answer is almost never "configure the firewall" or "patch the server." It's about governance, oversight, risk communication, and organizational alignment. If you're choosing between a technical action and a management action, the management answer is usually correct.

3. Practice with Scenario-Based Questions

Flashcards and memorization won't prepare you for the CISM. You need to practice with scenario-based questions that force you to evaluate options in context. The more scenarios you work through, the better you'll get at identifying what ISACA considers the "best" answer.

4. Learn the ISACA Vocabulary

ISACA has specific ways of framing concepts. For example, "risk appetite" vs. "risk tolerance" have precise meanings in ISACA's framework. "Information security governance" means something specific. Read the CISM Review Manual carefully — not just for content, but for how ISACA uses language.

5. Take Full-Length Practice Exams

Build your stamina. Sitting for 4 hours of concentrated decision-making is mentally exhausting. Take at least 2-3 full-length (150-question) practice exams under timed conditions before your real exam. This trains your pacing and reveals weak areas you might not catch with shorter quizzes.

6. Study the "Why," Not Just the "What"

For every concept, ask yourself: why does this exist? Why would an organization implement this? What problem does it solve? CISM questions frequently test whether you understand the purpose behind controls, policies, and processes — not just their definitions.

Common Mistakes to Avoid

Studying too technically: CISM is a management exam. Don't spend weeks on encryption algorithms when the exam asks about key management governance.
Ignoring Incident Management: At 30%, this domain is too large to underestimate. Many candidates from technical backgrounds assume they "know" incident response but struggle with the management-level questions.
Not reading questions carefully: The difference between "FIRST action" and "BEST action" can completely change the correct answer.
Changing answers without reason: Research consistently shows that first instincts on multiple-choice exams are more often correct. Only change an answer if you identify a specific error in your reasoning.
Underestimating the experience requirement: Passing the exam is only half the battle. Plan your career path to meet the 5-year experience requirement if you haven't already.

What's Different About CISM in 2026?

ISACA periodically updates the CISM job practice based on industry surveys and evolving threats. The current exam version reflects increased emphasis on:

Cloud security governance — managing security in multi-cloud and hybrid environments
Third-party and supply chain risk — assessing and managing vendor security posture
Privacy and regulatory compliance — GDPR, CCPA, and evolving global privacy frameworks
Incident response maturity — moving beyond basic response to proactive threat management
Metrics and reporting — demonstrating security value to the board through meaningful KPIs

If you're using study materials from 2023 or earlier, supplement them with current resources. The core concepts haven't changed, but the emphasis and scenarios reflect today's threat landscape.

⚠️ CISM Exam Update: November 3, 2026

ISACA has announced an updated CISM Exam Content Outline effective November 3, 2026. Key changes include:

Two new content areas added: Enterprise Architecture and Information Security Architecture — reflecting the expectation that security managers understand the technologies in their purview
Greater emphasis on information security strategy and program development
Domain weight shifts — updated materials from ISACA will begin launching September 1, 2026

What this means for you: If you plan to sit for the CISM before November 3, 2026, current study materials remain fully valid. If you're testing after November 3, ensure your prep materials are updated for the new outline. ISACA has stated that exam prep updates will be available from September 1, 2026.

How to Register for the CISM Exam

Registering for the CISM exam is a multi-step process that begins on the ISACA website. Here's exactly how it works:

Create or log in to your ISACA account at isaca.org. Membership is not required to sit for the exam, but members pay $185 less.
Pay the exam registration fee — $575 (member) or $760 (non-member). This is separate from the certification application fee you'll pay after passing.
Receive your Authorization to Test (ATT) email from ISACA, typically within a few business days. The ATT includes your candidate ID and is valid for 12 months.
Schedule your exam through PSI at psiexams.com using your ATT/candidate ID. You choose your preferred date, time, and delivery method (testing center or remote proctoring).
Receive your scheduling confirmation from PSI via email. Save this — you'll need it on exam day.

When to register: ISACA recommends scheduling at least 4–6 weeks before your desired exam date, especially for popular testing centers in major metro areas. Remote proctoring slots are more flexible but can still book up during peak periods (spring and fall are busiest).

Rescheduling and cancellation: You can reschedule or cancel through PSI up to 48 hours before your exam without penalty. Changes made within 48 hours may incur a rescheduling fee. If you miss your appointment without canceling, the exam fee is forfeited. ISACA's exam registration is valid for 12 months from purchase, giving you flexibility to reschedule within that window.

CISM Exam Difficulty: What to Expect

The CISM is widely considered one of the more challenging management-level security certifications. ISACA does not publish official pass rate statistics, but industry surveys and ISACA's own job practice data consistently suggest that first-attempt pass rates range from approximately 50% to 60%. Some estimates run lower depending on the candidate population surveyed.

What makes the CISM difficult isn't the volume of memorizable facts — it's the requirement to apply management judgment in ambiguous scenarios. Candidates who excel at technical exams (CompTIA, OSCP, even CISSP) often underestimate the shift required for CISM's management-first approach.

Why Experienced Professionals Sometimes Struggle

Many CISM candidates are experienced security practitioners who have spent years in technical or operational roles. Their instinct is to solve problems with technical controls. ISACA's exam consistently rewards answers that involve governance, risk communication, stakeholder management, and organizational alignment — not firewall rules.

If you find yourself choosing "implement a technical control" when the scenario involves board-level strategy, you're likely selecting the wrong answer. The "best" CISM answer almost always involves the management action that enables the right technical outcome — not the technical action itself.

How Many Attempts Do Candidates Need?

If you don't pass on the first attempt, ISACA allows retakes after a mandatory waiting period. The current policy permits up to three exam attempts within a 12-month period, with a minimum of 30 days between attempts. Each retake requires paying the full exam registration fee again.

Candidates who fail are provided a score report showing their performance by domain — not individual questions. Use this breakdown to identify which domains need the most attention before retaking. A score in the 420–449 range suggests you're close; a score below 400 typically means a more substantive study overhaul is needed.

After You Pass: The CISM Certification Application

Passing the exam is a milestone, but it doesn't automatically make you a certified CISM. You must submit a separate certification application to ISACA, which involves the following:

Step 1: Verify Your Work Experience

You need 5 years of cumulative, paid work experience in information security management, with at least 3 years in at least 3 of the 4 CISM domains. This experience must have been gained in the 10 years preceding your application date or within 5 years of passing the exam.

Up to 2 years can be waived with qualifying substitutions:

One year waived for a general security management work experience substitution (a graduate degree in information security or a related field)
One year waived for holding CISSP, CISA, or other approved ISACA or ISC2 certifications

Step 2: Submit the Application

The CISM application is submitted online through your ISACA account. The application fee is currently $50 USD, paid separately from the exam registration fee. You'll document your qualifying experience across the applicable domains, listing employers and roles.

Step 3: Get Endorsed

Unlike some certifications, CISM does not require third-party endorsement (ISACA removed the endorser requirement in a process update). Your experience documentation is submitted directly to ISACA, which may audit a percentage of applications to verify claims.

Maintaining Your CISM: CPE Requirements

Once certified, you must maintain your CISM through Continuing Professional Education (CPE). The requirements are:

20 CPE hours per year (minimum)
120 CPE hours over the 3-year renewal period
Annual maintenance fee: $45 (ISACA member) / $85 (non-member)

CPE hours can be earned through conferences, training courses, webinars, self-study, volunteering with ISACA, writing articles, and other qualifying professional development activities. ISACA provides a CPE tracker in your online account.

Exam Day Checklist

Two forms of government-issued ID (one with photo)
Confirmation email from PSI or ISACA
Arrive 30 minutes early at the testing center
No electronics, notes, or study materials in the testing room
Bring a light snack for the break (if allowed at your center)
Get a full night's sleep — cognitive fatigue is real over 4 hours

CISM vs CISSP vs CISM vs CRISC: How the Format Compares

If you're deciding which certification to pursue — or planning a multi-cert path — understanding how the CISM exam format compares to its peers helps you sequence your preparation:

Certification	Questions	Time	Passing Score	Format
CISM	150	4 hours	450 / 800	Fixed, MCQ
CISSP	100–150 (CAT)	3 hours	700 / 1000	Adaptive (CAT)
CRISC	150	4 hours	450 / 800	Fixed, MCQ
CISA	150	4 hours	450 / 800	Fixed, MCQ
CCSP	125 (CAT)	3 hours	700 / 1000	Adaptive (CAT)

CISM, CRISC, and CISA all share the same format: 150 fixed questions, 4 hours, and a 450/800 passing threshold. This makes preparation materials and strategies somewhat transferable. CISSP and CCSP use computer-adaptive testing (CAT), which is a fundamentally different experience — the number of questions adjusts dynamically based on your performance.

If you've recently passed CISSP and are considering CISM next, note that the fixed-format CISM exam can feel longer due to the non-adaptive nature. You can't "finish early" based on performance — you'll see all 150 questions regardless.

For a detailed comparison, see our guides on CISM vs CISSP and CISM vs CRISC.

Frequently Asked Questions About the CISM Exam

How many questions are on the CISM exam?

150 questions, all multiple-choice with four answer options. Some are unscored pilot items — you can't tell which, so treat every question as scored.

What is the CISM passing score?

450 on a scaled score of 200–800. This is not a simple percentage — ISACA scales scores based on question difficulty using a psychometric model. Roughly speaking, scoring 450 requires answering approximately 60–65% of scored questions correctly, but the exact threshold varies by exam version.

Is the CISM harder than the CISSP?

They're different challenges. CISSP is broader (8 domains, CAT format, more technical depth). CISM is narrower (4 domains) but demands purer management thinking. Many candidates report that CISM's judgment-based questions feel more ambiguous than CISSP. If you've passed CISSP, CISM is achievable with focused prep — but don't assume CISSP knowledge directly transfers, especially on governance and program management nuances.

Can you take the CISM exam without experience?

Yes — you can sit for the exam before meeting the 5-year experience requirement. Many candidates take a "pass first, apply later" approach. You have 5 years from your exam pass date to submit your certification application with the required experience documentation.

How long does it take to get CISM results?

You'll receive a preliminary pass/fail result at the testing center immediately after finishing. Official scaled scores appear in your ISACA account within 10 business days. For remote proctored exams, the preliminary result is displayed on screen at the end of the test.

Final Thoughts

The CISM exam is challenging, but it's entirely passable with the right preparation and mindset. Focus on management thinking over technical details, practice with realistic scenario-based questions, and weight your study time toward the heaviest domains.

Remember: ISACA designed this exam for practicing information security managers. The questions reflect real decisions you'd face on the job. If you study with that lens — what would a competent security manager do in this situation? — you'll be well-prepared for test day.

Good luck with your CISM journey.