📋 Table of Contents
- The CISM Passing Score: 450 Out of 800
- How Scaled Scoring Works (It's Not a Percentage)
- How Many Questions Do You Need to Get Right?
- Domain Weights & Their Impact on Your Score
- November 2026 Exam Update: New Domain Weights
- What Your Score Report Looks Like
- What Happens If You Don't Pass?
- 7 Strategies to Hit 450+
- Frequently Asked Questions
The CISM Passing Score: 450 Out of 800
To pass the CISM (Certified Information Security Manager) exam, you must achieve a scaled score of at least 450 out of 800. This requirement has remained consistent across exam updates and is applied uniformly to all candidates worldwide, regardless of testing location or the specific exam version they receive.
The scale runs from 200 to 800. A score of 800 means a perfect exam. A score of 200 represents the fewest correct answers possible. The midpoint of the scale is 500 — which means passing at 450 is actually slightly below the scale midpoint, but well above what would represent random guessing.
CISM Exam Fast Facts (2026)
- Passing Score: 450 out of 800 (scaled)
- Score Scale: 200–800
- Total Questions: 150 multiple-choice
- Time Limit: 4 hours
- Question Format: Single best answer
- Passing Percentage (approx.): ~70–75% correct
- Results: Immediate provisional pass/fail on screen
- Official Score Report: ~10 business days via email
How Scaled Scoring Works (It's Not a Percentage)
This is the part that trips up most candidates: the 450 passing score is not a percentage. Dividing 450 by 800 gives 56.25%, but that figure says nothing about how many questions you must answer correctly, because the scaled score is not computed that simply.
ISACA uses scaled scoring, which is an industry-standard psychometric method used by certification bodies to maintain consistency across different exam forms. Here's the core logic:
- ISACA maintains a large pool of exam questions at varying difficulty levels.
- Different candidates receive different sets of 150 questions, drawn from that pool.
- Some exam versions are slightly harder than others due to the mix of questions included.
- Scaled scoring adjusts for this variation — so a harder exam version requires fewer raw correct answers to achieve the same scaled score.
- The result: a 450 scaled score represents the same level of competency, no matter which exam form a candidate took.
ISACA's Certification Committee, working with psychometricians and active security management professionals, determines that a scaled score of 450 represents the minimum competency level required for an information security manager.
Why the Scale Starts at 200
You might wonder why the lowest possible score is 200 instead of 0. This is a deliberate psychometric design choice. Starting the scale at 200 prevents candidates from seeing a score of "0" or a very low number, which could be misleading. The floor of 200 simply represents the baseline outcome for a candidate who answers the fewest questions correctly — it is not meaningful beyond that.
How Many Questions Do You Need to Get Right?
This is the practical question every CISM candidate wants answered. The honest response: ISACA does not publish this number. But based on candidate reports and industry analysis, the consensus estimate is that you need approximately 105–113 questions correct out of 150 — roughly 70–75%.
| Correct Answers (out of 150) | Raw % | Estimated Scaled Score | Result |
|---|---|---|---|
| 120–150 | 80–100% | ~550–800 | ✅ Pass (comfortable) |
| 105–119 | 70–79% | ~450–550 | ✅ Pass (solid) |
| 90–104 | 60–69% | ~380–449 | ❌ Fail (close) |
| 75–89 | 50–59% | ~300–380 | ❌ Fail |
| Below 75 | Below 50% | 200–300 | ❌ Fail |
Note: These scaled score ranges are estimates based on community data and psychometric principles. Actual conversions vary by exam form difficulty. This table should guide your prep targets, not be treated as exact.
The practical implication: aim for 80%+ on your practice exams. This gives you a comfortable buffer above the 70–75% threshold and accounts for the fact that real exam questions may differ slightly from practice material in difficulty or framing.
Domain Weights & Their Impact on Your Score
The CISM exam's 150 questions are distributed across 4 domains. The number of questions per domain is determined by each domain's weight. Understanding this distribution helps you allocate study time strategically — not all domains are equal.
The current CISM domain weights (pre-November 2026) are:
| Domain | Weight | Approx. Questions |
|---|---|---|
| Domain 1: Information Security Governance | 17% | ~26 questions |
| Domain 2: Information Risk Management | 20% | ~30 questions |
| Domain 3: Information Security Program Development and Management | 33% | ~50 questions |
| Domain 4: Information Security Incident Management | 30% | ~45 questions |
The key insight here: Domain 3 (Program Development) and Domain 4 (Incident Management) together represent 63% of the exam. A candidate who masters these two domains and performs adequately in Domains 1 and 2 can achieve a passing scaled score.
Conversely, a candidate who over-focuses on Domain 1 (Governance, only 17% of questions) while struggling with Domain 3 will find it very difficult to reach 450. Your study plan should reflect these weights. See the full breakdown in our CISM Domains Explained guide.
November 2026 Exam Update: New Domain Weights
This is critical if you're deciding when to take the exam. ISACA is updating the CISM Exam Content Outline effective November 3, 2026. The new domain weights will shift significantly:
| Domain | Current Weight (Pre-Nov 3) | New Weight (Nov 3, 2026+) | Change |
|---|---|---|---|
| Domain 1: Information Security Governance | 17% | 20% | +3% |
| Domain 2: Information Risk Management | 20% | 33% | +13% ⬆️ |
| Domain 3: Information Security Program | 33% | 30% | -3% |
| Domain 4: Incident Management | 30% | 17% | -13% ⬇️ |
The most dramatic shift: Risk Management nearly doubles in weight (20% → 33%), while Incident Management drops from 30% to 17%. ISACA is also adding two new content areas — enterprise architecture and information security architecture — to reflect evolving security manager responsibilities. Updated study materials for the new outline will be available for purchase in September 2026.
Importantly: the passing score of 450 will remain the same after the November 3 update. ISACA has confirmed that the minimum scaled score requirement will not change. Only the content distribution changes.
What Your Score Report Looks Like
On Exam Day: Immediate Provisional Results
When you finish the computer-based CISM exam at a Pearson VUE testing center, you will receive immediate provisional pass/fail feedback on screen before you leave the testing center. This result is provisional — meaning it is subject to final verification by ISACA — but in practice, provisional results are almost always confirmed.
You will not see your scaled score on exam day. The screen will simply show "Pass" or "Fail."
The Official Score Report: 10 Business Days Later
ISACA sends an official score report to the email address on your ISACA account within approximately 10 business days after your exam date. This report includes:
- Your total scaled score (the number out of 800)
- Pass/Fail designation
- Domain-level performance indicators for all 4 domains — shown as Below Competency, Near Competency, or Above Competency
If you pass, you'll also receive instructions for submitting your work experience documentation and completing the CISM certification application. Note: passing the exam is only one step — you still need to demonstrate the required 5 years of information security management experience.
Domain Performance Indicators (Score Report)
- Above Competency: You performed well above the passing threshold in this domain
- Near Competency: You performed at or slightly above the passing level in this domain
- Below Competency: This domain dragged down your score — target it if retaking
What Happens If You Don't Pass?
If your scaled score falls below 450, you will need to retake the exam. Here's what you need to know about the CISM retake policy:
- Retake waiting period: You must wait a minimum of 30 days between exam attempts.
- Maximum attempts per year: You may take the CISM exam up to 4 times in a rolling 12-month period.
- Retake fee: You must pay the full exam fee for each attempt ($575 for ISACA members, $760 for non-members). There are no discounted retake fees.
- No penalty beyond fees: A failed attempt does not result in any suspension of your ISACA account or ability to hold other certifications.
When retaking, use your domain performance indicators strategically. If the report shows "Below Competency" in Domain 3, that's where you focus. Don't spend equal time on all domains — focus your next 30+ days specifically on the areas the report flagged.
For context on how many candidates struggle with passing, see our CISM Passing Rate analysis — the estimated first-time pass rate is 50–65%, meaning a significant minority need a second attempt.
7 Strategies to Hit 450+
Understanding the scoring system is only half the battle. Here's how to translate that knowledge into exam results:
1. Target 80% on Practice Exams, Not 75%
Because the exact conversion from raw score to scaled score is unknowable, aim higher than the estimated threshold. Consistently scoring 80%+ on full-length practice exams means you have sufficient buffer to account for variation in real exam difficulty.
2. Prioritize Domains 3 and 4 First
Domains 3 and 4 together represent 63% of the current exam (dropping to 47% after November 2026). Master these two domains before spending significant time on Domain 1. Time investment should roughly mirror domain weight. Follow a structured plan with our CISM 12-Week Study Plan.
3. Think Like a Manager, Not a Technician
The CISM is explicitly a management exam. When facing a question, the correct answer is almost always the one a security manager or CISO would choose — not what a technical security analyst would do. When in doubt, choose the answer that prioritizes risk management, governance, communication to leadership, or program alignment over technical implementation.
4. Take Domain-by-Domain Timed Quizzes
Don't only practice with full 150-question exams. Run focused 25–30 question quizzes on individual domains under timed conditions (about 45 seconds per question). This reveals domain-specific weaknesses before the real exam reveals them to you.
5. Review Wrong Answers for the "Why," Not Just the "What"
For every question you get wrong, understand the management principle ISACA is testing — not just the right answer. CISM questions often have two defensible answers, and the winner is determined by which one aligns with the governance or risk management framework best. Understanding the principle prevents you from getting tripped up by slight question variations.
6. Simulate Real Exam Conditions
Take at least 2–3 full-length 150-question exams under true exam conditions: 4-hour block, no phone, no breaks except a brief scheduled one, quiet environment. Exam fatigue is real. Many candidates who score well on short quizzes find that their accuracy degrades on questions 100–150. Train for the full distance.
7. Know the November 2026 Cutover Date
If you're testing after November 3, 2026, your exam follows the new domain weights where Risk Management (Domain 2) becomes the largest domain at 33%. This is a significant shift. Make sure your study materials match the content outline for the exam you're actually taking. ISACA will update its CISM Review Manual for the new outline with materials available from September 2026.
Frequently Asked Questions
Is the CISM passing score 450 out of 800 or out of 150?
It's 450 out of 800. The exam has 150 questions, but your raw number correct is converted to a scaled score on the 200–800 scale. Your pass/fail outcome is based on the scaled score of 450, not on a raw count of correct answers.
Has the CISM passing score changed recently?
No. The passing score of 450 has been ISACA's consistent standard and has not changed with recent exam updates. The November 2026 domain weight changes also do not affect the passing score requirement.
Can I see my exact scaled score if I fail?
Yes. Your official score report (emailed ~10 business days after the exam) includes your total scaled score, so you'll know exactly how far you were from 450. You'll also see domain-level performance indicators to guide your retake preparation.
What percentage of questions do I need to get right to pass the CISM?
ISACA does not publish the exact conversion. Based on candidate reports, approximately 70–75% correct answers (roughly 105–113 out of 150) typically translates to a scaled score near or above 450. For safety, target 80% on practice exams.
Do I need a passing score in each domain separately?
No. There are no individual domain passing requirements. Only your total scaled score matters for pass/fail. However, your score report does show domain-level performance indicators — these are for developmental feedback, not scoring thresholds.
How does the CISM passing score compare to CISSP?
CISSP also uses a scaled score from 100–1000, with a passing score of 700 — and CISSP uses Computer Adaptive Testing (CAT) which ends the exam early once competency is determined. CISM is a fixed 150-question exam. See how they compare overall in our CISM vs CISSP guide.
Does ISACA's November 2026 update change the number of exam questions?
No. The exam will remain 150 questions with a 4-hour time limit. Only the distribution of questions across domains changes with the new content outline effective November 3, 2026.