📋 Table of Contents
ISACA's Official CISM Retake Policy
ISACA governs retake eligibility through its Candidate Management System. The core rules have been stable for several years and apply uniformly to all ISACA certification exams, including CISM, CISA, CRISC, and CGEIT.
Key policy points as of 2026:
- Attempt cap: Candidates may attempt the CISM exam a maximum of 3 times within any rolling 12-month window.
- No automatic lockout between attempts: ISACA does not impose a mandatory waiting period of days or weeks between failed attempts. You can reschedule as soon as availability exists at a Prometric center -- typically within days to a few weeks depending on your location.
- Full fee applies each time: Each attempt is treated as a new exam registration. There is no discounted retake fee.
- Score report provided: A domain-level score report is issued after every failed attempt, allowing candidates to identify weak areas before studying for a retake.
- Passing score unchanged: The passing threshold remains 450 on a scale of 200-800 regardless of attempt number. See our CISM passing score guide for how scaled scoring works.
The retake policy applies to your certification exam attempt, not to your application status. If you have already passed the exam but are still completing the experience verification process, retake rules do not apply -- that is a separate track. Passed candidates have 5 years from the date they pass the exam to submit their application and complete the certification.
How Long Must You Wait Between Attempts?
This is the question most candidates have immediately after receiving a failing score. The direct answer: ISACA does not impose a mandatory waiting period between CISM exam attempts beyond the general 3-attempts-per-12-months cap.
In practice, the shortest realistic gap between attempts is determined by two factors:
- Prometric seat availability: The CISM is offered year-round at Prometric test centers globally. In most metro areas, the next available appointment is typically 1-3 weeks out. In lower-demand markets, same-week seats sometimes appear.
- Your registration processing time: Once you submit a new registration through ISACA's candidate portal and pay the fee, you receive a new Authorization to Test (ATT) number. Scheduling at Prometric then requires that number. The ATT typically arrives within a few business days.
So the practical minimum between attempts -- assuming you wanted to rush back -- is roughly 2-4 weeks from the day you fail to the day you could sit again. That assumes immediate re-registration and favorable Prometric availability.
However, most candidates who fail the CISM benefit from waiting 6-10 weeks before retaking. This allows time to review the domain-level feedback from your score report, address genuine knowledge gaps, and complete a focused second round of practice questions. Rushing back without substantive additional preparation rarely produces a different result -- the CISM passing rate data suggests that underprepared repeat attempts fail at similar rates to first attempts.
| Scenario | Practical Timeline to Retake |
|---|---|
| Minimum possible (rush re-register + first available seat) | 2-4 weeks |
| Recommended for most candidates (study gap + seat scheduling) | 6-10 weeks |
| Candidates with major domain gaps (near-failure in 2+ domains) | 10-16 weeks |
Retake Fees and Total Cost
ISACA does not offer a discounted retake fee. Every attempt -- whether your first, second, or third -- costs the same:
| Registration Type | Exam Fee per Attempt |
|---|---|
| ISACA member | $575 |
| Non-member | $760 |
If you are not already an ISACA member, it is almost always worth joining before registering. Annual ISACA membership costs approximately $135-$175 depending on your chapter, which saves you $185 per exam attempt. If you expect to retake even once, membership pays for itself on retake fees alone -- before accounting for the member discounts on study materials, the QAE practice question database, and CPE resources.
The total financial exposure if you use all three attempts within a 12-month period:
| ISACA Member (3 attempts) | Non-Member (3 attempts) | |
|---|---|---|
| Exam fees only | $1,725 | $2,280 |
| With ISACA membership (1 year) | $1,875 - $1,900 | N/A |
| Prometric scheduling fees (if rescheduling within 2-30 days of appointment) | $50-$100 per change | $50-$100 per change |
For a full breakdown of CISM costs -- including study materials and annual maintenance -- see the CISM certification cost guide.
How Many Times Can You Take the CISM Exam?
The hard cap is 3 attempts per rolling 12-month period. ISACA's Candidate Management System tracks this automatically.
What happens if you exhaust all 3 attempts without passing?
- You must wait until your 12-month window resets (measured from the date of your first attempt in the current window) before registering for another attempt.
- There is no permanent ban on retaking the CISM. Once the 12-month window expires, you can register again and your attempt count resets.
- Your exam application (and any associated fees) does not carry over -- you will register fresh.
In practice, very few candidates need to track this limit carefully. The more common constraint is financial: at $575 per attempt for members, three failed attempts within a year represents $1,725 in exam fees, plus study materials. Most candidates who fail once or twice substantially change their preparation strategy rather than immediately re-registering.
There is no limit on total lifetime attempts. A candidate who failed 3 times in 2024, waited for the window to reset, then failed again in 2025, and eventually passed in 2026, would hold a valid CISM certification with no asterisk. ISACA does not track or disclose how many attempts a certified professional took.
Score Reports: What You Learn After a Failed Attempt
This section matters more than most candidates realize. Your score report is the single most useful input for a retake strategy.
After a failed CISM attempt, ISACA provides:
- Total scaled score (200-800 range; 450 is passing)
- Domain-level performance breakdown: your scaled subscores for each of the 4 domains (Governance, Risk Management, Information Security Program, Incident Management)
- Domain weights reminder: so you can contextualize which subscores had the most leverage on your total
What the report does NOT provide:
- Specific questions you got wrong
- The correct answers to questions you missed
- A percentage correct (only scaled scores, not raw scores)
The domain breakdown is where your retake prep should start. CISM's domain weights are not equal -- the exam format breakdown explains how the four domains currently weight out. Information Security Program Management (Domain 3) represents the largest share of questions. If your subscore there is significantly below passing, that domain deserves the most study time before a retake.
A common mistake is treating the retake as a repeat of the same preparation. If that approach produced a failing score once, it will likely produce one again. The score report points you toward the specific domain gaps to address.
Practice Before Your Retake
Thousands of CISM-style questions with domain-level analytics to show exactly where your gaps are. Built by the team behind CISSP Study Group.
Start Free 7-Day Trial →How to Study Smarter for Your Retake
The most common reason CISM candidates fail -- including on a retake -- is not lack of knowledge. It is applying technical or operational thinking to a management-perspective exam. ISACA writes questions that reward the answer a seasoned security manager would choose, not what an analyst or engineer would instinctively pick.
Step 1: Audit Your Score Report Honestly
Map your domain subscores against the domain weights. If you scored below 400 in Information Security Program Management (the highest-weight domain), that is a priority-one problem. If you scored 470 in Governance (the lowest-weight domain) but 380 in Incident Management, the Incident Management gap has more total-score impact to recover.
Step 2: Shift Your Question Practice to Scenario-Based Items
Many candidates over-rely on questions that test definitions and frameworks. The CISM exam is scenario-heavy -- most questions present a situation and ask what the information security manager should do first, next, or instead. Practice resources that mirror this format (ISACA's QAE database is the gold standard) train the right decision-making reflex.
Step 3: Review ISACA's Official Materials, Not Just Third-Party Books
Third-party CISM books are useful, but they sometimes explain concepts using industry-standard frameworks that don't align precisely with how ISACA frames the same concepts in exam questions. Cross-reference answers against the ISACA CISM Review Manual and the exam content outline to make sure you're learning ISACA's perspective, not just security best practices generally.
Step 4: Timed Full-Length Practice Exams
The CISM is 150 questions in 4 hours. At 90 seconds per question average, time pressure is real for candidates who read slowly or overthink items. Full-length timed simulations force you to practice pacing, not just knowledge recall. Aim for at least 2-3 complete practice exams before your retake.
Step 5: Focus on the Manager Mindset
Before reading any answer choice, mentally prepend: "As the information security manager, what is the MOST appropriate action?" This framing filters out technically correct answers that reflect the wrong role (auditor, analyst, technician) or the wrong timing (reactive when the question calls for proactive).
Frequently Asked Questions
How many times can you retake the CISM exam?
ISACA allows a maximum of 3 attempts within any rolling 12-month period. Once the 12-month window resets, you can attempt again. There is no lifetime cap on total attempts.
Is there a waiting period after failing the CISM?
No mandatory waiting period beyond Prometric seat availability. You can re-register and schedule a retake as soon as you receive your score report and submit a new registration. Practical lead time from failing to sitting again is typically 2-4 weeks minimum, though most candidates benefit from waiting 6-10 weeks to adequately re-prepare.
How much does it cost to retake the CISM?
The retake fee is the same as the initial exam: $575 for ISACA members and $760 for non-members. There is no discounted retake rate. ISACA membership (~$135-$175/year) saves $185 per attempt, so it pays for itself if you sit the exam twice.
Does ISACA tell you which questions you got wrong?
No. ISACA provides a domain-level score breakdown but does not disclose specific questions, your answers, or the correct answers. This protects exam integrity. Your score report will show scaled subscores for each of the 4 domains, which is enough to diagnose where to focus study effort.
Can I reschedule my CISM exam after registering?
Yes. You can reschedule your Prometric appointment without penalty if you do so more than 30 days before your scheduled date. Rescheduling within 30 days incurs a Prometric rescheduling fee (typically around $50). No-shows forfeit the exam fee entirely. Check your specific registration terms at the time of booking, as Prometric policies can change.
Does failing the CISM affect your ISACA membership or application status?
No. A failed exam attempt has no impact on your ISACA membership status, any prior certifications you hold (CISA, CRISC, etc.), or your ability to register for future attempts. Your application record simply reflects the attempt without affecting standing.
How long do you have to pass after registering?
Once you receive your Authorization to Test (ATT), you have one year to schedule and sit the exam. If you do not sit within that window, your registration expires and you would need to re-register (and pay again) to continue pursuing the certification. Your ATT is separate from the 3-attempts-per-12-months limit -- expiration is about scheduling, not attempt counts.
What changes with the November 2026 exam update?
ISACA is updating the CISM Exam Content Outline effective November 3, 2026, which will change domain weights. The retake policy itself (attempt limits, fees, wait times) is not expected to change, but check isaca.org for any updates closer to the transition date. If you fail in October 2026 and retake in December 2026, you will test against the new content outline on your retake.
Related Guides
CISM Exam Format (2026)
Question types, time limits, domain weights, and what to expect at the Prometric center.
CISM Passing Score
How the 450 scaled score works, how many questions you actually need correct, and domain-by-domain strategy.
CISM Certification Cost
Full cost breakdown including exam fees, membership, study materials, and 3-year total.
CISM 12-Week Study Plan
A structured retake prep plan covering all 4 domains while working full-time.