Expert | ISACA | Multiple-choice (judgement-led) | ~180 prep hrs | $760 exam

CISM — Certified Information Security Manager

CISM is the cert auditors and boards reach for when they want evidence the security function is being managed, not just operated. ISACA's framing — governance, risk, programme, incident — maps cleanly onto how a CISO presents to an audit committee. CISM is especially valued in financial services, regulated industries and audit-heavy environments where COBIT and ISACA frameworks already drive the conversation.

Operator difficulty: 3/5

Narrower than CISSP and slightly easier at the question level, but every item demands management judgement ('what would the security manager do first?'), which trips up purely technical candidates who reach for the technical fix instead of the governance-first answer.

Fast facts

Cost, hours and exam shape.

Vendor: ISACA
Level: Expert
Exam style: Multiple-choice (judgement-led)
Prep hours (median): ~180 hours
Exam cost (USD): $760 (non-member rate; ISACA members pay less)
Difficulty: 3/5
Who it's for

Pursue this if…

  • Your career is heading toward CISO, deputy CISO or GRC leadership.
  • You work in financial services or a regulated, audit-heavy environment built on ISACA/COBIT.
  • You think in business risk and programme metrics, not tools and exploits.
  • You have audit, PMO or governance experience and want a management-focused credential.
Exam format

What you actually sit.

150 multiple-choice questions in 4 hours. Scores are scaled from 200 to 800 with a pass mark of 450. Delivered through PSI, either at a test centre or by online proctoring. Questions emphasise judgement and management decision-making across four governance-heavy domains; there are no hands-on or simulation items.

Prerequisites

Where you should be before you book.

  • Five years of information security management work experience, of which at least three years must be in three or more of the four CISM domains (up to two of the five years can be waived for related certifications, degrees or management experience; the three in-domain years cannot)
  • Experience must be gained within the ten years before the application date, or within five years of passing the exam
  • Adherence to the ISACA Code of Professional Ethics
  • Continuing Professional Education compliance after certification
Syllabus

What is on the exam.

  1. Domain 1 — Information Security Governance (strategy, organisational structure, metrics)
  2. Domain 2 — Information Security Risk Management (asset identification, risk assessment, treatment)
  3. Domain 3 — Information Security Program Development & Management (architecture, controls, awareness)
  4. Domain 4 — Information Security Incident Management (planning, detection, response, recovery)
Prep roadmap

A study plan you can actually follow.

  1. Internalise the four domains

    Use the ISACA CISM Review Manual as your spine. Governance, risk, programme and incident management are the only four buckets — know which one each question lives in.

  2. Train the management mindset

    Practise answering as a security manager balancing business risk and cost, not as an engineer. ISACA's question logic rewards the governance-first choice.

  3. Drill the ISACA-style question bank

    Work the official ISACA QAE database plus a third-party bank until your judgement matches ISACA's. Review the rationale for every option, right or wrong.

  4. Verify experience and apply

    Pass the exam, then submit a certification application with verified experience (five years total, at least three of them in the CISM domains; up to two of the five waivable) within five years of passing. You are not certified, and cannot use the designation, until ISACA approves the application.

Job roles unlocked

Where this cert opens doors.

  • Information Security Manager
  • CISO / Deputy CISO
  • GRC Lead
  • IT Audit Manager
  • Compliance Consultant
How AxVeil's team uses this cert

From the operator side of the desk.

Our virtual CISO and security-programme retainers are led by CISM-holding consultants. The cert forces you to think in terms of business risk and programme metrics rather than tools and exploits — exactly the lens we need when we are translating a pentest finding into a board-level decision. We pair CISM-led strategy with OSCP-led delivery on every retainer.

FAQ

Questions people ask before booking.

CISM vs CISSP — pick one

CISSP is broader (eight technical and governance domains) and more globally recognised across both technical and management roles. CISM is narrower and laser-focused on the management of an information-security programme. If your career is heading toward CISO / GRC leadership in a regulated industry, CISM has the edge. If you want maximum optionality, CISSP. Many senior leaders hold both.

What is the experience-waiver path?

Up to two of the five years can be waived. A two-year waiver is available for holding CISA or CISSP in good standing, or for a postgraduate degree in information security or a related field. A one-year waiver is available for one full year of information systems management experience, one full year of general security management experience, a skill-based security certification (for example GIAC or MCSE), or completion of an information security management programme aligned with the ISACA Model Curriculum. Waivers do not stack beyond two years, and you still need at least three years of information security management experience in the CISM domains, verified before certification.

How hard is the exam compared to CISSP?

CISM is generally considered slightly easier than CISSP at the question level but heavier on management judgement. Where CISSP asks 'which control', CISM asks 'what would the security manager do first'. Candidates with audit, GRC or PMO backgrounds tend to find CISM more natural; engineers tend to find CISSP more natural.

Is CISM useful outside large enterprises?

Yes — it scales down. The governance, risk and incident-management framing applies just as well to a 50-person SaaS preparing for SOC 2 as to a global bank. The vocabulary aligns with what auditors expect, which speeds up evidence conversations regardless of company size.

What is the maintenance cost?

USD 45 annual maintenance fee for ISACA members (USD 85 for non-members), plus 120 CPE credits per three-year cycle with a 20-credit annual minimum. CPE credits come from ISACA chapter activity, training, conferences and authorship, and ISACA may audit them.

Need a qualified team to deliver the engagement?

We can field operators holding CISM, alongside the rest of the stack (OSCP, OSEP, CISSP), on engagements in 5 to 10 working days. The Letter of Attestation lists the lead tester's credentials so your auditor can verify them.