ISACA CISM (Certified Information Security Manager)
A management-level credential for people who run security, not just configure it. CISM validates that you can build governance, manage risk, run a security program, and lead incident response — aligning all of it with business objectives. The exam rewards judgment, so the whole game is learning to "think like a manager."
New: the all-in-one Learn page. Study every objective in one place — lecture, video, cheat sheet, and a quick quiz, with your progress tracked across all 15 objectives. Includes a daily study-plan generator that builds a schedule running through to your exam day.
Study tools
Learn (all-in-one)
Lecture, video, cheat sheet & quiz for every objective on one page — with completion tracking and a study-plan generator. Your primary study path.
Practice
Domain-tagged questions with instant feedback & explanations. Filter by domain, difficulty, or just your missed ones.
Exam Simulator
150 questions, 4 hours, domain-weighted like the real CISM — with a full per-domain score breakdown.
Flashcards
Spaced-repetition cards for the highest-yield terms, risk formulas, and easily confused pairs.
Dashboard
Per-domain mastery, mock-exam history, study streak, and a weak-area recommender.
Video Lessons
Curated free Prabh Nair CISM videos, organized by domain.
Cheat Sheets
Printable high-yield quick reference for every domain.
Notes
Your own study notes, exportable to Obsidian-friendly Markdown.
Study Guide
Concept summaries for each of the four domains.
Study Plan
A ~12-week schedule that takes you to exam day.
Confirm which exam content outline applies to you. ISACA is updating the CISM Exam Content Outline (ECO) effective 3 November 2026. The current four-domain ECO described on this page applies to exams taken before that date; ISACA's updated official prep materials are expected around September 2026. Check your scheduled exam date against the changeover and study the matching outline — everything on this CISM track targets the pre-3 Nov 2026 outline.
Exam facts
| Credential | Certified Information Security Manager (CISM), issued by ISACA |
|---|---|
| Questions | 150 multiple-choice questions |
| Time | 4 hours (240 minutes) |
| Scoring | Scaled score 200–800; 450 is passing |
| Cost | US $575 (ISACA member) / US $760 (non-member) per attempt |
| Experience requirement | 5 years of information security work experience, with at least 3 years in information security management spanning three or more of the four domains. Experience must fall within the 10 years before applying or the 5 years after passing. Up to 2 years can be waived (e.g., for holding CISA/CISSP or a relevant degree). |
| Exam vs. application | You can pass the exam first and gain/submit the experience later — passing is valid while you accumulate and document your experience. |
| Format | Computer-based at a PSI test center or remotely proctored online |
| Style | Management judgment, not deep technical configuration — pick the best answer for a manager, not just a correct one |
The four domains & weightings
The exam is heavily weighted toward the program and incident-management domains — plan your study time the same way.
| # | Domain | Weight | What it's about |
|---|---|---|---|
| 1 | Information Security Governance | 17% | Aligning security with business goals: strategy, frameworks, roles, policies, and metrics that the board cares about. |
| 2 | Information Security Risk Management | 20% | Identifying, assessing, and treating risk; who owns risk, who accepts it, and how to quantify it (SLE/ALE/ARO). |
| 3 | Information Security Program | 33% | Building and running the program: resources, asset classification, controls, awareness, third-party management, and metrics. The biggest slice. |
| 4 | Incident Management | 30% | Preparing for and responding to incidents: IR/BC/DR planning, RTO/RPO/MTD, the response lifecycle, and post-incident review. |
Strategy in one line: Domain 3 (33%) and Domain 4 (30%) are together about 63% of the exam — invest there. And on every question, think like a manager: the best answer aligns with business objectives, governance, and risk-based decisions, not the most technically detailed fix.