
ISACA CISM (Certified Information Security Manager)

A management-level credential for people who run security, not just configure it. CISM validates that you can build governance, manage risk, run a security program, and lead incident response — aligning all of it with business objectives. The exam rewards judgment, so the whole game is learning to "think like a manager."

New: the all-in-one Learn page. Study every objective in one place — lecture, video, cheat sheet, and a quick quiz, with your progress tracked across all 15 objectives. Includes a daily study-plan generator that schedules you to exam day.


Study tools

Learn (all-in-one): Lecture, video, cheat sheet & quiz for every objective on one page, with completion tracking and a study-plan generator. Your primary study path.

Practice: Domain-tagged questions with instant feedback & explanations. Filter by domain, difficulty, or just your missed ones.

Exam Simulator: 150 questions, 4 hours, domain-weighted like the real CISM, with a full per-domain score breakdown.

Flashcards: Spaced-repetition cards for the highest-yield terms, risk formulas, and easily confused pairs.

Dashboard: Per-domain mastery, mock-exam history, study streak, and a weak-area recommender.

Video Lessons: Curated free Prabh Nair CISM videos, organized by domain.

Cheat Sheets: Printable high-yield quick reference for every domain.

Notes: Your own study notes, exportable to Obsidian-friendly Markdown.

Study Guide: Concept summaries for each of the four domains.

Study Plan: A ~12-week schedule that takes you to exam day.

Confirm which exam content outline applies to you. ISACA is updating the CISM Exam Content Outline (ECO) effective 3 November 2026. The current four-domain ECO described on this page applies to exams taken before that date; ISACA's updated official prep materials are expected around September 2026. Check your scheduled exam date against the changeover and study the matching outline — everything on this CISM track targets the pre-3 Nov 2026 outline.

Exam facts

Credential: Certified Information Security Manager (CISM), issued by ISACA
Questions: 150 multiple-choice questions
Time: 4 hours (240 minutes)
Scoring: Scaled score 200–800; 450 is passing
Cost: US $575 (ISACA member) / US $760 (non-member) per attempt
Experience requirement: 5 years of information security work experience, with at least 3 years in information security management across 3 or more of the four domains. Experience must fall within the 10 years before applying or the 5 years after passing. Up to 2 years can be waived (e.g., holding CISA/CISSP, or a relevant degree).
Exam vs. application: You can pass the exam first and gain/submit the experience later; passing remains valid while you accumulate and document your experience.
Format: Computer-based at a PSI test center or remotely proctored online
Style: Management judgment, not deep technical configuration. Pick the best answer for a manager, not just a correct one.

The four domains & weightings

The exam is heavily weighted toward the program and incident-management domains — plan your study time the same way.

Domain 1: Information Security Governance (17%). Aligning security with business goals: strategy, frameworks, roles, policies, and metrics that the board cares about.
Domain 2: Information Security Risk Management (20%). Identifying, assessing, and treating risk; who owns risk, who accepts it, and how to quantify it (SLE/ALE/ARO).
Domain 3: Information Security Program (33%). Building and running the program: resources, asset classification, controls, awareness, third-party management, and metrics. The biggest slice.
Domain 4: Incident Management (30%). Preparing for and responding to incidents: IR/BC/DR planning, RTO/RPO/MTD, the response lifecycle, and post-incident review.

Strategy in one line: Domain 3 (33%) and Domain 4 (30%) are together about 63% of the exam — invest there. And on every question, think like a manager: the best answer aligns with business objectives, governance, and risk-based decisions, not the most technically detailed fix.
