
Key facts
- Number of CISM certification holders since its inception in 2002: 45,000+
- Average U.S. salary for CISM certification holders as of September 2022: $156,420 (CISM salary information)
- Recommended experience: 5+ years in information security (CISM certification requirements)
Start your journey to becoming a certified information security manager with Infosec's comprehensive CISM training options.
CISM exam overview
The CISM exam evaluates your ability to manage and govern a company's information security program across four domains. The domains and their weightings were updated in June 2022 to reflect the latest job practice areas; each domain covers the topics listed below.
Domain 1: Information security governance (17%)
- Enterprise governance
- Information security strategy development
- Organizational culture and structure
- Regulatory and legal requirements
- Governance frameworks
- Strategic planning
Domain 2: Information security risk management (20%)
- Risk assessment, analysis and response
- Emerging threat landscape
- Risk and control ownership
- Risk monitoring and reporting
Domain 3: Information security program (33%)
- Information security program development and management
- Resources (people, tools and technologies)
- External services (suppliers and third and fourth parties)
- Awareness training
- Policies and procedures
- Program metrics
- Security control design, selection, implementation and testing
- Communications and reporting
Domain 4: Incident management (30%)
- Readiness and operations
- Business impact analysis (BIA)
- Business continuity plan (BCP)
- Disaster recovery plan (DRP)
- Incident classification
- Training, testing and evaluation
- Investigative tools and techniques
- Containment methods
- Reporting and escalation
- Post-incident review
Learn more about the CISM domains.
CISM exam details
The CISM exam evaluates your ability to manage and govern a company's information security program. It covers four domains: Information Security Governance, Information Security Risk Management, Information Security Program, and Incident Management.
| Item | Detail |
| --- | --- |
| Launch date | 2002 |
| Last update | June 2022 |
| Number of questions | 150 |
| Type of questions | Multiple-choice |
| Length of test | 4 hours |
| Passing score | 450 (scaled score of 200-800) |
| Recommended experience | 5+ years of work experience in at least three domains (up to 3 years in experience waivers available) |
| Languages | English, Chinese Simplified, Japanese, Spanish |
| Validity duration | Three years |
| CPEs needed for renewal | 120 (at least 20 annually) |
| Exam cost | $575 for members, $760 for non-members |
Additional CISM exam resources
Prepare for your CISM exam with these essential study materials and resources designed for comprehensive security management learning.
CISM study guides and books
Quality CISM training materials are essential for exam success. You can find great options at your local library, bookstore or online. Highly rated titles include:
- CISM Certified Information Security Manager All-in-One Exam Guide by Peter H. Gregory
- CISM Certified Information Security Manager Study Guide by Mike Chapple
- Complete Guide to CISM Certification by Thomas R. Peltier
CISM practice questions and exams
Test your knowledge with practice materials designed to assess your readiness and improve your CISM preparation. Some solid sources include:
- ISACA's free CISM practice quiz
- CISM Review Questions, Answers & Explanations (QAE) Manual, 10th edition (published by ISACA and also available as a 12-month subscription to the QAE Database)
- CISM Certified Information Security Manager Practice Exams by Peter H. Gregory (published by McGraw Hill)
Professional CISM training courses, like Infosec's CISM Boot Camp, offer unlimited practice exam attempts and access to the ISACA Official Question, Answer & Explanation (QAE) Database as part of their comprehensive virtual CISM training package.

Other free CISM training resources
There are a number of other free CISM training materials being produced and shared by the community:
- Forums: TechExams, Reddit and similar forums include posts by people preparing for the CISM exam or who have already taken it.
- Podcasts: Learn more about changes to CISM and more on podcasts like Cyber Work.
- Other social media: CISM is a popular exam, and many people have created free training videos on YouTube, TikTok, Twitch and other platforms.
CISM jobs and careers
The CISM credential is ideal if you’re a senior-level professional pursuing an information security management and governance career. The ISACA CISM certification opens opportunities to some of the highest-paying jobs in the industry, with CISM job titles spanning technical, managerial, and executive levels.
Common CISM job titles
- Information security manager
- IT governance manager
- Risk manager or risk consultant
- Chief information security officer (CISO)
- Security consultant or security analyst
- IT audit manager or IT auditor
- Information systems security manager
- Business continuity manager
- Compliance officer
CISM live boot camps and self-paced training
One of the best ways to prepare and ensure exam success is through training programs designed by ISACA-accredited organizations. Infosec offers multiple CISM training options to match your learning style and schedule requirements.

Live CISM Boot Camp
Live online or in-person boot camps are often the quickest route to certification. For example, the Infosec CISM Boot Camp provides five days of intensive training that helps you pass the exam on your first attempt.
Advantages of enrolling in a boot camp include:
- Live instruction: Boot camps provide the opportunity to interact with instructors and peers who have valuable industry or exam experience to share.
- Complete certification package: Search for a boot camp provider that includes training materials, exam vouchers or other resources with no hidden costs.
- Higher pass rates: Boot camps prepare you to pass the exam on your first attempt, and providers like Infosec back their training with an Exam Pass Guarantee.
Learn more about the live CISM Boot Camp.

Self-paced CISM training
Many providers offer self-paced CISM training and learning resources if you can’t take designated time off for boot camps.
The benefits of self-paced CISM training include:
- Train at your own pace: Train when it’s convenient for you — whether that’s 30 minutes over your lunch or a few hours on the weekend. It’s a great alternative if you can’t set aside dedicated hours for a week of live instruction.
- Test on your schedule: With a self-study approach, you can take the exam when you feel ready or when the material is freshest in your mind.
- Accredited training partner: Be sure to train with an ISACA-accredited partner to get the most up-to-date CISM training materials.
Learn more about the self-paced CISM training.
CISM certification comparisons and alternatives
The best certification for you depends on your career goals, current role and experience. CISM is just one of several prestigious information security certifications on the security certification pathway. Here's how CISM compares to other well-known credentials:
CISM vs. CISSP
Both CISM by ISACA and CISSP by (ISC)² are aimed at seasoned security professionals and are recognized globally. While they have an overlap in some content, CISSP has a broader technical focus covering eight domains of security, whereas CISM is more managerial and revolves around information security governance and management. CISSP is ideal for those who are hands-on in security implementation and day-to-day operations, while CISM is for those managing and governing a company's information security program. Both require significant work experience in their respective fields.
CISM vs. CISA
CISM and CISA (Certified Information Systems Auditor) are both offered by ISACA and are often seen together in the job market. While CISM focuses on security management and governance, CISA centers around IT auditing, control and assurance. Someone with CISA would be looking at the controls and systems in place and ensuring they're compliant, whereas a CISM professional would be overseeing and establishing the company's information security posture.
CISM vs. CRISC
Both certifications are under ISACA's umbrella. CISM is centered around information security management, while CRISC (Certified in Risk and Information Systems Control) focuses on IT risk management and its business implications. If you're a professional whose main task is to identify and manage risks, then CRISC might be the better fit. On the other hand, if you're into the broader spectrum of information security management and governance, then CISM would be more appropriate.
CISM vs. CompTIA Security+
While CISM is an advanced certification focusing on governance and management, Security+ by CompTIA is more foundational. Security+ is often an entry point for many into the cybersecurity field, covering a broad range of introductory topics. With its managerial slant and prerequisites, CISM is typically pursued by those who have been in the field for some time and are looking at higher-tier managerial roles in information security.

Explore Infosec certifications to find the best fit for your career goals.
Most recent CISM articles
- How to become CISM certified: Certification requirements
Stay up on the latest trends and insights with Infosec's blog.