ISACA Certification

CISM

Certified Information Security Manager

ISACA | 4 domains · 47 modules

This track is built to help you think like a security manager — the way ISACA expects on the CISM exam. Not memorization. Not checklists. Decision-driven reasoning across governance, risk, program management, and incident response.

Exam Details

Format: 150 multiple-choice questions
Time: 4 hours
Cost: $575 USD (ISACA member) / $760 USD (non-member)
Passing Score: 450 out of 800
Experience: 5 years in information security management (waivers for up to 2 years with relevant experience or certifications)
Renewal: 20 CPE hours/year; annual fee $45 (member) / $85 (non-member)

What You’ll Learn

  • Understand information security governance from a management perspective
  • Build decision frameworks for risk management scenarios under uncertainty
  • Learn what ISACA expects when evaluating security programs and incident response
  • Develop structured readiness self-assessments to know when you’re exam-ready

Domain 1 — Information Security Governance

Enterprise governance, organizational culture, legal and regulatory requirements, and information security strategy development.

Section A — Enterprise Governance

  • Module 1: Organizational Culture
  • Module 2: Legal, Regulatory, and Contractual Requirements
  • Module 3: Organizational Structures, Roles, and Responsibilities
  • Section A Review: Enterprise Governance

Section B — Information Security Strategy

  • Module 4: Information Security Strategy Development
  • Module 5: Information Governance Frameworks and Standards
  • Module 6: Strategic Planning
  • Section B Review: Information Security Strategy

Domain 1 Review

  • Capstone Review: INFORMATION SECURITY GOVERNANCE

Domain 2 — Information Security Risk Management

Risk identification, assessment, response, and monitoring aligned to organizational objectives and risk appetite.

Section A — Information Security Risk Assessment

  • Module 7: Emerging Risk and Threat Landscape
  • Module 8: Vulnerability and Control Deficiency Analysis
  • Module 9: Risk Assessment and Analysis
  • Section A Review: Information Security Risk Assessment

Section B — Information Security Risk Response

  • Module 10: Risk Treatment / Risk Response Options
  • Module 11: Risk and Control Ownership
  • Module 12: Risk Monitoring and Reporting
  • Section B Review: Information Security Risk Response

Domain 2 Review

  • Capstone Review: INFORMATION SECURITY RISK MANAGEMENT

Domain 3 — Information Security Program

Program development, resource management, control design and implementation, awareness training, and external service management.

Section A — Information Security Program Development

  • Module 13: Information Security Program Resources
  • Module 14: Information Asset Identification and Classification
  • Module 15: Industry Standards and Frameworks for Information Security
  • Module 16: Information Security Policies, Procedures, and Guidelines
  • Module 17: Information Security Program Metrics
  • Section A Review: Information Security Program Development

Section B — Information Security Program Management

  • Module 18: Information Security Control Design and Selection
  • Module 19: Information Security Control Implementation and Integration
  • Module 20: Information Security Control Testing and Evaluation
  • Module 21: Information Security Awareness and Training
  • Module 22: Management of External Services
  • Module 23: Information Security Program Communications and Reporting
  • Section B Review: Information Security Program Management

Domain 3 Review

  • Capstone Review: INFORMATION SECURITY PROGRAM

Domain 4 — Incident Management

Incident management readiness, response planning, business continuity, disaster recovery, and post-incident review.

Section A — Incident Management Readiness

  • Module 24: Incident Response Plan
  • Module 25: Business Impact Analysis (BIA)
  • Module 26: Business Continuity Plan (BCP)
  • Module 27: Disaster Recovery Plan (DRP)
  • Module 28: Incident Classification/Categorization
  • Module 29: Incident Management Training, Testing, and Evaluation
  • Section A Review: Incident Management Readiness

Section B — Incident Management Operations

  • Module 30: Incident Management Tools and Techniques
  • Module 31: Incident Investigation and Evaluation
  • Module 32: Incident Containment Methods
  • Module 33: Incident Response Communications
  • Module 34: Incident Eradication and Recovery
  • Module 35: Post-Incident Review Practices
  • Section B Review: Incident Management Operations

Domain 4 Review

  • Capstone Review: INCIDENT MANAGEMENT

Career Benefits

  • Average salary: $110,000–$162,000 (varies by region and experience)
  • Globally recognized for information security management expertise
  • DoD 8570.01-M / 8140 compliance for IAM Level II/III
  • Required or preferred for CISO, Security Director, Security Manager roles

How It Compares

CISM focuses on managing and overseeing an enterprise's information security program, while CRISC zeroes in on IT risk. If your career path leads toward security leadership and program management, CISM is the right choice. If you're more focused on risk assessment and mitigation, consider CRISC.