CISM by ISACA | FAQs
- MENA Executive Training
- Jun 22
Updated: Jun 23

What is the CISM certification and who is it for?
The CISM (Certified Information Security Manager) certification from ISACA is a globally recognised qualification for professionals who manage and oversee enterprise-level information security.
ISACA designed CISM specifically for information security managers, so it suits people in leadership roles who are responsible for governance, risk, compliance, and aligning security with business goals.
What is the difference between CISM and CISSP?
Both are respected certifications, but they target different roles. ISACA's CISM focuses on information security management and business alignment, making it the better fit for decision-makers and policy leaders. CISSP, offered by ISC², is broader and more technical in scope. CISM is aimed at professionals leading security strategy, whereas CISSP suits those working hands-on in security operations, architecture, and engineering.
What is the difference between CISM and CISA?
CISM and CISA are both ISACA certifications, but they serve different roles. CISM is designed for professionals who manage information security programmes, while CISA (Certified Information Systems Auditor) is tailored to IT auditors who assess and provide assurance over information systems and their controls. In short, CISM focuses on leadership and security governance; CISA focuses on audit and assurance. Both sit within ISACA's certification portfolio.
Should I take CISM or CISSP?
If you are currently in, or moving into, a management or governance role, CISM from ISACA is a strong choice: it demonstrates your ability to align security with business objectives. If you are earlier in your career or mainly involved in technical work, CISSP may be the better foundation, with CISM added later. Many professionals hold both, using CISM to strengthen their leadership credibility.
How many years of experience do I need to become CISM certified?
To earn the CISM certification from ISACA, you need at least five years of professional experience in information security, of which at least three years must be in information security management spanning three or more of the four CISM domains. ISACA requires this experience to have been gained within the ten years preceding your application for certification, or within five years of passing the exam. ISACA also allows certain experience waivers (substitutions) for specific qualifications and credentials.
What are the CISM exam requirements and format?
The CISM exam is a four-hour, computer-based test with 150 multiple-choice questions. Results are reported on a scaled score from 200 to 800, and a score of 450 or higher is required to pass. Passing the exam alone does not make you certified: you must also meet ISACA's professional experience requirements and submit your application for certification within five years of passing.
What is covered under each of the four domains on the CISM exam?
The CISM exam from ISACA is based on four domains that reflect the key responsibilities of an information security manager:
1. Information Security Governance: aligning security with business objectives, selecting frameworks, and creating policy
2. Information Security Risk Management: identifying, assessing, treating, and monitoring information security risk
3. Information Security Programme Development and Management: building, resourcing, and overseeing an effective security programme
4. Information Security Incident Management: preparing for, detecting, responding to, and recovering from security incidents
What are the continuing requirements for the CISM certification?
Maintaining your CISM certification requires earning 120 Continuing Professional Education (CPE) hours over each three-year reporting cycle, with a minimum of 20 CPE hours in every year. You must also comply with ISACA's Code of Professional Ethics, report your CPE through ISACA's process (and retain evidence in case you are selected for audit), and pay the annual maintenance fee to keep your certification in good standing.
Where can I take the CISM exam and how is it scored?
The CISM exam is administered by ISACA and delivered either at PSI testing centres or via remote online proctoring. You receive a preliminary pass/fail result on screen immediately after finishing, and ISACA typically sends the official score within 10 business days. Scoring is scaled: your raw score is converted to the 200 to 800 scale, and 450 or higher is a pass.
How can I take CISM training?
You can prepare for the CISM exam through official training from MENA Executive Training, an ISACA Accredited Training Partner. We deliver CISM courses in person across the Middle East and as live, instructor-led online sessions for participants worldwide. All our CISM programmes follow ISACA's official syllabus and are designed to prepare you fully for the certification exam.