CISM Certification Guide 2026: Exam, Cost & Salary

Standarity Editorial Team · CISM-Certified Information Security Managers · 9 min read

The CISM certification (Certified Information Security Manager) is ISACA’s flagship credential for professionals who manage, design and govern an enterprise information security program rather than operate the tooling day to day. It validates that you can align security with business objectives, run risk management, build a security program and lead incident response. In 2026 the exam is 150 multiple-choice questions delivered over 240 minutes, and it is aimed squarely at security managers, program leads and aspiring CISOs (ISACA, 2026).

What is the CISM certification and who is it for?

CISM sits at the management layer of the security profession. Where hands-on certifications prove that you can configure firewalls or hunt threats, CISM proves that you can decide which risks the business accepts, justify a security budget to executives and make sure controls actually serve strategy. That management framing is why so many hiring managers use it as a shorthand for “this person can run a security function.”

We generally recommend CISM to people who are already in, or moving toward, roles such as information security manager, security program manager, GRC lead, cyber risk consultant or CISO. If you are earlier in your career and still deep in technical delivery, a control- or audit-focused path may fit better first — our guide to cissp-vs-cism-vs-cisa-major-credentials breaks down where each credential lands, and our choosing-grc-certification-cgrc-crisc-cism comparison helps if you are weighing CISM against other governance and risk options.

The four CISM domains and their weightings

The current CISM job practice is built on four domains. The weightings tell you where to spend your study time — program development and incident management together make up nearly two-thirds of the exam (ISACA, 2026):

  • Domain 1 – Information Security Governance: 17%. Strategy, governance frameworks, roles and aligning security with business goals.
  • Domain 2 – Information Security Risk Management: 20%. Risk identification, assessment, treatment and reporting to the business.
  • Domain 3 – Information Security Program Development and Management: 33%. Building, resourcing and running the security program and its controls.
  • Domain 4 – Information Security Incident Management: 30%. Preparing for, detecting, responding to and recovering from security incidents.

Note: ISACA has scheduled a job-practice update that takes effect for exams from November 3, 2026, with refreshed study materials available from September 2026. If you test before that date, the domain outline above applies; if you test after, confirm the current weightings on ISACA’s site before you build your study plan (ISACA, 2026).

CISM exam format and passing score

The CISM exam is 150 multiple-choice questions with a 240-minute (four-hour) time limit, which works out to a little under 100 seconds per question. It is scored on a scaled range of 200 to 800, and the passing score is 450. Your scaled score is a statistical conversion of the number of questions you answer correctly, not a raw percentage, so a fixed number of correct answers does not map neatly to a single percentage (ISACA, 2026).

The difficulty is less about memorizing facts and more about judgment. Many questions describe a scenario and ask what a security manager should do first or next, and more than one answer will look defensible. The trick is to answer from the perspective of a manager who thinks in terms of risk, business alignment and governance — not the perspective of the engineer who wants to fix the technical problem immediately.

How much does CISM cost in 2026?

The headline number is the exam fee, but the true cost of holding CISM includes application and ongoing maintenance. Here is the 2026 breakdown (ISACA, 2026):

  • Exam registration: 575 USD for ISACA members, 760 USD for non-members.
  • One-time certification application fee: 50 USD after you pass and meet the experience requirement.
  • Annual maintenance fee: 45 USD for members, 85 USD for non-members.
  • ISACA professional membership (optional but usually cost-effective): around 145 USD per year plus local chapter dues.
  • CPE requirement: a minimum of 20 continuing professional education hours per year and 120 hours over each rolling three-year cycle.

For most candidates it is cheaper overall to join ISACA before registering, because the member exam discount typically exceeds the membership fee. Factoring in study materials and the maintenance and CPE obligations, the realistic first-cycle investment lands in the low four figures rather than just the exam price.

The CISM experience requirement

CISM is not an entry-level exam you can simply pass and claim. To be certified you must document five years of professional information security work experience, including at least three years in information security management spanning three or more of the four domains. That management minimum is the part candidates most often underestimate (ISACA, 2026).

There is flexibility on the general experience, though. ISACA lets you waive up to two years of the five-year total — for example by holding a credential such as CISSP or CISA, or a relevant postgraduate degree. You can claim only one waiver, up to a maximum of two years, and no waiver can reduce the three-year management requirement. Experience must be earned within the ten years before you apply, or within five years after you pass. Crucially, you are allowed to sit the exam first and submit your experience afterward, giving you up to five years after passing to complete certification.

Planning tip: if you are close on management experience, take the exam now while the material is fresh and log the remaining months as you grow into the role. Our ciso-first-90-days guide is a useful roadmap for the kind of program-leadership work that counts toward the three-year management minimum.

CISM vs CISSP vs CISA: which should you choose?

These three credentials overlap but serve different audiences. CISM (ISACA) is management- and governance-focused: strategy, risk, program and incident leadership. CISA (ISACA) is the audit and controls credential, generally seen as the more technically detailed of the two ISACA options. CISSP (ISC2) is broader and more technical, covering eight domains from cryptography to network security, and is often described as the harder exam because of its scope.

A simple way to choose: pick CISM if your trajectory is toward managing a security function or becoming a CISO; pick CISA if your work is auditing, assurance and controls testing; pick CISSP if you want the widely recognized technical-breadth benchmark. Many senior professionals eventually hold more than one. For a side-by-side view of scope, cost and audience, see our full comparison at cissp-vs-cism-vs-cisa-major-credentials.

CISM salary: what can you earn?

CISM is consistently ranked among the higher-paying security certifications because it maps to management and leadership roles. Exact figures depend heavily on your location, years of experience and whether the credential sits on top of a management job title.

As of April 2026, ZipRecruiter reports an average U.S. salary of roughly 94,926 USD per year (about 45.64 USD per hour) for CISM-associated roles, with higher-cost markets such as New York averaging closer to 103,852 USD (ZipRecruiter, 2026). Senior security-manager and CISO-track roles where CISM is a requirement typically pay well above these averages.

How to get CISM certified: step by step

  • Confirm your eligibility: map your history against the five-year experience rule and note any waiver you can claim.
  • Join ISACA (optional) to unlock the member exam price, then register for the exam within the 12-month payment window.
  • Study the four domains, prioritizing program development (33%) and incident management (30%) where the weightings are heaviest.
  • Practice with scenario-based questions to train management judgment, not just recall — this is where most candidates lose marks.
  • Sit the 150-question, 240-minute exam and aim for the scaled passing score of 450.
  • Submit your certification application with documented experience and the 50 USD fee.
  • Maintain the credential: earn at least 20 CPE hours a year (120 over three years) and pay the annual maintenance fee.

CISM rewards preparation that mirrors the job: thinking like a manager who balances risk, cost and business value. If you build your study around the domain weightings, drill scenario questions until the “manager’s first move” becomes instinct, and line up your experience evidence early, the certification is very achievable — and it opens doors to the leadership roles that make the investment pay off.

Frequently Asked Questions

Is CISM hard to pass?

CISM is challenging less because of technical depth and more because it tests management judgment. The 150-question, 240-minute exam presents scenarios where several answers look reasonable, and you must choose what a security manager — not an engineer — should do first. Candidates who study for management perspective rather than pure recall tend to pass.

How long does it take to study for CISM?

Most successful candidates study for about two to three months with a consistent schedule, though timelines range from a few weeks of intensive study to a year for part-time learners balancing a full-time job. Prioritizing the two heaviest domains — program development and incident management — makes the time you invest more efficient.

Can I take the CISM exam without the required experience?

Yes. ISACA lets you sit the exam before you meet the five-year experience requirement. You then have up to five years after passing to document your experience and complete the certification application, which makes it practical to take the exam while the material is fresh.

What is the passing score for CISM?

CISM is scored on a scaled range of 200 to 800, and you need a 450 to pass. The scaled score is a statistical conversion of how many questions you answer correctly, so it does not map to a simple percentage of correct answers.

Is CISM better than CISSP?

Neither is strictly better — they serve different goals. CISM is management- and governance-focused and suits people heading toward security-manager or CISO roles. CISSP is broader and more technical across eight domains and is often chosen as a technical-breadth benchmark. Many senior professionals eventually hold both.

How much does CISM cost in 2026?

The 2026 exam fee is 575 USD for ISACA members and 760 USD for non-members, plus a one-time 50 USD application fee. Ongoing costs include an annual maintenance fee of 45 USD (members) or 85 USD (non-members) and the CPE requirement of 120 hours over three years.
