The increase in cyber security issues in the press seems relentless. Organizational leaders in all types of industries are looking for capable security managers to navigate them safely through the dangers of this highly connected world.
The CISM certification from ISACA is considered one of the key certifications to demonstrate knowledge of cyber security management concepts and processes within an enterprise. The CISM strength is its focus on aligning a cyber security program with business goals.
In this study guide, we will share with you how to prepare and pass the official CISM (Certified Information Security Manager) exam by ISACA successfully and become a strategic enterprise security leader.
In This Article
Information Security (IS) is making a serious contribution to business development by ensuring not only reliable operations but also new opportunities for qualitative differentiation. It is increasingly seen as a value creator or facilitator of operations in new business models.
As the cloud comes into the picture, this raises new questions to the board of directors, is our data secure? do we have control? I heard that if we move to the cloud we are secure, is that true? What about privacy, compliance, and data regulation? Cloud security is a shared responsibility, what does that mean? the list of questions goes on and on… For this reason, it is imperative that before adopting any IT project, organizations must first understand the security considerations that are inherited by adopting any emerging technology. These considerations must be revised before adopting—ideally during the planning process.
Companies continue to rapidly migrate workloads from datacenters to the cloud, utilizing new technologies such as serverless, containers, and machine learning to benefit from increased efficiency, better scalability, and faster deployments. IT and cloud security concerns remain high as the adoption of public cloud continues to surge, especially in the wake of the 2020 COVID crisis and the resulting accelerated shift to remote work environments.
Security in the realm of information technology has been fascinating to me for many years. After passing the Swiss federal exam as an ICT Security Expert with an academic diploma, I decided to invest and get more experience with Cloud and Information Security.
Starting this journey, I decided to go with neutral vendor certifications for Cloud and Information Security which is the Certificate of Cloud Security Knowledge (CCSK) by Cloud Security Alliance (CSA), the Certified Cloud Security Professional (CCSP) certification by the International Information System Security Certification Consortium (ISC)², and the Certified Information Security Manager (CISM) by Information Systems Audit and Control Association (ISACA). These are the most highly regarded certifications for cybersecurity leaders and practitioners. However, it is not that easy to get any of these certifications as you need to invest a lot of time and money during the certification process.
I believe in vendor-neutral certifications, and I don’t trust marketing. The good news is, the knowledge that you acquire by attaining any of these certifications will help you to apply and secure your information and IT/Cloud environment whether the data is located on Microsoft Azure, Google GCP, Amazon AWS, hybrid, or complete on-premises.
From my experience, I took the CCSP certification in early 2021 before taking the CISM exam by the end of 2021. There are many common topics between the two that make it easy for me to read and understand the CISM material.
After 4 months of intense preparation, I am so happy and grateful now that I passed the CISM exam on the first attempt.
In this study guide, we will share with you how to prepare and pass the Certified Information Security Manager (CISM) exam by ISACA successfully.
ISACA is an international professional association focused on IT governance and Information Security. ISACA is an independent, nonprofit, global association that engages in the development, adoption, and use of globally accepted information system (IS) knowledge and practices. Previously known as the Information Systems Audit and Control Association, ISACA now goes by its acronym only. Today, ISACA serves more than 140,000 professionals in 180 countries.
ISACA is well-known for its COBIT governance framework and many information certifications like:
Of the above eight certifications, CISA and CISM are the most popular ones, and each of these certifications targets different job roles. CISM is targeted at information security managers while CISA is for auditors.
About the CISM Certification
The Certified Information Security Manager (CISM) credential caters to a very specific niche, those who manage teams of cybersecurity professionals and those who wish to lead security teams. It’s not a deeply technical certification and while it does include some technology topics, it has much more of an emphasis on issues of leadership and governance.
The CISM is designed to help evaluate your ability to lead a cybersecurity team. When you review the CISM curriculum you’ll find that the exam covers four major topic areas or domains. They’re not quite equally weighted on the exam (more on this in the next section), but each is an important focus.
The first domain, Information Security Governance, covers how security leaders put the structures in place that they need to better run their security programs. Governance efforts ensure that an organization is aligning security with business objectives, rather than simply doing security for security’s sake.
The second domain, Information Risk Management, covers the sources of risk to an organization and the tools and techniques that cybersecurity managers use to manage risk to acceptable levels. Security leaders are constantly called upon to make trade-off decisions and this is where they do so.
The third domain, Information Security Program Development, and Management are where you get into the nitty-gritty of security. Security managers don’t need to be deep technical experts on all areas of cybersecurity, but they do need a working knowledge of the types of controls used to protect information and systems. This is where you’ll gain that knowledge.
And finally, the fourth domain, Information Security Incident Management, helps you understand what to do when things go wrong and your organization experiences a security incident. Incidents are stressful times for security teams and a stable guiding hand can help ensure that the organization makes it through those times successfully.
To become a CISM professional, you are required to pay the exam fee, pass the exam, prove that you have the required experience and education (more on this in the next section), and agree to uphold ethics and standards.
To remain CISM certified, you must pay CPE maintenance fees each year. These fees are (as of 2018) $45 for members and $85 for nonmembers each year. These fees are in addition to ISACA membership and local chapter dues (neither of which is required to maintain your CISM certification).
The certification cycle is 3 years. For new CISM, the annual and three-year certification period begins January 1st of the year following certification. Therefore, should you get certified in January, you will have until the following January to accumulate CPEs and will not have to report them until you report the totals for the following year, which will be in October or November. This is known as the renewal period. During this time, you will receive an e-mail directing you to the website to enter CPEs earned over the course of the year.
Alternatively, the renewal will be mailed to you, and then CPEs can be recorded on the hard-copy invoice and sent with your maintenance fee payment. CPEs and maintenance fees must be received by January 15 to retain certification.
Notification of compliance from the certification department is sent after all the information has been received and processed. Should ISACA have any questions about the information you have submitted, it will contact you directly.
CISM Certification Required Experience
The experience required for the CISM credential is summarized below.
The CISM certification is designed to demonstrate that an individual is a qualified information security manager. That requires more than just passing a test. It also requires real hands-on work experience managing cybersecurity teams.
The CISM work experience requirement has two different components:
1) First, you must have five years of information security work experience.
2) Second, you must have at least three years of information security management work experience, and that work experience must come from at least three of the four CISM domains (more on this in the next section).
If you’re a current information security manager, you may find it easy to meet these requirements. If you’ve been in the field for five years and have been a manager for at least three of those years, you’re probably good to go because your time as an information security manager also counts towards your general information security experience requirement.
There are some waivers available that can knock off one or two years of your experience requirement. All of these waivers apply only to the general information security work experience requirement, but NOT the management experience requirement.
In summary, if you have five years of experience leading a security team and your experience crosses at least three of the domains of the CISM exam, you’re ready to certify. If you don’t have that five years of information security management experience, you may still qualify if you have at least three years of information security management experience. If you don’t have that three years of experience, you’ll need to obtain it before you receive certification.
In the case where you have at least three years of information security management experience but less than five years. And if you have two other years of non-management experience in information security, then you’re ready to certify. If you don’t, but you have the Certified Information Systems Security Professional (CISSP) or Certified Information Systems Auditor (CISA) credential, you’re also ready to certify.
If you have an MBA or a master’s degree in information security, you’re ready. If you don’t have any of those credentials but you have one year of non-management security experience, you may still qualify. If you don’t have that extra year of security experience, you’ll need to develop it before certifying.
If you have three years of information security management experience and one year of other information security experience, you may qualify for CISM certification if you have one year of IT management experience in a field other than information security or you have one year of experience managing a general security function, such as physical security, or if you have the Security+ certification or another skill-based security certification or a bachelor’s degree in information security. Otherwise, you’ll need to develop your experience.
As noted above, there are many different ways to satisfy the CISM experience requirement. Just check to find your own path through it, and see if you’re ready to earn your CISM certification. And remember, if you’re not ready today, you can still take the exam now. You’ll have five years after passing the exam to accumulate the required experience.
We highly recommend checking the official ISACA CISM requirement details below:
1) Get CISM Certified – Apply for Certification.
2) Applications for CISM Exam Passers 2017 and Later.
CISM exam overview
In this exam, you will receive 150 multiple-choice questions, and the total time for this exam is 240 minutes (4 hours), you might think that you have enough time to finish it. However, this is not the case, the exam is long and tough, you need to read the questions and answers multiple times to choose the BEST answer!
You really want to answer the questions with the mentality of a security manager and always keep in mind that your job is to align your security strategy and goals to the business goals.
I finished the exam in 3h.45min to go quietly over all the 150 questions. The minimum passing score for this exam is 450 on a scale ranging from 200 to 800. This score doesn’t correspond to any specific percentage of correct answers. Instead, it uses a scoring formula based on the experience of other test-takers.
The current exam fee is $575 for ISACA members and $760 for non-members. Once ISACA processes your payment, you’ll receive an email message with further instructions.
After you receive your voucher, you can register for a specific exam time slot. You’ll be able to choose the testing facility in your local area as well as a time that is convenient for your schedule. And with this new way of remote working during the pandemic period, you can take the exam at your home/office with the virtual supervision of a live proctor.
You are allowed to reschedule your exam if something comes up, but you must do so at least 48 hours prior to the time of your exam. If you don’t cancel in time and fail to show up for your exam, you’re out of luck and you’ll need to register again and pay a new exam fee.
If you don’t pass the exam on your first (attempt 1), you may retake the exam as follows:
> Retake 1, (attempt 2): You must wait 30 days from the date of the first attempt.
> Retake 2, (attempt 3): You must wait 90 days after the date of the second attempt.
> Retake 3, (attempt 4): You must wait 90 days after the date of the third attempt.
We highly recommend preparing very well before taking the real exam!!!
After completing the CISM preparation and passing the exam, you will be able to:
1) Identify and construct plausible threat scenarios. Explain the purpose of information security governance. Knowledge of techniques to achieve and maintain trust for the security team. Understand the need for business alignment. Be able to describe information security roles and responsibilities. Understand the need for an information security strategy. Be aware of common pitfalls in establishing a strategy.
2) Understand the fundamentals of enterprise information security risk management. Be able to communicate information security risks within an organization. Identify appropriate risk management frameworks. Understand the need for a gap analysis. Perform risk analysis by rating the likelihood and impact of information security risk. Be aware of quantitative and qualitative risk analysis methods.
3) Understand the fundamentals of delivering an information security program. Be able to construct scope and charter documents. Identify appropriate technologies to implement in an information security program. Develop an information security program roadmap. Identify effective controls and countermeasures. Establish useful metrics for monitoring the information security program.
4) Articulate the need for an incident response plan. Provide guidance in the event of a cyber security incident. Construct an effective incident response plan. Be able to derive short and long-term recommendations from an incident. Perform a post-incident review. Understand the fundamentals of business continuity and disaster recovery.
Skills measured on this exam
This exam measures your ability to know and understand the 4 domains listed below based on the latest updates from the (ISACA) CISM, Review Manual (15th Edition).
As a side note, the CISM exam changing on the 1st of June 2022. The last date to take the current exam is 31 May 2022.
Below is the information that how I received the examination questions across these domains, but of course, this may vary slightly case by case. The questions do pretty much match the list of domains and skills measured below with their weights:
Domain 1: Information Security Governance (24%)
- Establish an information security governance framework
- Governance roles and responsibilities
- Security strategy development
- Information security balanced scorecard
- Align security strategy with organizational goals
- Information security governance metrics
Domain 2: Information Risk Management (30%)
- Benefits and outcomes from an information risk management perspective
- Risk assessment and risk management frameworks
- Developing a risk management strategy
- The risk management life-cycle process
- Integrating risk management into an organization’s practices and culture
- The components of a risk assessment: asset value, vulnerabilities, threats, and probability and impact of occurrence
- Risk treatment options: mitigate, accept, transfer, avoid
- The risk register
- Monitoring and reporting risk
Domain 3: Information Security Program Development and Management (27%)
- Security program frameworks, scope, and charter
- Security program alignment with business processes and objectives
- Information security frameworks
- Security program management administrative activities
- Security operations
- Internal and external audits and assessments
- Metrics that tell the security management story
- Security Controls
Domain 4: Information Security Incident Management (19%)
- Establish an incident response plan and recovery process
- Recover from security incidents in a consistent and timely manner
- Post-incident reviews
- Business continuity and disaster recovery planning
CISM Certification Audience
There’s one key question that you need to ask yourself to determine whether the CISM certification is right for you. Do you want to be a cybersecurity leader? Now, this question is a little nuanced. You might already be leading a cybersecurity team, or perhaps you’re in a consulting role.
Let’s talk about the different categories of people who normally pursue the CISM credential:
1) Current CyberSecuirty Managers: The first, and most obvious group, are people who are currently serving in cybersecurity management roles. If you lead a group of cybersecurity professionals, the CISM program will help you better understand your job and the role of cybersecurity in the enterprise. Whether you’re an incident response team leader or a chief information security officer, there’s plenty in the CISM curriculum that you can learn.
2) Aspiring CyberSecurity Managers: Many people also pursue CISM certification when they’re hoping to move into a cybersecurity leadership position. This includes cybersecurity professionals who want to make the move into management, as well as managers of other IT functions who would like to cross over into the field of cybersecurity. Chances are that people in this category won’t be immediately eligible for certification, but there’s nothing stopping them from preparing for and taking the CISM exam.
3) Senior IT Leaders: The third group of people who often seek the CISM credential is senior IT leaders such as chief information officers (CIO), chief technology officers (CTO), and others who find themselves in a position where they supervise cybersecurity leaders. The CISM program offers these individuals a chance to gain an in-depth understanding of cybersecurity’s role in the IT organization.
4) Security Consultants: Consultants like me also pursue CISM certification, especially those who work in management and governance consulting. The CISM demonstrates to current and potential clients, that a consultant has the breadth of knowledge and the experience to back their work.
Is the CISM for you? If you fit into one of the four categories noted above, it’s likely that you’ll learn a lot during the CISM process that will benefit your career, and the credential will better position you for your next career opportunity.
To prepare and pass this exam successfully on the first attempt, we highly recommend the following approach based on my experience in passing this exam.
The first choice that we highly recommend is to get instructor-led training if possible, you can find the list of all accredited (ISACA) training partners here.
If you can’t afford in-person training or the training center is far from your location, then check the self-study section below.
If you prefer self-study training, then you can choose one of the premium quality resources listed in this section. I have used the self-study resources noted here to complement my knowledge.
CISM on Cybrary
Cybrary learning offers the following complete CISM preparation paid course over 14 hours:
1) Instructed by Kelly Handerhan: Certified Information Security Manager (CISM).
CISM on LinkedIn Learning
LinkedIn Learning offers the following complete CISM certification preparation paid course over 13 hours:
1) Instructed by Mike Chapple: CISM Cert Prep: The Basics.
2) Instructed by Mike Chapple: CISM Cert Prep: 1 Information Security Governance.
3) Instructed by Mike Chapple: CISM Cert Prep: 2 Information Risk Management.
4) Instructed by Mike Chapple: CISM Cert Prep: 3 Information Security Program Development and Management.
5) Instructed by Mike Chapple: CISM Cert Prep: 4 Information Security Incident Management.
CISM on Pluralsight
Pluralsight offers the following complete CISM certification preparation paid course over 16 hours:
1) Instructed by Kevin Henry: Preparing for an ISACA Certification Examination.
2) Instructed by Bobby Rogers: Information Security Manager: Information Security Governance.
3) Instructed by Bobby Rogers: Information Security Manager: Information Risk Management.
4) Instructed by Bobby Rogers: Information Security Manager: Information Security Program Management.
5) Instructed by Bobby Rogers: Information Security Manager: Information Security Incident Management.
CISM with IT Masters Charles Sturt University (CSU)
IT Masters Charles Sturt University (CSU) offers the following short preparation CISM course for free:
1) CISM Prep – Module 1 – Information security governance
2) CISM Prep – Module 2 – Information security risk management and compliance
3) CISM Prep – Module 3 – Information security program development and management
4) CISM Prep – Module 4 – Information security incident management
CISM with Thor Pedersen
ThorTeaches offers the following complete CISM certification preparation paid course over 23 hours:
1) Instructed by Thor Pedersen: CISM – All videos and practice questions from ThorTeaches.
ThorTeaches offers 25+ hours of CISM videos, 150 practice questions, a 180+ page study guide, 300 CISM links, and a customizable CISM study plan.
CISM on ISACA
ISACA offers online self-paced paid training over 17 hours which is a great companion to prepare you for the CISM exam.
1) ISACA: CISM Online Review Course.
Tools and Readings you need
In addition to all the resources and the preparation that we mentioned above, you also need some additional materials you want to be familiar with. There is no magic formula for passing this exam, and no single particular book or source with all the answers to the exam exists. I recommend the following professional resources (free or paid) that you should be familiar with while preparing for this exam:
- ISACA: Exam Candidate Information Guide.
- ISACA: CISM Exam Terminology List.
- ISACA: Cybersecurity Fundamentals Glossary.
- ISACA: Code of Professional Ethics.
- ISACA: A Strategic Lifecycle for Information Security.
- ISACA: Building a Security Transformation Program in Our New Information Security World.
- ISACA: The Optimal Risk Management Framework.
- ISACA: Holistic IT Governance, Risk Management, Security and Privacy.
- ISACA: Building a Strong Security Posture Begins With Assessment.
- ISACA: The Cyberresilient Enterprise: What the Board of Directors Needs to Ask.
- Quizlet: CISM Exam Prep Flashcards.
We highly recommend getting the following books to supplement your knowledge and help you prepare for this exam:
- CISM Certified Information Security Manager All-in-One Exam Guide.
- ISACA: CISM Review Manual, 15th Edition.
We highly recommend practicing a large number of questions to get a sense of how the questions might show up during the actual exam. I practiced more than 2,000 questions. Here is the list of exam practice resources that I used to prepare for this exam:
- ISACA: CISM Review Questions, Answers & Explanations (QAE) Manual, 9th Edition – Totally worth it.
- ISACA: CISM Review Questions, Answers & Explanations Database (online).
- Peter H. Gregory: CISM Certified Information Security Manager Practice Exams 1st Edition.
- Exam Topics: Certified Information Security Manager.
It’s not allowed to share information about the real exam – the below points were very relevant in the courseware and the test practice exams – the real exam is not that different in style or approach compare to test exams:
1) First of all there are no negative grades for a wrong answer – please answer all the questions.
2) The passing grade is greater or equal to 450/800 – This is a weighted score based on the difficulty of the questions (if you get 75%-80% on good practice exams that you didn’t do before, then you are good to go and take the real exam).
3) Think like a manager (alignment is good, Security is there to support the business, understand business objectives, senior management needs to be committed, start with the business case, look at business loss in case of downtime, culture is very important, ethics and human life are first priority).
4) Measure and know what you are up to (start with inventory, compliance is good, optimize the performance, regular re-alignment is needed).
5) You can use compensating controls if other controls are not feasible.
6) Understand the difference between a threat, vulnerability, and risk.
7) Use common sense, understand how ISACA wants you to think but use your experience (just think as a manager, technical solutions are not always the best option, other controls may be more relevant).
8) The business owns the data, the business is responsible for access management, security is there for the sole purpose of bringing business value (increase income or reduce risks).
In case you want to receive some extra tips, you can send me a direct message on this page.
Results and Certificate
As soon as you submit your exam and pass it, you will receive provisional examination results with the following message:
Congratulations! We are pleased to inform you that you have provisionally passed the Certified Information Security Manager (CISM) examination.
The official exam results will be emailed within 10 business days of your exam date. After 10 days from the date of the exam, ISACA will verify the exam and send you the results by e-mail.
Each job practice area score will be noted in addition to the overall final score. All scores are scaled by content area. You can also download and print the results (overall score) in PDF format from the ISACA website under MyIsaca certifications.
Should you receive a passing score, you will also receive the application to start the certification process.
Those unsuccessful in passing will also be notified. These individuals will want to take a close look at the job practice area scores to determine areas for further study. They may retake the exam as many times as needed on future exam dates, as long as they have registered and paid the applicable fees. Regardless of a pass or fail, exam results will not be disclosed via telephone, or e-mail (with the exception of the consented e-mail notification).
You have now taken the first step toward achieving the CISM certification and enjoying the many opportunities and benefits that being certified as a CISM brings. To become certified as a CISM and enjoy the benefits of certification, you must earn the required job experience and submit a CISM application. The application is available on the ISACA website.
Please note that until your application is received and approved, you are NOT CISM certified and cannot use the designation anywhere, including e-mail, resumes, correspondence, or social media.
A US$50 application processing fee is required for all submissions. The application fee is a one-time, non-refundable payment.
As with the exam, after you’ve successfully mailed the application, you must wait approximately eight weeks for processing. If your application is approved, you will receive an e-mail notification, followed by a package in the mail containing your letter of certification, certificate, and a copy of the Continuing Professional Education Policy. You can then proudly display your certificate and use the “CISM” designation on your résumé, e-mail and social media profiles, and business cards.
Certification is just the beginning… To maintain your certification, you should continue your professional education (CPE).
To keep your CISM certification, you are required to take at least 20 continuing education hours each year (120 hours in three years) and pay annual maintenance fees.
These CPE activities must be completed during your certification cycle which starts on January 1st of the following year. For example, if you receive the welcome email on April 15th, your certification cycle start date will be January 1st of the following year.
You are not required to report CPE hours for the first partial year after your certification; however, the hours earned from the time of certification to December 31 can be utilized in the first certification reporting period the following year.
The goal of continuing professional education requirements is to ensure that individuals maintain CISM-related knowledge so that they can better develop and manage security management programs. To maintain CISM certification, individuals must obtain 120 continuing education hours within three years, with a minimum requirement of 20 hours per year. Each CPE hour is to account for 50 minutes of active participation in educational activities.
CPE reporting is due by the end of each calendar year and is required to renew through the following year. For example, to renew through the end of the current year, the CPE requirements of the previous year must be met.
We highly recommend checking the following CPE important resources by ISACA:
It is in your best interest to track all CPE information in a safe place or worksheet. ISACA has developed a Tracking Form for your use, which can be found in the Continuing Professional Education Policy (page 8). To make it easy on yourself, consider keeping all related records such as receipts, brochures, and certificates in the same place.
Documentation should be retained throughout the three-year certification period and for at least one additional year afterward. This is especially important, as you may someday be audited. If this happens, you would be required to submit all paperwork.
If you want to learn more about Continuing Professional Education (CPE), then I highly recommend you to download and read the ISACA CISM Continuing Professional Education (CPE) Policy.
Becoming and being a CISM professional is a lifestyle, not just a one-time event. It takes motivation, skill, good judgment, persistence, and proficiency to be a strong and effective leader in the world of information security management. The CISM was designed to help you navigate the security management world with greater ease and confidence.
If you are planning to take the CISM exam… I wish you all the best and Happy Studying!!!
Please be advised that the CISM Exam Content Outline will be updated effective 1 June 2022. Starting on that date, the CISM Exam will reflect the new Exam Content Outline. Updated preparation material for the new Exam Content Outline will be available around spring 2022. We’ll be updating the list of materials noted in this study guide to help you pass the newer version of the exam at a later date. The last date to take the current exam is 31 May 2022.
Thank you for reading my blog.
If you have any questions or feedback, please leave a comment.