What's Tested on the CISM Exam?
CISM, which stands for Certified Information Security Manager, is a certification provided by ISACA (Information Systems Council Audit and Control Association) that indicates the ability of an individual to merge information security with the business goals of a company. The CISM exam is one step in the process of becoming a fully-certified CISM.
About the CISM Exam
The CISM exam is a multiple-choice exam taken on a computer. There are 150 questions, all of which have four answer options, which must be answered in a 4-hour time block. Scores are calculated on a 200-800 point scale, and you must get at least 450/800 to pass the exam. There’s no penalty to guessing an answer, or guessing incorrectly; your score is determined by adding up the number of correct answers you get.
The exam cost is $575 for ISACA members and $760 for non-members. You’ll pay this fee when you register for the exam (see “CISM Exam Registration” below).
The CISM exam covers four fundamental areas of information security management, each area approximately weighted on the exam and defined by ISACA as follows:
- Domain 1: Information Security Governance (24%)
- ISACA describes Domain 1 as follows: “Establish and/or maintain an information security governance framework and supporting processes to ensure that the information security strategy is aligned with organizational goals and objectives.”
- Domain 2: Information Risk Management (30%)
- ISACA describes Domain 2 as follows: “Manage information risk to an acceptable level based on risk appetite in order to meet organizational goals and objectives.”
- Domain 3: Information Security Program Management and Development (27%)
- ISACA describes Domain 3 as follows: “Develop and maintain an information security program that identifies, manages and protects the organization’s assets while aligning to information security strategy and business goals, thereby supporting an effective security posture.“
- Domain 4: Information Security Incident Management (19%)
- ISACA describes Domain 4 as follows: “Plan, establish and manage the capability to detect, investigate, respond to and recover from information security incidents to minimize business impact.“
In order to prepare for the exam, consider taking a CISM exam training course.
CISM Exam Registration
You’ll take the CISM exam at a PSI testing site. Before you register for the exam, make sure there’s a testing site nearby. Once you’ve determined that you’ll be able to travel to a PSI testing site, you’ll register and pay for the exam. Only after you’ve registered and paid will you be able to schedule your actual exam time.
In order to register, you have to create an ISACA profile, which you can do here. Once you’ve set up your profile, you can register and pay for your exam. The first thing to do when you’re registering for the CISM exam is to choose a window that works for you. Windows are multi-month periods in which you can only take the exam one time. You’ll then confirm your personal information and pay for the exam. Once you’ve finished, you’ll receive confirmation emails from ISACA. You can register for the CISM exam here.
When you’ve registered for the CISM exam, you can schedule your exam time. Log into your ISACA account, and you’ll see the exam for which you’re registered, including a link to schedule your exam. This link will allow you to select a testing location and date/time.
After the CISM Exam
You’ll get a preliminary score immediately after finishing the exam, which will tell you if you passed (got 450 or more out of 800 possible points) or failed (got fewer than 450 out of the 800 possible points). Within 10 working days you’ll be emailed an official score report, complete with a score analysis by content area.
If you need to take the CISM exam again, you can re-register and pay a fee to retake the exam in a different testing window. Keep in mind that you cannot take the exam more than once in a testing window.
Passing the CISM exam doesn’t make you a CISM–you also need to complete the required job experience and submit an application to ISACA. Once you’ve passed the exam, though, you’re well on your way to proving your commitment to using information security to help accomplish the goals of your company!