ISACA · CISM
Validates expertise in information security governance, risk management, program development, and incident management for experienced security professionals.
Questions
1196
Duration
240 minutes
Passing Score
450/800
Difficulty
ProfessionalLast Updated
Jan 2026
Use this CISM practice exam to prepare for Certified Information Security Manager (CISM) with realistic questions, detailed explanations, and focused study modes. The practice bank includes 1,196 questions for ISACA CISM, so you can review the exam steadily instead of relying on one long cram session.
As you practice, pay extra attention to recurring topics such as Information Security Governance, Information Security Risk Management, Information Security Program, and Incident Management. Start with short sessions to identify weak areas, then move into timed quizzes once your accuracy is consistent.
The explanations are especially useful when you want to connect exam wording to the responsibilities and scenarios described in the official certification guidance. Use the free preview first, then unlock the full question bank when you are ready to build a complete study routine.
The Certified Information Security Manager (CISM) is a globally recognized credential awarded by ISACA that validates expertise in managing, designing, and overseeing enterprise information security programs. First introduced in 2002, the certification has been earned by more than 107,000 professionals worldwide and was recognized as the 2025 Best Professional Certification Program. CISM is distinguished from technical certifications by its emphasis on governance, strategic alignment, and business outcomes — validating a practitioner's ability to bridge the gap between information security and organizational objectives.
The credential covers four core practice domains: Information Security Governance, Information Security Risk Management, Information Security Program, and Incident Management. Together, these domains assess a candidate's ability to establish security frameworks aligned with business goals, identify and manage information risk, develop and oversee a security program from inception through continuous improvement, and lead effective incident response and recovery operations. A forthcoming content outline update effective November 3, 2026 will reflect evolving job practice areas, with updated preparation materials available in September 2026.
CISM is designed for experienced information security professionals who have transitioned — or are seeking to transition — from purely technical roles into management and leadership positions. Ideal candidates include information security managers, IT directors, risk managers, security consultants, and compliance officers who are responsible for overseeing enterprise security strategy rather than executing day-to-day technical tasks.
Candidates typically have at least five years of professional information security work experience, with at least three years in security management roles across the CISM domains. The certification is particularly well-suited for professionals in financial services, healthcare, government, and technology sectors where security governance and risk oversight are critical organizational functions.
ISACA does not impose formal prerequisites for sitting the CISM exam — candidates may register and take the exam at any time. However, to apply for the full certification after passing, candidates must demonstrate a minimum of five years of professional information security management work experience within the CISM job practice domains. At least three of those five years must be in information security management. This experience must have been gained within the ten-year period preceding the certification application date, and candidates have five years from their exam passing date to submit their application.
While no specific prior certifications are required, a solid foundation in information security concepts, IT governance frameworks (such as COBIT or ISO/IEC 27001), risk management methodologies, and incident response principles is strongly recommended. Familiarity with regulatory and compliance environments relevant to one's industry will also be beneficial given the governance-heavy nature of the exam.
The CISM exam consists of 150 multiple-choice questions, all of which are scored. The exam is administered over a four-hour time limit. It is delivered as a computer-based test, available either at authorized PSI testing centers worldwide or via remote proctoring, giving candidates flexible delivery options. Registration is continuous — there are no fixed testing windows — and candidates can schedule an appointment as early as 48 hours after payment of the exam registration fee, up to 90 days in advance.
Scoring is reported on a scale of 200 to 800, with a passing score of 450. Questions are designed to assess practical, job-relevant judgment rather than rote memorization, drawing on real-world information security management scenarios. Exam fees are $575 USD for ISACA members and $760 USD for non-members, plus a $50 certification application fee upon passing.
CISM holders command some of the highest salaries in the information security field. U.S.-based professionals with the certification earn an average of approximately $140,000–$150,000 annually, with total compensation averaging above $165,000 when bonuses and benefits are included. Professionals who advance to CISO-level positions — a common trajectory for CISM holders — report average total compensation exceeding $300,000 at large enterprises. Most newly certified professionals report salary increases of $15,000 to $30,000 within their first year, and combining CISM with CISSP can command an additional 10–20% premium in many markets.
The certification opens doors to senior leadership roles including Information Security Manager, Security Director, Chief Information Security Officer, Risk Manager, and IT Compliance Manager across virtually every industry vertical. Government agencies and defense contractors frequently list CISM as a required or preferred credential for security management positions. With the U.S. Bureau of Labor Statistics projecting 33% job growth for information security analysts through 2033 and cybercrime costs projected at $10.5 trillion globally in 2025, demand for credentialed security managers remains strong. CISM's emphasis on business alignment and governance makes it particularly compelling to executive hiring managers who need security leaders who can communicate risk in terms of business impact.
5 sample questions with answers and explanations. Start a practice session to test yourself across all 1196 questions.
Preview — answers shown1. A financial services organization is migrating critical banking applications to a multi-cloud environment using a combination of IaaS virtual machines, PaaS database services, and SaaS collaboration tools. The CISO must brief the board on security responsibilities that remain with the organization regardless of which cloud service model is deployed. According to the shared responsibility model, which three security responsibilities always remain with the customer organization across IaaS, PaaS, and SaaS deployments? (Select three!)
Multiple correct answersExplanation
In all cloud service models, customers always retain responsibility for data classification and encryption key management because the customer owns the data and must control its protection. Identity and access management including user authentication and authorization remains the customer's responsibility because only the customer knows who should access their resources and under what conditions. Security configuration of applications and workloads is always the customer's responsibility because the customer controls what they deploy and how it is configured. Physical security of data centers is always the cloud provider's responsibility across all service models. Hypervisor security is managed by the provider in all cloud service models. Network infrastructure including physical networking equipment is the provider's responsibility, though customers configure logical network security controls like security groups and firewall rules.
2. A security manager reviews COBIT 2019 implementation and notices confusion between governance and management functions. The organization's governing board is involved in daily security operations decisions, while IT management sets strategic security direction without board oversight. Which actions should the security manager recommend to correctly align with COBIT 2019 principles? (Select two!)
Multiple correct answersExplanation
COBIT 2019 clearly distinguishes governance from management. The board should execute EDM (Evaluate, Direct, Monitor) governance objectives that set direction and oversee results, while management executes APO, BAI, DSS, and MEA objectives including APO12 (Managed Risk) and APO13 (Managed Security). Governance focuses on what and why decisions, while management focuses on how decisions are executed. Transferring all authority to IT management eliminates necessary governance oversight. Consolidating governance and management violates COBIT's fundamental principle that governance must remain distinct from management. While steering committees can be useful, they don't address the core misalignment of governance versus management roles.
3. A security manager establishes a Security Operations Center (SOC) with tiered analyst structure. Tier 1 analysts handle initial alert triage, Tier 2 analysts perform deep investigation and correlation, and Tier 3 analysts conduct advanced analysis and threat hunting. An alert indicates potential privilege escalation requiring correlation with authentication logs and endpoint data. Which tier should handle this investigation? (Select one!)
Explanation
Tier 2 SOC analysts handle deep investigation and correlation activities that go beyond initial triage but do not require the advanced threat hunting capabilities of Tier 3. Investigating potential privilege escalation requires correlating authentication logs, endpoint data, and access patterns across multiple sources—classic Tier 2 work. Tier 1 performs initial triage and escalates to Tier 2 when correlation and deeper analysis are needed. Tier 3 focuses on advanced analysis, threat hunting, and sophisticated attack techniques beyond standard investigation. Direct escalation to the CISO bypasses the SOC structure designed to efficiently investigate and contain threats before executive notification.
4. An organization operates under a formal risk management framework where the board has established risk appetite as moderate with specific risk tolerance thresholds. A security manager identifies a critical vulnerability in customer-facing web applications with high likelihood of exploitation and severe business impact. Remediation requires significant capital investment that exceeds annual security budget by 40 percent. The calculated residual risk after available budget controls falls between risk tolerance and risk capacity thresholds. What should the security manager do FIRST? (Select one!)
Explanation
When residual risk exceeds risk tolerance but remains within risk capacity, this represents a risk that requires senior management decision and potential budget exception. The security manager must present comprehensive business impact analysis with funding requirements to enable informed executive decision-making. Accepting risk that exceeds tolerance thresholds without management approval violates governance principles. Implementing inadequate compensating controls that leave risk above tolerance is inappropriate without management awareness and formal acceptance. Risk transfer through insurance should be evaluated as part of management decision process rather than as initial response.
5. A security manager discovers that the primary control requiring all remote access to use VPN with multi-factor authentication cannot be implemented for a critical business partner integration requiring real-time API access. The security team proposes implementing enhanced network segmentation, API gateway with OAuth 2.0 authentication, continuous session monitoring, and detailed logging as alternative security measures. What type of controls is the security team proposing? (Select one!)
Explanation
The security team is proposing compensating controls, which are alternative security measures designed to meet the intent of a primary control that cannot be implemented due to technical constraints or business requirements. Compensating controls provide equivalent or comparable security through different mechanisms. In this case, the combination of segmentation, OAuth authentication, monitoring, and logging aims to achieve security objectives when the primary VPN with MFA control is not feasible. Corrective controls remediate after incidents occur, which is not the purpose here. Detective controls identify security events but don't provide the alternative protection needed. While some proposed controls have preventive elements, the overall purpose is compensation for an infeasible primary control rather than general prevention.
Certified Information Systems Auditor (CISA)
CISA · 895 questions
Certified in Risk and Information Systems Control (CRISC)
CRISC · 761 questions
Certified Data Privacy Solutions Engineer (CDPSE)
CDPSE · 749 questions
IoT Fundamentals Certificate
IoT-Fund · 630 questions
IT Audit Fundamentals Certificate
IT-Audit-Fund · 627 questions
IT Risk Fundamentals Certificate
Risk-Fund · 616 questions
$17.99
One-time access to this exam