How much does CISM certification cost?
$575 – $760 CISM exam cost
$50 CISM application fee
$100 – $2,700 CISM exam prep cost

Written by Kristen Cramer
Edited by Tara Farmer
Fact-checked by Jennifer Carlson

CISM certification cost

The CISM exam costs $575 for ISACA members and $760 for non-members. Candidates must also pay a $50 application processing fee. CISM certification costs range from $1,000 to $3,500 total, including the exam fee, application fee, and the cost of exam prep materials or online review courses.

CISM certification cost
Item                                                    ISACA member                           Non-member
CISM exam registration fee                              $575                                   $760
Application processing fee                              $50                                    $50
ISACA membership fee                                    $145 first year, $135 per year after   N/A
Annual maintenance fee                                  $45                                    $85
ISACA CISM Online Review Course                         $795                                   $895
Other CISM review courses                               $100 – $2,700                          $100 – $2,700
CISM Review Manual                                      $109                                   $139
CISM Review Questions, Answers, & Explanations Manual   $129                                   $159
CISM exam rescore fee                                   $75                                    $75
Certification reinstatement fee                         $50                                    $50

CISM exam cost

The CISM exam fee is $575 for ISACA members and $760 for non-members. The exam is administered via computer at testing centers worldwide and through remote proctoring options. All candidates must pay a $50 application processing fee when submitting their certification application after passing the exam.

One way to reduce your costs is by becoming an ISACA member before registering for the exam. The first-year membership fee of $145 can quickly pay for itself through the savings on the exam fee alone, plus additional discounts on study materials and continuing education opportunities.

CISM exam prep cost

Adequate preparation is crucial for success on the CISM exam, and various study options are available to fit different learning styles and budgets:

  • ISACA CISM Online Review Course: This official preparation course costs $795 for members and $895 for non-members. It provides comprehensive coverage of all exam domains through interactive modules, practice questions, and instructor support.

  • CISM Review Manual: The official textbook costs $109 for members and $139 for non-members. This essential resource covers all exam topics in depth.

  • CISM Review Questions, Answers, & Explanations Manual: Available for $129 for members and $159 for non-members, this supplemental study book includes practice questions with detailed explanations.

  • Third-party review courses: These range from affordable self-study options starting at $100 to comprehensive boot camps costing up to $2,700. CISM review courses vary in format, duration, and teaching approach.

Additional fees

Beyond the initial certification cost, CISM holders should budget for these ongoing fees:

  • Annual maintenance fee: To keep your CISM certification active, you must pay $45 per year as an ISACA member or $85 per year as a non-member.

  • ISACA membership renewal fee: The cost to renew your ISACA membership is $135 per year.

  • Continuing Professional Education (CPE): CISM holders must earn and report 120 CPE hours every three years. While many CPE opportunities are free, others may involve costs for courses, conferences, or educational resources.

  • Certification reinstatement fee: If your CISM certification lapses due to unpaid maintenance fees or insufficient CPE credits, you'll need to pay a $50 reinstatement fee in addition to any outstanding maintenance fees.

What is CISM certification?

The Certified Information Security Manager (CISM) certification is a globally recognized credential for information security professionals who manage, design, and oversee information security programs.

Established by ISACA (previously known as the Information Systems Audit and Control Association), CISM has become one of the most prestigious and sought-after certifications in the information security field.

CISM certification demonstrates to employers and clients that you have the knowledge and experience to develop and manage an enterprise information security program. Unlike more technical security certifications, CISM focuses on the management aspects of information security, making it particularly valuable for professionals looking to advance into leadership positions.

CISM exam content

The CISM exam validates your expertise in four key domains of information security management: governance, risk management, program development, and incident management.

The exam consists of 150 multiple-choice questions covering the four job practice domains and is designed to test both your theoretical knowledge and your ability to apply that knowledge in real-world scenarios.

The table below shows a breakdown of the four domains covered on the CISM exam.

CISM exam content breakdown
Job practice domain                    Percent of exam
Information Security Governance        17%
Information Security Risk Management   20%
Information Security Program           33%
Incident Management                    30%

CISM certification requirements

To earn your CISM certification, you must meet the following requirements:

  • Pass the CISM exam with a score of 450 or higher on the 200 to 800 scale.

  • Submit an application within five years of passing the exam.

  • Meet the experience requirements, including at least five years of information security work experience covering at least 3 of the 4 domain areas. This experience must occur within the 10-year period preceding the application date or within five years after passing the exam.

  • Adhere to the ISACA Code of Professional Ethics and agree to the Continuing Education Policy.

ISACA offers substitutions for some of the work experience requirements based on other certifications or educational degrees, which can reduce the required experience by up to two years.

CISM jobs

Earning the CISM certification can qualify you for various high-level positions in information security management. The credential is particularly valuable for professionals aiming to bridge the gap between technical security implementation and business strategy.

Some examples of jobs you can get with CISM certification include:

  • Information System Security Officer (ISSO)

  • Information Systems Security Engineer (ISSE)

  • Information Systems Security Manager (ISSM)

  • Chief Information Security Officer (CISO)

  • Information Security Governance Specialist

  • Risk Management Analyst

  • Information Security Auditor

  • Security Architect

According to industry reports, CISM-certified professionals earn higher salaries compared to their non-certified counterparts, with average salaries ranging from $80,000 to $150,000+ depending on location, experience, and industry.

Benefits of CISM certification

Earning your CISM certification offers numerous advantages for information security professionals:

  • Career advancement: The certification can help you transition from technical roles to management positions.

  • Salary premium: CISM-certified professionals often earn 10% to 15% more than their non-certified counterparts.

  • Credibility: CISM demonstrates your commitment to the profession and your expertise in security management.

  • Compliance requirement: Many regulated industries and government agencies require CISM certification for certain positions.

  • Global recognition: CISM is recognized worldwide as a standard of excellence in information security management.

  • Networking opportunities: Certification connects you with a global community of information security professionals.

FAQs about CISM certification

How long is the CISM exam?

The CISM exam is a 4-hour test, giving candidates sufficient time to answer all 150 multiple-choice questions. This works out to about 1.6 minutes per question. ISACA recommends that candidates pace themselves and answer all questions, as there is no penalty for incorrect answers.

How many questions are on the CISM exam?

The CISM exam consists of 150 multiple-choice questions designed to test both theoretical knowledge and practical application of information security management concepts. Some questions are scenario-based, requiring candidates to analyze a situation and determine the best course of action based on ISACA's best practices.

How hard is the CISM exam?

The CISM exam is considered difficult, with a pass rate of approximately 50% to 60%. The exam requires both theoretical knowledge and practical experience in information security management.

ISACA recommends spending around 150 hours studying for the CISM exam, which tests not just your memorization of concepts but your ability to apply those concepts in complex scenarios.

Can you retake the CISM exam?

Yes, if you don't pass the CISM exam on your first attempt, you can retake it. You must pay the full exam fee for each attempt. ISACA allows candidates to take the exam up to four times in a rolling year, subject to these waiting periods:

  • Retake #1: At least 30 days after the date of the first attempt

  • Retake #2: At least 90 days after the date of the second attempt

  • Retake #3: At least 90 days after the date of the third attempt

Does CISM certification expire?

CISM certification does not automatically expire, but you must maintain your certification status by meeting specific requirements:

  • Pay the annual maintenance fee ($45 for ISACA members or $85 for non-members).

  • Earn and report a minimum of 120 Continuing Professional Education (CPE) hours every three years, with a minimum of 20 CPE hours annually.

  • Comply with ISACA's Code of Professional Ethics.

  • Comply with the Annual CPE Audit if you're selected.

If you fail to meet these requirements, your certification will be suspended and eventually revoked. However, ISACA does offer a reinstatement process for lapsed certifications, which involves paying a $50 reinstatement fee plus any unpaid maintenance fees.

[Image: An information systems security manager working on security risk management]

Tips for CISM Exam Success

Follow these tips to maximize your chances of passing the CISM exam on your first attempt:

  • Start with the official materials: Use the ISACA CISM Review Manual as your primary study resource.

  • Take practice exams: Practice questions help you get comfortable with the exam format and identify knowledge gaps.

  • Work with a CISM tutor: Get expert training and personalized lessons tailored to your needs and goals from a qualified CISM tutor.

  • Join a study group: Connecting with other candidates can provide motivation and different perspectives on complex topics.

  • Create a study schedule: Plan at least 12 weeks of consistent study time before your exam date.

  • Focus on weak areas: After taking practice tests, concentrate your efforts on domains where you score the lowest.

  • Understand the context: CISM questions often require you to think from a management perspective rather than a technical one.