How many questions are on the CISM exam?

The CISM certification from ISACA is a globally accepted standard of achievement in cybersecurity management, conveying that certification holders adapt technology to their enterprise and industry.

Exam Details

Certification CISMPerformance-based QuestionsNoExam Length4 Hours, 150 QuestionsExperience LevelManagerPre-requisites5 years experienceExam Price $575 member/ $760 non-memberPassing Score 450 (out of 800)

1. General CISM Exam FAQs

• How long is the CISM exam?

  The CISM exam has a time limit of 4 hours.

• Where can I take the CISM exam?

  Exams are administered at PSI testing locations worldwide. Visit www.isaca.org/examlocations for a listing of the current exam sites. Please note that this list is subject to change as ISACA and its testing vendor (PSI) continue to identify and develop additional testing sites to further increase the network available to candidates.

• Can I review answers before the end of the test?

  Yes. You can review answers and flag questions you want to review before your time is completed.

• When will I receive my exam results?

  Candidates will receive a preliminary score on screen at the conclusion of their exam. Candidates do not receive a printout of these results on site. Official results are emailed to candidates within 10 working days of the exam. To ensure the confidentiality of scores, exam results will not be released by telephone or fax.

• Do I need to apply for another exam voucher if I need to retake the exam?

  Yes, but you will not need to go through the eligibility application process again.

• What are the eligibility requirements for CISM certification?

  The requirements for the CISM certification are listed on ISACA’s website here: https://www.isaca.org/

• What qualifications are required to earn the CISM certification?

  Qualifying for CISM requires a combination of four “e’s”: experience, ethics, education and exam. Specifically, the requirements are:

  1. Earn a passing score on the CISM exam
  2. Adhere to the ISACA Code of Professional Ethics
  3. Commit to abide by the Continuing Professional Education Policy
  4. Submission of verified evidence of a minimum of five years of information security work experience, with a minimum of three years of information security management work experience in three or more of the job practice areas. Waivers for general information security work experience are available, if certain education or certification requirements are met.

• Who is eligible to become CISM certified and what makes CISM unique?

  CISM is unique in the information security credential marketplace because it is designed specifically and exclusively for individuals who have experience managing an information security program. Experience requirements and the CISM exam are based on the experience required to competently perform the duties and responsibilities of an information security manager. These requirements and the tasks and knowledge that are tested were developed by information security leaders and later validated by subject matter experts and information security managers. The requirements are designed to measure an individual’s management experience in information security situations, not general practitioner skills.

• How much is the exam voucher?

  The retail price of the CISM exam voucher is $575 for ISACA members and $760 for non-members. We provide the CISM exam voucher for an additional $500 with every course registration, regardless of ISACA membership. 

• How long is the exam voucher valid?

  The exam voucher is valid for 1 year from date of voucher release.

• How is the CISM exam scored?

  ISACA uses a 200-800 point scale with 450 as the passing mark for the exams. A scaled score is a conversion of the raw score on an exam to a common scale. It is important to note that the exam score is not based on an arithmetic or percent average. For example, the scaled score of 800 represents a perfect score with all 150 questions answered correctly; a scaled score of 200 is the lowest score possible and signifies that only a small number of questions were answered correctly.

  A candidate must receive a scaled score of 450 or higher to pass the exam. A score of 450 represents a minimum consistent standard of knowledge as established for the exam by the respective ISACA Certification Committee. The passing score of 450 represents the minimum number of questions that must be answered correctly by the candidate in order to demonstrate practical application of the job task and knowledge statements. A candidate receiving a passing score may then apply for certification if all other requirements are met.

• Are there any fees to apply for certification?

  The application processing fee of US $50 will be required to apply for certification. Payment for the CISM application processing fee can be made online at https://www.isaca.org/cismpay.

• Can I take the CISA, CRISC, CISM and CGEIT and exams in the same exam window?

  Yes you may take one each of CISA, CRISC, CISM and CGEIT within the same window. You may NOT take the same certification exam more than one time within a window. For example, you may take both the CISA and CRISC in the same window, but you would not be allowed to take the CISA exam more than one time in the same window.

• Where can I find the application for CISM certification?

  CISM applications are located on ISACA’s website here: https://www.isaca.org/.

• What does the CISM continuing professional education policy require?

  In order to become and remain a CISM an individual must agree to comply with the CISM continuing professional education policy. This policy requires an individual to earn a minimum of twenty (20) continuing professional education hours annually and one hundred and twenty (120) continuing professional education hours for every three year cycle. In addition, an annual maintenance fee of US $45 ISACA member and US $80 nonmember is required.

• Will CISAs qualify for CISM?

  The CISM certification program recognizes the achievement of the CISA credential as a baseline representation that an individual has gained general information security skill and knowledge. As such, CISAs receive a two-year general information security waiver. However, CISAs will not be eligible to earn a CISM unless they have the required experience and can demonstrate proficiency and practical knowledge in the role of an information security manager.

• What constitutes information security management experience for CISM Certification?

  Information security management is a broad field, and encompasses many specialties within the security profession. ISACA categorizes these management activities into four areas, as defined in the most recent Job Task Analysis. Each area is broken into discrete tasks, and each task is further broken down into the supporting knowledge required to perform each task. In order to qualify for the CISM certification, the CISM candidate must have a minimum of five years of information security experience, of which three or more years must be information security management work. Note that the requirement does not dictate that the individual must have a specific position that designates them as a CISO or any other specific security management title. However, for those that do not have this designation, the role that they perform must clearly map to tasks within 3 of the 4 management areas as defined in the CISM Job Task Analysis. While less common these days, there are still organizations that have individuals in hybrid roles that include duties of an information security manager along with other unrelated responsibilities. This is particularly true in smaller organizations that do not have sufficient staff for an information security department or dedicated role. Note that audits, reviews, gap analysis, or other activities that assess the effectiveness of an information security program that is managed by others do not fully meet the standard for information security management. For more information, see the question below regarding audit experience.

• Regarding the three (3) years of required information security management experience needed for certification, must I have 3 years of experience in each of three or more areas, or can I have one year in each of three different areas?

  The minimum acceptable time is 1 year of experience in each of at least 3 of the 4 areas (and an additional two years general information security experience or a combination of time and qualifying educational or certification substitutions that are listed on the CISM Application).

• Will CISSPs and other security credential holders qualify for CISM?

  The CISM certification program recognizes the achievement of the CISSP credential as a baseline representation that an individual has gained general information security skill and knowledge, just as it does with individuals who have earned a CISA. As such, CISSPs receive a two-year general information security experience waiver.

• What are the prerequisites and are there any exceptions to the 5 year requirement?

  To earn the CISM credential you need five years of information security work experience, with a minimum of three years of information security management work experience in three or more of the job practice analysis areas. The work experience must be gained within the ten-year period preceding the application date for certification or within five years from the date of originally passing the exam.

  There are exceptions and substitutions allowed for the 5-year requirement as follows:

  Two Years:

  • Certified Information Systems Auditor (CISA) in good standing
  • Certified Information Systems Security Professional (CISSP) in good standing
  • Post-graduate degree in information security or a related field (e.g., business administration, information systems, information assurance)

  One Year

  • One full year of information systems management experience
  • One full year of general security management experience
  • Skill-based security certifications (e.g., SANS Global Information Assurance Certification (GIAC), Microsoft Certified Systems Engineer (MCSE), CompTIA Security +, Disaster Recovery Institute Certified Business Continuity Professional (CBCP), ESL IT Security Manager)
  • Completion of an information security management program at an institution aligned with the Model Curriculum
  • The experience substitutions will not satisfy any portion of the three-year information security management work experience requirement.

  Exception: Two years as a full-time university instructor teaching the management of information security can be substituted for every one year of information security experience.

• What does a CISM “in good standing” mean?

  In order to be a CISM “in good standing”, the following must be achieved:

  • Certification granted from the corresponding Board, resulting from an approved application
  • Continuing professional education is current and up-to-date
  • All renewal fees/maintenance payments are current
  • Continued compliance with the ISACA’s Code of Professional Ethics

2. CISM Course FAQs

• The course length depends largely upon your personal preference. The On-Demand course can take anywhere from just a few weeks on an accelerated schedule to the full six months of access we provide to the course.  In short, this course is designed to fit around your busy schedule.

• Who are the instructors of the course?

  CyberVista instructors are ISACA authorized and CISM certified.  Our instructors, working cybersecurity practitioners, deliver over dozens of hours of live and on-demand videos throughout the duration of the course.

• What is light board technology?

  Light board technology uses an illuminated glass pane between the instructor and the camera that allows the instructor to illustrate concepts while remaining face-to-face with students. We use a light board during our instruction so you can follow along in real time while your instructor demonstrates important topics in cybersecurity. Though we do use PowerPoint in our lessons, there is no “death by PowerPoint” in our course.

• How many practice questions are available?

  There are more than 1,000 practice questions available to those who enroll in the live online CISM training course. Students can use both the supplied question banks as part of the course pack as well as the digital question bank in the learning management system to prepare for the exam.

• When will I receive access to the LMS following enrollment?

  You will receive login credentials for the LMS and your diagnostic exam the week prior to the start of the course.

• How long will I have access to the learning management system (LMS)?

  You will have unlimited access to content-specific videos addressing all domains for up to 6 months following your registration. There are no time limits on daily use and you are able to review previously reviewed content at any time.

• How do I receive the materials included in the study pack?

  While enrolling in the course on shop.cybervista.net you will provide a shipping address. The CyberVista team will use this address to send a package containing your books and other course materials prior to the first live class session. Electronic materials will also be available through the learning management system (LMS) the week prior to the course start date.

• What is the diagnostic exam and how does it work?

  The diagnostic exam is a 100 question online, multiple-choice practice test that will help you to uncover what you already know and where you should focus your efforts in order to perform well on CISM exam.  We use the results of your diagnostic exam to deliver you a personalized and efficient study plan for the duration of the course. In addition to the questions of the exam, we also include a short survey to learn more about you and how you study.

  You will take this diagnostic in the week prior to your first live online class. You can self-administer the diagnostic exam as soon as your instructor has delivered your credentials to access the learning management system (LMS).

• Is there a cancellation or refund policy?

  Please note sessions are defined as usage of online resources including the diagnostic, or proctored exams.

  • Cancellation before any session, 100% fees are refunded (less shipping & handling fee).
  • Cancellation before two sessions, 75% fees are refunded (less shipping & handling fee).
  • Cancellation before three sessions, 50% fees are refunded (less shipping & handling fee).
  • Cancellation after third session, there will be no refund.

  A refund will be processed after all student materials are returned to CyberVista.

• What is the Readiness Guarantee?

  The Readiness Guarantee allows for a free course re-take if life gets in the way. If you don’t feel ready to take the exam or if you do not pass your exam, then you may re-take the course.

  How many questions are on the CISM test?

  The CISM exam contains 150 questions and the maximum allotted time to complete it is four hours. ISACA uses a 200- to 800-point scale, and a scaled score of 450 is the passing score. This converted raw score is aligned to a scale and not to a percentage or arithmetic average.

  What is the pass rate for CISM?

  A CISM certification is highly sought after and provides you with international recognition. However, passing the exam is no easy task. With only a 50-60% first-time pass rate, it's clear that this is a difficult exam. The exam questions are challenging and will put your technical expertise to the test.

  Is it easy to pass CISM?

  It is not at all easy to pass the CISM exam. It's evident that this is a challenging exam with only a 50-60% first-time passing rate. The questions on the exam are difficult and will put candidates' technical and analytical knowledge to the test.

  Is CISM exam open book?

  Yes. The EXAM is “open book.” That means the person taking the exam can use whatever published CISM resources that are available. This means books, journal articles, study guides, audio and video publications can all be used as resources to assist the person in answering the EXAM questions.