ISACA · Management · Governance

CISM — Certified Information Security Manager

ISACA's flagship management certification. CISM is the credential of choice for security managers, GRC leaders, and aspiring CISOs in audit-heavy industries.

// exam format
150 multiple-choice items, 4 hours, scaled score 450/800 to pass
// cost
≈ £580
// prerequisites
  • 5 years IS experience, 3 in management across 3+ CISM domains
  • Substitutions available for CISSP, CISA, MS in IS, etc.
CISM is built around four management-centric domains and is the most common 'second cert' after CISSP for leaders in financial services, audit, and regulated sectors. It assumes 5 years of information security work, including 3 years in a management role across at least three of the four domains. Where CISSP is technically broad, CISM is operationally deep on governance, risk, programme, and incident management. ## What the exam covers - Information Security Governance - Information Security Risk Management - Information Security Program - Incident Management ## Prerequisites - 5 years IS experience, 3 in management across 3+ CISM domains - Substitutions available for CISSP, CISA, MS in IS, etc. ## Study plan Plan 8–12 weeks. ISACA Review Manual + QAE database (1,000+ Qs) are non-negotiable; supplement with Hemang Doshi's CISM videos for governance fluency. Drill until you can explain ANY answer in terms of 'best aligns with business objectives'. ## Cost (UK 2026) Exam fee approx. £580 (vendor list price; bundles + corporate discounts vary). ## Format 150 multiple-choice items, 4 hours, scaled score 450/800 to pass

Frequently asked questions

CISM or CISSP for a CISO role?

Both are commonly required. CISM is preferred where the CISO reports to audit/risk; CISSP is preferred where the CISO reports to engineering or CTO. Most senior CISOs hold both within 2–3 years.

How long does CISM certification last?

3 years. Maintain via 20 CPE hours/year and 120 over 3 years, plus a £35–£70 annual maintenance fee.

Is CISM accepted in the UK?

Yes — recognised by NCSC's CCP scheme as evidence of competence and listed across UK CISO/Head of Security adverts on LinkedIn and CW Jobs.

What is the CISM pass rate?

ISACA does not publish official rates but community estimates place first-time pass around 50–60%.

Practice CISM — Certified Information Security Manager interview questions

Run AI-graded mock interviews keyed to the CISM — Certified Information Security Manager body of knowledge.

Start free
// related
cisogrc-analystsecurity-consultantincident-responderframework · iso-27001framework · nist-csf