CertPrepNow
ISACA CISM, updated 2026-06-13

CISM Study Guide

Everything you need to pass the ISACA Certified Information Security Manager exam. Structured study plans, key services, common traps, and practice questions.

You Can Pass This Exam For Free

The CISM exam is passable with free resources if you study consistently for roughly 8-14 weeks (the study path below runs 14) and think like a manager, not a technician:

  • ISACA CISM Exam Content Outline (free download from ISACA website)
  • ISACA free self-assessment questions (10 free practice questions)
  • NIST Cybersecurity Framework documentation (free)
  • COBIT framework overview resources (free from ISACA)
  • NIST SP 800-53 security controls catalog (free)
  • NIST SP 800-61 Incident Handling Guide (free)
  • 500+ free practice questions on this site

CISM is a management-focused exam. Free resources cover the technical knowledge, but success depends on learning to answer from a manager's perspective. The ISACA QAE database ($299 for members) is the single most valuable paid resource if you can budget for one purchase.

Choose Your Study Path

You have IT experience but limited information security or management experience. You need to build both security knowledge and the managerial mindset ISACA tests for.

Week 1-2: Study information security governance fundamentals: governance vs management, security strategy alignment with business objectives, governance frameworks (COBIT, ISO 27001, NIST CSF), and the role of the information security manager
Week 3-4: Learn information security risk management: risk identification, assessment methodologies (qualitative, quantitative, semi-quantitative), risk treatment options (mitigate, transfer, accept, avoid), risk appetite vs risk tolerance, and KRIs
Week 5-6: Deep dive into Domain 3 (33% of exam): security program development, resource allocation, asset classification, control design and selection, security awareness training, and third-party risk management
Week 7-8: Continue Domain 3: program metrics and reporting, maturity models (CMMI), stakeholder communication, and integrating security into the system development lifecycle
Week 9-10: Study Domain 4 (30% of exam): incident management readiness, BIA, BCP, DRP, incident response planning, RTO/RPO/MTD metrics, incident classification and severity levels
Week 11: Continue Domain 4: incident response operations, containment strategies, forensic procedures, communication protocols, post-incident review, and lessons learned processes
Week 12: Practice 300+ questions focusing on the managerial mindset. For every question, ask: What would a security MANAGER do, not a technician? Review all incorrect answers carefully
Week 13-14: Take full-length practice exams (150 questions, 4 hours). Target 75%+ before scheduling, the same bar the Exam-Ready Checklist uses. Focus on Domains 3 and 4, which together are 63% of the exam

Exam Overview

Format

150 multiple-choice questions, 240 minutes (4 hours). Most questions are scenario-based and test managerial judgment rather than recall of technical detail.

Scoring

Scaled score 200-800. Passing: 450. No penalty for wrong answers — always answer every question. Scores are scaled, so the raw number of correct answers needed varies.

Domains & Weights

  • Information Security Governance: 17%
  • Information Security Risk Management: 20%
  • Information Security Program: 33%
  • Incident Management: 30%

Registration

Exam fee is $575 USD for ISACA members and $760 USD for non-members. Available year-round at PSI testing centers worldwide or online remote proctored. Appointments are available 48 hours after payment, up to 90 days in advance.

Topic Priority Table

Not all topics are tested equally. Focus your study time on Tier 1 first, then Tier 2. Tier 3 topics rarely appear — just recognize what they do.

Tier 1 (Must Know): You must understand these concepts deeply, know definitions, and be able to apply them in management scenarios. These appear across multiple questions throughout the exam.
Tier 2 (Should Know): Understand what these are and their key characteristics. May appear in 3-8 questions each across the exam.
Tier 3 (Recognize Only): Know what these are at a high level. Rarely more than 1-2 questions each.

Domain 1 (17% of exam)

Information Security Governance

This domain focuses on establishing and maintaining an information security governance framework aligned with organizational goals. You must understand how to develop security strategy, establish governance structures, define roles and responsibilities, and ensure compliance with legal and regulatory requirements. Think of governance as the 'what and why' of security, not the 'how'.

Key Topics

COBIT, ISO/IEC 27001, NIST CSF, Security Strategy, Governance Frameworks, Policy Development, Steering Committees, Board Reporting

Must-Know Concepts

  • Security strategy must align with and support business objectives — security exists to enable the business, not restrict it
  • Governance frameworks (COBIT, ISO 27001, NIST CSF 2.0) provide structured approaches to security management — know how to select and adapt them. NIST CSF 2.0 has six functions: Govern, Identify, Protect, Detect, Respond, Recover
  • Information security governance is the responsibility of the board of directors and senior management, not the IT department alone
  • The information security manager's role includes developing strategy, establishing policies, building the business case for security investments, and reporting to senior management
  • Policies, standards, procedures, and guidelines form a hierarchy: policies are mandatory high-level statements; standards define specific requirements; procedures are step-by-step instructions; guidelines are recommended practices
  • Security governance must address legal, regulatory, and contractual compliance requirements (GDPR, HIPAA, PCI DSS, SOX, etc.)
  • Information security steering committees provide cross-functional oversight and strategic direction for the security program
  • Metrics reported to the board should be business-focused (risk reduction, compliance status) not technical (patches applied, vulnerabilities found)

Common Exam Traps

Governance sets DIRECTION and POLICY. Management EXECUTES. When a question asks about governance activities, choose the strategic answer, not the operational one
The board does not make day-to-day security decisions. The board sets risk appetite and provides oversight. The security manager recommends; senior management decides
Security policies must be approved by senior management or the board, not by the information security manager alone
Framework selection should be based on organizational needs, industry requirements, and regulatory environment — there is no universally 'best' framework
Risk appetite is set at the governance level by the board. The security manager advises on risk appetite but does not set it unilaterally

Quick Check: Information Security Governance

What is the PRIMARY reason for developing an information security strategy?

Domain 2 (20% of exam)

Information Security Risk Management

This domain covers the systematic identification, assessment, evaluation, and treatment of information security risks. You must understand risk assessment methodologies (qualitative, quantitative, semi-quantitative), risk treatment options, risk monitoring through KRIs, and how to communicate risk findings to senior management in business terms. Risk management translates governance strategy into actionable decisions.

Key Topics

Risk Assessment, Risk Treatment, Risk Registers, KRIs, ALE/SLE/ARO, FAIR Framework, Threat Modeling, Vulnerability Management

Must-Know Concepts

  • Four risk treatment options: mitigate (reduce risk to acceptable levels), transfer (shift risk via insurance or outsourcing), accept (acknowledge and monitor within risk appetite), avoid (eliminate the risk-generating activity)
  • Quantitative risk formulas: ALE (Annualized Loss Expectancy) = SLE (Single Loss Expectancy) x ARO (Annualized Rate of Occurrence). SLE is the dollar loss from one occurrence (asset value x exposure factor); ARO is the expected number of occurrences per year. ALE expresses risk in financial terms and is the figure used to justify security investments
  • Qualitative risk assessment uses category-based scales (High/Medium/Low) and is faster but subjective. Quantitative uses dollar values and is more precise but requires reliable data
  • Risk appetite is set by the board. Risk tolerance is the acceptable variation for specific risks. The security manager ensures risks stay within tolerance
  • Risk registers document identified risks, their assessments, treatment decisions, owners, and status. They are living documents updated regularly
  • Key Risk Indicators (KRIs) provide early warning of increasing risk. They are predictive and forward-looking, unlike KPIs which are evaluative
  • Emerging threats (cloud, AI, supply chain, ransomware) must be continuously monitored and incorporated into risk assessments
  • Risk ownership must be assigned to specific individuals or roles. The risk owner is responsible for managing the risk within approved tolerance levels
  • Residual risk is the risk remaining after controls are applied. It must be within the organization's risk appetite to be accepted

Common Exam Traps

The security manager RECOMMENDS risk acceptance — senior management or the risk owner APPROVES it. If you see an answer where the security manager accepts risk unilaterally, it is wrong
Risk can never be completely eliminated. ISACA expects you to understand that risk management is about reduction to acceptable levels, not elimination
ALE is used to justify security investments: a control is cost-justified when its annualized cost is less than the reduction in ALE it delivers (ALE before the control minus the residual ALE after it), not simply less than the total ALE, because most controls leave some risk behind. But do not forget qualitative factors like reputation and regulatory exposure
Risk assessment is an ongoing process, not a one-time activity. The exam tests whether you understand continuous risk monitoring
Transferring risk (insurance/outsourcing) does not transfer accountability. The organization remains accountable even when risk is transferred to a third party
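
As an added worked example (not part of the original study guide), the Python below carries the Domain 2 quantitative formulas through a control-justification decision: it computes SLE and ALE for constructed sample risks, compares the annualized cost of a candidate control with the ALE it removes rather than with the whole ALE, and returns the treatment the security manager should recommend. The asset values, exposure factors, control costs, the `Risk`/`Control` types and the per-risk appetite threshold are all made-up inputs for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Risk:
    """One risk-register entry with the quantitative inputs the ALE formula needs (sample data)."""
    name: str
    asset_value: float       # AV: dollar value of the asset at risk
    exposure_factor: float   # EF: fraction of AV lost in one occurrence, 0.0..1.0
    aro: float               # Annualized Rate of Occurrence: expected events per year

    @property
    def sle(self) -> float:
        # Single Loss Expectancy = AV x EF
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        # Annualized Loss Expectancy = SLE x ARO
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    """A candidate treatment; it may reduce likelihood (ARO), impact (EF), or both."""
    name: str
    annual_cost: float                # annualized cost: licences, staff time, amortized capex
    aro_after: float                  # ARO expected once the control is operating
    ef_after: Optional[float] = None  # EF after the control, when it limits impact


def residual_ale(risk: Risk, control: Control) -> float:
    """ALE that remains after the control is applied (residual risk)."""
    ef = control.ef_after if control.ef_after is not None else risk.exposure_factor
    return risk.asset_value * ef * control.aro_after


def net_benefit(risk: Risk, control: Control) -> float:
    """Annual value of the control: the ALE it removes minus what it costs.

    The comparison is against the ALE reduction, not the whole ALE: a control
    that leaves residual risk behind only earns credit for the part it removes.
    """
    return (risk.ale - residual_ale(risk, control)) - control.annual_cost


def recommend(risk: Risk, control: Control, appetite_ale: float) -> str:
    """Treatment the security manager should RECOMMEND.

    Approval of acceptance stays with the risk owner or senior management;
    appetite_ale is a hypothetical per-risk threshold set by the board.
    """
    if net_benefit(risk, control) > 0:
        return "mitigate"      # the control pays for itself
    if risk.ale <= appetite_ale:
        return "accept"        # not cost-justified, but within appetite
    # Not cost-justified and outside appetite: what is left is transfer
    # (insurance/outsourcing) or avoid (stop the activity), decided above the manager.
    return "escalate"


# Constructed sample risks and controls (illustrative numbers only).
RANSOMWARE = Risk("ransomware on file server", asset_value=2_000_000, exposure_factor=0.25, aro=0.2)
IMMUTABLE_BACKUPS = Control("immutable backups + EDR", annual_cost=60_000, aro_after=0.2, ef_after=0.05)

LAPTOP_THEFT = Risk("unencrypted laptop theft", asset_value=50_000, exposure_factor=0.10, aro=0.5)
ASSET_TRACKING = Control("asset tracking service", annual_cost=10_000, aro_after=0.05)

DC_FLOOD = Risk("data centre flooding", asset_value=1_000_000, exposure_factor=0.5, aro=0.05)
FLOOD_BARRIERS = Control("flood barriers and pumps", annual_cost=40_000, aro_after=0.01)

PER_RISK_APPETITE_ALE = 5_000.0   # hypothetical per-risk threshold set by the board

if __name__ == "__main__":
    for risk, control in [(RANSOMWARE, IMMUTABLE_BACKUPS),
                          (LAPTOP_THEFT, ASSET_TRACKING),
                          (DC_FLOOD, FLOOD_BARRIERS)]:
        print(f"{risk.name}: SLE={risk.sle:,.0f} ALE={risk.ale:,.0f} "
              f"residual ALE={residual_ale(risk, control):,.0f} "
              f"net benefit={net_benefit(risk, control):,.0f} "
              f"-> {recommend(risk, control, PER_RISK_APPETITE_ALE)}")
```

The three sample cases map onto the exam's decision points: the ransomware control removes $80,000 of ALE for $60,000 a year and is recommended for mitigation; the laptop control costs more than the risk it removes while the risk sits inside appetite, so the manager recommends acceptance for the risk owner to approve; the flood control is also not cost-justified but the risk exceeds appetite, so it is escalated rather than quietly accepted.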

Quick Check: Information Security Risk Management

After conducting a risk assessment, the information security manager determines that the cost of mitigating a specific risk exceeds the potential loss. What is the BEST course of action?

Domain 3 (33% of exam)

Information Security Program

The largest domain at 33%, covering approximately 50 questions. This domain tests your ability to develop, implement, and manage an information security program. Topics include resource allocation, asset management, control design and selection, security awareness training, third-party risk management, and program metrics. Master this domain because it represents one-third of the exam.

Key Topics

Control Frameworks, Security Awareness Training, Third-Party Risk Management, Asset Classification, Program Metrics, Maturity Models, SDLC Security, Vulnerability Management

Must-Know Concepts

  • Security program must be aligned with the security strategy (Domain 1) and informed by risk assessment (Domain 2). The program operationalizes governance directives
  • Resource allocation includes people, technology, budget, and time. The security manager must justify resource requests with business cases tied to risk reduction
  • Asset identification and classification determine the level of protection required. Data classification schemes (public, internal, confidential, restricted) drive control selection
  • Controls are classified by function, not ranked in a hierarchy: preventive (stop incidents), detective (find incidents), corrective (fix after incidents), and compensating (alternatives when a primary control is infeasible). Control design selects a mix of these types based on the risk assessment rather than relying on one type
  • Security awareness training must be role-based, regularly updated, and measured for effectiveness. Metrics include completion rates, phishing simulation results, and incident reduction
  • Third-party risk management covers the entire vendor lifecycle: due diligence, contract requirements, ongoing monitoring, SLA compliance, and exit planning
  • Program metrics must be meaningful, actionable, and audience-appropriate. Board-level metrics focus on risk and business impact; operational metrics focus on technical performance
  • Maturity models (CMMI) provide a structured way to assess program maturity across five levels: Initial, Managed, Defined, Quantitatively Managed, Optimizing
  • Security must be integrated into the System Development Life Cycle (SDLC) at every phase, not added at the end. This includes requirements, design, development, testing, and deployment
  • Control testing methods include vulnerability assessments, penetration testing, security audits, and control self-assessments. Regular testing validates control effectiveness

Common Exam Traps

When asked about the FIRST step in developing a security program, the answer is usually understanding the organization's business objectives and risk environment, not selecting technology or controls
Third-party risk is increasingly tested. Do not assume that outsourcing eliminates the need for security oversight — the organization must monitor vendors continuously
Security awareness is about changing BEHAVIOR, not just delivering training. Questions test whether you understand the difference between awareness, training, and education
Program metrics must be reported in business terms to senior management. Technical metrics (patches applied, scans completed) are for operational teams, not the board
Control selection should be based on risk assessment results and cost-benefit analysis, not industry trends or vendor recommendations

Quick Check: Information Security Program

An organization's security awareness training program has high completion rates, but phishing simulation click rates remain unchanged. What should the security manager do FIRST?

Domain 4 (30% of exam)

Incident Management

The second-largest domain at 30%, covering approximately 45 questions. This domain was significantly increased in weight in the 2022 exam update, reflecting the growing importance of incident response. It covers two phases: readiness (BIA, BCP, DRP, IRP, testing) and operations (detection, containment, investigation, recovery, post-incident review). BIA-related questions are among the most heavily tested.

Key Topics

Business Impact Analysis, Incident Response Plan, Business Continuity Plan, Disaster Recovery Plan, Forensic Investigation, Post-Incident Review, Communication Protocols, Tabletop Exercises

Must-Know Concepts

  • BIA identifies critical business functions, assesses disruption impact, and establishes recovery priorities. BIA must be completed BEFORE developing BCP and DRP
  • Recovery metrics: MTD (maximum tolerable downtime: the longest outage a business function can survive, determined by the BIA), RTO (recovery time objective: the target time to restore the supporting systems, which must be set at or below MTD), RPO (recovery point objective: maximum acceptable data loss expressed as time, which drives backup frequency), and MTTR (mean time to recover: a measured average of actual recoveries, used to check whether the RTO is being met). MTD >= RTO always
  • Incident classification and severity levels determine the response procedures, resource allocation, and escalation requirements for each incident
  • Incident response lifecycle: Preparation, Detection/Analysis, Containment, Eradication, Recovery, Post-Incident Review (lessons learned)
  • Containment strategies must balance security needs with business continuity. Complete isolation may cause more damage than the incident itself
  • Chain of custody must be maintained for digital evidence to ensure legal admissibility. Evidence must be collected, preserved, and documented properly
  • Communication protocols define who communicates what to whom during an incident — including internal stakeholders, legal, law enforcement, regulators, media, and customers
  • Post-incident reviews identify root causes, lessons learned, and process improvements. Findings should be incorporated back into the security program and governance
  • BCP/DRP must be tested regularly (at least annually) through tabletop exercises, walkthroughs, simulations, and full interruption tests. Untested plans provide false confidence
  • Incident management feeds back into governance: post-incident findings may require policy updates, risk reassessment, or program changes, creating a continuous improvement cycle

Common Exam Traps

BIA comes FIRST, before BCP and DRP development. If a question asks about the first step in continuity planning, the answer is almost always BIA
MTD must be greater than or equal to RTO. If a question gives an MTD of 4 hours and asks about RTO, it must be 4 hours or less
The security manager does not make public communication decisions alone during an incident. Legal, PR, and senior management must be involved in external communications
Post-incident review should focus on process improvement, not blame assignment. The goal is to prevent recurrence, not punish individuals
Containment is not always about immediately shutting everything down. The exam tests whether you understand proportional response that considers business impact

Quick Check: Incident Management

What should be the FIRST step when developing an organization's business continuity strategy?

Concepts You Must Not Confuse

These pairs appear on nearly every exam. Learn the difference and you'll avoid the most common traps.

Risk Appetite vs Risk Tolerance

Use Risk Appetite when…

The overall level and type of risk an organization is willing to accept in pursuit of its business objectives. Set by the board and senior leadership as a strategic direction.

Use Risk Tolerance when…

The acceptable variation from the risk appetite for specific risks or objectives. A more granular, operational measure of how much deviation from appetite is acceptable.

Exam trap

Risk appetite is the STRATEGIC level set by leadership (how much risk overall). Risk tolerance is the OPERATIONAL acceptable range for specific risks. Appetite is broad; tolerance is specific. The exam tests this distinction repeatedly.

Governance vs Management

Use Governance when…

Setting direction, establishing policies, and ensuring accountability. The board and senior leadership govern by defining objectives and monitoring outcomes.

Use Management when…

Executing, implementing, and operating. Security managers manage by carrying out the governance directives, implementing controls, and running day-to-day operations.

Exam trap

Governance is WHAT should be done and WHY. Management is HOW it gets done. CISM tests your ability to distinguish between governance activities (setting policy, defining strategy) and management activities (implementing controls, running operations).

BCP (Business Continuity Plan) vs DRP (Disaster Recovery Plan)

Use BCP (Business Continuity Plan) when…

Comprehensive plan for maintaining or resuming all critical business operations during disruptions, including people, processes, facilities, and technology.

Use DRP (Disaster Recovery Plan) when…

A subset of BCP focused specifically on restoring IT systems, infrastructure, and data. Technical recovery of computing and communication capabilities.

Exam trap

BCP is BUSINESS-focused and broader in scope. DRP is IT/TECHNOLOGY-focused and is a component of BCP. The exam tests whether you understand that DRP is part of BCP, not a separate parallel activity.

KRI (Key Risk Indicator) vs KPI (Key Performance Indicator)

Use KRI (Key Risk Indicator) when…

Forward-looking metrics that provide early warning signals of increasing risk exposure. Used to detect potential problems before they materialize.

Use KPI (Key Performance Indicator) when…

Backward-looking metrics that measure the effectiveness and performance of security controls and programs. Used to evaluate whether objectives are being met.

Exam trap

KRIs are PREDICTIVE (early warning). KPIs are EVALUATIVE (performance measurement). The exam may describe a metric and ask you to classify it. A rising count of failed login attempts is a KRI; the percentage of systems patched within SLA is a KPI.

Qualitative Risk Assessment vs Quantitative Risk Assessment

Use Qualitative Risk Assessment when…

Categorizes risks using descriptive scales (High/Medium/Low) based on expert judgment. Faster and easier to perform but subjective.

Use Quantitative Risk Assessment when…

Assigns numerical monetary values to risks using formulas like ALE = SLE x ARO. More objective and precise but requires reliable data and more effort.

Exam trap

Qualitative is faster and uses categories. Quantitative uses dollar values and formulas. The exam tests when each is appropriate: quantitative for financial justification to the board; qualitative for rapid initial assessment.

RTO (Recovery Time Objective) vs RPO (Recovery Point Objective)

Use RTO (Recovery Time Objective) when…

The maximum acceptable time to restore a system or process after a disruption. Answers: How quickly must we recover?

Use RPO (Recovery Point Objective) when…

The maximum acceptable amount of data loss measured in time. Answers: How much data can we afford to lose?

Exam trap

RTO measures TIME to recover. RPO measures DATA loss. Both are determined by BIA, but they drive different decisions: RTO drives recovery speed requirements; RPO drives backup frequency. MTD must always be >= RTO.

Vulnerability vs Threat

Use Vulnerability when…

A weakness or flaw in a system, process, or control that could be exploited. Examples: unpatched software, misconfigured firewall, lack of training.

Use Threat when…

Any potential cause of an unwanted incident that may exploit a vulnerability. Examples: hackers, natural disasters, insider threats, malware.

Exam trap

A vulnerability is a WEAKNESS. A threat is an ACTOR or EVENT that exploits weaknesses. Risk exists when a threat can exploit a vulnerability with business impact. The exam tests this fundamental relationship.

Preventive Controls vs Detective Controls

Use Preventive Controls when…

Controls that stop security incidents from occurring. Examples: firewalls, access controls, encryption, security awareness training.

Use Detective Controls when…

Controls that identify security incidents after they occur or while in progress. Examples: intrusion detection systems, log monitoring, audit trails.

Exam trap

Preventive controls STOP incidents. Detective controls FIND incidents. A complete security program needs both. The exam may also test corrective controls (fix after incident) and compensating controls (alternative when primary control is not feasible).

Top Mistakes to Avoid

Answering from a technical perspective instead of a management perspective — CISM tests what a MANAGER would do, not what a technician would implement
Choosing to 'accept risk' without senior management approval — the security manager recommends risk acceptance, but senior management or the risk owner must approve it
Confusing governance (setting direction and policy) with management (implementing and operating) — this distinction is fundamental to every CISM domain
Selecting the most technically secure answer instead of the most business-appropriate answer — ISACA expects cost-benefit thinking and business alignment
Mixing up BCP (business operations continuity) with DRP (IT systems recovery) — DRP is a subset of BCP, not a separate activity
Confusing risk appetite (strategic level, set by board) with risk tolerance (operational variation acceptable for specific risks)
Forgetting that BIA must come BEFORE developing BCP and DRP — BIA establishes what is critical and how quickly it must be recovered
Not understanding that accountability cannot be delegated — while tasks can be delegated, ultimate accountability stays with senior management
Confusing KRIs (forward-looking risk warning signals) with KPIs (backward-looking performance measurements)
Assuming risk transfer through outsourcing or insurance eliminates the organization's accountability — accountability always remains with the organization
Overlooking that the security manager's role is to advise and recommend to senior management, not to make final decisions unilaterally
Using pre-2022 study materials with outdated domain weights — Domain 4 (Incident Management) increased significantly from 19% to 30%

Exam-Ready Checklist

Can explain all 4 CISM domains and their relative weights (17%, 20%, 33%, 30%) and have allocated study time accordingly
Have internalized the management mindset: for every question, think about what a MANAGER would do, not a technician
Can distinguish between governance activities (setting policy, defining strategy) and management activities (implementing controls, running operations)
Know all four risk treatment options (mitigate, transfer, accept, avoid) and when each is appropriate based on business context
Can calculate ALE using the formula ALE = SLE x ARO and explain quantitative vs qualitative risk assessment trade-offs
Understand the BIA-BCP-DRP sequence: BIA first, then BCP and DRP based on BIA findings
Can define RTO, RPO, MTD, and MTTR and explain their relationships (MTD >= RTO)
Know the incident response lifecycle phases and what happens at each stage
Understand third-party risk management across the full vendor lifecycle
Can explain security program metrics appropriate for different audiences (board vs operational teams)
Know the five CMMI maturity levels and can identify which level an organization is at based on scenario descriptions
Understand that the security manager recommends and advises — senior management decides and the board sets risk appetite
Have completed 500+ practice questions and scored 75%+ on at least two full-length practice exams (150 questions)
Reviewed all incorrect answers with focus on understanding WHY the ISACA-preferred answer is correct from a management perspective

Recommended Resources

Free & Official Resources

Paid Courses & Practice Exams

These are recommended if you prefer a structured learning path. They can save time but are not required to pass.

Frequently Asked Questions