Ready to Start Your Career?

How To Prepare For The CISM Exam

Cybrary Staff's profile image

By: Cybrary Staff

September 10, 2021

Before taking a CISM exam, candidates must have acquired in-depth knowledge of modern information security programs and broader business goals.

Summary: Becoming a Certified Information Security Manager (CISM) demonstrates the ability of candidates to develop and manage cybersecurity strategies and systems and the enterprise level. However, earning the certification requires at least five years of professional experience and ample training and preparation.

The Certified Information Security Manager (CISM) accreditation is granted by the US-based nonprofit organization ISACA. It is often compared to the certified information systems security professional granted by (ISC)2, but some key differences exist. While CISSP encompasses information security management, technology, and design, CISM is all about governance and management. To that end, they complement, rather than compete with, one another.

Given the rapidly changing technology and cybersecurity landscape, getting into the industry is no easy feat. It demands dedication, experience, and an ample amount of training. However, earning the CISM certification makes candidates highly sought-after, with salaries well into the six figures in North America. CISM, in particular, is a valuable certification for those interested in positions like Chief Information Security Officer since it demonstrates a deep understanding of the relationship between information security and broader business goals and priorities.

The exam itself consists of 200 questions, and candidates are given four hours to complete it. There is an exam fee of $575 for ISACA members or $760 for non-members. The format is similar to most other information security certifications, consisting of multiple-choice questions.

The exam covers four domains:

  • Domain 1: Information Security Governance (24%)
  • Domain 2: Information Risk Management (30%)
  • Domain 3: Information Security Program Development and Management (27%)
  • Domain 4: Information Security Incident Management (19%)

While candidates can take the exam any time they want, a pass by itself does not mean they will automatically earn a certification. Candidates will also need to have at least five years of full-time work experience in the job roles defined by ISACA.

Training study solutions for the CISM exam

Since it costs at least $575 to take the exam and can only be retaken a limited number of times, candidates should ensure they are adequately prepared. There are many ways that candidates can prepare for exam day, and the most suitable method largely depends on the personal preferences and availability of the candidate. Options include self-paced online learning, in-person training, or online expert instruction.

Self-paced online learning is the best choice for most people, particularly those already in full-time employment. This approach works better for most employers since it is cheaper and more flexible than sending employees to in-person boot camps and seminars. It offers a cost-effective way to upskill employees while filling the global information security skills gap instead of finding and hiring accredited professionals from scratch.

Before committing to the exam, candidates should also take the free self-assessment exam available on the ISACA website. Moreover, during the weeks leading up to the exam, it is highly advisable to take several practice tests to get accustomed to the exam structure and familiar with the types of use cases, and questions candidates can expect in the real thing.

Understanding the CISM domains

Although the CISM framework only consists of half of the number of domains of CISSP, that does not mean it requires any less studying. Unlike the CISSP, the CISM focuses exclusively on management and governance rather than the technicalities of things like asset security or software development. Candidates will need in-depth knowledge across all the domains.

Information security governance (ISG)

Comprising 24% of the exam scope, this domain concerns the relationship between security and business priorities. It focuses heavily on value delivery, aligning it with business leadership. For example, it considers whether the cost of a security solution is proportional to the value of an asset. To that end, it covers components like performance metrics, business strategy, and the development of business cases to support investments in information security.

Information risk management (IRM)

Comprising 30% of the exam, this is the largest domain in the CISM framework. Candidates will learn how an organization’s risk-management strategy relates to its IT infrastructure, which means they will also need to understand how business priorities are related to security. Two of the main concepts covered in this domain include defining recovery point objectives (RPOs) and recovery time objectives (RTO) to determine how much data a company can afford to lose and how much downtime it can tolerate.

Information security program development and management (ISPDM)

Comprising 27% of the exam content, this domain covers the direction, documentation, and monitoring of activities related to information security in support of broader business priorities. Candidates will learn how to develop and maintain information security programs that align with business goals. Unlike the other domains, this one caters more towards the technical side of things, such as access control, encryption, and configuration management.

Information security incident management (ISM)

Although the fourth and final domain only comprises 19% of the exam content, it is considered by many experts to be the most important. This domain focuses on mitigating security incidents to minimize their impact on a business. As such, it covers disaster recovery planning, incident response planning, and business continuity. Candidates will also learn about the pros and cons of the various types of recovery sites and methods.

How long does a CISM exam preparation training course take?

It is strongly recommended that candidates first take an exam preparation training course to refresh their knowledge of the CISM certification domains. Depending on the training study solution chosen, this should take a few weeks, with a view to completion a week or two before the scheduled exam date.

Cybrary for Teams is an all-one-one workforce development platform that helps organizations develop stronger cybersecurity skills, prepare for new certifications, and track team progress. Enroll your team in our CISM course today!

Schedule Demo