SecProve
LeadershipVendor-neutralISO 17024ISACA· issued from US

CISM

Certified Information Security Manager

Security program management, risk, governance, and incident governance. The manager / CISO-track signal.

Official page at ISACA↔ Compare with another cert
Exam fee
$760
Ongoing
$45/yr AMF · 40 CPE/yr
Study time
100–200 hrs
Delivery
Test center
Validity
3 yrs (renewal cycle)

› Quality score

27.5 / 40

Four-axis SecProve rubric, each 0–10. SecProve editorial assessment — each axis carries a written justification so you can push back on any single call without dismissing the whole score.

Blueprint rigor
How well-defined and rigorous the exam blueprint is.
Four practice areas with detailed task statements, ISO 17024, refreshed regularly.
9.0/10
Practical evidence
Hands-on labs / written reports vs pure MCQ.
Pure MCQ. No tabletop, no playbook artefact — the management focus shows.
1.0/10
Currency & upkeep
How aggressively content is kept current with the field.
Job-practice areas refreshed in 2022 with continuous CPE-driven updates.
8.5/10
Market recognition
How often this signal actually moves a hiring decision.
The default manager / CISO-track signal; appears on most security-leadership listings. [Holders: 70k, 2024-12] [DoD 8140 listed]
9.0/10

› Market signals

public, citable inputs to the recognition score
Holders worldwide
70,000
as of 2024-12 · source
DoD 8140 baseline
Listed
IAM-II, IAM-III, CSSP-Manager

› Built for these roles

Information Security ManagerCISO / Deputy CISOSecurity Program ManagerIT Risk Manager

› Exam format

150 multiple-choice questions over 4 hours, English plus several other languages. Pearson VUE proctored. Application requires verified work-experience attestation in addition to passing the exam.

Passing score
450/800 (scaled)
Retake policy
Fee: $575 per attempt
Wait: 30d between attempts
Cap: 4 attempts/year

ISACA member $575 / non-member $760. 4 attempts per rolling 12-month window.

› Recertification

120 CPE hours over the three-year cycle (avg 40/yr, minimum 20/yr) plus the $45/yr maintenance fee for ISACA members ($85/yr non-members). Late renewal triggers a one-year suspension before reinstatement.

› 3-year cost of ownership

Exam (1×)
$760
AMF (3×)
$135@$45/yr
Total
$895

Excludes study materials, training, retake risk, and lost-wage opportunity. Use as a floor estimate.

› NICE Framework work roles

The NIST NICE work-role IDs this cert maps to. NICCS lookup.

OG-WRL-007OG-WRL-010OG-WRL-014
Recognition
GlobalUSEUUKDACH
Exam languages
enjazhes

› Core domains covered

The 3 domains this cert is centrally about. Passing the exam demonstrates working knowledge of each.

A1Governance, Risk & Compliance

Risk frameworks (NIST RMF, ISO 31000, FAIR), policy development, audit, regulatory compliance, third-party risk.

A18Security Leadership

Cyber risk quantification, board communication, security program development, budget & ROI.

A7Incident Response & Forensics

IR playbooks, memory/disk/network forensics, chain of custody, malware analysis.

› Also touched

Present in the blueprint but not the primary focus — you’ll be introduced but shouldn’t expect depth.

A12Data Security, Privacy & Protection

Data classification, encryption-at-rest/in-transit, DLP, tokenization, privacy-by-design, plus the regulatory stack (GDPR, CCPA, HIPAA) that sets the bar.

A13Supply Chain Security

SBOM, vendor risk assessment, software supply chain attacks, dependency management.

A25Security Architecture & Engineering

Reference architectures, control frameworks (NIST SP 800-53, CIS Controls), secure-by-design patterns, threat modeling, trust-boundary design, technology standards.

› Known coverage gaps

Domains this cert does not meaningfully address. Plan follow-up learning here if your role touches any of them.

A4Application SecurityA5Cloud SecurityA9Penetration Testing & Red TeamingA11Detection Engineering & Threat HuntingB1AI-Powered Threat DetectionC1Adversarial Machine Learning

› Prerequisites

Experience

Five years of information-security management experience, with at least three years across the CISM job practice areas.

Knowledge assumed
  • Security governance and program management
  • Risk management frameworks
  • Incident management governance

› Progression

requiredrecommended

Where this cert fits in the typical learning path. Required edges are vendor-gated; recommended edges reflect de facto industry progression.

Required prereqs (0)

No vendor-gated prereqs.

Recommended priors (2)
CISSPISC2Security+CompTIA
CISM
ISACA
Required by (0)

No certs require this one.

Recommended next (3)
AAISMISACACGEITISACACCISOEC-Council

› Study materials

Curated starting points. Not exhaustive — vet each against your learning style and the current exam version.

Official guides
Training providers
Practice tests
Free / community

› Version & lifecycle

Current version
2022 job-practice analysis
Released
2022-06

Four domains: governance, risk management, program development, incident management.

› Salary signal

Information security manager / director, US, 5+ years.

$130K$190K
median $155K
+11% reported cert premium

ISACA Salary Survey + Robert Half Salary Guide · 2024 · US base only · p25–p75 range

› How it compares

vs
CISSP

Broader senior-IC + architecture coverage vs CISM's narrower security-management focus.

↔ Compare side-by-side
vs
CGEIT

IT-governance scope (CGEIT) vs CISM's tighter security-program scope.

↔ Compare side-by-side

› Careers that commonly pursue this cert

GRC / Compliance Analyst

Manage risk, ensure regulatory compliance, and build governance frameworks. Where security meets business strategy.

CISO / Security Leader

Lead security strategy, communicate risk to the board, and build security programs. Executive-level cybersecurity leadership.

See this cert’s domains highlighted on the interactive map, or compare it against the rest of the catalog.

Highlight on the domain mapBrowse all certifications