ISACA CISM

Information security governance, risk management, program development, operations, and incident management.

CISM exam facts: 150 official questions, 240 min official duration, 70% practice target.

    How to use this practice bank

    Start with mixed, untimed sessions to identify weak areas. Then use focused difficulty sessions and gradually increase the question count and timer until you can sustain the pace of the official exam.

    2026 Exam Guide

    ISACA CISM Study Guide

    Current exam coverage, candidate guidance, important topics, and practical preparation advice for the CISM exam.

    What Is ISACA CISM?

    ISACA CISM is a management-focused information security certification for professionals who govern, build, and manage security programs. It emphasizes aligning security with business objectives, managing information risk, developing security programs, and responding to incidents.

    Unlike technical operations exams, CISM questions often ask what a security manager should do first, who should own a decision, how risk should be communicated, or how a program should be measured. In 2026, candidates should understand governance, enterprise risk, policy, metrics, third parties, incident management, and executive reporting.

    Who Should Take This Exam?

    CISM is intended for security managers, risk leaders, governance professionals, consultants, auditors, and experienced security practitioners moving into leadership.

    Candidates should be comfortable with risk language, business alignment, policy ownership, program development, and incident governance. It is not primarily a hands-on technical configuration exam.

    Exam Domains

    Information Security Governance (Core): Strategy, policies, roles, metrics, and alignment with enterprise objectives.

    Information Security Risk Management (Core): Risk identification, assessment, treatment, ownership, and communication.

    Information Security Program (Core): Program development, resources, controls, architecture, and third-party integration.

    Incident Management (Core): Readiness, response, escalation, communication, recovery, and lessons learned.

    Common Topics Covered

    • Governance
    • Risk appetite
    • Risk treatment
    • Security strategy
    • Policy framework
    • Metrics
    • Third-party risk
    • Incident response
    • Program management
    • Executive reporting

    Study Tips

    Answer from the perspective of an information security manager. The best answer often involves governance, risk ownership, communication, or process before a specific tool.

    Practice identifying stakeholders, escalation paths, and risk decisions. Know the difference between accepting, mitigating, transferring, and avoiding risk, and who has authority to choose each path.

    Practice Questions Overview

    Certoga's CISM questions focus on governance and management judgment. Use them to practice choosing the action that best supports business risk management and security program maturity.