Introduction to CISM - Part Three

This course introduces and outlines the CISM (Certified Information Security Management) certification from ISACA. You will learn a little background information about the certification, how you will be assessed, how the exams are structured and carried out, the requirements of the exam, and recommendations for passing. We will also cover how to maintain the certification and the code of ethics that holders of the certification must adhere to. You will also learn about additional resources that can help you when studying for your exams.


Learning Objectives

  • Outline the CISM certification and what to expect when studying for it
  • Learn how the exams are taken and structured
  • Learn some helpful tips for taking and passing the exam
  • Understand the administrative aspects of the exams (enrolment, duration, etc)

Intended Audience

The CISM is intended for those in security, supervisory, or management positions, or for anyone who wants to obtain the CISM certification.


Any experience relating to information security would be advantageous, but not essential. All topics discussed are thoroughly explained and presented in a way allowing the information to be absorbed by everyone, regardless of their experience within the security field.



The ISACA certification exams are computer-based and administered at authorized PSI training centers globally. Exam registration is continuous. This means candidates can register at any time without restrictions. Candidates can schedule a testing appointment as early as 48 hours after payment of exam registration fees.

Upon registration, exam candidates will have a 12-month eligibility period in which to take their exam. It is important to note that the exam registration fee must be paid in full before an exam candidate can schedule and take the exam. Eligibility and registration fees will be forfeited if the candidate does not take the exam during the 12-month eligibility period, if the testing appointment is missed, or if the candidate is more than 15 minutes late for a testing appointment.

Exam registration must be completed online by following these steps: go to exam registration, select the certification exam you wish to take, and then log in to your account or create one if you don't have one. If you're creating an account, please ensure your name is the same as what will appear on the government-issued identification that you'll present on exam day.

Any discrepancies between the two can prevent you from being allowed to take the exam. It's always helpful to see the exam day rules in this document for acceptable forms of ID. Before you register for the exam, it's important to verify that there is a PSI test site near you. You can find these at the website you see there at the bottom of this slide.

Now there are many books and other resources that candidates can use for their test preparation. The books shown are the ones that seem to be the most popular and have the best quality content. The CISM book from ISACA is, of course, the most official of all of these, and it does present the material in a clear and accessible format.

The CISM All-in-One from McGraw Hill is often regarded as one of the better versions of this exam preparation tool, and the essential exam guide to the CISM that you see on the right is also regarded very well. Candidates should be careful, however, in their selection of such materials to ensure readability and correspondence with the CBK as published by ISACA. This will at least ensure coverage of the right domains with current information.

Seeking recommendations from colleagues who have used the various books and study guides written about the CISM (and, for that matter, about any other certification) is probably one of the best and most reliable ways to choose the source that's right for you.

So, some thoughts on studying. I strongly recommend that each candidate read and understand the ISACA exam candidate guide, currently dated June of 2019. Also, you should utilize the additional tools available from Cloud Academy. You should focus on areas of weakness to bring those in line with your areas of strength. And be accountable for your results, which essentially means doing this with the seriousness that succeeding requires.

So again, "What kinds of questions am I likely to see?" may be the question that comes to mind. Candidates should always bear in mind that examination processes, and the exams themselves, are going to evolve over time, adding new things and deleting others. As the exam stands today, it is still presented in a static format. We do expect that the exam will move to an adaptive form at some time in the future. Should that occur, this form of exam may change, possibly considerably.

Here on the slide, you see different forms of questions that may present themselves to you, such as the advanced innovative questions that require drag and drop, hotspot, or the reordering of tasks.

Now, a tutorial of the exam-taking experience will be provided after logging in to the testing station and prior to the start of the exam itself. You should pay close attention to the tutorial so as not to miss any important information. An exam question may require you to choose the appropriate answer based on a qualifier, commonly something like "most" or "best".

It cannot be stressed enough that you need to read each question carefully to understand exactly what is being asked. Failing to do this is the primary factor in getting a question wrong. It's well known that you should make an effort to eliminate the incorrect answers, known as distractors, to improve your chances of choosing the correct one. Once you've identified and eliminated the distractors, you should reread the question to make sure that you are still on the right track and still understand what you're being asked.

Once the distractors are gone, what you will have left will be one answer that is almost correct and the actual correct answer. There is a difference between almost and correct, and it can be a very subtle difference. This emphasizes that reading carefully, and more than once, can only help. Scores are based solely on the total number of questions answered correctly, which is converted to a scaled score with a minimum passing mark of 450 points.

We also advise the following: work steadily, keeping an eye on your remaining time; after all, this is a timed exam, and you have only 240 minutes, or four hours. But keep your focus on the questions and don't be unduly distracted by the time factor.

Another point to bear in mind is that many wrong answers may themselves be true statements. Remember that a statement being true does not necessarily make it the correct answer to the question before you, so be aware of that trap. As I mentioned, you should try to reduce or eliminate answer options before guessing to improve your odds. And you should, without exception, answer every question presented. Leaving a question unanswered is the same as leaving points on the table.

The better you do at eliminating the distractors, so that your choice is between two options instead of four, the better your odds. But a well-calculated guess, at the end of the day, is better than leaving it blank. It's like the old saying in basketball: "You miss a hundred percent of the shots you don't take." So don't fail to answer every single question, even if it's just a guess.

If you have an interest in joining an ISACA chapter, networking, and contributing to the profession on a more regular and formalized basis, you have some options here too. Most certifying organizations have member chapters in most major cities around the world. Local chapters of ISACA, of (ISC)², of the International System Security Association (ISSA), of the Cloud Security Alliance (CSA), and of other cybersecurity organizations provide members with the opportunity to participate in an international network of peers to share knowledge, exchange resources, collaborate on projects, and create new ways to earn CPE credits.

Other opportunities include: engaging in leadership roles in these chapters, earning CPEs by participating in professional activities, participating in co-sponsored events with other industry associations, speaking at industry events or writing articles for publication, and participating in local community outreach projects as part of a public service to educate people about the importance and necessity of information security.

Here you see the set of certifications currently offered by ISACA. More information about them can, of course, be found at the website. At some stage, you may want to investigate these further to see whether a combination of the CISM and any of these others might provide you with a better, more robust combination of knowledge areas.

For example, many CISMs also seek to obtain the CRISC or the CGEIT to augment their knowledge base and provide better, more complete service to their clients and principals. When that time comes, we at Cloud Academy hope you will return and look to us for assistance in preparing for your next certification challenge.

As I mentioned earlier, this is very much a one-sided conversation, though I hope we're able to make it interesting enough that we don't lose your attention. Consequently, you won't be able to ask me your questions directly. But I encourage you to keep track of your questions. These represent very important points for you, and you will want to ensure they get answered somewhere in the course of this training. You will most likely find them answered in the coming modules.

Now let's pause here for a short break before leaping into the next set of slides. Thanks. This is to be continued, so stay with us.



About the Author

Mr. Leo has been in Information Systems for 38 years, and an Information Security professional for over 36 years. He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant. His past employers include IBM, St. Luke's Episcopal Hospital, Computer Sciences Corporation, and Rockwell International. A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center. From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.


Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (in a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004. During this time, he formulated and directed the effort that produced what became, and remains, the standard curriculum used to train CISSP candidates worldwide. He has maintained his professional standards as a professional educator and has trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004. Mr. Leo is an ISC2 Certified Instructor.
