ISACA's CISM Certification Celebrates 20 Years with Increased Focus on Management of Security Programs and Incident Management

Schaumburg, Ill. (April 14, 2022) — In a challenging landscape marked by the global pandemic and increased threats, many businesses and boards have learned the hard way the importance of risk management, governance, business continuity planning and resilience. The Certified Information Security Manager® (CISM®) certification from ISACA, celebrating its 20th anniversary this year, has updated its exam content to reflect the changing focus areas of information security practitioners.


The enhanced CISM exam content outline reflects the changes in practitioner needs to include emerging technology, and incident containment and eradication. The main changes are related to the weighting of the domains, the format of the exam content outline itself, and the phases of incident response in the incident management domain. The updated CISM exam will launch on 1 June 2022, and the last date to take the current exam is 31 May 2022.


The domains remain the same—1) information security governance, 2) information security risk management, 3) information security program and 4) incident management. However, they are now weighted at 17 percent, 20 percent, 33 percent and 30 percent, respectively, with more emphasis placed on the information security program (both development and management), as well as incident management.


The format of the exam content outline has also been revised. It is now organized around subtopic statements, which reflect the knowledge associated with the current practice of information security professionals, supported by task statements that describe the activities or actions applying that knowledge in a given area, rather than around task statements alone. A key difference from the previous exam content outline is in the incident management domain, which now lists the phases of incident response as specific knowledge topics: investigation, containment, eradication and recovery, and incident response communications.


"Since CISM was introduced 20 years ago, ISACA has continuously examined the evolving role of the information security practitioner and the changing dynamics and responsibilities they face as a result of new technology and security threats," said Kim Cohen, ISACA senior director, credentialing. "As the thought leader in digital trust, ISACA is committed to providing information security professionals worldwide with leading edge credentials, training and resources at every step in their career journey, and as part of that commitment, we continuously adjust the questions asked on our CISM certification exam to ensure candidates are assessed on the most relevant information security practices."


New exam prep is now available, including the CISM Review Manual, 16th Edition (print edition and e-book), the CISM Online Review Course, the CISM Review Questions, Answers and Explanations Manual, 10th Edition (print version and online database), and a free CISM practice quiz. Current exam prep materials remain available for purchase through 31 May 2022, but purchasing them does not grant access to the new exam prep materials at a later date.


The CISM certification celebrates its 20th anniversary this year, and more than 65,000 professionals have earned the credential since its inception. Over those two decades, CISM has become the globally recognized credential for ensuring alignment between an organization's information security program and its broader strategic goals. The management-focused CISM is also the globally accepted achievement for individuals who develop, build and manage enterprise information security programs. The CISM certification won the 2020 SC Award for "Best Professional Certification Program," marking the second time in three years that CISM received this recognition. The certification also ranks sixth among the top fifteen highest-paying IT certifications in the 2021 IT Skills and Salary Report conducted by Global Knowledge, with an average salary in the United States of US$149,246.


"As an information security manager, I believe the guidance and resources to understand the alignment of business value and information technology strategy have helped to increase awareness of making a risk-based decision for reduced risk," says Marilyn Moux, a CISM holder and technology consultant. "This has also helped us understand the tools necessary to assist the business and its security professionals in building strategies to help organizations protect against cyber adversaries."


To learn more about CISM and to apply for certification, visit . Several CISM holders weighed in on how the profession has changed over the two decades since the credential's inception; view their comments here.



For more than 50 years, ISACA® has advanced the best talent, expertise and learning in technology. ISACA equips individuals with knowledge, credentials, education and community to progress their careers and transform their organizations, and enables enterprises to train and build quality teams. ISACA is a global professional association and learning organization that leverages the expertise of its more than 150,000 members, who work in information security, governance, assurance, risk and privacy, to drive innovation through technology. It has a presence in 188 countries, including more than 220 chapters worldwide. In 2020, ISACA launched One In Tech, a philanthropic foundation that supports IT education and career pathways for under-resourced, under-represented populations.