Page 226 - CISSO_Prep_ Guide
The CISM is based on four main topic areas:
• Information Security Governance - 24% of the exam questions
• Information Risk Management and Compliance - 33% of the exam questions
• Information Security Program Development and Management - 25% of the exam questions
• Information Security Incident Management - 18% of the exam questions.
The examination is marked on a scaled score with a minimum mark of 200 to a maximum mark of 800. A score of 450 or better is required to pass the examination. Examination marks are sent to the candidates approximately eight weeks following the examination date.
A CISM must be endorsed by another professional who can attest to their years of experience in the field. A CISM must be able to submit proof of five years of work experience in the field of information security, with at least three years in the role of an information security manager.
A CISM is required to pay an annual fee for certification to ISACA and often a fee set by a local ISACA chapter. All CISMs will be assigned to a local chapter if one is available.
The CISM must also attain and demonstrate at least 120 hours of Continuing Professional Education (CPE) credit during the three-year cycle of their certification, with a minimum of 20 CPE hours in any one year.