ISACA’s Certified Information Security Manager (CISM) is a valuable certification for IT professionals in information security governance and management. It is an in-demand certificate that advances your cybersecurity career and increases your earning potential.
ISACA updated the CISM exam content outline on June 1, 2022. Attending a CISM certification bootcamp built on the latest outline is an effective way to prepare for the exam.
The CISM bootcamp is a full-time or part-time program that prepares students for the ISACA CISM exam. Based on the latest exam guide, this short but intensive program provides the skills and knowledge needed to develop and manage an enterprise information security program.
Attending a bootcamp has several benefits. First, it is shorter than a typical degree and provides a faster route to hands-on skills. Bootcamp graduates also report strong job outcomes: coding bootcamp providers such as Flatiron, Coding Dojo, and Fullstack report that 72-83% of their graduates get a relevant job within 180 days. In addition, a CISM bootcamp connects you with like-minded professionals and leading industry experts.
CISM-certified professionals are paid more than their non-certified peers. From 2014 to 2021, the certification was consistently ranked among the highest-paying certifications worldwide.
On average, ISACA releases a new CISM curriculum and exam every five years. The exam aims to test and validate an individual’s knowledge and experience in the four CISM domains of knowledge. Before you become CISM certified, you must fulfill two requirements:
- Pass the CISM exam
- Demonstrate a minimum required work experience
To fulfill the second requirement, you must provide verifiable evidence of five years of information security work experience, gained within the ten years preceding the application date or within five years after passing the exam.
Holding another qualification, such as the Certified Information Systems Auditor (CISA), the Certified Information Systems Security Professional (CISSP), or a post-graduate degree in information security or a related field, waives two years of the five-year requirement.
It’s clear that this is not an entry-level certification. You must have been in the industry for a while, working in management roles before applying for the CISM certification.
CISM certificate bootcamp curriculum
Every CISM certificate bootcamp has the same goal: to prepare you for success in the exam. After the latest update to the CISM job practice, the exam has taken on a new look, and most bootcamp curricula reflect those changes so that they prepare you for the current exam.
As such, CISM bootcamps have the same or similar curricula. If you're planning to register for a CISM bootcamp, the curriculum will focus on the four domains of the ISACA CISM job practice. These are:
- Information security governance
- Information security risk management
- Information security program
- Incident management
You’ll notice from the above that the certificate focuses on governance and management. This certificate caters to a specific niche of professionals. It is most suitable for cybersecurity managers or those who want to lead information security teams in their careers.
CISM bootcamp course outline
According to ISACA, here are the domains and topics you should expect to be tested on. As such, a typical CISM bootcamp curriculum outline will take the following shape:
Information security governance
- Enterprise governance
- Organizational culture
- Legal, regulatory, and contractual requirements
- Organizational structures, roles, and responsibilities
- Information security strategy
- Information security strategy development
- Information governance frameworks and standards
- Strategic planning (budgets, resources, business case)
Information security risk management
- Information security risk assessment
- Emerging risk and threat landscape
- Vulnerability and control deficiency analysis
- Risk assessment and analysis
- Information security risk response
- Risk treatment and risk response options
- Risk and control ownership
- Risk monitoring and reporting
Information security program
- Information security program development
- Information security program resources (people, tools, technologies)
- Information asset identification and classification
- Industry standards and frameworks for information security
- Information security policies, procedures, and guidelines
- Information security program metrics
- Information security program management
- Information security control design and selection
- Information security control implementation and integrations
- Information security control testing and evaluation
- Information security awareness and training
- Management of external services (providers, suppliers, third parties, and fourth parties)
- Information security program communications and reporting
Incident management
- Incident management readiness
- Incident response plan
- Business impact analysis (BIA)
- Business continuity plan (BCP)
- Disaster recovery plan (DRP)
- Incident classification/categorization
- Incident management training, testing, and evaluation
- Incident management operations
- Incident management tools & techniques
- Incident investigation and evaluation
- Incident containment methods
- Incident response communications (reporting, notification, and escalation)
- Incident eradication and recovery
- Post-incident review practices
Practice test
Most providers include a practice test to familiarize you with the style of exam questions upon completion, although this depends on the bootcamp provider. Some offer unlimited practice tests so you can keep drilling until you are comfortable with the question format and the reasoning behind the answers.
Providers of instructor-led live online bootcamps may specify minimum hardware requirements so that no student is left behind during the training; consult the provider before enrolling. On-site training at the provider's facility usually does not require this, because computers are provided.
Timeframe for CISM certification bootcamps
Cybersecurity bootcamps typically last between 10 and 24 weeks or more. Professional certification bootcamps are relatively shorter, however, because they're tailored to the certification exam's domains and outline.
Bootcamps for certifications aimed at seasoned cybersecurity professionals are shorter still, and the CISM bootcamp falls into this category. Because you need five years of work experience before applying for the certification, most bootcamps assume you already know the basics. As such, a CISM bootcamp usually lasts between three and ten days.
CISM bootcamps are available on-site or online, depending on the candidate's preference. Online bootcamps come in two forms: an instructor-led live online bootcamp, or video recordings of the bootcamp for self-paced study.
Because they are time-bound, on-site classroom and instructor-led live online CISM bootcamps are the more immersive and demanding option. Candidates are generally advised to stay at the bootcamp's location for the duration of the program to maintain complete focus. A typical training day runs from 8 AM to 5 PM, and students are expected to follow up with personal study after each class.
People who can't step away from work and other daily commitments can instead use self-paced bootcamps, which consist of recorded videos of the bootcamp sessions plus text-based study materials. This is the more flexible and convenient option.
Depending on the provider, a self-paced bootcamp comprises anywhere from 24 to 80 hours of video content. Completion time depends on how many hours the student commits to the program each day.
Most bootcamp providers offer both online and in-person options. Providers offering online CISM bootcamps include ProTech Training, SimpliLearn, and SecureNinja.
Regardless of the delivery format, most CISM certification bootcamp providers offer additional services along with the training. Besides preparing you for the exam, bootcamp providers may offer the following perks:
- ISACA official CISM courseware
- CISM exam voucher
- Exam pass guarantee
- Practice test
- Unlimited practice tests
- Satisfaction guarantee
- Free exam retake if needed
- Free access to the bootcamp provider’s paid services
- Access to ISACA-authorized instructors
- CPE/CEU post-class package
Some bootcamp providers also arrange lodging, airfare, and meals at additional cost.
Cost of CISM certification bootcamps
The CISM certification bootcamp cost depends on the training provider, delivery formats, additional perks included in the bootcamp package, and services such as airfare and hotel.
If you're planning to register for a CISM bootcamp, the program will typically cost between $1,200 and $5,000. The higher the cost, the more likely it is that additional perks are included. For example, Cprime's 3-day CISM Exam Bootcamp costs $1,595 for public classroom training with no exam voucher, and ProTech Training's 4-day lecture-and-lab CISM bootcamp costs $2,800.
The Knowledge Academy offers three CISM bootcamp delivery formats at different prices. The self-paced program starts at $1,295 and the online instructor-led option costs at least $1,995, while you'll need to contact them for a quote on the on-site bootcamp.
Students looking for a more comprehensive and highly-rated bootcamp should consider Training Camp and Infosec Institute. Training Camp offers a 4-day CISM bootcamp for $3,995, but you may get a $500 discount, bringing the total cost to $3,495. The price includes one exam voucher and one practice exam.
At the top end of the scale, Infosec's 5-day CISM bootcamp costs $4,499. This includes an exam voucher, a free 8-inch tablet (limited-time offer), unlimited practice exam attempts, and access to some of Infosec's paid services.
You can also buy CISM courseware from the ISACA store to aid your study after classes, especially when the bootcamp provider doesn’t offer it as part of the program.
Ultimately, your overall bootcamp expenses will depend on the training provider’s bootcamp price and the study materials you buy if needed.
What happens after the CISM bootcamp?
The purpose of a CISM bootcamp is to give candidates sufficient knowledge and practical judgment to pass the ISACA CISM exam. Although the CISM certification is highly sought-after and internationally recognized, passing the exam is not an easy task.
With a reported first-time pass rate of only 50 to 60 percent, this is clearly a challenging exam. Rather than hands-on technical skill, it tests your ability to apply management judgment across the four domains. Individual bootcamps report different pass rates, with some providers claiming up to 93 percent.
The ISACA CISM exam is 240 minutes (4 hours) long and consists of 150 multiple-choice questions. You need a scaled score of at least 450 out of 800 to pass. While the exam includes some technical topics, it emphasizes leadership and governance issues in information security.
The CISM exam focuses on four core domains, each carrying a different weight.

| Domain | Exam weight |
| --- | --- |
| Information security governance | 17 percent |
| Information security risk management | 20 percent |
| Information security program | 33 percent |
| Incident management | 30 percent |
The CISM exam costs $575 for ISACA members and $760 for non-members. All applicants are also required to pay a $50 application processing fee. After passing the exam, candidates must apply for certification within five years.
Candidates who fail the CISM exam can attempt it up to four times in a rolling twelve-month period, that is, three retakes. You must wait 30 days after a first failed attempt, and 90 days after the second and third attempts, before sitting the exam again.
To maintain your CISM, you must earn and report a minimum of 120 Continuing Professional Education (CPE) hours per three-year reporting cycle, with at least 20 hours in each year. Failing to do so can result in revocation of the credential. You must also pay an annual maintenance fee of $45 if you're an ISACA member and $85 if you're not; the fee is reduced if you already hold more than two ISACA certifications.
The CPE policy ensures certification holders maintain a respectable level of current knowledge and expertise in the information security field.