What are the 2026 CISM Exam changes?
For security professionals in the UK, staying abreast of industry standards is essential. ISACA has confirmed that the Certified Information Security Manager (CISM) exam will be updated on 3rd November 2026.
This update reflects the expectations placed on security leaders, who are increasingly required to act as strategic business enablers. Here is a detailed look at the changes coming to the exam.
1. New Content Areas: Architecture
The most significant addition to the CISM syllabus is the introduction of technical management frameworks. The new exam adds two vital content areas:
Enterprise Architecture
Candidates will be assessed on their understanding of how business capabilities, data flows, and applications integrate across an organisation.
Information Security Architecture
This reflects the requirement for managers to understand the technologies under their remit—specifically how identity models, segmentation, and control layers integrate across hybrid and cloud environments.
2. A Shift in Strategic Emphasis
While the four core domains remain, their focus is being refined. The 2026 update will place greater emphasis on Information Security Strategy, moving beyond following a roadmap to building one that aligns with board-level business objectives.
It will also place heavier weight on Programme Development, ensuring that security is a continuous, integrated business function rather than a siloed project.
3. Revised Domain Weightings
The weighting of a domain determines the proportion of questions dedicated to that topic. The 2026 update moves towards Governance and Risk as the primary pillars of the qualification.
| Domain | Current Focus | 2026 Direction |
| --- | --- | --- |
| 1. Information Security Governance | Frameworks & Alignment | Increased focus on Strategy |
| 2. Information Risk Management | Assessment & Treatment | Increased focus on Risk Appetite |
| 3. Security Programme Development | Operational Controls | Inclusion of Architecture |
| 4. Incident Management | Response & Recovery | Consolidated focus on Resilience |
4. Why is the Syllabus Changing?
The update reflects a shift in the British cybersecurity landscape. Security leaders are now expected to ensure that Enterprise Architecture is resilient enough to support an organisation’s digital transformation. You are increasingly seen as the bridge between technical controls and executive-level decision-making.
Key Dates for Your Calendar:
11th September 2026: Updated CISM Exam Prep materials (including the new Review Manual and QAE Database) become available for purchase.
2nd November 2026: The final day to sit the current version of the exam.
3rd November 2026: The new Exam Content Outline (ECO) comes into effect.
Advice for Candidates: The introduction of Architecture and a heavier focus on Strategy mean the 2026 exam will cover a broader range of topics. If you have already begun your preparation using current materials, we recommend sitting the exam before 3 November.
By passing now, you can qualify under the established structure and avoid the need to revise entirely new technical domains.
For further information about the exam changes, please visit ISACA's website, "Certification: CISM Job Practice Update 2026".