- You have exactly 12 months from registration to sit the AAISM exam - missing this window forfeits your exam fee.
- The AAISM exam fee is $459 for ISACA members and $599 for non-members; a separate $50 application fee is charged only after you pass.
- An active CISM or CISSP is a hard prerequisite and must remain maintained throughout the entire AAISM certification lifecycle.
- Remote proctoring is unavailable in India, Mainland China, and Hong Kong - candidates there must book a physical PSI testing center.
What the 12-Month Eligibility Window Actually Means
When ISACA processes your AAISM registration, a clock starts. You have 12 months from the date of registration to schedule and sit the Advanced in AI Security Management exam. This is not a soft guideline - it is a hard cutoff enforced by ISACA and administered through PSI, the official testing provider for the AAISM credential.
Miss that window, and you lose your exam fee with no rollover. That is $459 if you are an ISACA member, or $599 if you are not. Neither amount is trivial, and neither is refundable once the eligibility period lapses. Understanding what the window covers - and what it does not - is the first step in protecting your investment.
The eligibility window covers the scheduling and sitting of the exam. It does not guarantee a specific testing slot will be available on your preferred date. PSI center availability varies by region, and remote proctoring slots can fill during high-demand periods. Waiting until month ten or eleven to schedule is a documented way candidates lose their window to availability constraints rather than their own preparedness.
Registration Mechanics: Fees, Application, and Timing
The Fee Structure You Need to Map Out Before Registering
The AAISM fee structure involves two separate financial events that candidates often conflate. The first is the exam registration fee, paid upfront at the time you register. The second is a $50 one-time application processing fee, which is only charged after you pass the exam - not before. This split matters both for budgeting and for knowing what you are actually paying for at registration.
| Fee Type | ISACA Member | Non-Member | When Paid |
|---|---|---|---|
| Exam Registration Fee | $459 | $599 | At registration (starts eligibility window) |
| Application Processing Fee | $50 | $50 | One-time, after passing the exam |
| Annual Maintenance Fee | $20/year | $35/year | Each year of the 3-year certification cycle |
If you are not yet an ISACA member, the math is worth doing before you register. ISACA membership has its own annual dues, but the exam fee difference alone - $140 - often offsets a significant portion of membership costs for candidates who plan to sit the exam within the membership year. Factor in the lower $20 annual maintenance fee versus $35 for non-members, and ISACA membership becomes a financially rational choice for serious AAISM candidates.
When the Clock Starts and How to Track It
The 12-month eligibility window begins on the date ISACA processes and confirms your registration, not the date you pay or the date you intend to schedule. Candidates should screenshot or save the registration confirmation email, which will reflect the start date. PSI, as the testing provider, will honor scheduling requests within this window through its global network of authorized testing centers and its remote proctoring platform.
The Prerequisites Gate: CISM or CISSP Must Stay Active
AAISM is not an entry-level certification. ISACA requires that every candidate hold an active CISM (Certified Information Security Manager) or CISSP (Certified Information Systems Security Professional) at the time of registration, at the time of the exam, and for the entire duration of the AAISM certification lifecycle. The word "active" is critical here - a lapsed CISM or CISSP invalidates your AAISM, not just your registration.
This prerequisite reflects where AAISM sits in the credentialing ecosystem. It is designed for experienced information security professionals who are expanding their expertise into AI-specific security governance and risk management - not for candidates building foundational security knowledge for the first time.
Candidates who are currently in the renewal window for their CISM or CISSP should resolve that before registering for AAISM. Starting your 12-month AAISM eligibility window while your prerequisite certification is also expiring creates unnecessary administrative risk during your study period.
Scheduling Within the Window: PSI Centers and Remote Proctoring
Remote Proctoring and Its Geographic Restrictions
AAISM uses PSI as its testing provider, which offers candidates flexibility through both physical testing centers and remote proctoring. However, this flexibility has a notable geographic restriction that affects a significant portion of the global candidate pool.
Remote proctoring is not available in India, Mainland China, or Hong Kong. Candidates located in these regions must identify and book an authorized PSI physical testing center. Given that AAISM is a relatively new certification (launched August 19, 2025), center availability in some regions may be more limited than for longer-established ISACA credentials like CISM or CISA. Candidates in these regions should plan to schedule earlier in their 12-month window rather than later.
For candidates eligible for remote proctoring, the flexibility is genuine - you can test from a compliant home or office environment. But remote proctoring slots are not unlimited, and scheduling on short notice during peak periods (such as Q4 or the weeks before annual CPE deadlines) can mean delays. If you are targeting a specific exam date, scheduling two to three months in advance is a reasonable approach.
Language Options Within the Window
The AAISM exam is available in English and Spanish. Candidates should confirm their preferred language at the time of scheduling, as switching language preferences after booking may require rescheduling with PSI. For a full breakdown of how language selection affects preparation materials and scenario interpretation, see our dedicated guide on AAISM Exam Language Options: English and Spanish Guide.
Using Domain Weights to Plan Your 12-Month Window
One of the most actionable uses of the 12-month eligibility window is structuring your preparation around the exam's domain weights. The AAISM exam covers three domains, and their weights are not equal. Understanding which domain demands the most attention - and scheduling your study time accordingly - is the difference between a well-managed window and a chaotic sprint to a scheduling deadline.
Domain 1: AI Governance and Program Management (31%)
This domain covers how organizations establish, govern, and manage AI security programs at an enterprise level. Candidates must understand AI policy frameworks, accountability structures, regulatory alignment, and program metrics relevant to AI security.
- Enterprise AI security governance structures and roles
- AI program lifecycle management and policy development
- Regulatory and compliance frameworks specific to AI deployment
- Stakeholder communication and board-level AI risk reporting
Domain 2: AI Risk Management (31%)
Equal in weight to Domain 1, this domain addresses identifying, assessing, and mitigating risks that emerge specifically from AI systems - including data integrity risks, model bias, adversarial attacks, and third-party AI vendor risk.
- AI-specific risk identification and categorization methodologies
- Threat modeling for machine learning pipelines and inference systems
- Third-party and supply chain risk in AI environments
- Risk treatment strategies for generative AI and autonomous systems
Domain 3: AI Technologies and Controls (38%)
This is the highest-weighted domain on the AAISM exam. Candidates must demonstrate deep technical understanding of AI architecture, security controls specific to AI systems, testing methodologies, and continuous monitoring practices.
- AI and ML architecture components and their security implications
- Security controls for model training, validation, and deployment
- AI system testing methodologies including adversarial testing
- Monitoring and anomaly detection in production AI environments
With 38% of the exam weight, Domain 3 deserves priority in your preparation schedule. However, because Domains 1 and 2 together account for 62% of the exam, ignoring them in favor of technical depth is a common and costly error. The scenario-based, multiple-choice format of the exam means that even technical questions are framed in governance and risk management contexts - you cannot isolate domains in practice the way a simple weighting table might suggest.
Preparing with realistic practice questions is one of the most effective ways to develop the scenario interpretation skills this format demands. Our AAISM practice test platform offers scenario-based questions modeled on the real exam format across all three domains, allowing you to identify which domain requires more of your remaining window.
A Structured Prep Timeline for the Eligibility Period
For candidates with a full 12-month window and existing CISM or CISSP experience, a phased preparation approach tends to outperform unstructured self-study. The following timeline assumes approximately 8 months of active preparation, leaving months 9 and 10 for intensive review and practice exams, and months 11 and 12 as buffer for scheduling and final readiness.
Foundation: Domain 1 - AI Governance and Program Management
- Map existing CISM or CISSP governance knowledge onto AI-specific frameworks
- Study enterprise AI program structure, policy development, and regulatory alignment
- Begin light practice questions to calibrate familiarity with scenario-based format
Depth: Domain 2 - AI Risk Management
- Focus on AI-specific threat modeling and risk treatment frameworks
- Study adversarial attack vectors and model integrity risks in depth
- Run domain-specific practice tests to measure Domain 2 comprehension
Priority: Domain 3 - AI Technologies and Controls (38% weight)
- Dedicate the longest block to this highest-weighted domain
- Study ML pipeline architecture, deployment security, and monitoring controls
- Practice adversarial testing scenarios and control selection questions
- Revisit Domains 1 and 2 in integration - many Domain 3 scenarios reference governance and risk contexts
Integration and Full-Length Practice
- Take timed, full-length 90-question practice exams under 150-minute conditions
- Analyze weak areas by domain and return to targeted study
- Schedule your PSI exam date no later than the end of month 10
The 90-question exam with a 150-minute time limit works out to an average of 100 seconds per question. Scenario-based questions require careful reading, and candidates who have not practiced under timed conditions frequently run short on time in the final section of the exam. Simulating exam conditions using full-length AAISM practice tests during months 8 through 10 builds the pacing discipline the real exam requires.
What Happens After You Pass: The $50 Fee and Maintenance Clock
Passing the AAISM exam - achieving a scaled score of 450 or above on the 200-800 scale - is not the end of the administrative process. After passing, ISACA charges a one-time $50 application processing fee to finalize your certification. This is separate from the exam fee you paid at registration and must be submitted to complete the certification award process.
Once your AAISM is active, the maintenance requirements begin immediately:
- A minimum of 10 CPE (Continuing Professional Education) hours per year, and these must be in AI-specialized topics - general information security CPEs do not satisfy this requirement.
- A total of 30 CPE hours across the full 3-year certification cycle.
- Continued adherence to the ISACA Code of Professional Ethics.
- Maintenance of your active CISM or CISSP credential for the entire 3-year AAISM lifecycle.
Key Takeaway
The 10 CPE hours required annually must be AI-specialized, not general security. Candidates who hold CISM or CISA and are accustomed to broad CPE categories should plan their CPE portfolio specifically around AI security topics to avoid a compliance gap at renewal.
The 3-year certification cycle and the CPE specificity requirement together mean that AAISM is designed for practitioners actively working in AI security - not as a one-time credential badge. Organizations hiring for AI security governance roles increasingly recognize this structure as a signal of ongoing engagement with the field.
Common Eligibility Window Mistakes That Cost Candidates
Because the AAISM is a newly launched certification - Version 1 went live on August 19, 2025 - there is not yet a large community of past candidates sharing window management lessons. The following mistakes are drawn from patterns across other ISACA certification programs and the specific structural features of AAISM:
- Registering before completing prerequisite renewal. If your CISM or CISSP is expiring in the next three to six months, resolve that first. Having both credentials in renewal limbo simultaneously creates administrative complexity and could jeopardize your AAISM registration validity.
- Waiting to schedule until late in the window. PSI center availability and remote proctoring slots are not guaranteed. Candidates in India, Mainland China, and Hong Kong face the additional constraint of physical-only testing. Schedule by month 10 at the latest.
- Underweighting Domain 3 in study planning. At 38%, AI Technologies and Controls is the single largest domain. Candidates from governance-heavy backgrounds sometimes spend the majority of their preparation on Domains 1 and 2, which feel more familiar, and arrive underconfident on technical control and architecture questions.
- Conflating the $50 application fee with the exam fee. The application processing fee is only due after passing. Candidates who budget only for the exam fee and do not expect the $50 post-pass charge occasionally delay their certification finalization.
- Not practicing in the exam's actual format. The AAISM uses scenario-based multiple-choice questions, not straightforward recall questions. Studying content without practicing scenario interpretation is insufficient preparation for the real exam format. Understanding your eligibility window timeline matters, but so does matching your practice format to what the exam actually delivers.
Frequently Asked Questions
ISACA does not publicly offer automatic extensions to the 12-month eligibility window. Candidates who believe they cannot sit within the window due to extenuating circumstances should contact ISACA directly, but there is no guaranteed extension policy. The safest approach is to schedule your exam before month 10 to retain flexibility if rescheduling becomes necessary.
The active prerequisite requirement applies throughout the AAISM certification lifecycle, which begins at registration. If your CISM or CISSP lapses before you sit the exam, your AAISM eligibility is at risk. ISACA should be contacted immediately if your prerequisite credential status changes during your registration period. Preventing this scenario is the reason experienced candidates are advised to resolve prerequisite renewals before registering for AAISM.
The AAISM uses a scaled scoring model ranging from 200 to 800. The passing score is 450. Scaled scoring means your raw number of correct answers is converted to a score on this scale, accounting for variation in question difficulty. This is the same scoring methodology ISACA uses for CISM and CISA. The 90-question exam is completed within a 150-minute time limit.
Yes. The $50 one-time application processing fee is charged to all candidates after passing, regardless of ISACA membership status. ISACA membership affects the exam registration fee ($459 versus $599) and the annual maintenance fee ($20 versus $35 per year), but the post-pass application fee is flat for all candidates.
The AAISM exam is available in both English and Spanish, and language selection is typically confirmed at the time of scheduling with PSI rather than at registration. Candidates should verify their preferred language when booking through PSI to avoid arriving at a testing center or remote session with an unexpected language setting. For a detailed look at how language selection affects preparation, see our article on AAISM Exam Language Options: English and Spanish Guide.