
AAISM Exam Prerequisites: CISM and CISSP Requirements

TL;DR
  • You must hold an active CISM or CISSP before applying; neither can lapse during your AAISM lifecycle.
  • Domain 3 (AI Technologies and Controls) carries 38% of the exam - it is the single heaviest domain and must anchor your preparation.
  • The exam is 90 scenario-based multiple-choice questions in 150 minutes, with a passing scaled score of 450 out of 800.
  • Exam fees are $459 for ISACA members or $599 for non-members, plus a $50 one-time post-pass processing fee.

What AAISM Actually Requires Before You Register

The Advanced in AI Security Management (AAISM) certification, governed by ISACA and launched on August 19, 2025, has an entry gate that sets it apart from most specialty credentials: you cannot sit for the exam unless you already hold an active Certified Information Security Manager (CISM) or Certified Information Systems Security Professional (CISSP). This is not a soft recommendation or a waivable condition - it is a hard prerequisite enforced at the application stage.

ISACA designed AAISM to operate as an advanced-layer credential. It assumes you have already demonstrated professional-level competency in information security governance or security architecture. If your CISM or CISSP lapses at any point - whether before the exam or after you earn AAISM - your AAISM certification is also at risk. The two credentials are structurally linked throughout the entire AAISM lifecycle, not just at registration.

Active Status Is Non-Negotiable: ISACA requires that your CISM or CISSP remain in good standing continuously. A lapsed prerequisite credential does not just affect your renewal - it can invalidate the AAISM itself. Build your prerequisite renewal dates into your professional calendar before you even register for AAISM.

This also means that any candidate who has passed the CISM or CISSP exam but has not yet formally maintained it through CPE submissions and fees is not eligible. Passing the exam is not the same as holding an active certification. Confirm your certification status through ISACA's certification portal or ISC2's member portal before you apply.

CISM vs. CISSP as a Prerequisite: Does It Matter Which One You Hold?

Either credential satisfies the prerequisite - you do not need both. But the credential you hold will shape how intuitively certain AAISM domains come to you.

CISM is an ISACA credential focused on information security management, governance, risk, and incident response. If you are a CISM holder, Domain 1 (AI Governance and Program Management) and Domain 2 (AI Risk Management) will feel like a familiar extension of what you already know. Both of those domains together account for 62% of the exam, so this overlap is meaningful for your preparation timeline.

CISSP is an ISC2 credential covering eight security domains with particular depth in security architecture, engineering, and systems thinking. CISSP holders will find Domain 3 (AI Technologies and Controls) more intuitive - the security controls, testing methodologies, and architecture discussions in that domain map closely to CISSP's technical emphasis. And Domain 3, at 38% of the exam, is the single heaviest domain on the entire test.

How Your Prerequisite Shapes Your Gap Analysis

Neither credential perfectly prepares you for all three AAISM domains. Use this as a starting point:

  • CISM holders: Prioritize Domain 3 early. AI architecture, algorithm security controls, and model monitoring are likely your largest knowledge gap.
  • CISSP holders: Spend extra time on Domain 1's governance program structures and Domain 2's AI-specific risk frameworks. The governance vocabulary in AAISM reflects ISACA's conventions, which differ from ISC2's framing.
  • Both groups: AI-specific content - bias in models, explainability requirements, adversarial machine learning - is new territory regardless of your background.

Why ISACA Built These Prerequisites Into AAISM

ISACA's decision to require an active CISM or CISSP is a deliberate positioning choice. AAISM is not an entry-level AI awareness badge. It is a credential for security professionals who are being asked - or who want to be asked - to take operational responsibility for AI security programs within their organizations.

The 90 scenario-based questions on the exam are written to reflect real-world AI security management decisions. A question might present a scenario where a company's AI-powered fraud detection model begins producing unexpectedly biased outputs after a data pipeline change. You are not asked to identify the concept - you are asked to choose the most appropriate managerial or technical response. That kind of judgment requires a foundation in security management that the CISM and CISSP are designed to build.

ISACA also enforces adherence to its Code of Professional Ethics for all AAISM holders - the same ethics framework that governs CISM. This creates a consistent professional accountability layer across its credential ecosystem.

For a full picture of how the testing environment is structured, including where you can and cannot use remote proctoring, see the AAISM Remote Proctoring: Rules and Testing Center Guide. Candidates in India, Mainland China, and Hong Kong must attend a physical PSI testing center - remote proctoring is not available in those regions regardless of preference.

What the Exam Domains Demand From You

Understanding the prerequisite is only the beginning. The harder question is what the exam actually tests. AAISM is organized into three domains, and knowing their content at a conceptual level is not enough - the scenario-based format requires you to apply knowledge to situations you have not seen before.

Domain 1: AI Governance and Program Management (31%)

This domain covers the organizational structures, policies, and program frameworks needed to govern AI security at scale. Candidates must understand how to establish AI security governance aligned with broader enterprise risk posture.

  • AI security policy development and program charter design
  • Roles and responsibilities within AI security governance
  • Regulatory and compliance obligations affecting AI deployment
  • Communicating AI security risk to executive and board stakeholders
  • Integrating AI security programs with existing ISMS frameworks

Domain 2: AI Risk Management (31%)

This domain focuses on identifying, assessing, and treating the risk landscape specific to AI systems - which differs substantially from traditional IT risk in its speed, opacity, and feedback dynamics.

  • AI-specific threat modeling, including data poisoning and model inversion attacks
  • Risk assessment methodologies adapted for machine learning systems
  • Third-party and supply chain risk in AI development pipelines
  • Residual risk acceptance and treatment planning for AI deployments
  • Incident classification and response frameworks for AI-related failures

Domain 3: AI Technologies and Controls (38%)

The highest-weighted domain by a significant margin. This is where technical depth meets security architecture. Candidates must understand not just what controls exist, but why specific controls are appropriate for specific AI environments.

  • AI system architecture and its security implications (training vs. inference environments)
  • Security controls for model development, deployment, and retraining pipelines
  • Adversarial machine learning: attack categories and defensive countermeasures
  • AI testing methodologies including red-teaming and robustness evaluation
  • Monitoring and observability for AI systems in production
  • Explainability, transparency, and auditability requirements for regulated AI

Because Domain 3 carries 38% of the exam weight, underinvesting in it is the most likely path to a failing score. Candidates who rely heavily on their prerequisite credential's coverage and assume the governance domains will carry them are taking a significant risk. Practice with realistic scenario-based questions early - our AAISM practice tests are built around all three domain areas and will help you identify where your gaps actually are, not where you assume they are.

Registration, Fees, and the 12-Month Eligibility Window

Once you have confirmed your CISM or CISSP is active, the registration process runs through ISACA. The exam is delivered by PSI, ISACA's testing provider, either at authorized PSI testing centers globally or via remote proctoring where available.

Fee Item                                      ISACA Member          Non-Member
Exam Registration Fee                         $459                  $599
One-Time Application Processing (post-pass)   $50                   $50
Annual Maintenance Fee                        $20/year              $35/year
Exam Language Options                         English and Spanish (both member types)
Eligibility Window After Registration         12 months (both member types)

The 12-month eligibility window is important to plan around. From the date you register, you have one year to schedule and complete the exam. This window gives you flexibility to prepare thoroughly, but it also creates a deadline. Candidates who register too early without a preparation plan sometimes find themselves rushing toward the end of the window. Given the scenario-based format and the technical depth of Domain 3, most candidates will benefit from at least eight to twelve weeks of structured preparation before scheduling the exam date.

ISACA Membership Math: At the current fee gap of $140 between member and non-member pricing, ISACA membership may be worth evaluating on its own terms before you register. If you plan to sit for AAISM and are not already an ISACA member, the membership dues versus the exam fee differential is a straightforward calculation to run.

The exam itself is 90 multiple-choice questions with a 150-minute time limit - that works out to approximately 100 seconds per question. Given that questions are scenario-based and may require reading a paragraph of context before evaluating four answer choices, time management during the exam is a skill worth practicing explicitly. Timed practice under realistic conditions will help you build the pacing muscle you need. Start with full-length AAISM practice tests well before your exam date.

Maintaining AAISM, CISM, and CISSP Simultaneously

Earning AAISM adds a third credential to your maintenance portfolio if you hold both CISM and CISSP. Understanding what ongoing compliance looks like across all three is essential before you commit.

AAISM requires a minimum of 10 CPE hours per year in AI-specialized topics, with 30 CPE hours total over the three-year certification cycle. This is not general security CPE - the hours must be demonstrably AI-relevant. Industry conferences on AI security, vendor-neutral AI risk training, and published research contributions in AI governance are all potential CPE sources. The certification is valid for three years, after which renewal requires meeting the CPE threshold and paying the maintenance fee.

Critically, you must also keep your CISM or CISSP active throughout this entire period. If either prerequisite lapses, your AAISM standing is affected. For professionals who hold both CISM and CISSP, this means managing at minimum two different renewal cycles with ISACA and ISC2 respectively, while also tracking AAISM's AI-specific CPE requirements.

Key Takeaway

Build a single master renewal calendar that includes CISM renewal dates, CISSP renewal dates, and AAISM CPE milestones. Missing any one of these can cascade into a credential status problem across all three. Treat AI-focused CPE activities as primary professional development investments, not afterthoughts.

Scheduling Your Preparation Around Domain Weights

With a clear understanding of the three domains and their weights, you can build a preparation schedule that reflects the actual exam - rather than treating all content equally.

Weeks 1-2

Domain 3 Foundation: AI Technologies and Controls

  • Map AI system architecture concepts: training pipelines, inference environments, model registries
  • Study adversarial ML attack categories - data poisoning, model evasion, membership inference
  • Identify which controls apply at which stage of the AI development lifecycle
  • Run baseline practice questions against Domain 3 to establish your starting score

Weeks 3-4

Domain 3 Depth: Testing, Monitoring, and Explainability

  • Study AI red-teaming methodologies and robustness evaluation frameworks
  • Learn production monitoring approaches specific to ML systems (drift detection, anomaly alerting)
  • Review explainability and auditability requirements in regulated industries

Weeks 5-6

Domains 1 and 2: Governance and Risk

  • Map ISACA's governance vocabulary to AI program structures (CISM holders can move faster here)
  • Study AI-specific risk assessment frameworks and how they differ from standard IT risk approaches
  • Review third-party AI risk and supply chain considerations
  • CISSP holders: pay particular attention to ISACA's framing of governance roles and program design

Weeks 7-8

Integration and Scenario Practice

  • Run full-length timed practice exams across all three domains
  • Focus scenario review on questions you answered correctly but slowly - pacing matters
  • Revisit your weakest Domain 3 sub-topics based on practice test analytics
  • Review the AAISM Exam Prerequisites: CISM and CISSP Requirements article to confirm all administrative logistics are in order before scheduling

Who Is Hiring AAISM-Certified Professionals

AAISM launched in August 2025, which means the credential is still in its earliest hiring cycle. That said, the organizational profiles seeking this expertise are already visible based on the domains the exam covers.

Financial services firms deploying AI for credit scoring, fraud detection, or algorithmic trading are under increasing regulatory scrutiny over model governance and explainability. These organizations need professionals who can manage AI security programs at the intersection of compliance and technical controls - exactly what Domain 1 and Domain 3 address. Healthcare systems using AI for clinical decision support face similar regulatory pressure, particularly around auditability and bias detection. Large technology companies building AI-powered products need security architects who understand adversarial machine learning and can design controls for model pipelines, not just perimeter networks.

Government and defense contractors working with AI-enabled systems face procurement and compliance requirements that map directly to AI governance program management. Professional services firms - the major consulting and advisory practices - are already staffing AI security teams in anticipation of client demand as AI deployment regulations mature globally.

The prerequisite structure of AAISM (requiring an active CISM or CISSP) means hiring managers can use it as a signal of both AI security specialization and established security management credibility. For candidates already holding CISM or CISSP, AAISM is positioned as a differentiation layer in a job market where AI security expertise is increasingly expected but rarely formally credentialed.

Early-Mover Advantage: Because AAISM launched in August 2025 and no published pass rate data exists yet, the pool of certified professionals is currently small. Earning AAISM now places you among the inaugural cohort of certified AI security managers - a professional positioning advantage that will narrow as the credential matures and more candidates certify.

Frequently Asked Questions

Can I apply for AAISM if my CISM is currently in the renewal grace period?

No. ISACA requires an active certification, not one in a grace or lapsed state. Confirm your CISM or CISSP is fully current - including CPE submissions and fees paid - before submitting your AAISM application. A certification in a grace period is technically lapsed until renewal is completed.

What happens to my AAISM if my CISM lapses after I earn AAISM?

The prerequisite must remain active throughout the entire AAISM lifecycle. Allowing your CISM or CISSP to lapse after earning AAISM puts your AAISM status at risk. Treat the maintenance of your prerequisite credential as a non-negotiable component of your AAISM maintenance plan.

Is the AAISM exam available in languages other than English?

Yes. AAISM is currently available in English and Spanish. If you need to test in Spanish, confirm availability with PSI when scheduling, particularly if you intend to use a physical testing center in your region.

How does the 450 passing score relate to the number of questions I need to answer correctly?

The 450 score is a scaled score on a 200-800 scale, not a raw count of correct answers. Scaled scoring means the passing threshold accounts for question difficulty variation, so there is no simple formula to convert a raw number of correct answers into a guaranteed pass. Your safest approach is to aim for strong performance across all three domains, with particular depth in Domain 3 given its 38% weight.

Can I use remote proctoring if I am based in India?

No. Remote proctoring is not available in India, Mainland China, or Hong Kong. Candidates in these regions must attend an authorized PSI physical testing center. For detailed guidance on testing center locations and remote proctoring eligibility by region, review the AAISM Remote Proctoring: Rules and Testing Center Guide before scheduling.

Ready to Start Practicing?

The AAISM exam tests your ability to make real decisions under realistic AI security scenarios - not just recall definitions. Our practice tests are built around all three AAISM domains, including the high-weight Domain 3 content that most candidates underestimate. Start identifying your gaps now, while you still have time to close them.
