
AAISM Scaled Score Explained: 200 to 800 Grading Guide

TL;DR
  • AAISM uses a scaled score of 200 to 800; the passing threshold is exactly 450.
  • Domain 3 (AI Technologies and Controls) carries 38% of the exam weight - the single heaviest domain.
  • 90 multiple-choice questions must be answered within 150 minutes; not every question carries equal weight after scaling.
  • You must already hold an active CISM or CISSP before sitting for AAISM - prerequisites are non-negotiable.

What Is Scaled Scoring and Why ISACA Uses It

When ISACA launched the Advanced in AI Security Management certification on August 19, 2025, it adopted the same scaled scoring methodology used across its flagship credentials. If you have already earned your CISM or CISSP - both required prerequisites for AAISM - you likely encountered scaled scoring before. But understanding why it exists is just as important as knowing the numbers.

Scaled scoring solves a fairness problem. Every administration of a certification exam is slightly different. One cohort of candidates may receive a slightly harder distribution of questions than another. Without scaling, a candidate who sat for a harder version would be penalized compared to someone who received an easier draw. Scaling mathematically adjusts raw performance so that a score of 450 means the same thing regardless of which specific questions appeared on your exam.

Why This Matters for AAISM: Because the certification launched in August 2025, the item pool is relatively new. ISACA's psychometricians are actively calibrating question difficulty weights as more candidates complete the exam. This makes scaled scoring especially important for AAISM right now - it protects you if a question turns out to be unexpectedly difficult for the broader candidate population.

ISACA uses PSI as its testing provider, with authorized testing centers operating globally and remote proctoring available in most regions. Candidates in India, Mainland China, and Hong Kong must use physical PSI centers; remote proctoring is not permitted in those locations. This logistical detail matters because scheduling at a physical center introduces additional variables - arrival time, ID verification, and room conditions - that candidates should account for when planning their exam date.

The 200 to 800 Range: How the Numbers Work

The AAISM scaled score runs from a minimum of 200 to a maximum of 800. You cannot score below 200 even if you answer every question incorrectly, and you cannot exceed 800 even with a perfect raw score. This range is intentional: it creates a wide enough spread to meaningfully differentiate performance levels while keeping the numbers psychologically interpretable.

Scaled Score Range | Performance Signal | Candidate Implication
200 - 349 | Significant knowledge gaps across domains | Substantial additional preparation required before retake
350 - 449 | Foundational understanding present but insufficient | Targeted domain remediation needed; close to passing
450 | Passing threshold | Certification awarded upon meeting all other requirements
451 - 599 | Competent performance above minimum | Certified; demonstrates solid applied knowledge
600 - 800 | High proficiency across domains | Certified; strong signal of subject-matter expertise

One important clarification: scores in the 200-449 range do not simply mean you answered fewer than half the questions correctly. The scaling process factors in question difficulty, so a candidate who answered 40 questions correctly on a harder version might outperform a candidate who answered 45 questions correctly on an easier version. This is why obsessing over raw question counts during practice tests is less useful than understanding your performance by domain.

The 450 Passing Score: What It Actually Means

A scaled score of 450 is the line between pass and fail on the AAISM exam. It is not an arbitrary cutoff - ISACA uses a standard-setting process involving subject-matter experts who evaluate question difficulty and recommend a minimum competency threshold. For AAISM, that threshold was set at 450 out of 800.

Contextually, 450 sits at 40.9% of the way across the 200-to-800 range (since the effective range spans 600 points from 200 to 800, and 450 is 250 points above the floor). This placement reflects the reality that AAISM is designed for experienced security professionals - you are not expected to achieve perfection, but you are expected to demonstrate applied competency across AI governance, AI risk, and AI security controls.

Key Takeaway

A passing score of 450 does not mean answering exactly 56.25% of 90 questions correctly. It means your scaled performance - adjusted for question difficulty across the three domains - meets ISACA's defined minimum competency standard for AI security management professionals.

Because AAISM launched on August 19, 2025, and no public pass rate data has been released, candidates cannot benchmark themselves against historical cohort averages. This makes understanding the scoring mechanics even more critical. For structured practice that mirrors the real question format, the AAISM Exam Prep practice test platform provides scenario-based questions mapped to all three domains.

Domain Weighting and Its Direct Impact on Your Score

AAISM's 90 questions are not distributed equally across domains. Understanding the weighting is arguably the most actionable piece of scoring intelligence available to candidates.

Domain 1: AI Governance and Program Management (31%)

Approximately 28 of the 90 questions draw from this domain. Candidates must understand AI governance frameworks, policy development, organizational roles and responsibilities for AI oversight, program lifecycle management, and compliance alignment with applicable regulations and standards.

  • AI governance structures and accountability models
  • AI security program development and metrics
  • Stakeholder communication and board-level reporting
  • Regulatory and standards landscape (NIST AI RMF, EU AI Act concepts, ISO/IEC 42001)

Domain 2: AI Risk Management (31%)

Also approximately 28 questions. This domain tests applied risk thinking - how to identify, assess, treat, and monitor risks introduced by AI systems across their full lifecycle, including third-party AI dependencies and supply chain considerations.

  • AI-specific threat modeling and risk quantification
  • Data poisoning, model inversion, and adversarial attack concepts
  • Third-party AI vendor risk and procurement controls
  • Risk treatment decisions: mitigate, transfer, accept, avoid

Domain 3: AI Technologies and Controls (38%)

The heaviest domain at approximately 34 questions. This is where the exam distinguishes AAISM from generalist security certifications. Candidates must demonstrate technical fluency in AI architecture, security control design, model testing methodologies, and continuous monitoring of AI systems in production.

  • Machine learning architectures and their security implications
  • Secure model development and MLOps security controls
  • AI system testing: adversarial robustness, bias assessment, explainability
  • Runtime monitoring, anomaly detection in model outputs, and incident response for AI systems

The practical implication: every percentage point of Domain 3 proficiency has a larger impact on your scaled score than equivalent proficiency in Domains 1 or 2. Candidates who treat all three domains identically in their preparation are leaving scaled points on the table. To understand exactly how these domain topics manifest as scenario-based questions, review the AAISM Exam Questions: Format, Scenarios and Structure 2026 guide.

How Raw Questions Become Scaled Points

The transformation from raw correct answers to a scaled score involves several steps that happen behind the scenes after you submit your exam.

Step 1: Raw Score Calculation

ISACA's multiple-choice format does not penalize incorrect answers - there is no negative marking. Your raw score is simply the count of questions you answered correctly. This means leaving no question unanswered is essential; a guess carries upside with no downside.

Step 2: Item Difficulty Weighting

Not all 90 questions contribute equally to your scaled score. During exam development, each question is assigned a difficulty parameter based on how candidate populations have historically performed on that item. A question that most candidates answer correctly is worth less scaled weight than a question that challenges even well-prepared candidates. AAISM questions are scenario-based, meaning many of them require multi-step reasoning - these tend to carry higher difficulty weights.

Step 3: Equating Across Exam Forms

ISACA maintains multiple versions of the exam. A statistical equating process ensures that a 450 on one version reflects the same knowledge level as a 450 on any other version. This is the core purpose of scaling.

Practical Implication for Preparation: Because harder scenario questions carry more scaled weight, candidates who master complex AI security scenarios - multi-stakeholder governance decisions, adversarial ML attack countermeasures, integrated risk treatment recommendations - are positioned to earn disproportionately higher scaled scores than candidates who focus only on definitional recall.

Reading Your Score Report After the Exam

When you complete the AAISM exam through PSI, you receive an immediate on-screen indication of pass or fail. Your official score report from ISACA provides your total scaled score plus a domain-level performance breakdown. The domain breakdown does not show a scaled sub-score for each domain; instead, it typically shows a performance band (below target, at target, above target) that tells you where your relative strengths and weaknesses lie.

If you do not pass, the domain performance bands become your remediation roadmap. A candidate who scores below target in Domain 3 but at or above target in Domains 1 and 2 has a clear signal: additional time must be invested in AI architecture security controls, model testing methodologies, and runtime monitoring - the specific topics within the 38% domain.

For a deeper understanding of how individual questions are constructed and what scenario structures appear most frequently, the AAISM Exam Questions: Format, Scenarios and Structure 2026 article provides detailed analysis of the question format.

Scoring Strategy Tied to Each Domain

Given the domain weights, an effective preparation schedule should allocate time proportionally - and front-load the heaviest domain. The following timeline is designed specifically for AAISM candidates who have already earned their CISM or CISSP and are building on that existing foundation.

Week 1-2

Domain 3 Deep Dive: AI Technologies and Controls (38%)

  • Map your existing security knowledge to ML-specific attack surfaces
  • Study adversarial ML: data poisoning, model inversion, membership inference
  • Practice MLOps security control scenarios using the AAISM practice test platform
  • Focus on runtime monitoring and AI incident response procedures

Week 3

Domain 2: AI Risk Management (31%)

  • Build AI-specific threat models starting from your existing risk management frameworks
  • Study third-party AI vendor risk scenarios - a frequent exam scenario type
  • Practice applying risk treatment decisions to AI deployment contexts

Week 4

Domain 1: AI Governance and Program Management (31%)

  • Review AI governance frameworks including NIST AI RMF and ISO/IEC 42001 concepts
  • Study AI program lifecycle from strategy through decommissioning
  • Practice board-level and stakeholder communication scenarios

Week 5-6

Integrated Practice and Weak Domain Remediation

  • Take full 90-question timed practice exams simulating 150-minute conditions
  • Analyze domain-level performance bands from practice results
  • Revisit Domain 3 scenarios if practice scores indicate weakness
  • Use spaced repetition specifically for AI terminology and control frameworks

Registration, Fees, and Scheduling Context

Understanding the financial and logistical structure around the exam helps candidates make strategic decisions about when to sit and how to interpret their score in context.

The exam fee is $459 for ISACA members and $599 for non-members. After passing, a one-time application processing fee of $50 applies. Annual maintenance costs $20 per year for ISACA members and $35 per year for non-members, with the certification valid for three years and requiring a minimum of 10 CPE hours per year focused on AI-specialized topics (30 hours total per 3-year cycle).

Prerequisite Checkpoint: You must hold an active CISM or CISSP at the time of application and maintain that underlying certification throughout the AAISM lifecycle. If your CISM or CISSP lapses, your AAISM certification is also at risk. Plan your CPE hours for both credentials simultaneously.

Once registered, you have a 12-month eligibility window to schedule and sit for the exam. The exam is available in English and Spanish. Given that this is Version 1 of the AAISM exam with no published updates as of March 2026, the current domain structure and scoring methodology described in this article reflect the active exam. This guide will be updated if ISACA revises scoring parameters in future versions.

Candidates seeking additional practice before their eligibility window closes can access full-length scenario-based practice exams through the AAISM Exam Prep platform, which structures questions across all three weighted domains.

Frequently Asked Questions

What is the minimum scaled score to pass the AAISM exam?

The passing scaled score is 450 on a scale of 200 to 800. This threshold was established by ISACA through a standard-setting process and applies uniformly across all exam administrations, regardless of which specific questions appear in a given session.

Does answering more questions correctly always result in a higher scaled score?

Generally yes, but the relationship is not linear. The scaling process weights questions by difficulty, meaning correctly answering harder scenario-based questions - particularly in Domain 3 - contributes more to your scaled score than correctly answering straightforward recall questions. This is why practicing complex AI security scenarios matters more than drilling basic definitions.

Can I see my score immediately after finishing the exam?

You receive an immediate on-screen pass or fail indication upon completing the exam through PSI. Your official score report, which includes your total scaled score and domain-level performance bands, is provided by ISACA and delivered separately. The domain breakdown helps candidates who need to retake the exam identify specific remediation targets.

How many times can I retake the AAISM exam if I do not pass?

ISACA's standard retake policies apply to AAISM. You must remain within your 12-month eligibility window from original registration. Each retake requires payment of the applicable exam fee. Review the domain performance bands from your score report to focus remediation before scheduling a retake rather than simply repeating the same preparation approach.

Does Domain 3's higher weighting mean I should ignore Domains 1 and 2?

No. Domains 1 and 2 together represent 62% of the exam - more than Domain 3 alone. A candidate who masters Domain 3 but performs poorly in AI Governance and AI Risk Management can still fail. The weighting signals where to invest proportionally more time, not where to focus exclusively. A balanced approach with Domain 3 prioritized is the correct strategy.
