AAISM Study Schedule: 8-Week Preparation Plan 2026

TL;DR
  • AAISM has 90 scenario-based multiple-choice questions in 150 minutes - time per question is tight and skimming is not viable.
  • Domain 3 (AI Technologies and Controls) carries 38% of the exam; it must anchor weeks 3 through 5 of your schedule.
  • Passing score is 450 on an 800-point scale - scaled scoring rewards consistent partial mastery across all three domains.
  • You must hold an active CISM or CISSP before applying; confirm your credential status before paying the exam fee.

Why 8 Weeks Is the Right Horizon for AAISM

The Advanced in AI Security Management (AAISM) certification is not a repackaged version of your CISM or CISSP material. ISACA designed it specifically around AI security management scenarios - the kind of nuanced, organizational-level decisions that security leaders face when deploying, governing, and auditing AI systems. That context shift matters enormously for how you plan your preparation.

Eight weeks gives you enough runway to move through all three exam domains at a deliberate pace, dedicate meaningful time to scenario-based question practice, and still have a buffer week for weak-area remediation before your test date. Shorter windows tend to collapse under the weight of Domain 3, which alone covers 38% of the exam. Longer windows often lead to early content fatigue, especially for candidates who already hold a CISM or CISSP and assume much of the material will feel familiar - a dangerous assumption with a certification this new and this AI-specific.

AAISM Is New Territory: Launched on August 19, 2025, AAISM Version 1 is the inaugural edition with no published updates as of March 2026. There is no legacy exam guide, no decade of community notes, and no informal pass-rate data in circulation. Your schedule must be structured, not improvisational.

Know the Exam Before You Open a Book

Before committing study hours, every candidate should internalize the mechanical reality of the AAISM exam. You get 150 minutes to answer 90 multiple-choice questions. That is exactly 100 seconds per question - less than two minutes each. The questions are scenario-based, meaning they describe a real-world AI security management situation and ask what a competent practitioner should do, recommend, or prioritize. These are not definition lookups.

The exam is available in English and Spanish and can be taken at authorized PSI testing centers globally or via remote proctoring. One important geographic restriction: candidates in India, Mainland China, and Hong Kong must use a physical PSI center - remote proctoring is not available in those regions.

You have a 12-month eligibility window from the date of registration to schedule and sit your exam. That window is more than enough for an 8-week study plan, but do not let the long window become an excuse to delay scheduling. Booking a specific date creates accountability that a vague intention to "take it sometime this year" simply does not.

For a complete breakdown of how the question format works in practice, see AAISM Exam Format: Question Types and Time Limits before you begin Week 1.

Domain Breakdown: Where Your Hours Must Go

The AAISM exam is built on three domains. Understanding not just their names but their content scope is what separates a candidate who passes from one who runs out of time remedying surprises.

Domain 1: AI Governance and Program Management (31%)

This domain covers how organizations establish frameworks, policies, and oversight structures for AI systems from a security perspective.

  • AI governance frameworks and accountability structures
  • Roles and responsibilities for AI security across the enterprise
  • Policy development, compliance obligations, and regulatory alignment for AI
  • AI program lifecycle management including procurement and vendor governance
  • Communicating AI security posture to executive stakeholders and boards

Domain 2: AI Risk Management (31%)

Equal in weight to Domain 1, this domain focuses on identifying, assessing, and treating risks that are unique to AI systems - not generic IT risk principles reapplied.

  • AI-specific threat modeling including adversarial inputs and data poisoning
  • Risk appetite and tolerance definitions applied to AI deployment decisions
  • Third-party and supply chain risk for AI models and training data
  • Incident response and recovery frameworks tailored to AI system failures
  • Risk communication for AI to non-technical decision makers

Domain 3: AI Technologies and Controls (38%)

The largest domain. It demands technical depth in how AI systems are architected, what controls apply to them, how they are tested for security, and how they are monitored post-deployment.

  • Machine learning pipeline security: training, validation, inference stages
  • Data security and integrity controls for AI training datasets
  • Security testing methodologies specific to AI models (red-teaming, adversarial testing)
  • Monitoring and anomaly detection in production AI environments
  • Explainability, auditability, and transparency requirements from a security lens

The 8-Week AAISM Study Schedule

This schedule is built around the actual domain weights. Domain 3 gets the most time - not because it is the most interesting, but because it carries the most exam weight and typically requires the steepest learning curve for candidates coming from governance-heavy CISM backgrounds. Domains 1 and 2 are interleaved strategically so neither goes cold before test day.

Week 1

Foundation and Exam Mechanics

Week 2

Domain 1: AI Governance and Program Management

  • Map existing CISM or CISSP governance knowledge to AI-specific governance gaps
  • Focus on AI policy frameworks, regulatory requirements (EU AI Act concepts, NIST AI RMF)
  • Study board-level AI security communication - this surfaces in scenario questions regularly
  • End-of-week: 20 Domain 1 practice questions, review all wrong answers in writing

Week 3

Domain 3 First Pass: AI Architecture and Data Controls

  • ML pipeline stages: data ingestion, preprocessing, training, validation, inference - and the security surface at each stage
  • Training data integrity: poisoning attacks, provenance controls, access governance for datasets
  • Model storage and version control security
  • End-of-week: 25 Domain 3 practice questions focusing on architecture topics

Week 4

Domain 2: AI Risk Management

  • AI-specific threat taxonomy: adversarial examples, model inversion, membership inference attacks
  • Risk assessment frameworks applied to AI deployment decisions
  • Third-party AI model risk: open-source models, API-based AI services, vendor audits
  • AI incident classification and response - what constitutes an AI security incident versus an IT incident
  • End-of-week: 20 Domain 2 practice questions

Week 5

Domain 3 Deep Dive: Security Testing and Monitoring

  • Adversarial testing methodologies: red-teaming AI systems, robustness evaluation
  • Production monitoring: model drift detection, output anomaly alerting, audit logging for AI decisions
  • Explainability requirements and how they intersect with security audit trails
  • End-of-week: 30 Domain 3 practice questions covering testing and monitoring topics

Week 6

Integration and Cross-Domain Scenarios

  • Work through full 90-question timed mock exams - simulate real conditions (150 minutes, no breaks)
  • Identify questions that cross domain lines (governance decisions with technical consequences)
  • Review ISACA's Code of Professional Ethics - ethics questions appear in scenario form
  • Target: complete two full mock exams this week

Week 7

Weak Area Remediation

  • Rank your three lowest-performing sub-topics from mock exam review
  • Dedicate focused study blocks to each, then re-test specifically on those topics
  • Revisit Domain 1 and 2 material that may have faded since weeks 2 and 4
  • Run one additional full mock exam at end of week

Week 8

Consolidation and Exam Readiness

  • Light review only - no new material after Wednesday
  • Confirm test center location or remote proctoring setup and technical requirements
  • Review your written wrong-answer notes from weeks 1 through 6
  • Rest the day before your exam - fatigue destroys scenario-question reasoning more than any knowledge gap

Mastering Domain 3: AI Technologies and Controls

At 38%, Domain 3 is not just the largest section - it is the one most likely to contain content that feels genuinely unfamiliar to candidates whose experience sits primarily in traditional security management. A CISM holder may be exceptionally strong on governance and risk frameworks but have limited direct exposure to how adversarial machine learning attacks work or what monitoring an inference endpoint actually requires.

The Domain 3 Mindset Shift: AAISM does not ask you to be a data scientist. It asks you to be a security manager who can evaluate whether an AI system's controls are adequate, identify gaps in testing coverage, and make sound decisions about production monitoring. The question framing is managerial, but the correct answers require technical grounding.

Specific technical areas that require investment in weeks 3 and 5 of this schedule include:

  • Adversarial machine learning: Understand evasion attacks, poisoning attacks, and model extraction attacks well enough to evaluate whether a proposed control addresses the right threat.
  • Secure ML pipeline design: Know the security considerations at each stage - from raw data collection through model inference - and which controls apply at each stage.
  • AI-specific monitoring: Understand that monitoring an AI system involves both traditional security telemetry and AI-specific signals like model drift, output distribution shifts, and decision audit logs.
  • Testing methodologies: Red-teaming an AI system differs from penetration testing a web application. AAISM candidates need to understand the mechanics and limitations of AI red-teaming.

The best way to consolidate Domain 3 content is through scenario-based practice questions, not passive reading. Use the AAISM practice test platform specifically to drill Domain 3 scenarios until the question patterns become recognizable.

Practice Testing Strategy for Scenario-Based Questions

AAISM questions are scenario-based. This means the correct answer is not always the most technically sophisticated option - it is the option that reflects sound AI security management judgment in the described context. Understanding this distinction is critical to your practice routine.

| Wrong Practice Approach | Right Practice Approach |
|---|---|
| Memorizing definitions and hoping scenarios match | Reading each scenario and identifying the management decision being tested |
| Skipping wrong-answer review when pressed for time | Writing out in one sentence why each wrong answer is wrong |
| Taking practice tests without timing yourself | Running every full mock under 150-minute conditions from Week 6 onward |
| Treating all three domains as equal priority | Weighting Domain 3 practice at roughly 38% of total practice question volume |
| Reviewing only missed questions | Reviewing all questions where you were uncertain, even if you guessed correctly |

The written wrong-answer review habit, introduced in Week 2, is the single highest-leverage technique for scenario-based exams. Articulating why an answer is wrong forces you to engage with the logic of the question rather than pattern-match to a surface feature.

Key Takeaway

On a scenario-based exam like AAISM, the candidate who understands why three options are wrong will outperform the candidate who recognizes one option as probably right. Build your practice habit around elimination reasoning, not answer recognition.

Registration, Fees, and Eligibility Mechanics

Before you invest eight weeks of study effort, confirm your administrative eligibility. The AAISM certification has two hard prerequisites that cannot be substituted: you must hold an active CISM or CISSP at the time of application, and that credential must remain active throughout your AAISM certification lifecycle. If your CISM is lapsed, renew it before registering for AAISM.

The exam fee structure breaks down as follows:

| Item | ISACA Member | Non-Member |
|---|---|---|
| Exam Fee | $459 | $599 |
| Application Processing (post-pass, one-time) | $50 | $50 |
| Annual Maintenance | $20/year | $35/year |

The $140 difference between member and non-member exam fees is worth factoring against the cost of ISACA membership if you are not already a member. Run those numbers before you register.

Once passed, AAISM certification is valid for 3 years. Renewal requires a minimum of 10 CPE hours per year in AI-specialized topics and 30 CPE hours total over the 3-year cycle. These must be AI-focused hours - not general security CPEs recycled from your CISM renewal. Plan your ongoing professional development accordingly from day one.

Final Week: What to Do and What to Skip

Week 8 is not the time to discover new material. It is the time to consolidate what you already know, verify your logistics, and arrive at your exam in a state of calm confidence rather than cramming-induced anxiety.

Do in the final week:

  • Review your written wrong-answer notes from all previous weeks - this is your personalized study guide
  • Confirm your testing appointment: center address and travel time, or remote proctoring technical setup
  • Do a light review of ISACA's Code of Professional Ethics, which surfaces in scenario questions across all three domains
  • Take one final timed practice session mid-week - not a full 90-question exam, just 30 targeted questions on your weakest sub-topics

Skip in the final week:

  • Reading new source material you have not previously studied
  • Taking a full 90-question mock exam after Wednesday - the fatigue is not worth the marginal data
  • Comparing notes with other candidates about what topics "will definitely appear" - AAISM is too new for reliable community intelligence

For candidates reviewing this schedule before starting Week 1, the complete AAISM Study Schedule: 8-Week Preparation Plan 2026 is the reference document to bookmark and return to each Sunday as you progress through your preparation.

On AAISM's Newness: Because AAISM launched in August 2025, there is no community-sourced brain dump culture, no unofficial question banks built from years of candidate recall, and no published pass rate. This is actually an advantage for candidates who study the official content outline thoroughly - the signal-to-noise ratio on legitimate study materials is unusually high.

Frequently Asked Questions

Can I use my existing CISM study materials for AAISM preparation?

Partially. Your CISM materials provide a useful foundation for governance and risk management concepts in Domains 1 and 2, but they do not cover the AI-specific content that differentiates AAISM. Domain 3 in particular - covering AI architectures, adversarial testing, and AI monitoring controls - requires dedicated AAISM-specific study. Do not assume CISM coverage transfers.

What happens if I fail to schedule within the 12-month eligibility window?

Your eligibility expires and you would need to re-register and pay the exam fee again. The 12-month window is generous for an 8-week study plan, but candidates who register impulsively and then deprioritize study can find the deadline approaching. Book your exam date at the start of Week 1 to prevent this.

How does the scaled scoring system affect my preparation strategy?

The passing score of 450 on a 200-to-800 scale means raw percentage correct is not the metric you can directly target. Scaled scoring adjusts for question difficulty, which incentivizes consistent performance across all three domains rather than maxing one domain while neglecting another. Weak areas in any domain carry real risk under a scaled scoring model.

Is 8 weeks realistic if I am currently working full-time?

Yes, with realistic expectations about daily time investment. Candidates with active CISM or CISSP credentials typically find the governance and risk domains approachable, which means concentrated effort on Domain 3 AI Technologies and Controls is the primary new workload. Estimate 8 to 12 hours per week of focused study, which is achievable in evenings and weekends for most working professionals.

Where can I find reliable AAISM practice questions given how new the certification is?

Because AAISM launched in August 2025, community-sourced materials are limited. The AAISM Exam Prep practice test platform is specifically designed around the three official domains and the scenario-based question format. Starting with a diagnostic test there in Week 1 gives you a meaningful baseline before your formal study begins.
