CISM
Certified Information Security Manager
The CISM (Certified Information Security Manager) certification is designed for experienced information security management professionals. Established by ISACA, CISM validates expertise in information security governance, risk management, program development, incident management, and security operations. CISM-certified professionals are equipped to design, build, and manage enterprise information security programs.
The exam covers five domains: Information Security Governance (17%), Information Risk Management (20%), Information Security Program Development and Management (33%), Incident Management (19%), and Information Security Operations (11%). Candidates must demonstrate expertise in establishing security governance frameworks, conducting risk assessments, developing security strategies and policies, leading incident response teams, and managing security operations.
CISM is ideal for information security managers, IT directors, security consultants, and CISOs. The exam features 150 multiple-choice questions administered over 4 hours, with a scaled passing score of 450 out of 800 (approximately 56%). CISM certification requires a minimum of five years of information security management work experience, with up to two years waivable for related certifications or degrees.
CISM Practice Exam 1
Comprehensive 50-question practice exam covering all five CISM domains: Information Security Governance, Information Risk Management, Information Security Program Development, Incident Management, and Information Security Operations.
CISM Practice Exam 2
Comprehensive 50-question practice exam covering information security governance frameworks, risk management methodologies, security program development lifecycle, incident management processes, and operational security controls across all CISM domains.
CISM Practice Exam 3
Comprehensive 50-question practice exam covering information security governance alignment, enterprise risk quantification, security program lifecycle management, incident containment strategies, and day-to-day security operations across all five CISM domains.
CISM Practice Exam 4
Comprehensive 50-question practice exam covering enterprise security governance frameworks, quantitative and qualitative risk assessment methodologies, security program maturity modeling, incident forensics and evidence handling, and operational security monitoring across all CISM domains.
CISM Practice Exam 5
Comprehensive 50-question practice exam covering security governance charter development, board-level security reporting frameworks, risk appetite quantification methodologies, third-party risk assessment integration, security architecture maturity models, security operations center optimization, incident forensics chain of custody, crisis communication protocols, vulnerability management lifecycle, and security metrics program design across all CISM domains.
CISM Practice Exam 6
Final comprehensive 50-question practice exam covering advanced information security governance strategies, enterprise risk quantification methodologies, security program maturity optimization, incident response orchestration, and security operations continuous improvement across all five CISM domains.
Flash Cards
120 cards covering key CISM concepts
CISM Cheat Sheet
Quick reference guide - 6 sections
ISACA Certified Information Security Manager (CISM)
The CISM certification is a globally recognized credential for information security management professionals. Unlike technical security certifications, CISM focuses on the management and governance aspects of information security, making it ideal for security managers, directors, and consultants who design, oversee, and assess an enterprise's information security program. CISM is issued by ISACA and demonstrates that the holder possesses the knowledge and experience to establish and manage an information security program that aligns with broader business goals and objectives.

The certification validates expertise across four critical domains: Information Security Governance, Information Security Risk Management, Information Security Program, and Incident Management. CISM holders are expected to understand how to develop security strategies that support business objectives, manage risk to acceptable levels, build and maintain comprehensive security programs, and establish incident response capabilities that minimize business impact.

The CISM certification requires a minimum of five years of information security management work experience, with substitutions and waivers available for certain qualifications. CISM is consistently ranked among the highest-paying IT certifications worldwide and is recognized by the U.S. Department of Defense under Directive 8570/8140 for Information Assurance Management positions.
Exam Details
| Item | Detail |
|---|---|
| Exam Code | CISM |
| Duration | 240 minutes (4 hours) |
| Number of Questions | 150 multiple-choice questions |
| Passing Score | 450 / 800 (scaled score) |
| Cost | $575 USD (ISACA members) / $760 USD (non-members) |
| Validity | 3 years (requires 20 CPE hours annually, 120 CPE hours over 3 years) |
| Question Types | Multiple choice (single best answer), scenario-based |
| Experience Required | 5 years of IS management experience (waivers available for up to 2 years) |
Domain Weights
| Domain | Weight |
|---|---|
| Domain 1: Information Security Governance | 17% |
| Domain 2: Information Security Risk Management | 20% |
| Domain 3: Information Security Program | 33% |
| Domain 4: Incident Management | 30% |
Study Tips
- Domain 3 (Information Security Program) and Domain 4 (Incident Management) together account for 63% of the exam; allocate the majority of your study time to building and managing security programs and incident response capabilities
- CISM is a management-level exam; questions focus on what a security manager should do, not the technical details of how to implement a specific control or configure a tool
- When answering scenario questions, always think from the perspective of what best serves the organization's business objectives, not just what is technically correct or most secure in isolation
- Understand the relationships between governance, risk, and compliance; governance sets the direction, risk management informs decisions, the security program implements controls, and incident management handles failures
- Know the key frameworks thoroughly: COBIT for IT governance, ISO 27001/27002 for ISMS, NIST CSF for cybersecurity program structure, and NIST SP 800-53 for security controls
- Practice interpreting risk scenarios: given a business context, identify the appropriate risk response (accept, mitigate, transfer, avoid) and justify the decision based on cost-benefit analysis and risk appetite
- Pay close attention to the order of actions in incident response and BCP/DRP questions; the correct sequence of steps is frequently tested and wrong answers often swap two adjacent steps
Governance Frameworks and Standards
| Framework | Description |
|---|---|
| COBIT | ISACA's framework for IT governance and management; provides a comprehensive set of governance and management objectives organized into five domains: Evaluate, Direct and Monitor (EDM), Align, Plan and Organize (APO), Build, Acquire and Implement (BAI), Deliver, Service and Support (DSS), and Monitor, Evaluate and Assess (MEA); helps align IT goals with enterprise objectives through a cascade of goals from stakeholder needs to governance objectives to alignment goals to IT-related goals; widely used for audit and compliance purposes |
| ISO/IEC 27001 | International standard for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS); uses a risk-based approach with a Plan-Do-Check-Act (PDCA) cycle; requires a formal risk assessment process, statement of applicability (SoA), and management commitment; Annex A provides 93 controls organized into 4 themes (Organizational, People, Physical, Technological); certification requires external audit by an accredited body |
| ISO/IEC 27002 | Implementation guidance for the controls listed in ISO 27001 Annex A; provides detailed best practice recommendations for each control including purpose, guidance, and other information; serves as a reference for selecting and implementing security controls based on the organization's risk assessment results; not a certifiable standard itself but supports ISO 27001 certification |
| NIST Cybersecurity Framework (CSF) | Voluntary framework organized around six core functions: Govern, Identify, Protect, Detect, Respond, and Recover; each function contains categories and subcategories mapped to informative references from other standards; implementation tiers (Partial, Risk Informed, Repeatable, Adaptive) describe the degree of rigor in cybersecurity risk management practices; profiles define the current and target state of cybersecurity activities; widely adopted in both public and private sectors |
| NIST SP 800-53 | Comprehensive catalog of security and privacy controls for federal information systems; organizes controls into 20 families including Access Control, Audit and Accountability, Security Assessment, Configuration Management, Contingency Planning, Identification and Authentication, Incident Response, Risk Assessment, System and Communications Protection, and System and Information Integrity; control baselines for Low, Moderate, and High impact systems; widely adopted beyond federal government as a security controls reference |
Exam Tip: CISM questions expect you to know when to apply which framework. COBIT is for IT governance alignment, ISO 27001 is for establishing an ISMS with a certification path, NIST CSF provides a flexible risk-based approach, and NIST 800-53 offers a detailed control catalog. The information security manager must select and adapt frameworks to the organization's specific context, regulatory requirements, and maturity level.
Security Governance Structure and Roles
| Role / Body | Governance Responsibilities |
|---|---|
| Board of Directors | Ultimately accountable for information security; sets organizational risk appetite and tolerance levels; approves the information security strategy and policy; ensures adequate resources are allocated to the security program; receives regular reports on the state of security; fiduciary duty to protect organizational assets including information assets; cannot delegate accountability, only authority |
| Security Steering Committee | Cross-functional committee comprising senior representatives from business units, IT, legal, compliance, HR, and security; prioritizes security initiatives based on business impact; resolves conflicts between security requirements and business operations; reviews and endorses security policies before board approval; ensures security strategy alignment with business objectives; typically meets quarterly |
| CISO / Information Security Manager | Responsible for developing, implementing, and managing the information security program; reports to senior management (ideally to the CEO, COO, or board-level committee to ensure independence from IT operations); develops security strategy, policies, and standards; manages the security budget; oversees risk assessment and incident response; provides regular reporting to the board and steering committee on security posture, incidents, and program effectiveness |
| Data/Information Owner | Senior business manager accountable for specific information assets; determines classification level (confidential, internal, public) based on business value and regulatory requirements; approves access to the data; defines retention and disposal requirements; ensures compliance with applicable regulations; may delegate day-to-day custodial responsibilities to data custodians while retaining accountability |
Security Strategy and Policy Development
- Security Strategy: Long-term plan (typically 3-5 years) that defines the vision, goals, and roadmap for the information security program; must align with and support the organization's business strategy and objectives; considers the current state of security (gap analysis), desired future state, regulatory landscape, threat environment, and available resources; approved by senior management and the board; reviewed and updated annually or when significant business changes occur
- Policy Hierarchy: Policies (high-level, mandatory statements of management intent approved by senior leadership), Standards (mandatory specific requirements that support policies, e.g., minimum password length), Guidelines (recommended practices, non-mandatory), Procedures (step-by-step instructions for implementing standards); policies must be communicated to all relevant personnel and reviewed at least annually
- Policy Development Process: Identify regulatory and business requirements, draft policy with stakeholder input, review by legal and compliance, approve by appropriate authority (board for top-level policy), communicate and train, enforce through technical and administrative controls, monitor compliance, review and update periodically; exception processes must be formally documented with risk acceptance by appropriate management level
- Business Case for Security: Justify security investments using business language; demonstrate value through risk reduction, regulatory compliance, competitive advantage, and business enablement; use metrics like Return on Security Investment (ROSI), annualized loss expectancy (ALE) reduction, cost of non-compliance, and impact on business objectives; the security manager must be able to translate technical risks into business impact terms
Exam Tip: The CISM exam heavily emphasizes that information security governance is the responsibility of the board of directors and senior management, not the IT department. The information security manager advises and implements, but accountability for security rests at the top. Questions often test whether you understand the difference between accountability (cannot be delegated) and responsibility (can be delegated).
Metrics and Reporting for Governance
| Metric Type | Description and Examples |
|---|---|
| Key Performance Indicators (KPIs) | Measure how effectively the security program is achieving its objectives; examples: percentage of systems patched within SLA, percentage of employees completing security awareness training, mean time to detect (MTTD) and mean time to respond (MTTR) to incidents, number of critical vulnerabilities remediated within target timeframe, percentage uptime of security infrastructure; KPIs are backward-looking and measure past performance |
| Key Risk Indicators (KRIs) | Forward-looking metrics that signal increasing risk levels and trigger management attention; examples: number of unpatched critical vulnerabilities trending upward, increase in phishing click rates, rising number of unauthorized access attempts, growth in shadow IT assets, increasing time-to-patch metrics; KRIs should have defined thresholds (green, amber, red) that trigger escalation and response actions |
| Key Goal Indicators (KGIs) | Measure whether security governance objectives have been achieved; examples: zero material security breaches in the reporting period, successful completion of ISO 27001 certification audit, full compliance with regulatory requirements, security program maturity advancement from level 2 to level 3; KGIs are outcome-focused and reported to the board and steering committee |
| Maturity Models | Assess the maturity of security processes and capabilities; common models include CMMI (Initial, Managed, Defined, Quantitatively Managed, Optimizing) and ISACA's COBIT maturity model; used to benchmark current state, set target maturity levels, and track improvement over time; helps prioritize investment in areas with the lowest maturity relative to business needs |
Risk Assessment Methodologies
| Approach | Description |
|---|---|
| Qualitative Risk Assessment | Uses descriptive scales (High/Medium/Low or 1-5) to rate likelihood and impact; relies on expert judgment, interviews, and workshops; faster and less resource-intensive than quantitative methods; results presented as risk matrices or heat maps; suitable when precise data is unavailable or when performing initial risk screening; subjective nature means results may vary between assessors; most commonly used method in practice |
| Quantitative Risk Assessment | Uses numerical values to calculate risk in financial terms; key formulas: Single Loss Expectancy (SLE) = Asset Value x Exposure Factor, Annualized Rate of Occurrence (ARO) = estimated frequency per year, Annualized Loss Expectancy (ALE) = SLE x ARO; enables cost-benefit analysis of controls by comparing control cost to ALE reduction; requires reliable historical data which is often difficult to obtain; more objective but more resource-intensive |
| Semi-Quantitative | Hybrid approach combining qualitative categories with numerical scores; assigns numeric values to qualitative ratings (e.g., High=3, Medium=2, Low=1) and calculates risk scores; provides more granularity than pure qualitative without requiring the precise financial data of quantitative methods; useful for prioritizing risks and comparing relative risk levels across different domains |
| NIST SP 800-30 | Guide for Conducting Risk Assessments; defines a four-step process: Prepare (establish context), Conduct (identify threat sources and events, identify vulnerabilities, determine likelihood, determine impact, determine risk), Communicate (share results with stakeholders), Maintain (monitor and update); supports both qualitative and semi-quantitative approaches; widely adopted as a structured risk assessment methodology |
| ISO 31000 / ISO 27005 | ISO 31000 provides general risk management principles and guidelines applicable to any type of risk; ISO 27005 specifically addresses information security risk management and aligns with ISO 27001; process includes context establishment, risk identification, risk analysis, risk evaluation, and risk treatment; emphasizes integration of risk management into organizational processes and decision-making |
Exam Tip: Know the quantitative formulas: SLE = AV x EF, ALE = SLE x ARO. If a control costs less than the ALE reduction it provides, it is cost-justified. Qualitative methods are more common in practice because reliable quantitative data is scarce, but the exam expects you to understand both approaches and know when each is appropriate.
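The quantitative formulas above (SLE = AV x EF, ALE = SLE x ARO) and the Business Case for Security item (ROSI, ALE reduction) come together in a control cost-benefit comparison. The following Python is an added example, not code from ISACA or this cheat sheet; the customer-database scenario, its asset value, exposure factors, frequencies, and the three candidate controls with their costs are constructed sample figures. It goes slightly beyond the page's single formula by ranking several controls against one risk and treating the break-even case (control cost equal to ALE reduction) as not cost-justified.

```python
"""Quantitative risk cost-benefit model (added example; constructed figures).

    SLE  = AV x EF
    ALE  = SLE x ARO
    ROSI = (ALE reduction - annual control cost) / annual control cost

A control is cost-justified when its annual cost is strictly less than the
ALE reduction it delivers; equal cost and reduction is break-even, not a saving.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    name: str
    asset_value: float       # AV, currency units
    exposure_factor: float   # EF, fraction of AV lost per occurrence (0.0-1.0)
    aro: float               # ARO, expected occurrences per year


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    residual_ef: float       # EF after the control is in place
    residual_aro: float      # ARO after the control is in place


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy."""
    return asset_value * exposure_factor


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Annualized Loss Expectancy."""
    return sle(asset_value, exposure_factor) * aro


def evaluate_control(scenario: RiskScenario, control: Control) -> dict:
    """Compare ALE with and without the control and compute ROSI."""
    before = ale(scenario.asset_value, scenario.exposure_factor, scenario.aro)
    after = ale(scenario.asset_value, control.residual_ef, control.residual_aro)
    reduction = before - after
    return {
        "ale_before": before,
        "ale_after": after,
        "ale_reduction": reduction,
        "rosi": (reduction - control.annual_cost) / control.annual_cost,
        # strict comparison: spending exactly the saving achieves nothing
        "cost_justified": control.annual_cost < reduction,
    }


def rank_controls(scenario: RiskScenario, controls) -> list:
    """Rank candidates by net annual benefit (ALE reduction minus cost), best first."""
    rows = []
    for control in controls:
        result = evaluate_control(scenario, control)
        rows.append((control.name, result["ale_reduction"] - control.annual_cost, result))
    rows.sort(key=lambda row: row[1], reverse=True)
    return rows


# Constructed scenario: a customer database worth 2M, a breach exposing 25% of
# that value, expected once every two years -> SLE 500k, ALE 250k.
CUSTOMER_DB = RiskScenario("Customer database breach", 2_000_000, 0.25, 0.5)

# Constructed candidate controls with assumed costs and residual effects.
CANDIDATE_CONTROLS = [
    Control("Encryption at rest with key management", 60_000, residual_ef=0.05, residual_aro=0.5),
    Control("Managed detection and response", 125_000, residual_ef=0.25, residual_aro=0.25),
    Control("Annual penetration test only", 30_000, residual_ef=0.25, residual_aro=0.45),
]


if __name__ == "__main__":
    for name, net, r in rank_controls(CUSTOMER_DB, CANDIDATE_CONTROLS):
        print(f"{name:42s} ALE {r['ale_before']:>9,.0f} -> {r['ale_after']:>9,.0f} "
              f"net {net:>+10,.0f} ROSI {r['rosi']:+.2f} justified={r['cost_justified']}")
```

Reading the output the way a steering committee would: the first control removes 200k of annual expected loss for 60k and is clearly justified; the second exactly breaks even and is therefore not justified on loss reduction alone; the third costs more than it saves. The same net-benefit column is what a risk-appetite statement expressed in currency terms (for example, a maximum acceptable annual loss) is compared against.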
Risk Treatment Options
| Response | Description |
|---|---|
| Risk Mitigation (Reduction) | Implement controls to reduce likelihood or impact to an acceptable level; most common risk treatment; includes preventive controls (firewalls, access controls, encryption), detective controls (IDS, log monitoring, audits), and corrective controls (incident response, backup/restore); control selection should be based on cost-benefit analysis; residual risk must be formally accepted by management after mitigation |
| Risk Transfer (Sharing) | Shift the financial impact of risk to a third party; primary methods include cyber insurance (covers breach costs, business interruption, liability), outsourcing to managed security service providers (MSSPs), service level agreements (SLAs) with penalties, and indemnification clauses in contracts; transfers financial impact but does not transfer accountability or reputational risk; the organization remains accountable for protecting customer data even when processing is outsourced |
| Risk Acceptance | Consciously decide to accept the risk without further treatment when the cost of mitigation exceeds the potential loss or the risk falls within the organization's risk appetite; must be formally documented with a risk acceptance statement signed by the appropriate level of management (typically the information/data owner); should include a review date and conditions under which the acceptance must be reconsidered; residual risk after mitigation must also be formally accepted |
| Risk Avoidance | Eliminate the risk by removing the threat source or the vulnerable activity; examples: discontinuing a high-risk business process, not entering a market with unacceptable regulatory risk, decommissioning a legacy system that cannot be secured; most extreme response and may result in lost business opportunity; appropriate when the risk significantly exceeds the organization's risk appetite and no cost-effective mitigation exists |
Risk Management Concepts
| Concept | Definition |
|---|---|
| Risk Appetite | The broad level of risk an organization is willing to accept in pursuit of its objectives; defined by the board of directors; expressed in qualitative terms (e.g., "the organization accepts moderate levels of information security risk in non-critical systems") or quantitative terms (e.g., "maximum acceptable annual loss from cyber incidents is $2M"); guides overall risk strategy and resource allocation |
| Risk Tolerance | The acceptable variation from the risk appetite for specific risks or risk categories; more specific and measurable than risk appetite; example: "critical systems must maintain 99.99% uptime" or "no more than 5 high-severity vulnerabilities may remain unpatched beyond 30 days"; risk tolerance levels are used by operational managers to make day-to-day risk decisions within the boundaries set by risk appetite |
| Inherent Risk vs Residual Risk | Inherent risk is the level of risk before any controls are applied; residual risk is the remaining risk after controls are implemented; the goal of risk management is to reduce residual risk to within the organization's risk tolerance; if residual risk exceeds tolerance, additional controls must be implemented, the risk must be transferred, or management must formally accept the higher risk level with documented justification |
| Risk Register | Central repository documenting all identified risks, their assessment results, treatment decisions, control owners, and status; each entry includes: risk description, threat source, vulnerability exploited, likelihood rating, impact rating, risk level, risk treatment decision, control measures, risk owner, review date, and current status; a living document that must be regularly reviewed and updated; serves as the primary input for risk reporting to management |
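The Semi-Quantitative row of the risk assessment table and the Risk Tolerance, Inherent vs Residual Risk, and Risk Register rows above describe one workflow: score each risk, compare residual risk against tolerance, and flag anything that exceeds tolerance without a documented acceptance. The Python below is an added example, not ISACA's or this page's own code; the 1-3 rating scale, the score-to-level thresholds, the "Medium" tolerance, the review date used as today, and the three register entries are all constructed assumptions.

```python
"""Semi-quantitative risk register with a tolerance check (added example; constructed data)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Semi-quantitative scale: numeric values assigned to qualitative ratings (assumed).
RATING = {"Low": 1, "Medium": 2, "High": 3}


def risk_score(likelihood: str, impact: str) -> int:
    """Risk score = likelihood x impact on the 1-3 scale (range 1..9)."""
    return RATING[likelihood] * RATING[impact]


def risk_level(score: int) -> str:
    """Map a score back to a level (assumed thresholds: 1-2 Low, 3-5 Medium, 6-9 High)."""
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


@dataclass
class RiskEntry:
    """One register row, with the fields the cheat sheet lists for an entry."""
    risk_id: str
    description: str
    threat_source: str
    vulnerability: str
    inherent_likelihood: str
    inherent_impact: str
    residual_likelihood: str            # after currently implemented controls
    residual_impact: str
    treatment: str                      # mitigate / transfer / accept / avoid
    risk_owner: str
    review_date: date
    accepted_by: Optional[str] = None   # management signatory of a formal risk acceptance


def assess_entry(entry: RiskEntry, tolerance: str, today: date) -> dict:
    """Derive inherent and residual levels and decide whether management action is needed."""
    inherent = risk_level(risk_score(entry.inherent_likelihood, entry.inherent_impact))
    residual = risk_level(risk_score(entry.residual_likelihood, entry.residual_impact))
    if RATING[residual] <= RATING[tolerance]:
        status = "within tolerance"
    elif entry.accepted_by:
        # Residual risk above tolerance is only acceptable with documented sign-off.
        status = f"exceeds tolerance; formally accepted by {entry.accepted_by}"
    else:
        status = "exceeds tolerance; needs further treatment or documented acceptance"
    return {
        "risk_id": entry.risk_id,
        "inherent": inherent,
        "residual": residual,
        "status": status,
        "review_overdue": entry.review_date < today,
    }


def review_register(register, tolerance: str = "Medium", today: date = date(2024, 6, 30)) -> list:
    return [assess_entry(e, tolerance, today) for e in register]


def open_actions(register, tolerance: str = "Medium", today: date = date(2024, 6, 30)) -> list:
    """Risk IDs needing management attention: untreated excess risk or an overdue review."""
    return [r["risk_id"] for r in review_register(register, tolerance, today)
            if r["status"].startswith("exceeds tolerance; needs") or r["review_overdue"]]


# Constructed sample register (all entries hypothetical).
SAMPLE_REGISTER = [
    RiskEntry("R-001", "Compromise of internet-facing VPN gateway", "External attacker",
              "Delayed patching of edge devices", "High", "High", "Low", "High",
              "mitigate", "Head of Infrastructure", date(2024, 9, 30)),
    RiskEntry("R-002", "Disclosure of employee records from legacy HR system", "Insider",
              "No encryption at rest on legacy platform", "High", "High", "Medium", "High",
              "accept", "HR Director", date(2024, 3, 31), accepted_by="CFO"),
    # Transfer via cyber insurance shifts financial impact, not accountability, so the
    # residual level is unchanged and still needs treatment or documented acceptance.
    RiskEntry("R-003", "Breach at third-party payroll processor", "Supply chain",
              "Limited assurance over vendor controls", "Medium", "High", "Medium", "High",
              "transfer", "Finance Director", date(2024, 12, 31)),
]


if __name__ == "__main__":
    for row in review_register(SAMPLE_REGISTER):
        print(row)
    print("Open actions:", open_actions(SAMPLE_REGISTER))
```

With the assumed "Medium" tolerance, R-001 drops from High to Medium after its controls and needs nothing further; R-002 still sits at High but carries a signed acceptance, and only its lapsed review date puts it on the action list; R-003 is flagged because transfer left the residual level above tolerance without any acceptance on record. Lowering the tolerance to "Low" pulls R-001 onto the list as well, which is the kind of sensitivity a security manager shows the steering committee when proposing a tolerance level.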
Asset Classification and Valuation
- Information Asset Identification: Inventory all information assets including data, applications, systems, networks, physical facilities, and personnel; identify information owners (business managers accountable for the asset) and custodians (IT staff responsible for day-to-day protection); maintain an asset register linked to the risk register; asset identification is the foundation of risk assessment because you cannot protect what you do not know exists
- Data Classification: Categorize information based on sensitivity and business value; common classification levels: Public (no impact if disclosed), Internal (limited internal distribution), Confidential (significant harm if disclosed), Restricted/Secret (severe harm if disclosed); classification determines the minimum level of security controls required; the information owner is responsible for assigning the classification level; reclassification should occur when the business context changes
- Asset Valuation: Determine the value of information assets to prioritize protection efforts; consider replacement cost, revenue generation, regulatory penalties for loss, competitive advantage, and reputational damage; valuation should account for both tangible (financial, replacement) and intangible (reputation, customer trust) factors; assets with the highest value require the strongest controls and most frequent risk assessments
- Threat and Vulnerability Analysis: Threats are potential events that could cause harm (natural disasters, malicious actors, insider threats, system failures); vulnerabilities are weaknesses that can be exploited by threats (unpatched software, misconfigured systems, untrained users, inadequate controls); risk exists at the intersection of threats, vulnerabilities, and asset value; threat intelligence feeds and vulnerability scanning inform ongoing risk assessments
Exam Tip: The information owner (a business manager, not IT) is responsible for classifying data and determining its protection requirements. The information custodian (typically IT) implements the controls specified by the owner. This distinction between ownership and custodianship is a frequently tested concept on the CISM exam.
Security Program Development and Management
| Component | Description |
|---|---|
| Security Program Charter | Formal document establishing the authority, scope, objectives, and responsibilities of the information security program; approved by senior management; defines the reporting structure, resource allocation, and relationship with other organizational functions; serves as the mandate for the security team to carry out security activities; should reference the organization's security strategy and policy as the guiding documents |
| Security Architecture | Defines the structure of security controls across the enterprise; follows defense-in-depth principles with multiple layers of protection (network, host, application, data); reference architectures include SABSA (business-driven, layered approach), TOGAF (enterprise architecture with security extension), and Zachman Framework; security architecture should be integrated into the enterprise architecture, not bolted on as an afterthought; addresses people, process, and technology dimensions |
| Control Selection and Implementation | Controls are selected based on risk assessment results, regulatory requirements, and business needs; control types: Preventive (stop incidents from occurring), Detective (identify incidents during or after occurrence), Corrective (restore systems after incidents), Deterrent (discourage threat actors), Compensating (alternative controls when primary controls are infeasible); implementation must consider cost-effectiveness: the cost of a control should not exceed the value of the asset it protects or the risk it mitigates |
| Resource Management | Budget planning and allocation for security personnel, technology, training, and consulting; staffing models: in-house security team, outsourced managed security services (MSSP), or hybrid; skill gap analysis to identify training needs; security awareness program budget; technology investment in tools for vulnerability management, SIEM, endpoint protection, identity management; demonstrate ROI to justify ongoing investment to senior management |
Security Controls by Category
| Category | Administrative | Technical | Physical |
|---|---|---|---|
| Preventive | Security policies, background checks, separation of duties | Firewalls, encryption, access controls, MFA | Locks, fencing, security guards, mantraps |
| Detective | Audits, reviews, job rotation, mandatory vacations | IDS/IPS, SIEM, log monitoring, vulnerability scans | CCTV, motion sensors, intrusion alarms |
| Corrective | Incident response procedures, disciplinary actions | Backup/restore, patch management, antivirus | Fire suppression, UPS, generator failover |
| Compensating | Enhanced monitoring when separation of duties is infeasible | Additional logging when encryption cannot be applied | Security cameras when guard staffing is limited |
Security Awareness, Training, and Education
| Level | Description |
|---|---|
| Awareness | Broad program targeting all employees; covers security policies, acceptable use, phishing recognition, social engineering, password hygiene, physical security, data handling, and reporting procedures; delivered through mandatory annual training, email campaigns, posters, newsletters, and simulated phishing exercises; goal is to create a security-conscious culture where employees understand their role in protecting information assets; effectiveness measured by phishing simulation click rates and incident reporting frequency |
| Training | Role-specific skills development for personnel with security responsibilities; targeted at IT administrators, developers, security analysts, and managers; topics include secure coding practices, system hardening, incident handling procedures, forensic analysis, and security tool operation; delivered through hands-on workshops, simulations, and tabletop exercises; must be tracked and documented for compliance purposes |
| Education | In-depth study for security professionals seeking expertise; includes professional certifications (CISM, CISSP, CISA), advanced degree programs, and specialized technical certifications; contributes to career development and retention of security talent; builds the strategic and analytical capabilities needed for security leadership roles; organizations may sponsor education as part of talent development programs |
Exam Tip: Security awareness is the single most cost-effective control for reducing human-related risk. The exam emphasizes that technology alone cannot solve security problems; people are both the weakest link and the first line of defense. An effective awareness program must be continuous, engaging, and measured through behavioral metrics like phishing simulation results, not just completion rates.
Compliance and Regulatory Requirements
| Regulation / Standard | Key Requirements |
|---|---|
| GDPR | EU regulation protecting personal data; requires lawful basis for processing, data minimization, purpose limitation, consent management; mandatory Data Protection Officer (DPO) for certain organizations; 72-hour breach notification requirement to supervisory authorities; data subject rights (access, rectification, erasure, portability); fines up to 4% of annual global turnover or 20M euros |
| PCI DSS | Payment Card Industry Data Security Standard; 12 requirements organized into 6 goals: build and maintain a secure network, protect cardholder data, maintain vulnerability management, implement strong access control, monitor and test networks, maintain a security policy; applies to all entities that store, process, or transmit cardholder data; validated through self-assessment questionnaires or qualified security assessors |
| SOX (Sarbanes-Oxley) | US law requiring public companies to maintain internal controls over financial reporting; Section 302 requires CEO/CFO certification of financial statements; Section 404 requires management assessment and external audit of internal controls; IT general controls (access management, change management, backup/recovery, computer operations) are critical to SOX compliance; information security directly supports the integrity and reliability of financial data |
| HIPAA | US law protecting health information (PHI); Security Rule requires administrative, physical, and technical safeguards; Privacy Rule governs use and disclosure of PHI; Breach Notification Rule requires notification of affected individuals and HHS within 60 days for breaches affecting 500+ individuals; Business Associate Agreements (BAAs) required for third parties handling PHI; risk analysis is a core requirement |
Third-Party and Vendor Risk Management
- Due Diligence: Evaluate vendor security posture before engagement through security questionnaires, SOC 2 Type II reports, ISO 27001 certification verification, penetration test results, and financial stability assessment; due diligence must be proportional to the risk the vendor poses based on the sensitivity of data shared and the criticality of services provided
- Contractual Requirements: Include security requirements in contracts: data protection obligations, right to audit, breach notification requirements and timelines, data handling and destruction at contract end, compliance with applicable regulations, insurance requirements, SLA penalties for security failures, and subcontractor approval requirements
- Ongoing Monitoring: Continuously assess vendor risk through periodic reassessments, automated security rating services, review of SOC reports, compliance certifications, and incident reports; monitor for changes in vendor financial health or ownership that might impact security; establish vendor risk tiering (critical, high, medium, low) with corresponding monitoring frequency and depth
- Supply Chain Risk: Assess risks throughout the supply chain, not just direct vendors; include fourth-party risk (your vendor's vendors); evaluate concentration risk (dependence on a single vendor for critical services); maintain contingency plans for vendor failure including data portability and service transition plans
Incident Response Planning
| Phase | Description |
|---|---|
| 1. Preparation | Establish the incident response capability before incidents occur; develop the incident response plan (IRP) defining roles, responsibilities, communication procedures, and escalation paths; build the Computer Security Incident Response Team (CSIRT) with members from IT, security, legal, communications, HR, and management; deploy and configure detection tools (SIEM, IDS/IPS, EDR); establish relationships with external resources (law enforcement, forensic firms, CERT organizations); conduct regular training and simulations; acquire and maintain forensic tools and evidence handling kits; define incident classification and severity levels |
| 2. Detection and Analysis | Identify potential security incidents through monitoring alerts, user reports, log analysis, and threat intelligence; determine whether an event constitutes an actual security incident; perform initial triage to assess scope, severity, and potential impact; classify the incident type (malware, unauthorized access, data breach, denial of service, insider threat); document findings and initial indicators of compromise (IOCs); the most challenging phase because distinguishing actual incidents from false positives requires skilled analysts and mature detection capabilities |
| 3. Containment | Limit the damage and prevent the incident from spreading; short-term containment: immediate actions to stop the bleeding (isolate affected systems, block malicious IPs, disable compromised accounts); long-term containment: apply temporary fixes that allow business operations to continue while preparing for eradication (deploy clean systems, implement additional monitoring); critical decision: preserve evidence for forensic investigation versus rapid restoration of services; containment strategy must balance business impact with investigation needs |
| 4. Eradication | Remove the root cause of the incident from the environment; actions include removing malware, closing exploited vulnerabilities by applying patches, rebuilding compromised systems from known-good images, resetting compromised credentials, updating firewall rules and access controls; verify that the threat has been completely eliminated; address the underlying vulnerability or weakness that allowed the incident to occur; document all eradication actions for the post-incident review |
| 5. Recovery | Restore affected systems to normal operations; restore from verified clean backups; validate system integrity before reconnecting to the production network; implement enhanced monitoring to detect any recurrence; gradually return to normal operations with careful observation; verify that business processes are functioning correctly; recovery time depends on the severity and scope of the incident and should align with the organization's Recovery Time Objectives (RTOs) |
| 6. Post-Incident / Lessons Learned | Conduct a post-incident review (also called lessons learned or after-action review) within days of the incident; analyze what happened, why it happened, what worked well, and what needs improvement; document timeline of events, root cause analysis, effectiveness of the response, and recommendations; update the IRP, security controls, detection rules, and training based on findings; this phase is critical for continuous improvement but is often skipped under time pressure, which the CISM exam considers a significant failure |
Exam Tip: The CISM exam expects you to know the correct sequence of incident response phases. The first priority during an incident is always containment to limit damage, followed by eradication and recovery. Evidence preservation is important but should not delay containment actions that protect business operations. The post-incident review is mandatory, not optional, and must result in documented improvements to the security program.
Business Continuity and Disaster Recovery
| Concept | Description |
|---|---|
| Business Impact Analysis (BIA) | Identifies critical business processes and the impact of their disruption; determines Maximum Tolerable Downtime (MTD) for each process: the longest time the organization can survive without the process; defines Recovery Time Objective (RTO): the target time to restore the process; defines Recovery Point Objective (RPO): the maximum acceptable data loss measured in time; BIA results drive BCP/DRP investment decisions and prioritization; must involve business process owners, not just IT |
| Business Continuity Plan (BCP) | Comprehensive plan to maintain critical business operations during and after a disruptive event; covers people (alternative work locations, communication plans, succession planning), processes (manual workarounds, alternative procedures), and technology (backup systems, alternative sites); BCP is broader than DRP and addresses all aspects of business continuity, not just IT recovery; must be tested at least annually through tabletop exercises, structured walkthroughs, or full-scale simulations |
| Disaster Recovery Plan (DRP) | Subset of BCP focused specifically on restoring IT systems and infrastructure after a disaster; defines recovery strategies including backup procedures, alternate processing facilities, and data replication; must meet the RTO and RPO defined in the BIA; maintained and tested by IT in coordination with the BCP team; includes detailed technical procedures for system restoration, failover activation, and data recovery |
| Recovery Site Types | Hot site: fully equipped and operational, can assume processing within minutes to hours (highest cost); Warm site: partially equipped with hardware and connectivity but requires data restoration and configuration (moderate cost, recovery in hours to days); Cold site: basic facility with power, HVAC, and connectivity but no equipment pre-installed (lowest cost, recovery in days to weeks); Mobile site: portable facility that can be deployed to the disaster location; Cloud-based DR: leverages cloud infrastructure for on-demand recovery resources with pay-per-use pricing |
BCP/DRP Testing Methods
| Test Type | Description |
|---|---|
| Checklist Review | Simplest form; team members review plan documentation and verify completeness; ensures contact lists are current, procedures are documented, and resources are identified; low cost and minimal disruption but provides limited assurance of plan effectiveness; useful as a starting point or between more rigorous tests |
| Tabletop Exercise | Discussion-based exercise where key personnel walk through a disaster scenario in a conference room setting; facilitator presents a scenario and participants discuss their roles, decisions, and actions; identifies gaps in procedures, communication plans, and role understanding without operational risk; moderate cost; highly recommended for management-level testing and for validating decision-making processes |
| Simulation Test | Goes beyond tabletop by simulating actual disaster conditions; personnel perform their assigned recovery tasks without impacting production systems; may include activating alternate work locations or setting up recovery environments in parallel; tests operational readiness and personnel competency; moderate cost and disruption |
| Full Interruption Test | Most comprehensive and realistic test; actual production systems are shut down and recovery procedures are executed; validates that recovery can be achieved within the RTO and RPO; highest risk because production is interrupted; rarely performed due to cost and business risk; provides the highest level of assurance; typically reserved for the most critical systems and conducted during planned maintenance windows |
Exam Tip: The BIA is the foundation of all business continuity planning. RTO must be less than MTD (for example, if the business can survive 8 hours without a system, its MTD is 8 hours, and a 4-hour RTO fits within that limit). RPO determines the backup strategy: an RPO of zero requires synchronous replication, while an RPO of 24 hours can be met with daily backups. The most common exam error is confusing RTO (time to restore) with RPO (acceptable data loss).
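The RTO/MTD and RPO/backup rules from the exam tip, turned into a consistency check over a BIA table. This is an added example with constructed process and backup data, not part of the original guide; the field names and the hour units are assumptions.

```python
"""Consistency checks over a Business Impact Analysis (BIA).

Constructed example data (not a real organization). All times are in hours.
Rules encoded: RTO must not exceed MTD, and the backup or replication plan
must be able to meet the RPO (an RPO of zero needs synchronous replication).
"""
from dataclasses import dataclass


@dataclass
class BiaEntry:
    process: str
    mtd_hours: float   # Maximum Tolerable Downtime
    rto_hours: float   # Recovery Time Objective
    rpo_hours: float   # Recovery Point Objective (maximum data loss, as time)


@dataclass
class BackupPlan:
    process: str
    interval_hours: float   # time between backup or replication cycles
    synchronous: bool       # True only for synchronous replication


def validate_bia(entries, plans):
    """Return (process, finding) tuples; an empty list means the BIA is consistent."""
    plan_by_process = {p.process: p for p in plans}
    findings = []
    for e in entries:
        # A recovery target longer than the business can tolerate is unachievable by definition
        if e.rto_hours > e.mtd_hours:
            findings.append((e.process, f"RTO {e.rto_hours}h exceeds MTD {e.mtd_hours}h"))
        plan = plan_by_process.get(e.process)
        if plan is None:
            findings.append((e.process, "no backup/replication plan defined"))
            continue
        if e.rpo_hours == 0 and not plan.synchronous:
            findings.append((e.process, "RPO of 0 requires synchronous replication"))
        elif not plan.synchronous and plan.interval_hours > e.rpo_hours:
            # Periodic backups can lose up to one full interval of data
            findings.append((e.process, f"backup interval {plan.interval_hours}h exceeds RPO {e.rpo_hours}h"))
    return findings


def prioritise(entries):
    """Order processes for recovery investment: shortest MTD (most critical) first."""
    return [e.process for e in sorted(entries, key=lambda e: e.mtd_hours)]


# Constructed sample BIA and backup plans
ENTRIES = [
    BiaEntry("order-processing", mtd_hours=8, rto_hours=4, rpo_hours=1),
    BiaEntry("payroll", mtd_hours=72, rto_hours=96, rpo_hours=24),   # RTO longer than MTD
    BiaEntry("trading-ledger", mtd_hours=2, rto_hours=1, rpo_hours=0),
]
PLANS = [
    BackupPlan("order-processing", interval_hours=4, synchronous=False),  # 4h interval vs 1h RPO
    BackupPlan("payroll", interval_hours=24, synchronous=False),
    BackupPlan("trading-ledger", interval_hours=0, synchronous=True),
]

if __name__ == "__main__":
    for process, finding in validate_bia(ENTRIES, PLANS):
        print(f"{process}: {finding}")
    print("recovery priority:", prioritise(ENTRIES))
```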
Incident Classification and Escalation
- Severity Levels: Critical (significant impact on business operations, data breach involving regulated data, complete system outage affecting revenue); High (major system degradation, unauthorized access to sensitive systems, potential data exposure); Medium (limited impact, contained security event, single system compromise); Low (minimal impact, policy violation, suspicious activity requiring investigation); severity determines response urgency, escalation path, and resource allocation
- Escalation Procedures: Define clear escalation paths based on incident severity and type; functional escalation routes incidents to specialists with required expertise; hierarchical escalation notifies management when severity thresholds are breached or when business decisions are required (e.g., whether to shut down a system); automatic escalation triggers when response time SLAs are not met; all escalation paths must be documented with current contact information and available 24/7
- Communication Plans: Internal communication: notify affected business units, management chain, legal counsel, and the board for significant incidents; external communication: regulatory notifications (GDPR 72-hour requirement, HIPAA, PCI DSS), law enforcement engagement, customer notification, media communications through designated spokesperson; coordinate all external communication through legal and public relations; premature or inaccurate communication can increase reputational and legal damage
- Evidence and Forensics: Preserve digital evidence following chain of custody procedures; create forensic images of affected systems before remediation; document all actions taken during the response with timestamps; use write blockers for disk imaging; maintain evidence logs detailing who accessed evidence, when, and why; evidence may be needed for legal proceedings, regulatory investigations, insurance claims, or disciplinary actions; forensic integrity is essential for legal admissibility
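A minimal evidence integrity and chain-of-custody record for the forensic-imaging steps described above. This is an added illustration, not the guide's own material; the case and item identifiers, the actor names and the byte string standing in for a disk image are all constructed.

```python
"""Evidence integrity and chain-of-custody log for a forensic image.

Constructed data, not a real case. Every custody event re-hashes the
evidence and compares it with the hash taken at acquisition, so any change
between transfers is detected and the log records who, when and why.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEvent:
    timestamp: str
    actor: str
    action: str      # acquired, transferred, examined, ...
    reason: str
    digest: str      # hash of the evidence as observed at this event


@dataclass
class EvidenceRecord:
    case_id: str
    item_id: str
    acquisition_hash: str
    events: list = field(default_factory=list)

    def log(self, actor, action, reason, evidence: bytes, when=None):
        """Append a custody event; return True if the evidence still matches acquisition."""
        when = when or datetime.now(timezone.utc)
        digest = sha256_hex(evidence)
        self.events.append(CustodyEvent(when.isoformat(), actor, action, reason, digest))
        return digest == self.acquisition_hash

    def verify_chain(self):
        """True only if every logged event observed the original evidence hash."""
        return all(ev.digest == self.acquisition_hash for ev in self.events)


def acquire(case_id, item_id, image: bytes, examiner, when=None):
    """Create the record at imaging time (a write blocker is assumed upstream)."""
    record = EvidenceRecord(case_id, item_id, sha256_hex(image))
    record.log(examiner, "acquired", "forensic image created before remediation", image, when)
    return record


# Constructed stand-in for a disk image, plus a copy with one byte altered
IMAGE = b"NTFS\x00" + b"constructed sample disk image" * 32
TAMPERED = IMAGE[:-1] + b"!"

if __name__ == "__main__":
    rec = acquire("IR-0001", "HDD-01", IMAGE, "a.analyst")   # constructed identifiers
    rec.log("b.examiner", "transferred", "handed to forensic firm", IMAGE)
    print("chain intact:", rec.verify_chain())      # True
    rec.log("c.contractor", "examined", "malware triage", TAMPERED)
    print("chain intact:", rec.verify_chain())      # False: modification detected
```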
Security Program Metrics and Reporting
| Metric Category | Examples and Purpose |
|---|---|
| Operational Metrics | Measure day-to-day security operations effectiveness; examples: number of security incidents by type and severity, mean time to detect (MTTD) and mean time to respond (MTTR), patch compliance rates across systems, percentage of vulnerabilities remediated within SLA, antivirus/EDR coverage across endpoints, firewall rule review completion, number of policy exceptions granted; reported to security operations management for tactical decision-making |
| Strategic Metrics | Measure alignment with business objectives and long-term security posture improvement; examples: security program maturity level progression, percentage of business processes covered by BCP, risk reduction trend over time, security investment as percentage of IT budget, compliance audit findings trend, third-party risk assessment coverage; reported to senior management and the board for strategic decision-making and resource allocation |
| Compliance Metrics | Track adherence to regulatory requirements and internal policies; examples: percentage of systems compliant with configuration baselines, audit findings open versus closed, regulatory examination results, employee policy acknowledgment completion rates, data classification coverage, encryption deployment percentage for sensitive data; critical for demonstrating due diligence to regulators and auditors |
| Awareness Metrics | Measure effectiveness of the security awareness program; examples: phishing simulation click-through rates (trending over time), security training completion rates, number of security incidents caused by human error, number of suspicious activity reports submitted by employees, results of social engineering tests; behavioral change metrics are more meaningful than simple completion statistics |
Exam Tip: Effective metrics must be SMART: Specific, Measurable, Achievable, Relevant, and Time-bound. The CISM exam emphasizes that metrics should be reported in business terms that management understands, not in technical jargon. A metric like "reduced average vulnerability remediation time from 45 days to 15 days" is more meaningful to the board than "patched 500 CVEs this quarter."
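How the operational metrics in the table (MTTD, MTTR, remediation within SLA) are computed from records and then phrased in business terms, as the exam tip recommends. This is an added example with constructed incident and vulnerability records; the SLA days per severity are an assumption, not a standard.

```python
"""Operational security metrics from constructed incident and vulnerability records."""
from datetime import datetime
from statistics import mean

# Constructed incidents: when the intrusion began, was detected, and was resolved
INCIDENTS = [
    {"id": "INC-1", "occurred": "2024-03-01T08:00", "detected": "2024-03-01T14:00", "resolved": "2024-03-02T14:00"},
    {"id": "INC-2", "occurred": "2024-03-05T22:00", "detected": "2024-03-06T02:00", "resolved": "2024-03-06T10:00"},
    {"id": "INC-3", "occurred": "2024-03-10T09:00", "detected": "2024-03-10T11:00", "resolved": "2024-03-10T23:00"},
]

# Constructed vulnerability tickets: closed_after_days is None while the ticket is open
VULNS = [
    {"id": "V-1", "severity": "critical", "closed_after_days": 10, "open_days": None},
    {"id": "V-2", "severity": "critical", "closed_after_days": 20, "open_days": None},
    {"id": "V-3", "severity": "high", "closed_after_days": 25, "open_days": None},
    {"id": "V-4", "severity": "high", "closed_after_days": None, "open_days": 45},
    {"id": "V-5", "severity": "medium", "closed_after_days": None, "open_days": 40},
]

# Assumed remediation SLA in days per severity
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90}
_FMT = "%Y-%m-%dT%H:%M"


def _hours(start, end):
    return (datetime.strptime(end, _FMT) - datetime.strptime(start, _FMT)).total_seconds() / 3600


def mttd_hours(incidents):
    """Mean time to detect: occurrence to detection, in hours."""
    return mean(_hours(i["occurred"], i["detected"]) for i in incidents)


def mttr_hours(incidents):
    """Mean time to respond: detection to resolution, in hours."""
    return mean(_hours(i["detected"], i["resolved"]) for i in incidents)


def sla_compliance(vulns, sla):
    """Fraction of vulnerabilities remediated within SLA.

    Open tickets already past their SLA count as misses; open tickets still
    inside their SLA are excluded because their outcome is not yet known.
    """
    met = evaluated = 0
    for v in vulns:
        limit = sla[v["severity"]]
        if v["closed_after_days"] is not None:
            evaluated += 1
            met += v["closed_after_days"] <= limit
        elif v["open_days"] > limit:
            evaluated += 1
    return met / evaluated if evaluated else 1.0


def board_summary(incidents, vulns, sla):
    """State the metrics in business language rather than raw counts."""
    return (f"Average time to detect an intrusion: {mttd_hours(incidents):.1f} hours; "
            f"average time to resolve: {mttr_hours(incidents):.1f} hours; "
            f"{sla_compliance(vulns, sla):.0%} of vulnerabilities fixed within the agreed SLA.")


if __name__ == "__main__":
    print(board_summary(INCIDENTS, VULNS, SLA_DAYS))
```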
Security Auditing and Assurance
| Audit Type | Description |
|---|---|
| Internal Audits | Conducted by the organization's internal audit function; assess compliance with security policies, standards, and procedures; evaluate the effectiveness of security controls and risk management processes; provide independent assurance to management and the board; internal auditors should be independent from the functions they audit; findings tracked through remediation to closure; conducted on a risk-based audit schedule |
| External Audits | Conducted by independent third-party auditors; required for certifications (ISO 27001), regulatory compliance (SOX, PCI DSS), and customer assurance; types include certification audits, regulatory examinations, and customer-requested assessments; external audit findings typically carry more weight with regulators and business partners; more expensive but provide higher assurance level due to independence |
| SOC Reports | SOC 1: focuses on controls relevant to financial reporting (ICFR); SOC 2: evaluates controls across five Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy); Type I reports assess control design at a point in time; Type II reports assess both design and operating effectiveness over a period (minimum 6 months); SOC 2 Type II is the most commonly requested assurance report for cloud service providers and SaaS vendors |
| Penetration Testing | Simulated attacks to identify exploitable vulnerabilities; types: black box (no knowledge), gray box (partial knowledge), white box (full knowledge); scope includes external network, internal network, web applications, social engineering, and physical security; rules of engagement must be formally agreed including scope, timing, and escalation procedures; results provide realistic assessment of security posture; conducted at least annually and after significant changes |
Continuous Improvement and Integration
| Approach | Description |
|---|---|
| Plan-Do-Check-Act (PDCA) | Deming cycle applied to information security management; Plan: establish ISMS policy, objectives, processes, and procedures; Do: implement and operate the ISMS processes and controls; Check: monitor and review performance against policy and objectives through audits, metrics, and management reviews; Act: take corrective and preventive actions based on results of the check phase; continuous cycle that drives ongoing improvement of the security program |
| Capability Maturity Model | Level 0 (Non-existent): no defined process; Level 1 (Initial/Ad Hoc): unpredictable, reactive; Level 2 (Managed/Repeatable): basic processes established, reactive with some planning; Level 3 (Defined): standardized processes across the organization, proactive; Level 4 (Quantitatively Managed): measured and controlled using metrics; Level 5 (Optimizing): continuous improvement driven by quantitative feedback; target maturity level depends on organizational risk profile and industry requirements |
| Security Integration into SDLC | Embed security throughout the software development lifecycle; requirements phase: security requirements and threat modeling; design phase: security architecture review; development phase: secure coding standards and static analysis (SAST); testing phase: dynamic application security testing (DAST), penetration testing; deployment phase: security configuration review; operations phase: runtime monitoring and vulnerability management; DevSecOps automates security testing in CI/CD pipelines |
| Change Management | All changes to information systems must follow a formal change management process; change request documentation, security impact assessment, testing in non-production environment, approval by change advisory board (CAB), implementation with rollback plan, post-implementation review; emergency changes still require documentation and retrospective review; poor change management is a leading cause of security incidents and outages |
CISM Quick Reference: Key Concepts by Domain
| Domain | Critical Concepts to Remember |
|---|---|
| Governance (17%) | Board accountability for security; security strategy aligned with business objectives; policy hierarchy (policy > standard > guideline > procedure); security steering committee for cross-functional alignment; governance frameworks: COBIT, ISO 27001; metrics: KPIs, KRIs, KGIs; reporting in business language |
| Risk Management (20%) | Risk = Threat x Vulnerability x Impact; risk appetite set by the board; risk treatment: mitigate, transfer, accept, avoid; quantitative: SLE = AV x EF, ALE = SLE x ARO; risk register as central repository; information owner classifies data; residual risk must be formally accepted; continuous risk monitoring through KRIs |
| Security Program (33%) | Largest domain; defense-in-depth architecture; control types: preventive, detective, corrective, compensating; administrative, technical, physical categories; awareness as most cost-effective control; compliance: GDPR, PCI DSS, SOX, HIPAA; vendor risk management: due diligence, contracts, monitoring; security in SDLC |
| Incident Management (30%) | IR phases: Prepare, Detect, Contain, Eradicate, Recover, Lessons Learned; containment before eradication; BIA determines RTO, RPO, MTD; BCP broader than DRP; hot/warm/cold sites; test types: checklist, tabletop, simulation, full interruption; post-incident review is mandatory; evidence preservation and chain of custody; notification requirements by regulation |
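
The quantitative risk formulas from the Risk Management row (SLE = AV x EF, ALE = SLE x ARO) carried through to the standard safeguard cost-benefit comparison (annual value of a control = ALE before the control minus ALE after it minus the control's annual cost), which goes one step beyond what the table lists. Added example with constructed figures; the risk, control names and numbers are assumptions, not ISACA material.

```python
"""Quantitative risk: SLE, ALE and safeguard cost-benefit with constructed figures."""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF, fraction of AV lost per occurrence (0 to 1)
    aro: float              # annualized rate of occurrence (events per year)

    def sle(self):
        """Single Loss Expectancy: AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self):
        """Annualized Loss Expectancy: SLE x ARO."""
        return self.sle() * self.aro


@dataclass
class Control:
    name: str
    annual_cost: float
    ef_after: float    # exposure factor once the control is in place
    aro_after: float   # ARO once the control is in place

    def residual(self, risk):
        """The same risk with the control's reduced EF and ARO (residual risk)."""
        return Risk(risk.name, risk.asset_value, self.ef_after, self.aro_after)

    def annual_value(self, risk):
        """ALE before - ALE after - annual cost; negative means not cost-justified."""
        return risk.ale() - self.residual(risk).ale() - self.annual_cost


def rank_controls(risk, controls):
    """Controls ordered by annual value, best first."""
    return sorted(controls, key=lambda c: c.annual_value(risk), reverse=True)


def within_appetite(risk, control, appetite_ale):
    """Residual ALE must sit inside the appetite set by the board before it is formally accepted."""
    return control.residual(risk).ale() <= appetite_ale


# Constructed figures: a 2M asset, 40% loss per event, one event every two years
RANSOMWARE = Risk("ransomware on file servers", asset_value=2_000_000, exposure_factor=0.4, aro=0.5)
CONTROLS = [
    Control("immutable backups", annual_cost=60_000, ef_after=0.1, aro_after=0.5),
    Control("EDR rollout", annual_cost=150_000, ef_after=0.4, aro_after=0.1),
    Control("awareness training", annual_cost=40_000, ef_after=0.4, aro_after=0.4),
    Control("full network rebuild", annual_cost=500_000, ef_after=0.2, aro_after=0.3),
]

if __name__ == "__main__":
    print(f"SLE {RANSOMWARE.sle():,.0f}  ALE {RANSOMWARE.ale():,.0f}")
    for c in rank_controls(RANSOMWARE, CONTROLS):
        print(f"{c.name:22s} annual value {c.annual_value(RANSOMWARE):>10,.0f}")
```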
Exam Tip: The CISM exam is about management, not technology. When choosing between a technically superior answer and a management-focused answer, choose the management approach. The correct answer is usually the one that best serves the organization's business objectives, involves appropriate stakeholders, follows a structured process, and enables informed decision-making by management. Think like a security manager advising the board, not like a security engineer configuring a firewall.