Skip to content
Home » Blog » Certified Information Security Manager Certification (CISM): Introduction to the four domains

Certified Information Security Manager Certification (CISM): Introduction to the four domains

  • by

CISM certification is broad, demanding exposure to a variety of intellectual, technical, and professional life areas; nevertheless, the heart of the test is to comprehend the four key domains that comprise the CISM certification.

This post may provide you a bird’s-eye view of domains and the expertise they represent.

Which domains are part of CISM?

The scope of the CISM test is pretty broad. Applicants for the CISM test have to show proficiency in four job practice areas. 

These are set up with 150 multiple-choice questions that must be answered in four hours.

Candidates must get a normalized score of 450 or above to pass the test.

Below are the four job practice areas for CISM along with the percentage of the weightage they cover in the exam :

  • Information Security Governance (24%)
  • Information Risk Management (30%)
  • Information Security Program Development and Management (27%)
  • Information Security Incident Management (19%)

Domain percentage on an exam is critical in assisting students in estimating the effort and time they will devote to each element of their studies.

How frequently do the domains scope get revised?

The CISM topics are updated on a regular basis to keep them current in evolving cybersecurity field; nevertheless, large modifications that would have a significant influence on the test are rare.

To identify the best questions, exam outcomes, and statistically analyze the findings for ongoing development, independent committees have been formed.

Domains Introduction

In the test, students will experience a variety of tasks and knowledge statements.

The actions that a CISM professional is expected to conduct within a company are described in the task statements.

Knowledge assertions are the benchmarks by which risks are quantified, evaluated, and mitigated.

All domains have a set of task and knowledge statements, which we’ll go over in detail later.

It’s worth mentioning that you can get a comprehensive list of tasks and knowledge statements on ISACA website.

Domain 1 : Information security governance

The subjects covered in this area account for 24% of the Certified Information Security Manager (CISM) exam.

This domain is defined by ISACA as follows: “Establish and/or maintain an information security governance framework and supporting processes to ensure that the information security strategy is aligned with organizational goals and objectives.”

Security governance should serve as the springboard from which all security-related strategic decisions and actions emanate.

In general, CISM aspirants will need to understand the link between efficient information security governance and management duties.

Applicants should study at the information security business model and grasp the interrelationships between organizational planning and process, personnel and technology.

Security Metrics, which describes how a measurable and recurring evaluation of security performance can be successfully evaluated, is one of the topics deemed significant for applicants.

 Applicants will need to comprehend metrics. Learning how to create metrics and present them for top management is frequently required.

Information security governance as of 2021 has nine task statements and 20 knowledge statements. The task statements as stated in the  ISACA website are:

  • Establish and/or maintain an information security strategy in alignment with organizational goals and objectives to guide the establishment and/or ongoing management of the information security program.
  • Establish and/or maintain an information security governance framework to guide activities that support the information security strategy.
  • Integrate information security governance into corporate governance to ensure that organizational goals and objectives are supported by the information security program.
  • Establish and maintain information security policies to guide the development of standards, procedures and guidelines in alignment with enterprise goals and objectives.
  • Develop business cases to support investments in information security.
  • Identify internal and external influences to the organization (e.g., emerging technologies, social media, business environment, risk tolerance, regulatory requirements, third-party considerations, threat landscape) to ensure that these factors are continually addressed by the information security strategy.
  • Gain ongoing commitment from senior leadership and other stakeholders to support the successful implementation of the information security strategy.
  • Define, communicate, and monitor information security responsibilities throughout the organization (e.g., data owners, data custodians, end users, privileged or high-risk users) and lines of authority.
  • Establish, monitor, evaluate and report key information security metrics to provide management with accurate and meaningful information regarding the effectiveness of the information security strategy.

Want to know the best books for CISM preparation? Click here are our recommendations.

Domain 2: Information risk management

The process of balancing economic opportunity with possible information security-related damages is known as information risk management.

Applicants must be familiar with the company’s strategic plan and how it relates to the technology.

Individuals should be asked to grasp the company’s risk priorities to accomplish this.

As a result, distinct roles and duties must be established and incorporated in various job descriptions throughout the company.

Threats, vulnerabilities, hazards, recovery time objective (RTO), recovery point objective (RPO), and acceptable interruption window are all significant topics.

The objective and constraints of the project must be established first, then the risk assessment is done.

After that, a risk mitigation strategy is created to bring the risk down to a manageable level.

The level of risk is then accepted and reported, while the security measures are monitored to see if they are effective.

Risk assessment is primarily a step-by-step process that starts with asset evaluation and progresses through vulnerability and threat assessment.

Companies have the choice of avoiding, reducing, transferring or accepting risk when the risk assessment is completed.

The amount of money spent on protecting assets is determined by the value put on such resources.

Information risk management as of 2021 has nine task statements and 19 knowledge statements. The task statements as stated on the  ISACA website are:

  • Establish and/or maintain a process for information asset classification to ensure that measures taken to protect assets are proportional to their business value.
  • Identify legal, regulatory, organizational and other applicable requirements to manage the risk of noncompliance to acceptable levels.
  • Ensure that risk assessments, vulnerability assessments and threat analyses are conducted consistently, at appropriate times, and to identify and assess risk to the organization’s information.
  • Identify, recommend or implement appropriate risk treatment/response options to manage risk to acceptable levels based on organizational risk appetite.
  • Determine whether information security controls are appropriate and effectively manage risk to an acceptable level.
  • Facilitate the integration of information risk management into business and IT processes (e.g., systems development, procurement, project management) to enable a consistent and comprehensive information risk management program across the organization.
  • Monitor for internal and external factors (e.g., key risk indicators [KRIs], threat landscape, and geopolitical, regulatory change) that may require reassessment of risk to ensure that changes to existing, or new, risk scenarios are identified and managed appropriately.
  • Report noncompliance and other changes in information risk to facilitate the risk management decision-making process.
  • Ensure that information security risk is reported to senior management to support an understanding of potential impact on the organizational goals and objectives.

Domain 3: Information Security Program Development and Management

In an organization, security program development encompasses a wide range of tasks.

The majority of these actions have a direct influence on people, processes, or information technology.

Regulatory and legal requirements, values, and people are the most significant constraints for an information security program.

Security programs are frequently focused on connecting a variety of unrelated operations inside an organization that are all, in some way, related to the safeguarding of important information assets.

The following are the key phases in creating an information security program in a typical sequence:

  • The creation of a security plan
  • Carrying out a gap analysis
  • The creation of a roadmap
  • The creation of the security program

Applicants should be aware that ISACA keeps referring to the SABSA approach.

Applicants should also keep in mind that ISPDM’s goal is to execute the plan in the most cost-effective way possible while minimizing the impact on business activities.

Students must be able to identify the intended outcome or goal, as well as the goals that must be accomplished, the residual risk, and the ideal condition.

There are ten task statements and sixteen knowledge statements in the ISPDM. The following are the task statements:

  • Establish and/or maintain the information security program in alignment with the information security strategy.
  • Align the information security program with the operational objectives of other business functions (e.g., human resources [HR], accounting, procurement and IT) to ensure that the information security program adds value to and protects the business.
  • Identify, acquire and manage requirements for internal and external resources to execute the information security program.
  • Establish and maintain information security processes and resources (including people and technologies) to execute the information security program in alignment with the organization’s business goals.
  • Establish, communicate and maintain organizational information security standards, guidelines, procedures and other documentation to guide and enforce compliance with information security policies.
  • Establish, promote and maintain a program for information security awareness and training to foster an effective security culture.
  • Integrate information security requirements into organizational processes (e.g., change control, mergers and acquisitions, system development, business continuity, disaster recovery) to maintain the organization’s security strategy.
  • Integrate information security requirements into contracts and activities of third parties (e.g., joint ventures, outsourced providers, business partners, customers) and monitor adherence to established requirements in order to maintain the organization’s security strategy.
  • Establish, monitor and analyze program management and operational metrics to evaluate the effectiveness and efficiency of the information security program.
  • Compile and present reports to key stakeholders on the activities, trends and overall effectiveness of the IS program and the underlying business processes in order to communicate security performance.

Domain 4: Information security incident management

Although security incident management, business continuity planning, and disaster recovery planning are generally thought of as different disciplines, they all have the same purpose in sight: ensuring the greatest possible business continuity during and after a threat event.

Many consider this CISM domain to be the most essential since recovery from an event assures company continuity.

 The relevance of incident management stems from the fact that its purpose is to monitor and react to unanticipated adverse occurrences with the goal of keeping impacts to a minimum.

ISIM, like disaster recovery, is an important element of business continuity planning.

Security incident response, business continuity, and disaster recovery all require advance planning so that the organization will have discussed, documented, and outlined the responses required for various types of incidents in advance of their occurrence. Security incident management, business continuity, and disaster recovery all need prior preparation so that the company may discuss, record, and define the solutions needed for various sorts of incidents before they occur.

Another of the results of ISIM is that, given proper training, preparation, and testing, applicants will be able to identify and control events while also addressing the root cause.

It will enable recuperation within a reasonable time frame.

Applicants should be aware of the benefits and drawbacks of each of the six types of recovery sites, i.e. hot, cold, warm, mobile, mirror, and duplicate information processing facilities.

It’s also a good idea to be familiar with network recovery principles like redundancy, alternate routing, diversified routing, and voice recovery.

There are ten task statements and eighteen knowledge assertions in ISIM. The following are the task statements:

  • Establish and maintain an organizational definition of, and severity hierarchy for, information security incidents to allow accurate classification and categorization of and response to incidents.
  • Establish and maintain an incident response plan to ensure an effective and timely response to information security incidents.
  • Develop and implement processes to ensure the timely identification of information security incidents that could impact the business.
  • Establish and maintain processes to investigate and document information security incidents in order to determine the appropriate response and cause while adhering to legal, regulatory and organizational requirements.
  • Establish and maintain incident notification and escalation processes to ensure that the appropriate stakeholders are involved in incident response management.
  • Organize, train and equip incident response teams to respond to information security incidents in an effective and timely manner.
  • Test, review and revise (as applicable) the incident response plan periodically to ensure an effective response to information security incidents and to improve response capabilities.
  • Establish and maintain communication plans and processes to manage communication with internal and external entities.
  • Conduct post-incident reviews to determine the root cause of information security incidents, develop corrective actions, reassess risk, evaluate response effectiveness and take appropriate remedial actions.
  • Establish and maintain integration among the incident response plan, business continuity plan and disaster recovery plan.

Applicants should be aware that evidence will be required in some situations within this area, particularly when the occurrence is malicious.

In order to go to court, the evidence must be recorded, safeguarded, and a chain of custody maintained as part of the ISIM strategy.


This review establishes a baseline for what applicants should study and know before taking the CISM test.

It has gone through the subjects that will be covered in the test, the percentage weight assigned to each domain, and the key ideas that should be stressed in each.

We believe that this review will prove to be a significant help for applicants who understand the need of planning ahead for the exam.

Next Chapter: Information Security Governance

Further Study : CISM domains

Further Study : CISM Resources

Below are some recommended CISM books on Amazon :

CISM Certified Information Security Manager All-in-One Exam Guide by Peter H. Gregory

This bundle contains all-in-one exam guide and CISM practice exams. When searching for the CISM preparation material, I could find only this book worth giving a try apart from the ISACA review manual.

The study guide is thorough and covers all aspects of the exam.

Electronic exams are included in both the study guide and the practice test book. Some questions are shared between both but they rarely overlap.

The practice tests and questions were as close to the exam version I took as feasible without being dumps, indicating that they were extremely accurate reflections of the test material.

With around 20 days of regular studying for about 1-2 hours per day, I was able to pass the test on my first attempt with ease. Based on the findings, I believe the study guide and practice test set is well worth the money and should likely be the only study material necessary.

CISM Review Manual, 15th Edition by ISACA

It’s a good handbook to read for the CISM exam, however, some of the information is a little raw. It’s kind of required reading for the CISM test, however, it’s a rather dull read. Lots of relevant and useful content. However, this appears to be a review handbook rather than a guidebook.

Related Posts


Leave a Reply