Skip to content
Home » Blog » Certified Information Security Manager (CISM) Exam: Information Security Incident Management [Updated 2021]

Certified Information Security Manager (CISM) Exam: Information Security Incident Management [Updated 2021]

  • by


Security incident response, business continuity, and disaster recovery all need prior planning so that the company may discuss, record, and describe the solutions needed for various sorts of incidents before they occur.

Risk assessments are the cornerstone of all three disciplines’ planning, since they are required to identify important hazards and define priorities during response.

The enhancement of systems and procedures is one of the consequences of security incident response, business continuity, and disaster recovery planning. Specifically, planning activities identify possibilities for improvement that, when adopted, will make information systems more safe and robust.

These enhancements often imply that events are less likely to occur or have a lower impact on the company.

This domain study covers the areas of knowledge that CISM candidates need to know in order to create an effective programme for responding to and managing events that affect an organization’s information systems and infrastructure.

Applicants will be evaluated on their ability to recognise, analyse, manage, and successfully respond to unforeseen occurrences that threaten the organization’s information assets and capacity to function.

We addressed the different domains that the CISM applicant faces when taking the test in our general overview essay on the Introduction to the four domains, but only briefly explored ISIM principles.

We’ll learn more about the domain in this post, as well as what applicants need know to prepare for the test.

Want to know the best books for CISM preparation? Click here are our recommendations.

What are security incidents?

A security incident occurs when the confidentiality, integrity, or availability of information (or an information system) has been compromised or is in jeopardy.

Any occurrence that constitutes a breach of an organization’s security policy might be considered a security incident.

For example, if an organization’s security policy prohibits one person from using another person’s computer account, such usage that leads to the exposure of information would be deemed a security incident. There are a number of different kinds of security incidents:

Abuse of computer accounts

Willful account abuse, for example, sharing user account credentials with other insiders or outsiders, or one individual stealing login credentials from another, are examples of willful account abuse.

Trespassing on a computer or a network

A computer network is accessed by an unauthorized individual. Malware, utilizing stolen credentials, access bypass, or physically obtaining physical access to the computer or network and connecting to it directly are all examples of trespass.

Exposure or theft of information

Through a flaw in the controls or purposeful or careless acts or omissions, information that is protected by one or more controls may nevertheless be accessible to unauthorized individuals.

E-mail communications, client-server communication, file transfers, login passwords, and network diagnostic information, for example, might all be intercepted by an intruder.

Alternatively, a system vulnerability might allow an attacker to get access to information stored or processed on the system.

Malware attacks

A worm or virus epidemic in a company’s network is possible. The epidemic may interrupt regular company operations merely by spreading malware, or it could harm affected systems in other ways, such as deleting or changing data.

Malware may also listen in on conversations and relay captured sensitive data back to its originator.

DoS (distributed denial-of-service)

An attacker can overwhelm a target machine or network by flooding it with traffic, rendering it unable to perform its normal duties.

An attacker might, for example, overwhelm an online banking website with so much traffic that depositors are unable to use it.

Another type of DoS attack involves sending traffic that causes the target to malfunction or stop working.

DDoS (distributed denial of service)

A DDoS assault, like a DoS attack, is launched simultaneously by hundreds to thousands of computers that make up a botnet.

Because of the amount of incoming communications and the high number of attacking systems, a DDoS assault might be difficult to defend.

Encryption or deletion of sensitive data

Information can be encrypted or deleted as a result of a ransomware or wiper attack.

Information that should not be made public

Any sensitive information that is provided to an unauthorised person falls under this category.

Theft of a computer system

Laptop computers, mobile devices, and other information-processing and storage equipment can all be taken, which can lead to further breaches either directly or indirectly.

If the stolen item includes sensitive information that may be retrieved or the means to access sensitive information that is kept elsewhere, what began as a theft of a tangible object may turn into a breach of sensitive information.

Damage to the information system

A human intruder or automated malware can harm information or an information system in a temporary or irreparable way.

This might cause information availability to be disrupted or information to be permanently lost.

Information tampering

Information saved on a system can be harmed by a human intruder or automated malware such as a worm or virus. It’s possible that this harm will go unnoticed.


A single business, many organisations in a market sector, or an entire nation might be disrupted or damaged by a human intruder or automated malware assault.

The following examples should help you understand the nature of a security event. Not all of them are cataclysmic.

In certain companies, other sorts of occurrences may be classified as security incidents.

CISM Exam Objectives : ISIM

The basic goal of incident management and response is to detect and respond to unanticipated disruptive occurrences with the goal of keeping the consequences to a minimum.

As a result, incident management and response may be characterised as follows:

  • Quickly detect incidents
  • Accurately diagnose situations
  • Take appropriate care of events.
  • Limit the amount of damage and keep it to a minimum.
  • Find the source of the problem.
  • To avoid a recurrence, make improvements.
  • Document and submit a report
  • Restore the services that have been impacted.

Applicants must understand when an event becomes a crisis and when a failure to effectively handle an issue necessitates a disaster declaration.

For a successful incident management capability, it’s also critical to get top management and stakeholder buy-in.

Applicants must understand how various organisations handle BCP and disaster recovery, as these approaches might differ, but they usually collaborate.

Each event’s overseer must be clearly defined, and the criteria used must be consistent, simply explained, and simple to comprehend so that severity levels of similar scale may be assessed equally.

Information Security Incident Response

From discovery to closure and post-event assessment, there are numerous steps to a security incident response. This section goes through each of these phases in depth.

A model is used to describe the steps of a security incident response. As a result, security managers recognise that not all types of events follow the model’s stages. A stolen laptop computer, for example, may have almost no eradication activity.

There may also be extra phases in some instances. For example, a security event involving the theft of a substantial amount of data would likely result in a succession of post-incident procedures that take more time and money than the initial incident response.

A successful incident response necessitates extensive planning. The creation, testing, and training of security incident response plans are covered in the preceding parts of this chapter.

Importance of Incident Management

Unexpected incidents that threaten to disrupt the business may be dealt with efficiently by an organisation with good incident management.

It will be equipped with sufficient and appropriate detection and monitoring capabilities to guarantee that issues are discovered quickly.

There will be well-defined severity and declaration criteria, as well as established escalation and notification protocols, in such an organisation.

Employees will be taught how to recognise events, apply severity criteria, and follow correct reporting and escalation processes.

The business will offer monitoring and metrics to assess incident management and response skills, and it will test its capabilities on a regular basis to ensure that information and plans are current and available when needed.

For such organizations:

  • The security of information assets is adequate, and the risk level is within acceptable bounds.
  • Effective incident response strategies are in place, and all key stakeholders, including management, IT departments, end users, and issue handlers, are aware of them.
  • Incidents are detected and contained, and the fundamental cause is treated to allow for recovery within a reasonable timeframe (AIW).
  • As stated in the communication plan, communication flows to various stakeholders and external parties are well controlled.
  • To raise security awareness and serve as a foundation for development, lessons gained are documented and shared with stakeholders.
  • Customers, suppliers, and business partners are among the internal and external stakeholders who get assurance. The company develops trust that it has enough control and is prepared to guarantee long-term commercial viability by giving assurance.

Business Continuity Planning

Business continuity planning is done to decrease the chance of catastrophes and other disruptive events occurring.

BCP operations identify hazards and mitigate them by modifications or upgrades in technology or business processes, reducing the effect of disasters and reducing recovery time.

The fundamental goal of BCP is to increase the organization’s chances of surviving a disaster without sustaining expensive or perhaps catastrophic harm to its most important operations.

The activities of BCP development can be scaled up or down according on the size of the business. BCP has the terrible reputation of only existing in the stratosphere, in the thin air of the world’s most powerful and wealthy corporations.

This misconception impacts the majority of organisations that are afraid to start any type of BCP initiative because they feel it will be too expensive and disruptive.

The truth is that any size company, from a one-person home office to a global conglomerate, can effectively implement BCP initiatives that provide immediate advantages while also reducing the impact of disruptive events.

Even if a crisis never occurs, BCP programmes may help organisations. The phases in the BCP development process generally result in immediate benefits in the form of process and technology enhancements that improve the processes and systems’ resilience, integrity, and efficiency.


Disasters in the business world are unanticipated and unplanned incidents that cause corporate operations to be disrupted.

A disaster might be a large-scale occurrence that affects a large area or a localised incident that occurs in a single room.

A disaster’s impact will also differ, ranging from a total shutdown of all corporate activities to just a delay.

How to Plan for Business Continuity

Knowing what types of catastrophes are expected and their potential consequences on the business are the best method to plan for disaster preparedness. To put it another way, plan first and then act.

A life-cycle method is used to plan for company continuity. To put it another way, business continuity (and disaster recovery) planning is not a one-time event or activity.

It’s a collection of activities that result in ongoing catastrophe preparedness that adapts and improves as company conditions change.

The following are the elements of the BCP process life cycle:

  • Assign ownership of the program.
  • Develop BCP policy.
  • Conduct business impact analysis.
  • Perform criticality analysis.
  • Establish recovery targets.
  • Define KRIs and KPIs.
  • Develop recovery and continuity strategies and plans.
  • Test recovery and continuity plans and procedures.
  • Test integration of BCP and DR plans.
  • Train personnel.
  • Maintain strategies, plans, and procedures through periodic reviews and updates.


A security incident is an event where the confidentiality, integrity, or availability of information or systems has been or is in danger of being compromised.

Without incident detection capabilities, organizations may not know about an intrusion for many months, if ever.

Many organizations choose to outsource security event monitoring to third-party managed security services providers.

Business impact analysis (BIA) helps an organization focus its disaster planning on critical business functions. Disaster recovery planning is concerned with system resilience matters.

The development of recovery targets helps an organization understand how quickly various business processes should be recovered after a natural or man-made disaster.

Further Study : CISM domains

Further Study : CISM Resources

Below are some recommended CISM books on Amazon :

CISM Certified Information Security Manager All-in-One Exam Guide by Peter H. Gregory

This bundle contains all-in-one exam guide and CISM practice exams. When searching for the CISM preparation material, I could find only this book worth giving a try apart from the ISACA review manual.

The study guide is thorough and covers all aspects of the exam.

Electronic exams are included in both the study guide and the practice test book. Some questions are shared between both but they rarely overlap.

The practice tests and questions were as close to the exam version I took as feasible without being dumps, indicating that they were extremely accurate reflections of the test material.

With around 20 days of regular studying for about 1-2 hours per day, I was able to pass the test on my first attempt with ease. Based on the findings, I believe the study guide and practice test set is well worth the money and should likely be the only study material necessary.

CISM Review Manual, 15th Edition by ISACA

It’s a good handbook to read for the CISM exam, however, some of the information is a little raw. It’s kind of required reading for the CISM test, however, it’s a rather dull read. Lots of relevant and useful content. However, this appears to be a review handbook rather than a guidebook.

Related Posts


Leave a Reply