
Information Security Governance Domain: CISM Exam [Updated 2021]



This domain examines the knowledge and related skills that applicants must master in order to build an information security governance structure that is consistent with corporate goals.

Governance, when properly implemented, is the process by which senior management exercises effective control over corporate activities through policies, goals, delegated authority and supervision.

Management is responsible for overseeing all other business operations to ensure that they continue to serve the overall corporate strategy and goals.

In our earlier blog post, we gave an overview of the many areas a CISM applicant will encounter on the test, with a short discussion of information security governance.

Here we look at the topic in more depth and discuss what applicants need to know in order to pass the test.

The CISM Exam Objectives (ISG)

One of the goals of information security governance is to ensure that the organization's security architecture is fit for purpose and achieves its objectives.

Applicants are assessed on the basic criteria for effective information security governance, as well as on what it takes to build a plan of action to put it into practice.

Applicants will be expected to comprehend the security program’s contents, which will typically include:

  • A thorough security strategy that is inextricably connected to the company's goals.
  • Security policies that govern every element of the strategy and the security controls. At the very least, security policy should mirror the broader organization's mission, objectives and goals.
  • Priorities in the security program that flow directly from the organization's mission, objectives and goals.
  • Standards, which promote solutions that fulfil the organization's needs in a cost-effective and secure way. They also help to drive a uniform approach to solving business issues.
  • Processes, which are structured descriptions of frequently performed corporate operations, containing instructions for the relevant employees.
  • Metrics, the formal measurement of systems and practices so that management can understand and track them.

Want to know the best books for CISM preparation? Click here for our recommendations.

Information Security Governance’s Relevance

Information systems are becoming increasingly important to organisations in almost every industry sector and at every level of government.

Information security governance is becoming increasingly important as our dependence on information rises.

Dependence has advanced to the point that businesses' activities are totally reliant on the integrity and availability of their information systems, even where their goods or services are unrelated to information.

Companies are beginning to recognise the importance of information and the insights acquired from it, without which doing business would be difficult.

As an information security expert, you must understand the business's priorities in terms of confidentiality, integrity and availability.

When constructing a security governance structure, all three CIA properties should be taken into account, but the type of information the company uses will determine the relative weight given to confidentiality, integrity or availability.

As a result, information security governance is required to ensure that security-related incidents do not jeopardize essential systems and their capacity to sustain the organization's long-term existence.

Applicants will be expected to demonstrate a grasp of how policy adherence can be ensured, and of effective techniques for managing information security resources.

Without proper precautions, Internet-accessible information technology assets can be compromised within minutes of being brought online, as information security specialists have observed.

The technologies, methods, and controls required to safeguard these assets are as intricate as the information systems they are meant to safeguard.

Management will not have visibility of the security controls and processes protecting IT assets unless these are managed effectively from the top down.

Applicants will therefore be expected to understand how information security governance can bring substantial value to the business, by lowering losses from security-related incidents and ensuring that those that do occur are not catastrophic.

Results and practices in Information Security Governance

Information security governance is a collection of organised components that must be in place to give senior management assurance that the organization's key objectives are reflected in its security landscape.

The key responsibilities of information security governance are the formulation, execution and administration of a security programme that delivers the following outcomes, on which applicants will be assessed.

Strategic alignment: aligning information security (security requirements, security solutions and information security investment) with the business strategy in order to meet the organization's goals.

Risk management: applicants are assessed on identifying the organization's risks and on how they can be managed so that adverse business consequences are reduced to an acceptable level.

Value delivery: the test focuses on security investments that benefit the business.

Applicants are tested on methods that ensure security investments are continually optimised while fulfilling a variety of goals.

For example, baselining all security requirements against best practice and according to their risk and impact.

Resource optimization: applicants must understand that it is critical that captured knowledge be made available across the company, that security procedures be correctly documented, and that long-term security architectures that define and make efficient use of resources be developed.

Performance measurement: monitoring and reporting on information security processes.

Applicants will be evaluated on a variety of reporting criteria, and on how effective reporting on information security processes is carried out to fulfil the required objectives.

Integration: the end-to-end integration of all essential assurance functions.

Information security governance ensures that all of the necessary assurance functions are in place so that processes run smoothly from start to finish.

Applicants are assessed on how to integrate and coordinate the different assurance functions to achieve comprehensive security, on the formal connections between assurance functions, and on the roles and responsibilities of each.

A good security governance programme also has two important outcomes:

  • Enhanced trustworthiness: when consumers, suppliers and partners perceive that security is well managed, they have more faith in the company.
  • Better public image: the organisation is held in higher esteem by the business community, including consumers, investors and regulators.

Roles and Responsibilities of Senior Management for CISM

When everyone in the organisation understands what is expected of them, information security governance is most successful.

Better-run businesses define explicit roles and duties so that employees understand their position in all matters relating to system, information and even personal security.

Information security governance requires commitment, resources and the assigning of responsibilities that are necessary for information security management.

Applicants will be asked to determine who has primary responsibility for implementing information security governance, who is best placed to evaluate and validate the suitability of a user access list, and what the most significant data retention considerations are.

Board of Directors

A company's board of directors is a group of persons who oversee the company's operations.

Board members may be appointed by shareholders or constituents, depending on the type of organization.

The position can be either paid or unpaid.

A constitution, bylaws or external regulation typically define the activities of the board of directors, as well as the directors' powers.

In most cases, the board of directors is responsible to the organization’s shareholders or, in the case of a government agency, to the electorate.

Executive Management

The board of directors appoints executive management to carry out its directives.

Usually, an organization's executive management is appointed and entrusted with ensuring that the necessary organizational functions and resources are made available and used appropriately to meet the board's objectives.

One of executive management's responsibilities is to ensure that the company has the resources to undertake a security program and to create and maintain security measures that safeguard key assets.

Applicants also need a basic grasp of centralized information security management, one of whose characteristic benefits is more consistent policy compliance.

Security Steering Committee

In many companies, a security steering committee is made up of members from most of the organization's business divisions, units, functions and primary locations.

The committee discusses and takes decisions on a range of security topics.

Chief Information Security Officer

The CISO is the highest-ranking security official in a corporation.

The CISO creates security strategies that are consistent with current and future business goals.

The CISO is also in charge of the company's information risk management program, as well as the formulation and enforcement of security policies.

Chief Privacy Officer

Some businesses, usually those that handle substantial quantities of sensitive consumer data, appoint a chief privacy officer (CPO).

Some businesses have a CPO because legislation such as HIPAA, the Fair Credit Reporting Act (FCRA) and the Gramm-Leach-Bliley Act (GLBA) imposes privacy obligations that need a clearly accountable owner; HIPAA, for instance, requires covered entities to designate a privacy official.

Metrics for Information Security Governance

Metrics are a way for management to track important processes and determine whether their initiatives are succeeding.

However, there is a difference between practical IT security metrics and those that show the condition of the overall security programme.

Security metrics are frequently used to monitor and assess technical IT security controls and procedures in order to determine whether they are functioning properly.

This helps management understand the consequences of earlier decisions and supports the decision-making process.

Examples include firewall metrics, which report the frequency and kind of rules triggered, and IDS metrics, which describe the types and numbers of incidents detected or prevented and the systems that are targeted.

Some key categories of metric are:

  • Key risk indicators (KRIs): measurements related to risk evaluation.
  • Key goal indicators (KGIs): metrics that represent the achievement of strategic goals.
  • Key performance indicators (KPIs): measurements that indicate whether security-related activity is efficient or effective.

Metrics have to be quantifiable to be useful.

The SMART approach (Specific, Measurable, Achievable, Relevant, Time-bound) is a typical means of ensuring the quality and usefulness of a metric.
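As an added illustration of the firewall and IDS metrics mentioned above and of a SMART-style KPI, the following Python script is not part of the original post. It parses constructed, hypothetical log lines (the `key=value` format and the rule, signature and address values are all invented for the example), counts rule hits and targeted systems, and computes one time-bound KPI: the percentage of high-severity IDS alerts acknowledged within an hour.

```python
"""Security metrics from log lines (added example; constructed data, not real logs).

Demonstrates the two kinds of metric the text describes, computed from raw events:
  - firewall: frequency and kind of rules triggered, plus deny counts per source
  - IDS: alert types, targeted systems, and a SMART KPI (specific: high severity;
    measurable: a percentage; time-bound: acknowledged within one hour)
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed firewall lines in a hypothetical syslog-like key=value format.
FIREWALL_LOG = """\
2021-06-01T08:00:01Z fw1 rule=ALLOW_WEB action=allow src=203.0.113.5 dst=10.0.0.10 dport=443
2021-06-01T08:00:07Z fw1 rule=DENY_ALL action=deny src=198.51.100.7 dst=10.0.0.10 dport=22
2021-06-01T08:01:12Z fw1 rule=DENY_ALL action=deny src=198.51.100.7 dst=10.0.0.11 dport=3389
2021-06-01T08:02:30Z fw1 rule=ALLOW_WEB action=allow src=203.0.113.9 dst=10.0.0.10 dport=443
2021-06-01T08:03:44Z fw1 rule=DENY_SMB action=deny src=198.51.100.7 dst=10.0.0.12 dport=445
"""

# Constructed IDS alerts (hypothetical format). "ack=" empty means nobody has acknowledged it yet.
IDS_LOG = """\
2021-06-01T08:05:00Z ids1 sev=high sig=SSH_BRUTE_FORCE dst=10.0.0.10 ack=2021-06-01T08:20:00Z
2021-06-01T08:06:00Z ids1 sev=low sig=PORT_SCAN dst=10.0.0.11 ack=2021-06-01T10:06:00Z
2021-06-01T08:10:00Z ids1 sev=high sig=SMB_EXPLOIT_ATTEMPT dst=10.0.0.12 ack=2021-06-01T09:30:00Z
2021-06-01T08:15:00Z ids1 sev=high sig=SSH_BRUTE_FORCE dst=10.0.0.10 ack=
"""

KV_RE = re.compile(r"(\w+)=(\S*)")  # \S* so an empty value such as "ack=" still parses


def parse_ts(text):
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def parse(log):
    """Turn each non-empty line into a dict: ts, host, and every key=value field."""
    records = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, host, rest = line.split(" ", 2)
        rec = {"ts": parse_ts(ts), "host": host}
        rec.update(dict(KV_RE.findall(rest)))
        records.append(rec)
    return records


def firewall_metrics(records):
    """Frequency and kind of rules triggered, and which sources are being denied most."""
    by_rule = Counter((r["rule"], r["action"]) for r in records)
    denies_by_src = Counter(r["src"] for r in records if r["action"] == "deny")
    return {"by_rule": dict(by_rule), "denies_by_src": dict(denies_by_src)}


def ids_metrics(records):
    """Types and numbers of alerts, and the systems they target."""
    return {
        "by_signature": dict(Counter(r["sig"] for r in records)),
        "by_target": dict(Counter(r["dst"] for r in records)),
    }


def kpi_high_sev_ack_within(records, limit=timedelta(hours=1)):
    """KPI: percentage of high-severity alerts acknowledged within `limit`.

    Unacknowledged alerts count as missed, so the KPI cannot be gamed by
    leaving alerts open. Returns None when there were no high-severity alerts,
    rather than a misleading 0 or 100.
    """
    high = [r for r in records if r["sev"] == "high"]
    if not high:
        return None
    met = 0
    for r in high:
        if r["ack"] and parse_ts(r["ack"]) - r["ts"] <= limit:
            met += 1
    return round(100.0 * met / len(high), 1)


if __name__ == "__main__":
    fw = firewall_metrics(parse(FIREWALL_LOG))
    ids = ids_metrics(parse(IDS_LOG))
    print("firewall rules triggered:", fw["by_rule"])
    print("denies per source:", fw["denies_by_src"])
    print("IDS alerts by signature:", ids["by_signature"])
    print("IDS alerts by target:", ids["by_target"])
    print("high-severity alerts acked within 1h (%):", kpi_high_sev_ack_within(parse(IDS_LOG)))
```

The rule-hit and target counts are the operational metrics a firewall or IDS team reads daily; the KPI is the kind of figure that survives translation into a governance report, because it has a stated scope, a unit and a deadline, and because the way missing acknowledgements are scored is fixed in advance.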

Business Model for Information Security (BMIS)

The Business Model for Information Security, published by ISACA in 2009, provides a roadmap to risk-based security governance for the enterprise.

BMIS helps security leadership ensure that the company's security programme continues to address evolving risks, regulatory developments and changing business demands.

BMIS is usually drawn as a pyramid with four elements: the organisation (its design and strategy) at the apex, and people, process and technology at the base.

These four elements are joined by six dynamic interconnections: culture, governing, architecture, emergence, enabling and support, and human factors.

COBIT Framework

First released by ISACA in 1996 and later maintained together with the IT Governance Institute, Control Objectives for Information and Related Technologies (COBIT) is an IT governance and management framework.

The four domains of COBIT 4.1 were Plan and Organise, Acquire and Implement, Deliver and Support, and Monitor and Evaluate; COBIT 5 and COBIT 2019 reorganise the framework into five domains (Evaluate, Direct and Monitor; Align, Plan and Organise; Build, Acquire and Implement; Deliver, Service and Support; Monitor, Evaluate and Assess).

COBIT is not simply a security control framework but an IT process framework that includes inter-related security activities.

You can learn more about COBIT on ISACA website.

ISO/IEC 27001 Standard

ISO/IEC 27001 is the international standard for information security management systems.

The standard provides a set of requirements that describe an ISMS, together with a complete control structure.

ISO/IEC 27001 has two components: requirements and controls.

The requirements section describes the activities that must be present in an effective information security management system (ISMS).

The controls section provides a baseline set of controls for an organisation.

The standard is revised periodically. The 2013 edition (ISO/IEC 27001:2013) was the current one when this article was written; it has since been superseded by ISO/IEC 27001:2022.

The requirements part of ISO/IEC 27001 consists of these seven clauses (clauses 4 to 10):

  • Context of the organization
  • Leadership
  • Planning
  • Support
  • Operation
  • Performance evaluation
  • Improvement

Annex A of the 2013 edition groups its 114 controls into these 14 control domains:

  • Information security policies
  • Organization of information security
  • Human resource security
  • Asset management
  • Access control
  • Cryptography
  • Physical and environmental security
  • Operations security
  • Communications security
  • System acquisition, development, and maintenance
  • Supplier relationships
  • Information security incident management
  • Information security aspects of business continuity management
  • Compliance

The ISO/IEC 27001 standard itself is available from the ISO website.


Applicants must grasp the prerequisites for successful information security governance, the components and activities required to establish an information security strategy, and a plan of action to implement it.

Further Study : CISM domains

Further Study : CISM Resources

Below are some recommended CISM books on Amazon :

CISM Certified Information Security Manager All-in-One Exam Guide by Peter H. Gregory

This bundle contains the all-in-one exam guide and the CISM practice exams. When searching for CISM preparation material, I could find only this book worth trying apart from the ISACA review manual.

The study guide is thorough and covers all aspects of the exam.

Electronic exams are included with both the study guide and the practice test book. Some questions are shared between them, but they rarely overlap.

The practice tests and questions were as close to the exam version I took as feasible without being dumps, indicating that they were extremely accurate reflections of the test material.

With around 20 days of regular studying for about 1-2 hours per day, I was able to pass the test on my first attempt with ease. Based on the findings, I believe the study guide and practice test set is well worth the money and should likely be the only study material necessary.

CISM Review Manual, 15th Edition by ISACA

It’s a good handbook to read for the CISM exam, however, some of the information is a little raw. It’s kind of required reading for the CISM test, however, it’s a rather dull read. Lots of relevant and useful content. However, this appears to be a review handbook rather than a guidebook.
