Domain Weights at a Glance
The CISM exam is 150 questions, 4 hours, scored on a scale of 200-800. The passing score is 450. Questions are distributed across four domains based on the 2022 Job Practice (updated for 2026 exam windows):
| Domain | Weight | Approx. Questions | Primary Focus |
|---|---|---|---|
| 1. Information Security Governance | 17% | ~26 | Strategy, alignment, governance structures |
| 2. Information Security Risk Management | 20% | ~30 | Risk assessment, treatment, BIA |
| 3. Information Security Program Development and Management | 33% | ~49 | Program design, controls, metrics, vendors |
| 4. Incident Management | 30% | ~45 | IR lifecycle, BCP/DR, communication |
Domains 3 and 4 together account for 63% of the exam. If your study time is running short, weight them accordingly. See the full scoring explanation in our CISM Passing Score guide.
Domain 1: Information Security Governance (17%)
Governance questions test whether you think like an executive aligning security to business strategy - not like a technician configuring controls. The correct answer is almost always the one that serves business objectives first.
Core Governance Concepts
- Security governance vs security management: Governance sets direction and accountability (board, executives). Management executes (CISO, security team). On the exam, "governance" questions tend to point to senior leadership decisions.
- Security strategy: Must align with and support the overall business strategy. A security strategy that exists independently of business goals is considered weak governance.
- Due care: Taking reasonable steps to protect assets (doing something). Due diligence: Continuously verifying those steps are adequate (checking it was done right).
- Policies, standards, procedures, guidelines: Policy (what/why, mandatory) - Standard (specific requirements, mandatory) - Procedure (how, mandatory) - Guideline (recommended, discretionary). Policies require senior management sign-off.
- Security steering committee: Cross-functional body bridging IT security and business units. The CISO typically chairs or advises; senior business leaders are members. This is the correct escalation path for most strategic decisions.
Key Governance Metrics
- KPI (Key Performance Indicator): Measures how well a control or process is working (lagging indicator - tells you where you are).
- KRI (Key Risk Indicator): Early warning of increasing risk exposure (leading indicator - tells you where you are heading).
- CSF (Critical Success Factor): What must go right for the security program to achieve its objectives.
Domain 2: Information Security Risk Management (20%)
Risk Management is the most formula-heavy domain. Know the quantitative calculations cold; understand qualitative methods conceptually.
Risk Formulas
| Formula | Definition | Use Case |
|---|---|---|
| SLE = AV x EF | Single Loss Expectancy = Asset Value x Exposure Factor | Loss from one incident occurrence |
| ALE = SLE x ARO | Annual Loss Expectancy = SLE x Annual Rate of Occurrence | Annualized expected loss; basis for control cost justification |
| (ALE before) - (ALE after) - (annual cost of control) | Net benefit of implementing a control. The control cost must be annualized, because ALE is an annual figure | If the result is positive, the control is cost-justified |
| Risk = Threat x Vulnerability x Asset Value | Conceptual risk equation | Used in qualitative discussions, not precise calculation |
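The formula table worked through in code, as an added example that is not part of the original cheat sheet. It uses this page's own FAQ scenario (AV $500,000, EF 40%, ARO 0.5) as the inherent risk; the candidate controls, their annual costs and residual figures, and the ALE tolerance are constructed assumptions. It also carries the numbers through to the treatment decision: mitigate with the control that has the largest positive net benefit, or, when no control is cost-justified, accept only if the ALE sits within the stated tolerance, otherwise escalate.

```python
"""Quantitative risk arithmetic (SLE, ALE, control net benefit) - added example.

Inherent-risk figures are the ones in this page's FAQ; the controls and the
ALE tolerance below are constructed for illustration, not from the page.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF, fraction of AV lost per occurrence (0..1)
    aro: float              # ARO, expected occurrences per year

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("AV and ARO cannot be negative")

    def sle(self) -> float:
        """Single Loss Expectancy = AV x EF (loss from one occurrence)."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy = SLE x ARO (expected loss per year)."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float      # annualized, so it is comparable with ALE
    residual_ef: float      # EF once the control is in place
    residual_aro: float     # ARO once the control is in place

    def residual_risk(self, inherent: Risk) -> Risk:
        return Risk(inherent.asset_value, self.residual_ef, self.residual_aro)

    def net_benefit(self, inherent: Risk) -> float:
        """(ALE before) - (ALE after) - (annual cost). Positive => cost-justified."""
        return inherent.ale() - self.residual_risk(inherent).ale() - self.annual_cost


def aro_from_interval(years_between_events: float) -> float:
    """Turn 'once every N years' into an ARO (once in 5 years -> 0.2)."""
    if years_between_events <= 0:
        raise ValueError("interval must be positive")
    return 1.0 / years_between_events


def recommend(inherent: Risk, controls: list[Control], ale_tolerance: float) -> tuple[str, float]:
    """Treatment the risk owner would be asked to sign off on, plus residual ALE.

    The control with the highest positive net benefit wins. If none is
    cost-justified, acceptance is only on the table when the inherent ALE
    is within the tolerance figure; otherwise the risk is escalated.
    """
    justified = [c for c in controls if c.net_benefit(inherent) > 0]
    if justified:
        best = max(justified, key=lambda c: c.net_benefit(inherent))
        return f"mitigate: {best.name}", best.residual_risk(inherent).ale()
    if inherent.ale() <= ale_tolerance:
        return "accept", inherent.ale()
    return "escalate: no cost-justified control and ALE exceeds tolerance", inherent.ale()


# Inherent risk from the page's FAQ scenario: SLE = 200,000, ALE = 100,000.
INHERENT = Risk(asset_value=500_000, exposure_factor=0.40, aro=0.5)

# Constructed candidate controls (names and figures are illustrative).
CONTROLS = [
    # Halves likelihood: 100,000 - 50,000 - 30,000 = +20,000
    Control("offsite immutable backups", annual_cost=30_000, residual_ef=0.40, residual_aro=0.25),
    # Nearly eliminates the loss but costs more than the risk: 100,000 - 12,500 - 120,000 = -32,500
    Control("fully redundant hot site", annual_cost=120_000, residual_ef=0.05, residual_aro=0.5),
    # Cheaper but weaker: 100,000 - 80,000 - 10,000 = +10,000
    Control("quarterly restore tests", annual_cost=10_000, residual_ef=0.40, residual_aro=0.40),
]

if __name__ == "__main__":
    print(f"SLE = {INHERENT.sle():,.0f}  ALE = {INHERENT.ale():,.0f}")
    for c in CONTROLS:
        print(f"{c.name:28s} net benefit = {c.net_benefit(INHERENT):+,.0f}")
    print(recommend(INHERENT, CONTROLS, ale_tolerance=25_000))
```

Note that the hot site has the lowest residual ALE of the three yet is rejected: the exam's cost-justification test is on net benefit, not on how much risk a control removes. That is also why the cost in the formula has to be annualized; comparing a one-off capital cost against an annual loss figure produces the wrong answer.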
Risk Treatment Options
- Mitigate (reduce): Implement controls to lower probability or impact.
- Transfer (share): Shift financial impact to a third party (insurance, contracts). Does not eliminate the risk.
- Accept: Acknowledge and document the risk; appropriate when cost of control exceeds expected loss. Requires formal sign-off by business owner.
- Avoid: Stop the activity creating the risk entirely.
Risk Vocabulary Distinctions
- Risk appetite: The total amount of risk an organization is willing to accept in pursuit of its objectives (strategic, set by board).
- Risk tolerance: Acceptable deviation from risk appetite for a specific area or process (operational, set by management).
- Risk threshold: The point at which risk becomes unacceptable and requires escalation or action.
- Inherent risk: Risk before any controls are applied.
- Residual risk: Risk remaining after controls are applied. This is what the business owner formally accepts.
- Control risk: Risk that a control will fail to prevent or detect an issue.
Business Impact Analysis (BIA)
- RTO (Recovery Time Objective): Maximum acceptable time to restore a process after disruption.
- RPO (Recovery Point Objective): Maximum acceptable data loss expressed in time (how far back can you tolerate restoring from backup).
- MTD / MTO (Maximum Tolerable Downtime / Outage): Absolute maximum time a business process can be unavailable before unacceptable consequences occur. MTD must be greater than or equal to RTO.
- WRT (Work Recovery Time): Time needed to restore data, verify its integrity and resume business processing after systems are back online. Some frameworks treat MTD = RTO + WRT, so the RTO must leave room for the WRT inside the MTD.
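A consistency check over a set of BIA figures, as an added example that is not from the page. It encodes the relationships above: RTO must not exceed MTD, RTO + WRT must not exceed MTD where the framework splits recovery that way, and the practical caveat that a backup taken every N hours can lose up to N hours of data, so the backup interval must not exceed the RPO. The process names and figures are constructed.

```python
"""Consistency checks on BIA recovery objectives - added example.

Encodes: RTO <= MTD, RTO + WRT <= MTD, and backup interval <= RPO.
All process names and figures below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BiaEntry:
    process: str
    mtd_hours: float              # Maximum Tolerable Downtime
    rto_hours: float              # Recovery Time Objective (systems restored)
    wrt_hours: float              # Work Recovery Time (data restored, integrity verified)
    rpo_hours: float              # Recovery Point Objective (tolerable data loss)
    backup_interval_hours: float  # how often a restorable backup is actually taken


def check_entry(e: BiaEntry) -> list[str]:
    """Findings for one process; an empty list means the figures are consistent."""
    findings = []
    if e.rto_hours > e.mtd_hours:
        findings.append(f"RTO {e.rto_hours}h exceeds MTD {e.mtd_hours}h")
    if e.rto_hours + e.wrt_hours > e.mtd_hours:
        findings.append(
            f"RTO + WRT = {e.rto_hours + e.wrt_hours}h exceeds MTD {e.mtd_hours}h "
            "(systems may be up, but the business is not recovered in time)"
        )
    # Worst-case data loss is one full backup interval, so the interval must fit in the RPO.
    if e.backup_interval_hours > e.rpo_hours:
        findings.append(
            f"backup every {e.backup_interval_hours}h cannot meet RPO {e.rpo_hours}h"
        )
    return findings


def check_bia(entries: list[BiaEntry]) -> dict[str, list[str]]:
    """Map each process to its findings; consistent processes are omitted."""
    report = {}
    for e in entries:
        findings = check_entry(e)
        if findings:
            report[e.process] = findings
    return report


# Constructed sample BIA register (not from the page).
SAMPLE_BIA = [
    # consistent: 4h + 2h <= 8h, and hourly backups meet a 1h RPO
    BiaEntry("order processing", mtd_hours=8, rto_hours=4, wrt_hours=2,
             rpo_hours=1, backup_interval_hours=1),
    # inconsistent: RTO alone fits, but RTO + WRT (28h) overruns the 24h MTD
    BiaEntry("payroll", mtd_hours=24, rto_hours=16, wrt_hours=12,
             rpo_hours=24, backup_interval_hours=24),
    # inconsistent: nightly backups cannot meet a 15-minute RPO
    BiaEntry("payments ledger", mtd_hours=2, rto_hours=1, wrt_hours=0.5,
             rpo_hours=0.25, backup_interval_hours=24),
]

if __name__ == "__main__":
    for process, findings in check_bia(SAMPLE_BIA).items():
        for finding in findings:
            print(f"{process}: {finding}")
```

The payroll row is the case the exam likes: every individual figure looks reasonable, and the RTO on its own is inside the MTD, but once work recovery is added the business misses its own deadline. The RPO check catches the other common gap, a stated objective that the actual backup schedule cannot deliver.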
Domain 3: Security Program Development and Management (33%)
The heaviest domain. Questions focus on building, running, and measuring a security program as a manager - not on technical configurations.
Control Types and Categories
| Type | Purpose | Examples |
|---|---|---|
| Preventive | Stop an incident before it occurs | Firewall rules, access controls, encryption, security awareness training |
| Detective | Identify incidents in progress or after the fact | SIEM, IDS, audit logs, vulnerability scans |
| Corrective | Restore systems or processes after an incident | Patch management, incident response, backup restoration |
| Deterrent | Discourage potential attackers | Warning banners, visible cameras, security policies |
| Compensating | Substitute when a primary control cannot be implemented | Increased monitoring when segregation of duties is not feasible |
Controls also fall into three categories: technical (software/hardware), administrative (policies, training, procedures), and physical (locks, guards, facilities). CISM questions often ask which type is "most effective" - administrative controls (policy and training) are frequently the correct answer when the question involves human behavior.
Security Program Metrics
A strong security program uses metrics that demonstrate business value, not just technical activity. The CISM exam strongly favors metrics tied to risk reduction and business outcomes over counts of security events:
- Avoid: "Number of firewall rules updated" (activity metric, no business meaning).
- Prefer: "Percentage of critical assets with verified backups" or "Mean time to patch critical vulnerabilities."
- The best metric for presenting to the board is one that connects security posture to business risk - not technical detail.
Third-Party and Vendor Risk
- Security responsibilities cannot be fully outsourced. The organization retains accountability even when a vendor handles operations.
- Key tools: vendor risk assessments, security requirements in contracts, right-to-audit clauses, SLAs with security provisions.
- On the exam, "reviewing vendor contracts and SLAs" is typically a stronger answer than "trusting vendor certifications."
Domain 4: Incident Management (30%)
ISACA's incident management framework differs slightly from NIST SP 800-61 in terminology. Know both, but favor ISACA's framing when questions don't reference a specific standard.
ISACA Incident Response Lifecycle
| Phase | Key Activities |
|---|---|
| 1. Detection | Identify that an event has occurred; classify as incident or non-incident |
| 2. Response | Activate IR team, notify stakeholders, begin triage |
| 3. Mitigation | Contain the incident to prevent further spread or damage |
| 4. Reporting | Notify management, regulators (if required), and affected parties |
| 5. Recovery | Restore systems and services to normal operation |
| 6. Remediation | Address root cause; implement fixes to prevent recurrence |
| 7. Lessons Learned | Post-incident review; update plans, training, and controls |
BCP vs DR - Key Distinctions
- Business Continuity Plan (BCP): Keeps critical business functions running during a disruption. Focuses on people, processes, and workarounds. Business-owned.
- Disaster Recovery Plan (DRP): Restores IT systems and data after a major failure. Technology-focused. IT-owned.
- Crisis Management Plan: Coordinates executive response during a major crisis. Communication and decision-making. Executive-owned.
- On CISM exam questions, BCP takes priority because it preserves business operations. DR is a subset of BCP, not the other way around.
Evidence and Forensics
- Chain of custody: Documentation of who handled evidence, when, and how. Critical for any potential legal proceeding.
- First responder priority: Contain the incident and preserve evidence - do not power off systems without forensic guidance if volatile data (RAM, running processes) is relevant.
- The CISM exam distinguishes between incident response (security manager role) and forensic investigation (may require law enforcement or specialized team).
Key Frameworks Reference
CISM questions reference several frameworks by name. You do not need deep implementation knowledge - understand the purpose and structure of each.
| Framework | Owner | Purpose | CISM Relevance |
|---|---|---|---|
| COBIT 2019 | ISACA | IT governance and management framework; aligns IT with business objectives | Domain 1 - governance alignment; board/executive accountability |
| ISO/IEC 27001 | ISO | ISMS standard; defines requirements for managing information security | Domains 1, 3 - program structure, policy, continual improvement (Plan-Do-Check-Act) |
| ISO/IEC 27002 | ISO | Controls catalog; best-practice guidance for implementing 27001 controls | Domain 3 - control selection reference |
| NIST CSF | NIST | Cybersecurity framework: Identify, Protect, Detect, Respond, Recover (CSF 2.0, released 2024, adds a sixth function, Govern) | Domains 2-4 - risk-based program structure; widely referenced in US organizations |
| NIST SP 800-37 | NIST | Risk Management Framework (RMF) - prepare, categorize, select, implement, assess, authorize, monitor | Domain 2 - risk management lifecycle in federal/regulated contexts |
| ITIL 4 | Axelos | IT service management framework; change management, incident management, service continuity | Domain 4 - integration of IT service management with security incident response |
Exam-Day Mental Models
CISM is not a knowledge test - it is a judgment test. ISACA writes questions where multiple answers look plausible. These mental models help you pick the right one reliably.
The Manager Lens
Always answer as a security manager, not a technician. When a question asks what to do about a vulnerability or risk, the managerial answer (communicate to stakeholders, assess business impact, update the risk register, get sign-off) typically beats the technical answer (patch it, block the port, run the scan). If a technical answer is the right choice, the question will usually say so explicitly.
Business Alignment Wins
When two answers are both defensible, choose the one that connects to business objectives. "Present a risk-adjusted business case to senior management" beats "implement the security control." "Align the security strategy with the organization's strategic plan" beats "update the security policy." ISACA's worldview is that security exists to enable business, not to constrain it.
Process Before Technical Controls
CISM strongly favors policies, training, and governance processes as primary answers over technical controls. If a question gives you "implement a firewall rule" vs. "update the acceptable use policy and train employees," the policy answer is usually right - even when both seem to address the problem.
"FIRST" Questions
When a question asks what a security manager should do FIRST, the answer is almost always: assess the risk, understand the business impact, or communicate to the appropriate stakeholder - before taking action. Jumping to a solution without assessment is almost never the right CISM answer. The sequence is: understand, assess, communicate, then act.
Risk Acceptance Belongs to the Business
The security manager does not own risk - the business does. When a question asks who should formally accept residual risk after controls are applied, the answer is the business owner or senior management, not the CISO or security team. The security team documents, advises, and monitors - but risk acceptance is a business decision.
Containment Before Eradication
In incident response questions, containment comes before eradication. You stop the bleeding before you extract the bullet. And always preserve evidence before you begin cleanup - this is especially important when legal or regulatory consequences are possible.
Frequently Asked Questions
What topics appear most on the CISM exam?
Domains 3 and 4 together make up 63% of exam questions - security program management and incident management. Within Domain 3, questions about metrics, control frameworks, and security program governance are common. Within Domain 4, the incident response lifecycle, BCP/DR distinctions, and communication protocols appear frequently. For the full breakdown, see our CISM Domains Explained guide.
Do I need to memorize specific formulas for CISM?
Yes, but only a handful: SLE = AV x EF, ALE = SLE x ARO, and the control cost-benefit comparison built from them. Know these and be able to apply them in a scenario, e.g. "the asset is worth $500,000, the exposure factor is 40%, and the expected frequency is 0.5 times per year - what is the ALE?" SLE = $500,000 x 0.40 = $200,000; ALE = $200,000 x 0.5 = $100,000 per year. Qualitative risk assessments (high/medium/low matrices) are also tested but require no formula memorization.
What is the difference between a security policy and a security standard?
A policy states the organization's high-level intent and requirements - it defines "what" and "why." A standard provides specific, measurable requirements that implement the policy - it defines "how much" or "which." Policies are mandatory and require executive approval. Standards are also mandatory and typically require security management approval. Procedures describe the step-by-step "how." Guidelines are discretionary recommendations.
How does ISACA define an "information security incident"?
ISACA defines an incident as any event that has an adverse effect on the confidentiality, integrity, or availability of information assets - or any event that violates the organization's security policies. Not every security event is an incident: events are potential security issues; incidents are confirmed violations or impacts. The distinction matters for triage and escalation questions.
What is the CISM exam format in 2026?
150 multiple-choice questions, 4 hours, scored 200-800 with 450 as the passing threshold. Computer-based testing at Pearson VUE testing centers. Some questions are pretest items that do not count toward your score but are indistinguishable from scored questions. For the full format breakdown, see our CISM Exam Format guide.
How do I know if my prep is ready?
Two benchmarks: consistently scoring 70%+ on timed practice exams that mirror ISACA's management-focused question style, and being able to explain why wrong answers are wrong (not just why the right answer is right). If you can articulate ISACA's reasoning on the distractors, you are ready. Our 12-Week Study Plan includes specific readiness checkpoints.
Related Guides
CISM Domains Explained (2026)
Full deep dive into all 4 domains - key concepts, exam weight, and study priorities for each.
CISM 12-Week Study Plan
A structured week-by-week plan for working professionals. Covers all domains with milestones.
25 Free CISM Practice Questions
Timed sample questions with detailed explanations for all 4 domains - test your readiness now.
CISM Passing Score Explained
How scaled scoring works, what 450 actually means, and how many questions you need correct.