📋 Table of Contents
- What Domain 1 Covers
- Exam Weight and Question Distribution
- Governance Frameworks and Standards
- Organizational Roles and Responsibilities
- Information Security Strategy Development
- Legal, Regulatory, and Contractual Requirements
- Organizational Culture and Security Culture
- How to Study Domain 1 for the Exam
- Frequently Asked Questions
What Domain 1 Covers
Information Security Governance is the smallest of the four CISM domains by exam weight, but it is foundational to everything else. ISACA defines information security governance as the system by which an organization's information security activities are directed and controlled. It is distinct from security management: governance sets direction, establishes accountability, and measures outcomes; management executes against that direction.
Domain 1 maps to seven task areas in ISACA's Exam Content Outline:
- Establishing and maintaining an information security governance framework and supporting processes
- Aligning information security strategy with organizational goals and objectives
- Establishing and maintaining information security policies that reflect business direction
- Developing business cases for information security investment
- Identifying internal and external influences on the organization's information security strategy
- Obtaining commitment from senior leadership and stakeholders
- Defining, communicating, and monitoring information security responsibilities
The through-line in all of these tasks is the same: security decisions must be grounded in business context, justified by risk, and owned by leadership - not delegated downward and forgotten. That mindset is what Domain 1 questions test.
For the broader context of how Domain 1 fits within all four domains, see the CISM Domains Explained guide.
Exam Weight and Question Distribution
At 17%, Domain 1 generates roughly 25-26 questions in a standard 150-question sitting. That makes it the smallest domain on the exam - Domain 3 (Information Security Program) at 33% and Domain 4 (Incident Management) at 30% together account for nearly two-thirds of the exam. Still, 25 questions is meaningful: a candidate who guesses blindly on Domain 1 and gets 40% correct loses roughly 15 points of scaled score headroom.
| Domain | Weight | Approx. Questions (of 150) |
|---|---|---|
| Domain 1: Information Security Governance | 17% | ~25-26 |
| Domain 2: Information Security Risk Management | 20% | ~30 |
| Domain 3: Information Security Program | 33% | ~50 |
| Domain 4: Incident Management | 30% | ~45 |
These weights reflect the current exam content outline. ISACA's November 3, 2026 update does not change Domain 1's 17% weight, though it adds AI governance elements to the subtopics within the domain. If you are testing before November 3, 2026, the content described in this article applies directly.
Governance Frameworks and Standards
ISACA expects CISM candidates to be familiar with the major governance frameworks and know when each is most appropriate. The exam does not ask you to memorize framework details - it tests whether you can apply them to a scenario and choose the most appropriate framework given a specific organizational context.
COBIT 2019
COBIT (Control Objectives for Information and Related Technologies), published by ISACA, is the most directly referenced framework in CISM questions. COBIT 2019 provides a governance and management framework organized around 40 governance and management objectives. For CISM purposes, the key COBIT concepts are: the distinction between governance (EDM - Evaluate, Direct, Monitor) and management (PBRM - Plan, Build, Run, Monitor); the roles of the board versus executive management; and how performance goals cascade from governance objectives down to management processes.
ISO/IEC 27001:2022
ISO 27001 is the international standard for information security management systems (ISMS). The 2022 revision restructured its Annex A controls into four themes. For Domain 1, the most relevant aspects are Clause 5 (Leadership), which assigns explicit governance responsibilities to top management, and Clause 6 (Planning), which ties risk treatment to organizational context. Many CISM exam scenarios involve an organization seeking ISO 27001 certification - understanding what governance posture that requires is testable.
NIST Cybersecurity Framework 2.0
NIST CSF 2.0, released in February 2024, added a sixth function - Govern - to the original five (Identify, Protect, Detect, Respond, Recover). The Govern function covers organizational context, risk management strategy, roles and responsibilities, policy, oversight, and cybersecurity supply chain risk management. ISACA has incorporated NIST CSF 2.0 into its updated exam content, particularly in the context of governance structure and risk appetite documentation.
How the Exam Tests Frameworks
CISM questions rarely name a framework and ask you to recall its details. Instead, a scenario describes an organizational problem - poor board visibility into security risk, undefined accountability for security decisions, or a security program that lacks executive sponsorship - and asks which governance action the security manager should take first. Knowing that "board-level oversight" maps to COBIT's governance layer, or that "documented risk appetite" is a NIST CSF 2.0 Govern requirement, helps you quickly eliminate wrong answers.
Organizational Roles and Responsibilities
Domain 1 places heavy emphasis on understanding who is accountable for what at each organizational level. ISACA draws a clear line between governance roles and management roles, and exam questions frequently test whether candidates understand which actions belong to which level.
| Level | Role | Primary Responsibility in Security Governance |
|---|---|---|
| Governance | Board of Directors | Approve security strategy; set risk appetite; hold executive leadership accountable |
| Governance | Audit Committee | Independent oversight of security controls and compliance; receive risk reports |
| Executive Management | CEO / Executive Committee | Direct organizational resources toward security objectives; sponsor the security program |
| Executive Management | CISO / Chief Security Officer | Own the information security program; bridge between business strategy and security execution |
| Management | Security Manager (CISM holder) | Implement governance decisions; manage day-to-day security operations and reporting |
| Operations | Data / Asset Owners | Classify information; accept residual risk within their domain; ensure controls are applied |
A recurring exam pattern: a scenario presents a governance failure (security decisions are being made by IT without business input, or the board has no visibility into risk posture) and asks what the security manager should do. The correct ISACA answer nearly always involves escalating to or educating executive leadership and seeking formal board-level commitment - not fixing it at the operational level.
The security manager's role in governance is to support and enable governance, not to be the governance authority. When a CISM question asks who is ultimately responsible for information security risk, the answer is the business - specifically, senior management and the board - not the security manager or CISO.
Information Security Strategy Development
A core Domain 1 task is developing an information security strategy that aligns with the organization's business objectives. ISACA tests this through scenarios involving competing priorities, budget constraints, and executive relationships. The underlying principle is that security strategy must be derived from business strategy - not invented in isolation by the security team.
The Security Strategy Development Process
ISACA describes a structured approach:
- Assess the current state - inventory existing controls, identify gaps, and understand the organization's risk profile relative to its business objectives.
- Define the desired state - translate business objectives and risk appetite into a target security posture. This requires understanding what the business is trying to achieve, not just what threats exist.
- Identify the gap - compare current state to desired state and quantify what is missing in people, processes, and technology.
- Build the business case - justify investment in closing the gap using risk reduction, regulatory compliance requirements, and business enablement arguments.
- Obtain executive approval and sponsorship - present the strategy to leadership with metrics that translate security risk into business impact (financial exposure, operational disruption, reputational damage).
- Execute and measure - implement the roadmap and report progress against metrics the board can act on.
Security Metrics for Board Reporting
Domain 1 tests which metrics are appropriate to report at the board level versus the operational level. Board-level metrics should reflect business risk, not technical indicators. Examples ISACA favors:
- Percentage of critical assets covered by risk assessments
- Number of incidents with material business impact in the period
- Status of regulatory compliance (percentage of controls meeting requirements)
- Trend in risk profile versus risk appetite threshold
Operational metrics - patch compliance percentages, vulnerability counts, firewall rule changes - are not appropriate for board reporting. A CISM question presenting a scenario where the security manager brings a 400-line vulnerability scan report to the board is testing whether you recognize this as an error and can identify the correct escalation format.
Legal, Regulatory, and Contractual Requirements
Every organization's security governance framework must account for the legal and regulatory environment in which it operates. Domain 1 expects candidates to understand the categories of external obligations and how they shape governance decisions - not to memorize the specific provisions of each regulation.
Key regulatory environments the CISM exam references include:
- GDPR (EU General Data Protection Regulation) - imposes accountability at the board and executive level for data protection, requires documented governance structures, and mandates breach notification timelines.
- HIPAA (Health Insurance Portability and Accountability Act) - requires covered entities and business associates to maintain a security management process, conduct risk assessments, and document policies.
- SOX Section 404 (Sarbanes-Oxley) - requires public companies to establish internal controls over financial reporting; the IT general controls evaluated under SOX frequently fall within the security manager's scope.
- PCI-DSS (Payment Card Industry Data Security Standard) - a contractual rather than legislative requirement, but functionally mandatory for organizations processing payment cards. Governance requirements include quarterly reviews and annual formal assessments.
The exam typically presents these as contextual background, then asks: given this regulatory obligation, what should the security manager do to ensure governance is adequate? The correct answer framework: identify the requirement, assess the gap, escalate to the appropriate governance level, and build the remediation into the security strategy.
Organizational Culture and Security Culture
ISACA includes organizational culture as a distinct Domain 1 subtopic because governance frameworks and policies are only effective when the organization's culture supports them. The best-written policy fails if employees do not follow it, executives do not model it, and the board does not hold leadership accountable for it.
For the CISM exam, the key culture concepts are:
- Tone from the top - security culture is shaped by what leadership visibly prioritizes. A board that never asks about security risk, and an executive team that routinely bypasses controls for convenience, create a culture where employees do the same. Changing culture requires changing leadership behavior first.
- Security awareness and training - not just an operational activity but a governance requirement. Domain 1 treats awareness programs as a governance mechanism that translates policy into behavior.
- Risk culture and risk appetite - the organization's tolerance for risk is set at the governance level. The security manager must work within the defined risk appetite, not independently decide what risks are acceptable. When the manager believes the risk appetite is miscalibrated, the correct action is to present data to leadership, not to unilaterally tighten controls.
How to Study Domain 1 for the Exam
Domain 1 is the domain that most benefits from understanding ISACA's "why" behind each answer, rather than memorizing facts. The questions test judgment about governance roles and escalation paths. Here is what actually moves your Domain 1 score:
1. Internalize the Governance vs Management Distinction
Before doing any practice questions, read COBIT 2019's governance vs management model until it is automatic. Every Domain 1 question implicitly tests whether the correct action is a governance decision (board/executive) or a management action (security manager). Getting this wrong is the most common Domain 1 failure pattern.
2. Practice "Who Owns This?" Scenarios
For any security responsibility question, build the habit of asking: who decides this (governance), who directs this (executive management), and who executes this (security manager, operations)? The exam will hand you ambiguous scenarios designed to blur these lines - your job is to put each responsibility in the right box.
3. Use the CISM Review Manual for Frameworks
The ISACA CISM Review Manual covers COBIT, ISO 27001, and NIST CSF at the level of depth the exam requires. You do not need to read the full framework documents - the Review Manual summaries are sufficient for exam purposes.
4. Do 30-40 Targeted Domain 1 Practice Questions
Domain 1 questions have a characteristic structure - scenario, stakeholder action, four governance-level choices - and you build pattern recognition by doing them repeatedly. Focus on understanding why the correct answer is correct, especially when it requires escalating rather than acting. See the 12-week CISM study plan for how to sequence Domain 1 practice within a full study schedule.
5. Review the Domain 1 Section of the CISM Cheat Sheet
Before exam day, review the governance concepts summary in the CISM cheat sheet to consolidate key frameworks, roles, and escalation patterns into a single reference.
Frequently Asked Questions
What percentage of the CISM exam is Domain 1?
Domain 1 - Information Security Governance - is 17% of the CISM exam, which equates to approximately 25-26 questions in a 150-question sitting. It is the smallest domain by weight. Domain 3 (Information Security Program) is the largest at 33%.
What is the difference between governance and management in the CISM context?
Governance is the system by which the board and executive leadership set direction, establish accountability, and monitor outcomes for information security. Management is the execution of that direction by the security manager and their team. The board governs; the CISM-holding security manager manages. When exam questions present a scenario where a governance decision needs to be made, the correct action is almost always to escalate to the appropriate governance level, not to resolve it at the management level.
Which governance frameworks does CISM Domain 1 test?
ISACA primarily references COBIT 2019 (its own framework), ISO/IEC 27001:2022, and NIST CSF 2.0. The CISM Review Manual covers each at exam depth. You do not need to memorize control numbers or annex specifics - focus on understanding what each framework says about roles, responsibilities, and governance structure.
Who is ultimately responsible for information security according to ISACA?
Senior management and the board of directors. The security manager supports and advises leadership but does not bear ultimate accountability for organizational risk. This distinction appears repeatedly in Domain 1 exam questions and is frequently the deciding factor between the correct answer and a plausible wrong answer.
What metrics should a security manager present to the board?
Board-level metrics should translate security risk into business terms: regulatory compliance status, incidents with material business impact, risk posture vs defined risk appetite, and progress against strategic security objectives. Technical metrics (vulnerability counts, patch rates, IDS alerts) are operational metrics for the security team - presenting them to the board is a common wrong answer in Domain 1 scenarios.
How does Domain 1 connect to the other CISM domains?
Domain 1 is the governance layer that all other domains report into. Domain 2 (Risk Management) feeds risk information up to the governance level for decision-making. Domain 3 (Information Security Program) executes the strategy that governance defines. Domain 4 (Incident Management) escalates significant incidents to the governance level. Candidates who have a strong Domain 1 foundation tend to apply the correct governance mindset across all four domains.
Related Guides
All 4 CISM Domains Explained
Complete overview of all four domains with weights, subtopics, and study priority guidance.
CISM 12-Week Study Plan
Week-by-week schedule covering all four domains, including how to sequence Domain 1 study.
CISM Cheat Sheet 2026
Domain weights, key frameworks, risk formulas, and governance mental models for exam day.
CISM Exam Format Guide
150 questions, 4-hour time limit, scaled 200-800 score - everything you need to know about the exam structure.