CISM Domain 2: Information Security Risk Management (20%) Explained

Updated June 2026

📋 Table of Contents

  1. What Is Domain 2 and Why Does It Matter?
  2. Exam Weight and Question Distribution
  3. Core Topics Covered in Domain 2
  4. Risk Assessment Frameworks ISACA Tests
  5. Risk Response: The Four Treatment Strategies
  6. Risk Monitoring and Reporting to the Board
  7. How Domain 2 Differs from CRISC
  8. Study Strategy for Domain 2
  9. Frequently Asked Questions

🎯 Quick Summary

CISM Domain 2 - Information Security Risk Management - accounts for 20% of the exam (roughly 30 of 150 questions). It covers how security managers identify, assess, and respond to information security risk in alignment with business objectives. The domain tests management judgment, not technical vulnerability knowledge - ISACA wants to know how you make risk decisions, not how you scan for CVEs.

What Is Domain 2 and Why Does It Matter?

Of the four CISM domains, Domain 2 is the one most directly tied to day-to-day security management work. Risk management is not a periodic exercise or a compliance checkbox - it is the ongoing process by which a security manager helps the business make informed decisions about what threats to prioritize, which controls to invest in, and what level of residual risk is acceptable.

ISACA's framing is deliberately business-first. The domain title is Information Security Risk Management, not vulnerability management or threat intelligence. The distinction matters on the exam: questions almost always test whether you understand how risk connects to business impact, not whether you know the technical details of any particular attack vector.

Domain 2 sits in the context of the four-domain structure covered in our complete CISM domains guide. Domain 1 (Governance) establishes the framework and authority structures that make risk management possible; Domain 2 uses those structures to identify and prioritize threats. Domains 3 and 4 then execute the controls and respond to incidents that risk management helps predict.

⚠️ ISACA's Risk Mindset Is Specific

The CISM exam expects you to treat risk as an input to business decisions, not as a threat to be eliminated. Questions that present "eliminate all risk" as an option are almost always wrong. ISACA's correct answer is almost always to reduce risk to an acceptable level aligned with the organization's risk appetite.

Exam Weight and Question Distribution

The CISM exam contains 150 questions. Domain 2's 20% weight translates to approximately 30 questions - the third-largest domain by question count, behind Domain 4 (Incident Management, 36%) and Domain 3 (Security Program Development, 27%).

| Domain | Weight | Approx. Questions |
|---|---|---|
| Domain 1: Information Security Governance | 17% | ~26 |
| Domain 2: Information Security Risk Management | 20% | ~30 |
| Domain 3: Information Security Program | 27% | ~40 |
| Domain 4: Incident Management | 36% | ~54 |

A passing score of 450 out of 800 (ISACA's scaled scoring system) requires a reasonably consistent performance across all domains. Since Domain 2 contributes 30 questions, getting most of them right provides meaningful leverage - but no domain is large enough to carry you if you are weak elsewhere. See our Domain 1 deep dive for a model of how ISACA structures these domain questions.

Core Topics Covered in Domain 2

ISACA's CISM Review Manual organizes Domain 2 around five major task statements. Candidates are expected to demonstrate the ability to perform each of these in a real management role:

1. Establishing a Risk Management Process

Defining the scope, methodology, and governance of the risk management program. This includes aligning the process with enterprise risk management (ERM), selecting a risk framework (NIST RMF, ISO 31000, FAIR, OCTAVE), and getting stakeholder buy-in. The exam tests whether you understand that risk management must be integrated into business processes, not run as a parallel security activity.

2. Risk Identification

Systematically identifying threats, vulnerabilities, and the assets they affect. Key concepts include threat modeling, asset classification, vulnerability assessments, and Business Impact Analysis (BIA). ISACA distinguishes between threats (external and internal events that could cause harm), vulnerabilities (weaknesses in controls), and risk (the combination of likelihood and impact). The exam often presents scenarios where candidates must identify which element is being described.

3. Risk Assessment and Analysis

Rating risk, quantitatively or qualitatively, so that it can be prioritized. Both qualitative (risk matrices, heat maps, expert judgment) and quantitative approaches (Annual Loss Expectancy, Single Loss Expectancy) appear on the exam. ISACA tends to favor qualitative approaches in practice because they are more accessible to business stakeholders - expect scenarios that test when each method is appropriate rather than requiring you to calculate a specific ALE value.

4. Risk Response and Treatment

Selecting and implementing the appropriate response to each identified risk. This is where the four response strategies (accept, avoid, mitigate, transfer) are applied. Documented risk acceptance by business owners and senior management is a frequently tested concept - the security manager's role is to present options and obtain documented decisions, not to make risk acceptance decisions unilaterally.

5. Risk Monitoring and Reporting

Tracking residual risk over time and communicating risk posture to senior management and the board. Key metrics include Key Risk Indicators (KRIs), risk register updates, and escalation thresholds. ISACA consistently tests the idea that risk monitoring is continuous, not annual - a static risk register that is updated once per year is not an acceptable control.

Risk Assessment Frameworks ISACA Tests

The CISM exam does not require you to be a practitioner of any single framework, but it does test your ability to recognize each framework's purpose, strengths, and appropriate context. Expect 4-6 questions that reference specific frameworks by name.

| Framework | Owner | Key Characteristic | When ISACA Favors It |
|---|---|---|---|
| NIST RMF (SP 800-37) | NIST | Seven-step lifecycle: Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor | US federal agencies and contractors; systems-focused risk decisions |
| ISO 31000 | ISO/IEC | Principles and guidelines for enterprise risk management; technology-agnostic | International or enterprise-wide risk programs; board-level risk alignment |
| FAIR (Factor Analysis of Information Risk) | FAIR Institute / OpenFAIR | Quantitative model for expressing risk in financial terms | Scenarios requiring a business case for security investment; board communication |
| OCTAVE | Carnegie Mellon CERT | Operationally Critical Threat, Asset, and Vulnerability Evaluation; self-directed | Smaller organizations without large security teams; asset-centric risk assessments |
| COBIT 2019 | ISACA | Governance and management of enterprise IT; includes a risk optimization objective | Questions linking risk management to IT governance; ISACA's own framework |

The exam rarely asks you to recall framework steps in sequence. It more commonly presents a scenario - "the organization is a US defense contractor" or "the CISO needs to quantify risk for the CFO" - and asks which framework best fits. Matching context to framework is the core skill.

Risk Response: The Four Treatment Strategies

Risk response questions are the most commonly seen Domain 2 question type. ISACA uses four treatment options consistently, and the exam tests whether candidates can identify the correct strategy given specific scenario conditions.

| Strategy | Also Called | Description | When to Apply |
|---|---|---|---|
| Accept | Risk retention | Acknowledge the risk and take no additional action beyond monitoring | Risk falls below risk appetite; cost of mitigation exceeds expected loss; residual risk after controls is acceptable |
| Avoid | Risk elimination | Discontinue the activity that creates the risk | Risk exceeds appetite and the business activity is non-essential; no cost-effective mitigation exists |
| Mitigate | Risk reduction | Implement controls to reduce likelihood, impact, or both | Most common response; used when risk is above appetite but the business activity is necessary |
| Transfer | Risk sharing | Shift financial impact to a third party via insurance or contract | Residual risk remains after mitigation; cyber insurance or contractual liability shift is appropriate |

⚠️ Transfer Does Not Transfer Accountability

A frequently tested ISACA concept: purchasing cyber insurance transfers financial risk but not legal or regulatory accountability. If a breach exposes customer data, the organization is still responsible for breach notification and regulatory compliance regardless of insurance coverage. Exam questions that suggest insurance eliminates risk are testing this distinction.

One more concept worth memorizing: residual risk is the risk that remains after controls are applied. Every organization carries some residual risk - the security manager's job is to ensure it is documented and formally accepted by the appropriate business owner, not to eliminate it entirely. Questions about who should sign off on residual risk almost always have the answer as the business owner or senior management, not the CISO or security manager.
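The following is an added worked example, not code from the article or from ISACA, that puts the quantitative concepts on this page (SLE, ARO, ALE, ROSI, residual risk, risk appetite) together with the treatment table above. The dollar figures, the reduction fractions, and the $50k appetite are constructed assumptions; the decision rules follow the "When to Apply" column, and the function only produces the recommendation a security manager would present, since the business owner makes the actual acceptance decision.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    sle: float        # Single Loss Expectancy: dollar loss per event (constructed figures)
    aro: float        # Annual Rate of Occurrence: expected events per year
    essential: bool   # is the activity that creates the risk necessary to the business?

    @property
    def ale(self) -> float:
        # ALE = SLE x ARO, the formula the article cites
        return self.sle * self.aro


def residual_ale(risk: Risk, likelihood_cut: float, impact_cut: float) -> float:
    """ALE left after a control that reduces ARO and/or SLE by the given fractions."""
    return risk.sle * (1 - impact_cut) * risk.aro * (1 - likelihood_cut)


def rosi(ale_before: float, ale_after: float, control_cost: float) -> float:
    """Return on Security Investment: (risk reduction - control cost) / control cost.
    Negative means the control costs more than the loss it prevents."""
    return (ale_before - ale_after - control_cost) / control_cost


def recommend_treatment(risk: Risk, appetite: float, control_cost: float,
                        likelihood_cut: float, impact_cut: float) -> str:
    """Map the scenario conditions in the treatment table to a recommendation.
    This is the security manager's input; under ISACA's model the business owner
    makes and signs off the decision, and residual risk is recorded in the register."""
    if risk.ale <= appetite:
        return "accept"                 # below appetite: monitor, no further action
    after = residual_ale(risk, likelihood_cut, impact_cut)
    if control_cost >= risk.ale - after:
        # no cost-effective mitigation: drop the activity if it is non-essential,
        # else accept with documented sign-off (cost of mitigation exceeds expected loss)
        return "avoid" if not risk.essential else "accept"
    if after <= appetite:
        return "mitigate"               # controls bring residual risk within appetite
    # cost-effective controls still leave residual risk above appetite
    return "mitigate+transfer" if risk.essential else "avoid"


# Constructed scenario: ransomware hitting the billing platform.
BILLING = Risk("ransomware on billing", sle=400_000, aro=0.25, essential=True)
APPETITE = 50_000   # constructed annual loss the board is willing to carry

def billing_case() -> tuple:
    """Recommendation and ROSI for a $20k control cutting likelihood 60% and impact 50%."""
    after = residual_ale(BILLING, 0.6, 0.5)
    return recommend_treatment(BILLING, APPETITE, 20_000, 0.6, 0.5), rosi(BILLING.ale, after, 20_000)
```

Feeding the same risk to `recommend_treatment` with a non-essential activity and an uneconomic control returns "avoid", which is the table's avoidance condition expressed as code.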

Risk Monitoring and Reporting to the Board

Once risks are assessed and response strategies selected, Domain 2 requires ongoing monitoring to detect changes in the risk environment and report status to leadership. ISACA tests three key concepts here:

Key Risk Indicators (KRIs)

KRIs are metrics that provide early warning signals of increasing risk exposure. Unlike Key Performance Indicators (KPIs), which measure how well controls are working, KRIs measure the conditions that indicate risk is rising. Examples include: number of unpatched critical vulnerabilities trending upward, third-party vendor assessment scores falling below threshold, or percentage of employees who have not completed security awareness training.

The exam often presents scenarios where candidates must distinguish between a KRI (forward-looking risk signal) and a KPI (backward-looking control performance measure). Confusing the two is a common wrong-answer trap.
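As an added example (not from the article), the three KRIs the article lists can be evaluated the way a periodic risk register review would evaluate them: a threshold breach escalates to the risk owner, and a reading that is still inside the threshold but moving the wrong way for three cycles is flagged as a leading signal. The thresholds and readings are constructed, and a small KPI function is included for contrast with the lagging control-performance measure.

```python
from dataclasses import dataclass, field


@dataclass
class KRI:
    name: str
    threshold: float
    higher_is_worse: bool = True    # True for counts/percentages; False for scores
    readings: list = field(default_factory=list)   # oldest first, one per review cycle


def breached(k: KRI) -> bool:
    """True when the latest reading crosses the escalation threshold."""
    latest = k.readings[-1]
    return latest > k.threshold if k.higher_is_worse else latest < k.threshold


def trending_worse(k: KRI, periods: int = 3) -> bool:
    """True when the last `periods` readings move monotonically in the bad direction:
    the leading-indicator signal, exposure rising before any threshold is crossed."""
    recent = k.readings[-periods:]
    if len(recent) < periods:
        return False
    pairs = list(zip(recent, recent[1:]))
    return all(b > a for a, b in pairs) if k.higher_is_worse else all(b < a for a, b in pairs)


def status(k: KRI) -> str:
    if breached(k):
        return "escalate"   # threshold crossed: goes to the risk owner / steering committee
    if trending_worse(k):
        return "watch"      # inside threshold but rising: note it in the next register review
    return "ok"


# Constructed readings for the article's three example KRIs.
SAMPLE_KRIS = [
    KRI("unpatched critical vulns (count)", threshold=25, readings=[8, 11, 15, 21]),
    KRI("vendor assessment score (0-100)", threshold=70, higher_is_worse=False,
        readings=[82, 80, 79, 66]),
    KRI("staff with training incomplete (%)", threshold=10, readings=[12, 9, 6, 5]),
]


def review(kris=SAMPLE_KRIS) -> dict:
    """One review cycle: KRI name -> ok / watch / escalate."""
    return {k.name: status(k) for k in kris}


def patch_sla_kpi(patched_within_sla: int, total_critical: int) -> float:
    """A KPI, for contrast: how well the patching control performed last period
    (lagging), unlike the KRI above, which signals rising exposure (leading)."""
    return 100.0 * patched_within_sla / total_critical if total_critical else 100.0
```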

The Risk Register

A risk register is the central document of any risk management program - a living inventory of identified risks, their current assessment, response decisions, ownership, and monitoring status. ISACA expects the risk register to be continuously maintained, not updated once per year. Exam questions frequently test the idea that a stale or static risk register represents a control failure, not a completed task.

Board-Level Risk Reporting

Senior management and the board need risk information in business terms, not technical terms. ISACA consistently rewards answers that translate risk into potential financial impact, regulatory exposure, and strategic implications - rather than CVE severity scores or patch counts. The security manager's role is to be the translator between technical risk reality and business decision-making language.

How Domain 2 Differs from CRISC

Many CISM candidates also hold or are considering ISACA's CRISC (Certified in Risk and Information Systems Control) credential, which is entirely focused on risk and control. Understanding the distinction helps calibrate study depth.

| | CISM Domain 2 | CRISC (full credential) |
|---|---|---|
| Depth | Manager-level breadth; 20% of one exam | Specialist depth; four domains entirely about risk and controls |
| Focus | Risk management in the context of an information security program | Enterprise IT risk and control assessment, response, and monitoring |
| Audience | Security managers building and leading security programs | Risk practitioners, internal auditors, GRC specialists |
| Quantitative rigor | Conceptual; qualitative methods favored | Deeper; ALE and control effectiveness metrics tested more rigorously |

For most CISM candidates, Domain 2 study provides a solid operational foundation. If your role is specifically in GRC, risk advisory, or internal audit, CRISC is a complementary credential worth pursuing alongside CISM. See our CISM vs CRISC comparison for a full analysis of which to pursue first.

Study Strategy for Domain 2

Domain 2 is where many candidates hit a wall because the questions are scenario-heavy and rarely have objectively "correct" answers in the way a technical exam would. The skill being tested is judgment, not recall.

1. Learn the ISACA Mental Model First

Before memorizing framework steps, internalize how ISACA thinks about risk. Key principles: risk decisions belong to business owners, not security managers; residual risk must be formally accepted; risk management is continuous; and business impact always outweighs technical severity when prioritizing response.

2. Practice Risk Scenario Questions

Domain 2 questions are scenario-based. The fastest way to improve is repetitive practice on risk scenarios where you explicitly identify: What is the risk? What is the business impact? What response strategy does the scenario call for? Who should own the decision? Timed practice reveals which instincts need correction.

3. Map Frameworks to Context

Build a simple reference table mapping each major framework (NIST RMF, ISO 31000, FAIR, OCTAVE, COBIT) to: its primary use case, the type of organization it fits, and the level of quantification it provides. You will see at least one scenario per framework type on exam day.

4. Understand the Risk Register Lifecycle

The risk register appears in multiple question types. Know what goes into it (risk description, inherent risk rating, controls in place, residual risk rating, risk owner, response decision, review date), who updates it, how frequently, and what escalation triggers look like.

5. Distinguish KRIs from KPIs

This distinction appears 2-3 times per exam on average. KRIs are leading indicators of risk exposure; KPIs are lagging indicators of control performance. Practice writing examples of each for common security scenarios until the distinction is automatic.

For a complete structured approach across all four domains, see our 12-week CISM study plan.


Frequently Asked Questions

What percentage of the CISM exam is Domain 2?

Domain 2 accounts for 20% of the CISM exam, which translates to approximately 30 questions out of 150. It is the third-largest domain by question count, after Domain 4 (Incident Management, 36%) and Domain 3 (Information Security Program, 27%).

What are the main topics in CISM Domain 2?

The five core topic areas are: establishing a risk management process, risk identification (threats, vulnerabilities, BIA), risk assessment and analysis (qualitative and quantitative methods), risk response and treatment (accept, avoid, mitigate, transfer), and risk monitoring and reporting (KRIs, risk register, board communication).

Do I need to know quantitative risk formulas for the CISM exam?

You should understand the concepts behind quantitative methods - Annual Loss Expectancy (ALE = Single Loss Expectancy x Annual Rate of Occurrence) and Return on Security Investment (ROSI) - but the exam rarely asks you to calculate a specific value. Conceptual understanding of when to use quantitative versus qualitative methods is more commonly tested.

Which risk framework does ISACA prefer on the CISM exam?

ISACA does not endorse one framework exclusively. Questions present scenarios and ask which framework fits best. COBIT 2019 (ISACA's own framework) appears frequently, as do NIST RMF and ISO 31000. The key is matching the framework to the context: NIST RMF for US federal environments, ISO 31000 for enterprise-wide programs, FAIR for financial quantification, OCTAVE for smaller organizations.

Who owns risk acceptance decisions in ISACA's model?

Business owners and senior management own risk acceptance decisions - not the CISO or security manager. The security manager's role is to identify risk, assess it, present options with their cost and residual risk implications, and obtain documented acceptance from the appropriate business authority. Any CISM question suggesting the security manager unilaterally accepts risk on behalf of the business is almost certainly wrong.

How is Domain 2 different from Domain 1?

Domain 1 (Information Security Governance, 17%) establishes the frameworks, structures, policies, and authority that make security management possible - it is about setting up the governance infrastructure. Domain 2 uses that infrastructure to manage ongoing risk: identifying threats, assessing likelihood and impact, selecting responses, and monitoring. Think of Domain 1 as the architecture and Domain 2 as day-to-day operations within that architecture. Our Domain 1 guide covers the governance side in full.

How hard is Domain 2 compared to the other CISM domains?

Most candidates find Domain 2 moderately difficult. The concepts are familiar to working security managers, but the ISACA framing - always business-first, always manager-perspective, residual risk is acceptable - requires deliberate adjustment if you come from a technical background. Domain 4 (Incident Management) is generally rated hardest due to its question volume and scenario complexity. Domain 2 is typically considered easier than Domains 3 and 4 but harder than Domain 1 for candidates without a risk management background.
