📋 Table of Contents
- Current Domain Weights at a Glance
- Domain 1: Information Security Governance (17%)
- Domain 2: Information Security Risk Management (20%)
- Domain 3: Information Security Program (33%)
- Domain 4: Incident Management (30%)
- The November 3, 2026 Update: What's Changing
- How to Study Given the Upcoming Changes
- Frequently Asked Questions
Current Domain Weights at a Glance
The Certified Information Security Manager (CISM) exam has consisted of four domains since ISACA restructured the credential in June 2022. That update shifted the weight of the exam significantly toward operational security management, reducing the emphasis on governance strategy and increasing the emphasis on program execution and incident response.
Here is how the 150-question exam is distributed today:
| Domain | Name | Weight | Approx. Questions |
|---|---|---|---|
| Domain 1 | Information Security Governance | 17% | ~26 |
| Domain 2 | Information Security Risk Management | 20% | ~30 |
| Domain 3 | Information Security Program | 33% | ~50 |
| Domain 4 | Incident Management | 30% | ~45 |
To place these in context, compare them to the weights in force before the 2022 update:
| Domain | Pre-2022 Weight | 2022-2026 Weight | Change |
|---|---|---|---|
| Information Security Governance | 24% | 17% | -7 pts |
| Information Security Risk Management | 30% | 20% | -10 pts |
| Information Security Program | 27% | 33% | +6 pts |
| Incident Management | 19% | 30% | +11 pts |
The 2022 restructure told candidates exactly what ISACA believed security managers needed to do more of: build operational programs and respond to incidents under real conditions. The theoretical governance and risk work did not disappear, but it was repositioned as a foundation rather than the exam's primary focus.
Domain 1: Information Security Governance (17%)
Governance is the smallest domain by question count but arguably the most strategically foundational. Security managers who cannot frame their work in business terms, gain executive buy-in, or align security investment to organizational risk appetite will struggle in the other domains too -- because governance is what gives the program its mandate.
The exam tests two major areas within Domain 1:
Enterprise Governance covers organizational culture and accountability, the legal and regulatory landscape (GDPR, HIPAA, PCI DSS, SOX), and how security authority is distributed across the organization. The exam does not test memorization of specific regulatory clauses. It tests your judgment about how to respond when regulations conflict with operational constraints, or when organizational culture resists security controls.
Information Security Strategy covers how to develop and maintain a security strategy that maps to business objectives, which frameworks to apply (COBIT 2019, ISO/IEC 27001, NIST CSF), and how to build business cases for security spending that resonate with a board or executive committee.
Domain 2: Information Security Risk Management (20%)
Risk management is the analytical engine that translates governance strategy into prioritized action. Domain 2 covers how to identify threats, assess their likelihood and impact, and decide what to do with the risk -- mitigate, transfer, accept, or avoid.
ISACA splits this domain into two parts:
Risk Assessment includes understanding the threat landscape (ransomware, supply chain attacks, insider threats, AI-driven attacks), analyzing vulnerability and control gaps, and applying both quantitative and qualitative risk methods. The key quantitative formula is ALE = SLE x ARO (Annual Loss Expectancy = Single Loss Expectancy times Annualized Rate of Occurrence). Know when to use quantitative analysis and when qualitative is more appropriate -- the exam tests judgment here, not just arithmetic.
Risk Response covers selecting and implementing risk treatment options, assigning ownership of risk to business units (not just IT), and establishing ongoing monitoring through Key Risk Indicators (KRIs) and risk registers. A recurring exam theme is that risk ownership belongs with the business, not the security team.
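The quantitative method from the Risk Assessment paragraph, carried one step further into the cost-benefit comparison a manager uses to choose between treatment options. This is an added illustration, not ISACA material; the asset values, exposure factors, rates and control cost are constructed.

```python
"""ALE = SLE x ARO over a small risk register, plus a control cost-benefit check.
Added illustration for CISM Domain 2; every figure below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV: business/replacement value of the asset
    exposure_factor: float  # EF: fraction of AV lost per occurrence (0..1)
    aro: float              # ARO: expected occurrences per year

    @property
    def sle(self) -> float:
        """Single Loss Expectancy = AV x EF."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annual Loss Expectancy = SLE x ARO."""
        return self.sle * self.aro


def control_net_benefit(before: Risk, after: Risk, annual_control_cost: float) -> float:
    """Annual value of a control = ALE reduction minus its annual cost.
    A positive result means the control pays for itself; a negative one
    argues for a cheaper control or another treatment (transfer, accept)."""
    return (before.ale - after.ale) - annual_control_cost


def rank_by_ale(risks):
    """Order a risk register by ALE, highest first, to prioritize treatment."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


# Constructed sample register (hypothetical figures)
RANSOMWARE = Risk("ransomware on file servers", 2_000_000, 0.40, 0.5)
VENDOR_BREACH = Risk("vendor credential compromise", 500_000, 0.60, 1.0)
LAPTOP_LOSS = Risk("unencrypted laptop loss", 5_000, 1.0, 12.0)

# The same ransomware risk after a hypothetical control (offline backups plus
# endpoint detection) that is assumed to cut EF to 0.10 and ARO to 0.25
RANSOMWARE_MITIGATED = Risk("ransomware (mitigated)", 2_000_000, 0.10, 0.25)

if __name__ == "__main__":
    for r in rank_by_ale([RANSOMWARE, VENDOR_BREACH, LAPTOP_LOSS]):
        print(f"{r.name:32s} SLE={r.sle:>12,.0f} ALE={r.ale:>12,.0f}")
    print("net annual benefit of the ransomware control:",
          control_net_benefit(RANSOMWARE, RANSOMWARE_MITIGATED, 150_000))
```

Note that the laptop risk has the lowest SLE but, because of its high ARO, a larger ALE than a single-event view would suggest; that is the kind of judgment the exam expects when choosing between quantitative and qualitative analysis.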
Domain 3: Information Security Program (33%)
The largest domain on the current exam, Domain 3 covers everything involved in building and running an enterprise security program day-to-day. This is where the "manager" part of CISM lives: allocating people and budget, choosing and implementing controls, managing third parties, measuring effectiveness, and communicating posture to stakeholders.
The breadth of Domain 3 is what makes it challenging. The major topic areas include:
- Program resources and staffing: Skills gap analysis, security team structure, budget prioritization, and build-vs-buy decisions for security capabilities
- Asset identification and classification: Data classification schemes, asset inventory, crown jewel analysis, and data flow mapping across the enterprise
- Security controls: Selecting controls based on risk assessment output, cost-benefit analysis, and regulatory requirements; testing and evaluating control effectiveness
- Policy development: The full policy hierarchy from board-level policy through standards, guidelines, and procedures; policy lifecycle management
- Security awareness and training: Designing targeted programs tied to organizational risk -- not generic annual training, but role-specific, behavior-targeted content
- Third-party and vendor risk management: Assessing vendor security posture, managing outsourced security services, supply chain risk, cloud provider shared responsibility
- Program metrics and reporting: Key Performance Indicators (KPIs), maturity model assessments, dashboards for executive and board-level audiences
Exam questions in this domain tend to be scenario-heavy and test your ability to prioritize under constraints. You will often have to choose between two reasonable actions -- and the correct answer is the one that addresses root cause at the management level rather than applying a quick technical fix.
Domain 4: Incident Management (30%)
Incident Management was the domain that changed most dramatically in the 2022 update, jumping from 19% to 30%. It now accounts for nearly one-third of the exam, reflecting the reality that incident preparedness, response, and recovery are among the most critical functions a security manager performs.
The domain covers two phases:
Readiness includes building the Incident Response Plan (IRP), conducting a Business Impact Analysis (BIA), developing Business Continuity Plans (BCP) and Disaster Recovery Plans (DRP), and testing preparedness through tabletop exercises, functional drills, and full-scale simulations. The BIA is the foundational document -- it establishes what is critical, how long it can be unavailable, and how much data loss is tolerable.
Operations covers what happens when an incident actually occurs: detection and triage using SIEM and threat intelligence, containment decisions that balance security with business continuity, forensic investigation and evidence preservation, communications to regulators and executives, and the post-incident review that feeds lessons back into the program.
Four recovery metrics recur in Domain 4 questions, and the relationships between them matter as much as the definitions:
| Metric | Definition | Relationship |
|---|---|---|
| RTO (Recovery Time Objective) | Maximum time to restore a system after disruption | Must be less than or equal to MTD |
| RPO (Recovery Point Objective) | Maximum acceptable data loss measured in time | Drives backup frequency and replication requirements |
| MTD (Maximum Tolerable Downtime) | Total time a business can survive without a critical function | Ceiling for RTO -- RTO must always be at or below MTD |
| MTTR (Mean Time to Recover) | Average measured time to restore normal operations | Operational benchmark for measuring incident response maturity |
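The relationships in the table expressed as checks a security manager can run over a BIA register: RTO at or below MTD, a backup interval that actually satisfies the RPO, and measured MTTR benchmarked against RTO. This is an added illustration, not ISACA material; the systems and hour values are constructed.

```python
"""Consistency checks for the Domain 4 recovery metrics (RTO, RPO, MTD, MTTR).
Added illustration; the BIA entries below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class BiaEntry:
    system: str
    mtd_hours: float              # Maximum Tolerable Downtime from the BIA
    rto_hours: float              # Recovery Time Objective set in the DRP
    rpo_hours: float              # Recovery Point Objective (tolerable data loss)
    backup_interval_hours: float  # how often backups/replication actually run
    mttr_hours: Optional[float] = None  # measured from past incidents, if any


def check_entry(e: BiaEntry) -> List[str]:
    """Return the findings for one BIA entry; an empty list means consistent."""
    findings = []
    # RTO is bounded by MTD: recovering later than the business can survive is a plan defect
    if e.rto_hours > e.mtd_hours:
        findings.append(f"{e.system}: RTO {e.rto_hours}h exceeds MTD {e.mtd_hours}h")
    # RPO drives backup frequency: backups less frequent than the RPO cannot meet it
    if e.backup_interval_hours > e.rpo_hours:
        findings.append(f"{e.system}: backup interval {e.backup_interval_hours}h "
                        f"exceeds RPO {e.rpo_hours}h")
    # MTTR is the measured benchmark: above RTO means the objective is not being met
    if e.mttr_hours is not None and e.mttr_hours > e.rto_hours:
        findings.append(f"{e.system}: measured MTTR {e.mttr_hours}h misses RTO {e.rto_hours}h")
    return findings


def check_bia(entries: List[BiaEntry]) -> Dict[str, List[str]]:
    """Run the checks over a whole register, keyed by system name."""
    return {e.system: check_entry(e) for e in entries}


# Constructed register (hypothetical systems and values)
BIA = [
    BiaEntry("order processing", mtd_hours=8, rto_hours=4, rpo_hours=1,
             backup_interval_hours=0.25, mttr_hours=3),   # consistent
    BiaEntry("payroll", mtd_hours=24, rto_hours=48, rpo_hours=24,
             backup_interval_hours=24),                    # RTO above MTD
    BiaEntry("customer portal", mtd_hours=4, rto_hours=2, rpo_hours=0.5,
             backup_interval_hours=6, mttr_hours=5),       # backups too sparse, MTTR misses RTO
]

if __name__ == "__main__":
    for system, findings in check_bia(BIA).items():
        print(system, "->", findings or "consistent")
```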
The November 3, 2026 Update: What's Changing
ISACA has officially confirmed that a new CISM Exam Content Outline takes effect on November 3, 2026. Exams taken before that date test the current 2022 outline. Exams taken on or after November 3rd test the updated content.
This update follows ISACA's standard Job Practice Analysis (JPA) cycle -- a global survey of working CISMs that identifies how the security management role has evolved since the last update. Given how dramatically the threat landscape, regulatory environment, and technology stack have changed since 2022, the 2026 JPA is expected to introduce meaningful revisions.
As of this writing, ISACA has not published the full new content outline. That document is typically released three to four months before the effective date. However, based on publicly available ISACA guidance, industry trends, and the scope of the JPA, the following changes are widely expected:
AI Security Governance
AI has moved from a niche topic to a board-level governance concern since 2022. Security managers are now expected to assess AI system risks, govern AI model development and deployment, and advise leadership on AI-related threats including model poisoning, prompt injection, and synthetic media fraud. ISACA has already launched the Advanced in AI Security Management (AAISM) credential -- which requires CISM as a prerequisite -- signaling how central AI governance has become to the CISM role. Expect AI risk topics to appear in Domains 1 and 2.
Expanded Third- and Fourth-Party Risk
Supply chain compromises (SolarWinds, Kaseya, MOVEit) have made vendor and supplier risk management a first-tier concern. The updated Domain 3 is expected to give more explicit coverage to software bill of materials (SBOM) governance, fourth-party risk (vendors' vendors), and security requirements in procurement processes.
Updated Regulatory Landscape
Several major frameworks and regulations came into force or were substantially updated after the 2022 JPA closed:
- NIST CSF 2.0 -- Adds a Govern function to the framework, directly affecting Domain 1 content
- ISO/IEC 27001:2022 -- Introduces 11 new controls in Annex A, including controls for threat intelligence, cloud services, and secure coding
- SEC Cybersecurity Rules -- Mandates incident disclosure within four business days for US public companies, expanding the communications requirements in Domain 4
- DORA (Digital Operational Resilience Act) -- EU financial sector resilience requirements with specific ICT risk management and incident reporting obligations
- NIS2 Directive -- Broader EU sector coverage with supply chain risk provisions that map directly to Domain 3
Domain Weight Adjustments
ISACA has not published new weights yet, but the JPA survey data typically drives weight changes when practitioners report that certain areas now consume more or less of their professional time. The most likely shifts, based on industry patterns:
- Domain 2 (Risk Management) may increase modestly, given the expanded role of formal AI risk assessment, third-party risk, and new regulatory risk obligations
- Domain 1 (Governance) may see a slight increase as well, as AI governance and board-level cybersecurity reporting have become more time-intensive management functions
- If Domains 1 and 2 increase, one or both of Domains 3 and 4 will decrease proportionally -- though all four will almost certainly remain close to their current approximate weights
How to Study Given the Upcoming Changes
Your study strategy depends almost entirely on when you plan to sit the exam. Here is the decision framework:
Testing Before November 3, 2026
If you are currently in your study plan and targeting a Q2 or Q3 2026 exam date, stay the course. The current content outline is fully published, your study materials are aligned, and you have a clear target. Allocate your study time proportionally to domain weights: roughly a third of your time to Domain 3, just under a third to Domain 4, and the remainder split between Domains 1 and 2.
Book your exam by September 2026 at the latest. That leaves buffer time for a retake under the current outline if needed, since ISACA requires a 30-day wait between attempts. An October failure would force your retake onto the new outline.
Testing After November 2026
If you are just beginning your preparation now (May 2026 or later), consider targeting a Q1 2027 exam date. By then, updated ISACA review materials, practice question banks, and third-party courses will reflect the new content outline -- and you will have had time to study the actual revised domains rather than educated guesses about them.
In the meantime, studying the current domains is not wasted effort. The fundamental concepts of security governance, risk management, program operations, and incident response are not being replaced -- they are being updated. Deep knowledge of the 2022 content outline is the right foundation for studying the 2026 update.
Universal Study Priorities
Regardless of your test window, these principles apply:
- Weight your time by domain. Domain 3 (33%) and Domain 4 (30%) deserve more than half your study time in the current outline. Do not split time equally across four domains.
- Practice scenario questions continuously. The CISM is not a recall exam. Candidates who read extensively but do not practice hundreds of scenario questions consistently underperform. Aim for at least 800 to 1,000 practice questions before exam day, analyzed for reasoning -- not just right-or-wrong.
- Study the JPA-flagged topics now. AI security governance, NIST CSF 2.0, and supply chain risk management are professionally relevant whether or not they appear on your specific exam. The time is not wasted.
- Think like a manager on every question. The most common failure mode for CISM candidates is choosing technically correct answers when the correct answer is managerially correct. If you find yourself reaching for a hands-on-keyboard solution, stop and ask: what would a security program director do here first?
For a structured week-by-week schedule aligned to the current domains, see our CISM 12-week study plan. For a deeper dive into how the November change affects your decision-making, see the full CISM exam changes 2026 guide.
Frequently Asked Questions
What are the current CISM domain weights in 2026?
The current CISM exam (effective since June 2022) weights the four domains as follows: Information Security Governance 17%, Information Security Risk Management 20%, Information Security Program 33%, and Incident Management 30%. Domains 3 and 4 together represent 63% of the 150-question exam.
When do the new CISM domain weights take effect?
ISACA has confirmed that the updated CISM Exam Content Outline takes effect on November 3, 2026. Exams taken on or after that date test the new content. Exams before that date test the current 2022 outline. ISACA typically publishes the full new outline three to four months before the effective date -- watch for it around July or August 2026.
Which CISM domain is the hardest?
Most candidates find Domain 3 (Information Security Program) the most challenging because it is the broadest -- covering asset management, policy development, controls, vendor risk, awareness programs, and security metrics. Domain 4 can also be difficult for candidates without hands-on incident response experience, since it tests practical judgment about containment and recovery decisions under time pressure.
Do I need to pass each domain separately?
No. CISM uses a composite scoring model. Your performance across all four domains is combined into a single scaled score on the 200-800 scale. The passing threshold is 450. You could score below average on one domain and still pass if you score well enough elsewhere -- though studying evenly and then doubling down on weak domains is the safer strategy.
Will my current study materials be invalidated by the November 2026 update?
If you are testing before November 3rd, your 2023 or 2024 materials are fine. If you are testing after November 3rd, you will want materials updated to reflect the new content outline -- specifically any new topics around AI governance, updated regulatory frameworks, and revised domain weights. ISACA's official review manual is updated after each content outline change; third-party publishers typically follow within a few months.
How does the 2026 update compare to the 2022 update?
The 2022 update was structurally significant -- it reduced the exam from five domains to four and shifted domain weights dramatically, with Incident Management nearly doubling from 19% to 30%. The 2026 update is expected to be less structurally disruptive (four domains will likely remain) but more content-intensive, adding AI governance, newer regulatory frameworks, and expanded supply chain risk coverage. Candidates who understand the 2022 content deeply will have a strong foundation for the 2026 update.
If I fail just before the November cutover, what happens on retake?
ISACA requires a 30-day wait before a retake attempt. If you fail in early October 2026, your next attempt falls after November 3rd and tests the new content outline. To protect yourself, schedule your exam no later than late September 2026 if you want a pre-cutover safety window for retakes. See our guide to the CISM passing rate for context on how candidates typically perform on their first attempt.