📋 Table of Contents
- What Is the CISM Body of Knowledge?
- The Four CISM Domains at a Glance
- Domain 1: Information Security Governance
- Domain 2: Information Risk Management
- Domain 3: Information Security Program
- Domain 4: Incident Management
- The CISM Review Manual: Official BOK Resource
- How to Apply the BOK to Exam Prep
- Frequently Asked Questions
What Is the CISM Body of Knowledge?
The term "Body of Knowledge" refers to the complete set of concepts, practices, and competencies that ISACA considers essential for a Certified Information Security Manager. ISACA does not publish a single document titled "CISM Body of Knowledge" -- instead, the BOK is encoded across two authoritative sources:
- The CISM Exam Content Outline (ECO) -- a free PDF available on the ISACA website that defines the four domains, their subtopics, and the percentage of exam questions allocated to each. This is the definitive blueprint for the exam.
- The CISM Review Manual -- ISACA's official study guide, currently in its 27th edition, which expands each domain into detailed explanations, key terms, and sample questions. ISACA members receive a discount on this resource.
Together, these two documents define what a CISM candidate is expected to know. Third-party study materials (QAE banks, review courses, flashcard decks) are all ultimately derived from or aligned to this core BOK. If a topic appears in neither the ECO nor the Review Manual, ISACA will not test it.
Understanding the structure of the BOK -- not just memorizing its content -- is one of the highest-leverage moves a CISM candidate can make. The exam rewards applied management judgment over rote recall, which means knowing the "why" behind each domain matters as much as knowing the "what."
The Four CISM Domains at a Glance
The current CISM exam distributes 150 questions across four domains. The weights below are drawn directly from the ISACA Exam Content Outline in effect through October 2026:
| Domain | Exam Weight | Approx. Questions (of 150) | Core Theme |
|---|---|---|---|
| 1. Information Security Governance | 17% | ~26 | Strategy, alignment, structure |
| 2. Information Risk Management | 20% | ~30 | Risk identification, assessment, response |
| 3. Information Security Program | 33% | ~50 | Program development, controls, resources |
| 4. Incident Management | 30% | ~45 | Detection, response, recovery, lessons learned |
Two domains -- Information Security Program and Incident Management -- together account for 63% of the exam. Candidates who over-invest in Domain 1 (the classic starting point for many review courses) while under-preparing for Domains 3 and 4 frequently fall short of the 450 passing score. The domain weights are not suggestions; they are the actual exam distribution. See CISM Passing Score 2026 for a full breakdown of how the scaled score translates to correct answers needed per domain.
Domain 1: Information Security Governance (17%)
Governance is the foundation of the entire CISM framework. At its core, this domain asks: how does an organization ensure that information security is directed, controlled, and aligned with business objectives? The CISM candidate is expected to think and answer like a manager responsible for that alignment -- not like a technical implementer.
Key Subtopics
- Security governance frameworks: COBIT, ISO/IEC 27001, NIST CSF, and how a manager selects and tailors a framework to organizational context
- Information security strategy: Developing a security strategy that supports business goals, obtains executive sponsorship, and can be measured against defined objectives
- Organizational structures: Roles and responsibilities (CISO, security steering committee, board-level reporting), separation of duties, and accountability models
- Policies, standards, and procedures: The hierarchy of governance documents, how they are developed, approved, communicated, and enforced
- Legal, regulatory, and contractual requirements: Mapping security obligations to applicable regulations (GDPR, HIPAA, PCI DSS, SOX) and managing compliance as a governance output
- Metrics and reporting: KPIs, KRIs, security scorecards, and how to communicate security posture to non-technical stakeholders including the board
The exam consistently tests governance in the context of board and executive communication. The correct CISM answer almost always prioritizes business risk alignment over technical completeness. If a question asks what you should do first after identifying a governance gap, "align with business objectives" or "obtain senior management support" will outperform "implement a control" or "conduct a technical assessment."
Domain 2: Information Risk Management (20%)
Risk management is where the CISM diverges most sharply from technical security certifications like CISSP. Rather than identifying and mitigating technical vulnerabilities, the CISM candidate must manage risk at the organizational level -- quantifying impact, selecting appropriate responses, and communicating residual risk to decision-makers.
Key Subtopics
- Risk identification: Threat modeling, vulnerability assessment, and the role of threat intelligence in maintaining a current risk register
- Risk assessment methodologies: Qualitative vs. quantitative approaches, asset valuation, Single Loss Expectancy (SLE), Annualized Loss Expectancy (ALE), and Annualized Rate of Occurrence (ARO)
- Risk treatment options: The four responses -- accept, avoid, mitigate, transfer -- and how to select the appropriate treatment based on risk appetite and cost-benefit analysis
- Risk appetite and tolerance: How organizations define acceptable risk levels, how security managers translate tolerance statements into operational controls
- Third-party and supply chain risk: Vendor risk assessments, contract security requirements, and ongoing third-party monitoring
- Risk communication: Presenting risk to the board, documenting residual risk, and maintaining risk registers as living documents
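The quantitative methodology in the list above (asset value, exposure factor, SLE, ARO, ALE) and the cost-benefit selection among the four treatment options are easiest to see with numbers. The following is an added example, not material from ISACA or the CISM Review Manual: the risk register entries, the risk appetite threshold, the treatment costs and residual figures are all constructed, and the selection rule in `recommend()` is this example's own assumption about how a manager might prepare a recommendation, not an ISACA-prescribed rule.

```python
"""Quantitative risk assessment (SLE, ARO, ALE) and treatment selection.

Added example with constructed figures; not from ISACA or the Review Manual.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One entry in a constructed risk register."""
    name: str
    asset_value: float      # AV: value of the asset at risk (currency units)
    exposure_factor: float  # EF: fraction of AV lost in one occurrence (0..1)
    aro: float              # ARO: expected occurrences per year

    def sle(self) -> float:
        """Single Loss Expectancy = AV x EF (loss from one occurrence)."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO (expected loss per year)."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Treatment:
    """A candidate response and its effect on the risk parameters."""
    name: str
    kind: str               # "mitigate", "transfer" or "avoid"
    annual_cost: float      # annualized cost of the treatment
    residual_aro: float     # ARO once the treatment is in place
    residual_ef: float      # EF once the treatment is in place


def residual_ale(risk: Risk, t: Treatment) -> float:
    """ALE that remains after the treatment is applied."""
    return risk.asset_value * t.residual_ef * t.residual_aro


def net_benefit(risk: Risk, t: Treatment) -> float:
    """Annual loss reduction minus the annual cost of the treatment."""
    return (risk.ale() - residual_ale(risk, t)) - t.annual_cost


def recommend(risk: Risk, options: list[Treatment], appetite: float) -> dict:
    """Prepare a recommendation for the decision-maker.

    Selection rule (an assumption of this example, not an ISACA rule):
    accept if the inherent ALE is already within appetite; otherwise take the
    option with the highest net benefit whose residual ALE is within appetite;
    if no option gets there, report the best available one and flag that an
    explicit management decision (accept the residual, or avoid) is needed.
    """
    if risk.ale() <= appetite:
        return {"kind": "accept", "name": "accept inherent risk",
                "residual_ale": risk.ale(), "net_benefit": 0.0,
                "within_appetite": True}
    if not options:
        return {"kind": "escalate", "name": "no treatment option costed",
                "residual_ale": risk.ale(), "net_benefit": 0.0,
                "within_appetite": False}
    within = [t for t in options if residual_ale(risk, t) <= appetite]
    pool = within or options
    best = max(pool, key=lambda t: net_benefit(risk, t))
    return {"kind": best.kind, "name": best.name,
            "residual_ale": residual_ale(risk, best),
            "net_benefit": net_benefit(risk, best),
            "within_appetite": bool(within)}


APPETITE = 100_000.0  # constructed: maximum ALE per risk the board will accept

# Constructed register: each risk with the treatments that were costed for it.
REGISTER = {
    Risk("ransomware on customer database", 2_000_000, 0.40, 0.5): [
        Treatment("offline backups + EDR rollout", "mitigate", 120_000, 0.10, 0.20),
        Treatment("cyber insurance policy", "transfer", 90_000, 0.50, 0.10),
        Treatment("decommission legacy platform", "avoid", 500_000, 0.0, 0.0),
    ],
    Risk("guest wifi misuse", 50_000, 0.20, 1.0): [
        Treatment("network segmentation", "mitigate", 8_000, 0.20, 0.20),
    ],
    Risk("ERP outage from supplier failure", 5_000_000, 0.50, 0.2): [
        Treatment("secondary supplier contract", "mitigate", 50_000, 0.10, 0.50),
    ],
}


def assess_register(register=REGISTER, appetite=APPETITE) -> dict:
    """Run the recommendation over every register entry, keyed by risk name."""
    return {risk.name: recommend(risk, opts, appetite)
            for risk, opts in register.items()}


if __name__ == "__main__":
    for name, rec in assess_register().items():
        print(f"{name}: {rec['kind']} ({rec['name']}); residual ALE "
              f"{rec['residual_ale']:,.0f}; net benefit {rec['net_benefit']:,.0f}; "
              f"within appetite: {rec['within_appetite']}")
```

For the ransomware entry the inherent ALE is 400,000 (SLE 800,000 at ARO 0.5); mitigation brings the residual to 40,000 for a net benefit of 240,000, which beats transfer (residual 100,000, net 210,000) and avoidance (negative net benefit), so mitigation is recommended. The guest wifi risk is within appetite as it stands and is accepted. The ERP risk has no costed option that reaches appetite, so the output carries `within_appetite: False`, which is the manager's cue to put a residual-risk acceptance decision in front of management rather than to quietly pick the cheapest control.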
ISACA's risk framework is built on a simple but important distinction: risk management is a business function, not a security function. The manager's job is to give decision-makers the information they need to make an informed risk acceptance decision -- not to eliminate all risk.
Domain 3: Information Security Program (33%)
This is the largest domain by exam weight, and the one where most CISM candidates spend the majority of their study time. Domain 3 covers the full lifecycle of building, managing, and improving an information security program -- from defining scope and securing budget to selecting controls and measuring effectiveness.
Key Subtopics
- Security program development: Establishing scope, obtaining resources, defining roadmaps, and aligning the program to the risk management framework from Domain 2
- Control frameworks and selection: How to map controls to standards (ISO 27001, NIST SP 800-53, CIS Controls), select controls appropriate to risk tolerance, and document control coverage
- Security awareness and training: Designing and measuring training programs, including phishing simulations, role-based training, and security culture initiatives
- Technology and architecture: Security architecture principles, defense-in-depth, zero trust concepts, and how security managers evaluate and approve technology decisions
- Vendor and procurement security: Security requirements in RFPs, contractual security obligations, and managing vendor access
- Program metrics and improvement: Maturity models (CMMI, ISO 27001 maturity), capability assessments, audit findings, and continuous improvement cycles
Domain 4: Incident Management (30%)
The second-largest domain covers the full lifecycle of security incidents: detection, classification, response, containment, recovery, and post-incident review. The CISM perspective on incident management is fundamentally managerial -- the exam tests the manager's role in coordinating response, communicating with stakeholders, and ensuring the organization learns from incidents.
Key Subtopics
- Incident classification and triage: Defining what constitutes an incident vs. an event, severity classifications, and escalation criteria
- Incident response planning: Building and maintaining an Incident Response Plan (IRP), defining roles and responsibilities (Incident Commander, communications lead, legal/privacy counsel), and integrating the IRP with Business Continuity and Disaster Recovery plans
- Detection and containment: The manager's role in overseeing detection capabilities (SIEM, EDR, threat intelligence feeds) and decision-making authority during containment
- Forensics and evidence handling: Chain of custody, legal hold requirements, and when to engage law enforcement or external forensic firms
- Communication and notification: Regulatory breach notification timelines (GDPR 72-hour rule, state breach laws), executive and board communication, and media/PR considerations
- Post-incident review: Root cause analysis, lessons learned documentation, and updating controls, procedures, and training based on incident findings
The CISM exam frequently presents incident scenarios and asks what the manager should do at a specific phase. The correct answer is almost always the most systematic, communications-first option -- not the most technically aggressive one. For example, when a ransomware incident is detected, the CISM answer prioritizes activating the IRP and notifying stakeholders, not immediately attempting decryption or system isolation without a plan.
The CISM Review Manual: Official BOK Resource
The ISACA CISM Review Manual (currently in its 27th edition) is the only study resource authored directly from the CISM BOK. It is structured to mirror the Exam Content Outline exactly: four chapters, one per domain, each containing explanations of key concepts, a glossary of terms, and a set of sample questions with answer explanations.
| Resource | Price (2026) | Format | Best Used For |
|---|---|---|---|
| CISM Review Manual (27th ed.) | $115 member / $145 non-member | PDF + print | Conceptual understanding, definitions |
| CISM Questions, Answers & Explanations (QAE) | $95 member / $125 non-member | PDF + online | Practice questions with rationale |
| ISACA Online Review Course | $895 member / $1,095 non-member | Video + assessments | Structured instruction across all domains |
| CISM Exam Content Outline | Free | PDF download | Confirming what is and isn't tested |
Most candidates find that combining the Review Manual (for conceptual depth) with an external question bank (for volume and varied phrasing) produces better results than relying on either alone. The QAE database from ISACA is authoritative but relatively small. Third-party platforms typically offer 500-1,000+ questions at varying difficulty levels, which better simulates the exam experience of 150 questions across 4 hours.
ISACA membership ($135/year) is almost always worth it for serious candidates: the membership discount on just the Review Manual and QAE recoups the membership fee, and ISACA members receive access to the CISM community, CPE opportunities, and the digital library of ISACA standards and frameworks.
How to Apply the BOK to Exam Prep
The most common mistake CISM candidates make is treating the BOK as a reading list rather than a thinking framework. The exam does not reward candidates who have memorized the most content -- it rewards candidates who can apply management judgment across novel scenarios. Here is how to use the BOK effectively:
1. Start with the Exam Content Outline, Not the Review Manual
Download the free ECO from ISACA before opening any study material. Read it in full. You will see exactly which subtopics are in scope, and you can build a study roadmap from the document itself. Many candidates skip this step and discover late in their prep that they over-studied low-weight areas.
2. Weight Your Study Time to Domain Weight
If you have 120 study hours available, allocate them roughly in proportion to exam weight: approximately 20 hours for Domain 1, 24 for Domain 2, 40 for Domain 3, and 36 for Domain 4. Candidates who treat all domains equally systematically under-prepare for Domains 3 and 4.
3. Practice Questions Before You Finish Reading
Start doing practice questions after your first read of each domain -- not after finishing all four. Early exposure to the question format teaches you how ISACA phrases management scenarios, which is a skill distinct from content knowledge. Aim for at least 400 questions before exam day, reviewing every incorrect answer against the relevant BOK section.
4. Read ISACA Standards Directly
ISACA makes its frameworks -- including COBIT and the Information Security Manager competency model -- available free to members through the digital library. Reading even 30-40 pages of the underlying standards gives you a feel for ISACA's conceptual priorities that no review course can fully replicate.
5. Simulate Exam Conditions
The CISM exam format is 150 questions in 4 hours, delivered via Pearson VUE. Take at least two full timed simulations before your exam date. Sustained attention over 4 hours is a skill that atrophies without practice.
Frequently Asked Questions
What is the CISM Body of Knowledge?
The CISM BOK is the complete set of knowledge areas tested on the CISM exam, as defined by ISACA's Exam Content Outline and elaborated in the CISM Review Manual. It covers four domains: Information Security Governance, Information Risk Management, Information Security Program, and Incident Management.
Where can I download the CISM Exam Content Outline?
The current Exam Content Outline is available free on the ISACA website at isaca.org. Search for "CISM Exam Content Outline" and download the PDF. It is publicly available without login. Always verify you are downloading the current version -- ISACA publishes updated outlines roughly every three years.
Is the CISM Review Manual enough to pass the exam?
The Review Manual is necessary but generally not sufficient on its own. It provides the conceptual foundation, but most candidates find that they need significant practice question volume (400-600+ questions) to internalize how ISACA phrases management scenarios. The ISACA QAE database is authoritative but relatively small; most serious candidates supplement it with a third-party question bank.
How often does ISACA update the CISM BOK?
ISACA conducts a formal Job Practice Analysis (JPA) every three to five years to validate that the CISM domains reflect current professional practice. The results of each JPA drive updates to the Exam Content Outline. The most recent significant revision took effect in 2022; the next major update is scheduled for November 2026. ISACA announces content updates well in advance through its website and candidate communications.
Which CISM domain is the most difficult?
Most candidates report Domain 3 (Information Security Program) as the most time-intensive, given its breadth and 33% exam weight. Domain 4 (Incident Management) is frequently rated the most scenario-intensive, with complex multi-phase incident questions that require sequential reasoning. Domain 1 is often the most conceptually accessible but also the easiest to under-prepare for, given its 17% weight.
Do I need to memorize specific standards (ISO 27001, NIST CSF) for the exam?
You do not need to memorize specific control numbers or clause references. You do need to understand the purpose and structure of each major framework, when a manager would apply it, and how it aligns with other standards. ISACA tests conceptual understanding and practical application -- not the ability to cite "ISO 27001 Annex A Control 8.2."
How does the CISM BOK compare to the CISSP CBK?
Both credentials use the term "Body of Knowledge" but they cover different territory. The CISSP Common Body of Knowledge (CBK) spans 8 domains and is deliberately broad, covering technical architecture, cryptography, software security, and operations in addition to governance and risk. The CISM BOK is narrower and management-focused -- all four domains address what a security manager does, not what a security engineer builds. See CISM vs CISSP for a full comparison.