ISACA CISM Study Guide
The ISACA Certified Information Security Manager (CISM) exam validates the ability to govern, design, and manage an enterprise information security program rather than to perform hands-on technical tasks. It targets experienced security managers, aspiring CISOs, IT consultants, and risk and compliance professionals who align security with business strategy. The 4-hour exam has 150 multiple-choice questions scored on a 200-800 scale (700 to pass) across four domains: Governance, Risk Management, Program, and Incident Management.
Domain 1: Information Security Governance
- Information security governance is a subset of enterprise (corporate) governance; its primary goal is to align the security strategy with business objectives, not to operate as a standalone technical function.
- The single most important success factor for a security program is visible, committed senior management and board support - it provides the authority, funding, and 'tone at the top' that makes security culture enforceable.
- The document hierarchy is strict: policies state high-level management intent (the 'what/why'), standards define mandatory measurable requirements (specific algorithms, configurations), procedures give step-by-step instructions (the 'how'), and guidelines are recommended but optional.
- Senior management and the board are accountable for information security risk and must formally approve risk appetite; the information security manager drives and implements the strategy but does not own the residual-risk acceptance decision.
- A RACI matrix assigns exactly one Accountable party per task or decision, plus Responsible (do the work), Consulted (provide input), and Informed (kept updated) roles to remove ambiguity.
- The data/information owner (a business role) classifies data, defines who may access it, and approves access; the custodian (often IT) implements and maintains the controls the owner specifies.
- A security steering committee composed of senior business and IT leaders sets priorities, allocates resources, and ensures the program stays aligned with business goals across departments.
- A business case for security investment must link risk reduction to business value and cost - justify spend in terms of impact avoided, not technical features.
- Security strategy must be measurable: define KGIs, KPIs, and a desired future state (often using a maturity model such as CMMI) and a gap analysis against the current state.
- COBIT is the preferred framework for security governance and aligning IT/security with enterprise goals; ISO/IEC 27001 and 27014 also address governance and the ISMS.
- Security-by-design means embedding security requirements early in system design so controls are built in - retrofitting controls after deployment is far more costly and less effective.
- Budget alignment to risk appetite: spend should target the risks with the greatest business impact, and one governance metric is the trend of security spend relative to risk reduced and incidents avoided.
- Governance over identity follows least privilege and zero trust ('never trust by network location; continuously verify identity, device, and context') as guiding principles for access decisions.
- A defined organizational structure with clear reporting lines (the CISO ideally reporting outside of IT, e.g., to the CEO or risk/audit committee, to preserve independence) is a core governance deliverable.
Domain 2: Information Security Risk Management
- Risk is a function of likelihood and impact (Risk = Likelihood x Impact), expressing the probability that a threat exploits a vulnerability and the resulting harm.
- There are exactly four risk treatment options: avoid (stop the activity), mitigate (reduce likelihood/impact with controls), transfer (shift financial impact via insurance or contract), and accept (formally acknowledge residual risk within appetite).
- Risk appetite is the aggregate amount and type of risk leadership is willing to accept in pursuit of objectives; risk tolerance is the acceptable variation around a specific risk. Appetite is set by senior management/the board.
- Residual risk is what remains after controls are applied; risk acceptance is appropriate only when residual risk is within appetite and treatment cost outweighs benefit, with formal sign-off from an authorized risk owner.
- Quantitative analysis uses monetary values: SLE = Asset Value x Exposure Factor and ALE = SLE x ARO; a control is justified when the reduction in ALE it delivers exceeds the annualized cost of the control.
- Qualitative analysis ranks risks by relative severity (high/medium/low or scored likelihood x impact matrices) and is faster and cheaper but more subjective than quantitative methods.
- A risk register documents identified risks, their assessment, owners, treatment decisions, and status for ongoing tracking - it is the central artifact of risk management.
- A Key Risk Indicator (KRI) is a forward-looking metric that signals rising risk exposure; a KPI measures performance/effectiveness. KRIs warn before a risk materializes.
- The first step in any risk assessment is to identify and value the assets (and the data they hold); you cannot prioritize protection without knowing what you are protecting and its worth.
- Cost-effectiveness rule: never spend more on a control than the asset (or the expected loss) is worth; if a control costs more than the risk it reduces, choose a compensating control, transfer, or accept the risk.
- Cyber insurance is a transfer mechanism justified only when the premium and coverage terms cost less than the expected loss being transferred; it does not remove accountability for the risk.
- When budget is constrained, defer the lowest-impact, lowest-likelihood controls while documenting the accepted risk, and prioritize controls by greatest risk reduction per dollar.
- Total Cost of Ownership (TCO) of a control includes acquisition, implementation, maintenance, and operation over its full lifecycle - not just the purchase price - when evaluating cost-effectiveness.
- Recovery objectives (RTO and RPO) drive redundancy and continuity decisions: the cost and complexity of redundancy must be weighed against the business impact of downtime defined in the Business Impact Analysis (BIA).
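The SLE/ALE arithmetic and the cost-effectiveness and TCO rules above, worked through in Python as an added example (this is not ISACA material or code from the page). The scenario, the control names, every monetary figure and the order in which recommend_treatment tries the four options are constructed assumptions of this example, not CISM rules.

```python
"""Quantitative risk analysis and control justification (SLE, ALE, TCO).

Added illustration, not ISACA material. All asset values, exposure factors,
rates of occurrence and control costs are constructed sample figures."""

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Scenario:
    """One threat against one asset, with the inputs the ALE formula needs."""
    name: str
    asset_value: float      # monetary value of the asset
    exposure_factor: float  # fraction of value lost per occurrence (0..1)
    aro: float              # annualized rate of occurrence (events per year)


@dataclass(frozen=True)
class Control:
    """A candidate control costed over its full lifecycle (TCO), not purchase price alone."""
    name: str
    acquisition: float       # one-off licence / purchase cost
    implementation: float    # one-off deployment and integration cost
    annual_operation: float  # yearly maintenance and operating cost
    lifetime_years: int      # period over which one-off costs are spread
    aro_after: float         # residual ARO with the control in place
    ef_after: float          # residual exposure factor with the control in place


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy = Asset Value x Exposure Factor."""
    return asset_value * exposure_factor


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Annualized Loss Expectancy = SLE x ARO."""
    return sle(asset_value, exposure_factor) * aro


def annualized_tco(control: Control) -> float:
    """Spread the one-off costs over the control's lifetime and add yearly operation."""
    one_off = control.acquisition + control.implementation
    return one_off / control.lifetime_years + control.annual_operation


def evaluate_control(scenario: Scenario, control: Control) -> dict:
    """Compare the ALE reduction the control delivers with its annualized TCO."""
    before = ale(scenario.asset_value, scenario.exposure_factor, scenario.aro)
    after = ale(scenario.asset_value, control.ef_after, control.aro_after)
    cost = annualized_tco(control)
    return {
        "ale_before": before,
        "ale_after": after,
        "ale_reduction": before - after,
        "annual_control_cost": cost,
        "net_benefit": (before - after) - cost,
        "justified": (before - after) > cost,
    }


def recommend_treatment(scenario: Scenario, control: Control, risk_appetite: float,
                        transfer_premium: Optional[float] = None) -> str:
    """Pick one of the four treatment options from the numbers.

    Order of preference used here (an assumption of this example): mitigate when
    the control pays for itself; otherwise transfer when a premium is cheaper than
    the expected loss; otherwise accept when the ALE is within appetite; otherwise
    avoid the activity (or go looking for a cheaper compensating control)."""
    result = evaluate_control(scenario, control)
    if result["justified"]:
        return "mitigate"
    if transfer_premium is not None and transfer_premium < result["ale_before"]:
        return "transfer"
    if result["ale_before"] <= risk_appetite:
        return "accept"
    return "avoid"


# Constructed sample: a customer database facing a data-breach scenario.
DB_BREACH = Scenario("customer DB breach", asset_value=2_000_000, exposure_factor=0.25, aro=0.5)
# A reasonably priced control that cuts the rate of occurrence to once a decade.
DLP_CONTROL = Control("DLP + access reviews", acquisition=100_000, implementation=50_000,
                      annual_operation=30_000, lifetime_years=5, aro_after=0.1, ef_after=0.25)
# A gold-plated control whose lifecycle cost exceeds the loss it avoids.
VAULT_CONTROL = Control("full tokenization rebuild", acquisition=1_000_000, implementation=200_000,
                        annual_operation=100_000, lifetime_years=5, aro_after=0.05, ef_after=0.2)

if __name__ == "__main__":
    for control in (DLP_CONTROL, VAULT_CONTROL):
        r = evaluate_control(DB_BREACH, control)
        print(f"{control.name}: ALE {r['ale_before']:,.0f} -> {r['ale_after']:,.0f}, "
              f"cost {r['annual_control_cost']:,.0f}/yr, justified={r['justified']}")
    print("treatment:", recommend_treatment(DB_BREACH, VAULT_CONTROL, risk_appetite=100_000,
                                           transfer_premium=180_000))
```

With the sample figures the first control removes 200,000 of annual expected loss for 60,000 a year and is justified; the second removes more loss but costs 340,000 a year, so the cheaper option is to transfer or accept rather than mitigate, which is exactly the comparison the exam expects you to make.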
Domain 3: Information Security Program
- Security awareness training targets the human factor (phishing, social engineering, password misuse) - the goal is to change user behavior to reduce human-related risk, measured by metrics such as declining phishing click rates.
- Program value to leadership is demonstrated with KPIs tied to business outcomes: fewer/less-severe incidents, faster MTTD/MTTR, critical vulnerabilities remediated within SLA, and improving compliance posture - not raw activity counts.
- Controls are classified by type - preventive (MFA, access controls, hardening, input validation), detective (IDS, log monitoring, audits), and corrective (backups, patching, incident response) - and a defense-in-depth program layers all three.
- Aligning the program to a recognized framework (ISO/IEC 27001, NIST CSF, CIS Controls, COBIT) ensures comprehensive coverage, provides a common language with auditors, and avoids overlooked threat categories.
- ISO/IEC 27001 certifies an Information Security Management System (ISMS); its Statement of Applicability (SoA) documents which Annex A controls apply and why others are excluded.
- Third-party/vendor risk is managed contractually: define required controls, breach-notification obligations, and right-to-audit clauses, and review independent assurance reports (SOC 2 Type II, ISO 27001) for ongoing assurance.
- Continuous monitoring and periodic reassessment of risk and controls verify that controls remain effective as the environment changes - a program is never 'finished.'
- Control selection is risk-based: prioritize investments where they reduce the highest-impact, most-exploitable exposures, and pair this with automated remediation workflows for efficiency.
- Compliance is achieved by mapping controls to applicable laws, regulations, and standards (GDPR, HIPAA, PCI DSS, etc.) and demonstrating the mapping through evidence.
- Cost optimization in a program comes from consolidating overlapping point tools into integrated platforms, retiring unused licenses, negotiating enterprise/volume agreements, and tiering log retention by data value.
- Tune SIEM detection rules and correlation logic to reduce false positives and surface high-fidelity alerts; alert fatigue from noisy rules is a common program failure.
- Demonstrate program ROI with business-facing metrics such as cost per risk reduced and the trend of loss avoidance against spend, communicated in financial terms.
- A documented control baseline (e.g., CIS Benchmarks, hardened gold images) ensures consistent, auditable configuration of systems across the environment.
- Roles, segregation of duties, and least-privilege access design are foundational program controls that prevent any single person from completing a high-risk transaction unchecked.
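The SIEM tuning point above, as an added example (not code from the page or from any SIEM product): a noisy "alert on every failed login" rule is run beside a tuned correlation rule over a handful of constructed SSH log lines. The log format, hostnames, usernames, addresses and the 5-failures-within-5-minutes threshold are all assumptions of this example.

```python
"""Noisy rule vs tuned correlation rule over sample authentication logs.

Added example. The log lines below are constructed for illustration and the
line format is an assumption, not any particular product's output."""

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed sshd-style line: "<iso-timestamp> <host> sshd: <Failed|Accepted> password for <user> from <src>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$"
)

# Constructed sample: alice mistypes twice then logs in (benign), bob's account is
# hit by six rapid failures and then a success (suspicious), carol fails three times
# and never succeeds (noise).
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z web01 sshd: Failed password for alice from 10.0.0.5",
    "2024-05-01T10:00:09Z web01 sshd: Failed password for alice from 10.0.0.5",
    "2024-05-01T10:00:15Z web01 sshd: Accepted password for alice from 10.0.0.5",
    "2024-05-01T10:02:00Z web01 sshd: Failed password for bob from 203.0.113.7",
    "2024-05-01T10:02:03Z web01 sshd: Failed password for bob from 203.0.113.7",
    "2024-05-01T10:02:06Z web01 sshd: Failed password for bob from 203.0.113.7",
    "2024-05-01T10:02:09Z web01 sshd: Failed password for bob from 203.0.113.7",
    "2024-05-01T10:02:12Z web01 sshd: Failed password for bob from 203.0.113.7",
    "2024-05-01T10:02:15Z web01 sshd: Failed password for bob from 203.0.113.7",
    "2024-05-01T10:02:20Z web01 sshd: Accepted password for bob from 203.0.113.7",
    "2024-05-01T10:30:00Z web01 sshd: Failed password for carol from 10.0.0.9",
    "2024-05-01T10:30:05Z web01 sshd: Failed password for carol from 10.0.0.9",
    "2024-05-01T10:30:10Z web01 sshd: Failed password for carol from 10.0.0.9",
]


def parse(line: str):
    """Turn one log line into an event dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
    return event


def parse_all(lines):
    """Parse and time-order the lines; unparseable lines are dropped."""
    return sorted(filter(None, map(parse, lines)), key=lambda e: e["ts"])


def noisy_rule(events):
    """The untuned rule: one alert per failed login, regardless of context."""
    return [{"rule": "any-failed-login", "user": e["user"], "src": e["src"], "ts": e["ts"]}
            for e in events if e["result"] == "Failed"]


def tuned_rule(events, threshold=5, window=timedelta(minutes=5)):
    """Correlated rule: alert only when a success follows >= threshold failures
    from the same source for the same user inside the window."""
    failures = defaultdict(list)
    alerts = []
    for e in events:
        key = (e["src"], e["user"])
        recent = [t for t in failures[key] if e["ts"] - t <= window]
        if e["result"] == "Failed":
            recent.append(e["ts"])
            failures[key] = recent
        else:
            if len(recent) >= threshold:
                alerts.append({"rule": "brute-force-then-success", "user": e["user"],
                               "src": e["src"], "failures": len(recent), "ts": e["ts"]})
            failures[key] = []  # a success resets the counter for this pair
    return alerts


def run_rules(lines):
    """Alert volume produced by each rule over the same input."""
    events = parse_all(lines)
    return {"noisy": len(noisy_rule(events)), "tuned": len(tuned_rule(events))}


if __name__ == "__main__":
    print(run_rules(SAMPLE_LOGS))
    for alert in tuned_rule(parse_all(SAMPLE_LOGS)):
        print(alert)
```

Over these thirteen lines the untuned rule raises eleven alerts, of which only one is worth an analyst's time; the correlated rule raises exactly that one. Measuring the ratio of alerts to true incidents per rule is a practical way to show a program is tackling alert fatigue.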
Domain 4: Incident Management
- The NIST SP 800-61 incident response lifecycle that CISM follows has four phases: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity (lessons learned).
- Preparation - building the plan, tools, roles, communication trees, and training before an incident - is the phase that most reduces response time and improvisation under pressure.
- When an incident is confirmed, the immediate priority is containment to limit the spread and damage; eradication (removing the threat and its root cause) and recovery follow after containment.
- Key incident metrics are MTTD (Mean Time to Detect - incident start to identification) and MTTR (Mean Time to Respond/Recover - detection through return to normal); a downward MTTR trend signals improving maturity.
- Legal and regulatory breach-notification deadlines are strict and drive escalation - e.g., GDPR requires notifying the supervisory authority within 72 hours of becoming aware of a personal-data breach.
- Evidence handling requires chain of custody and forensic imaging: capture a bit-for-bit image (e.g., with dd) and compute a hash (e.g., SHA-256) to prove integrity; preserve volatile data first (order of volatility).
- Escalation occurs when an incident meets defined severity criteria (data breach, regulatory notification trigger, or major business impact); criteria must be documented in advance, not decided ad hoc.
- The incident response plan must define roles, responsibilities, escalation paths, and communication/notification procedures for both internal stakeholders and external parties (legal, regulators, customers, law enforcement).
- The post-incident review (lessons-learned/after-action) identifies root cause and improvements so similar incidents are prevented or handled better; its output feeds back into the Preparation phase.
- SOAR (Security Orchestration, Automation, and Response) provides repeatable containment and triage playbooks, reducing response time and human error for routine incident actions.
- Tested, current backups enable fast, low-cost recovery (critical for ransomware), and rapid containment limits scope - both are far cheaper than rebuilding from a full compromise.
- Regular tabletop and simulation exercises refine playbooks and team coordination before a real incident, exposing gaps in roles, tooling, and communication.
- Centralized, well-organized log collection (a SIEM) makes evidence quick to locate and correlate; without it, detection and forensic analysis are slow and incomplete.
- Business Continuity (BCP) and Disaster Recovery (DR) plans complement incident response: incident management handles the security event, while BCP/DR restore business operations against RTO/RPO targets.
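The MTTD/MTTR definitions above, computed over a set of constructed incident records as an added example (not code from the page or from ISACA). The incident identifiers and timestamps are invented, the quarter grouping is a choice of this example, and "improving maturity" is read here as a non-increasing quarter-over-quarter MTTR.

```python
"""MTTD / MTTR from incident records, with a quarter-over-quarter trend.

Added example; the incidents below are constructed sample data."""

from dataclasses import dataclass
from datetime import datetime
from statistics import mean


@dataclass(frozen=True)
class Incident:
    ident: str
    started: datetime    # earliest evidence of the incident (incident start)
    detected: datetime   # when the incident was identified
    recovered: datetime  # return to normal operations

    def __post_init__(self):
        # Out-of-order timestamps would silently corrupt the metrics, so reject them.
        if not (self.started <= self.detected <= self.recovered):
            raise ValueError(f"{self.ident}: need start <= detect <= recover")


def hours_between(a: datetime, b: datetime) -> float:
    return (b - a).total_seconds() / 3600


def mttd_hours(incidents) -> float:
    """Mean Time to Detect: incident start to identification."""
    return mean(hours_between(i.started, i.detected) for i in incidents)


def mttr_hours(incidents) -> float:
    """Mean Time to Respond/Recover: detection through return to normal."""
    return mean(hours_between(i.detected, i.recovered) for i in incidents)


def quarter(d: datetime) -> str:
    return f"{d.year}Q{(d.month - 1) // 3 + 1}"


def quarterly_trend(incidents) -> dict:
    """{quarter: (MTTD hours, MTTR hours)}, keyed by the quarter of detection, in order."""
    by_quarter = {}
    for inc in incidents:
        by_quarter.setdefault(quarter(inc.detected), []).append(inc)
    return {q: (mttd_hours(v), mttr_hours(v)) for q, v in sorted(by_quarter.items())}


def mttr_improving(trend: dict) -> bool:
    """True when MTTR never rises from one quarter to the next."""
    values = [mttr for _, mttr in trend.values()]
    return all(later <= earlier for earlier, later in zip(values, values[1:]))


# Constructed sample: two incidents per quarter, detection and recovery both speeding up.
SAMPLE_INCIDENTS = [
    Incident("INC-0001", datetime(2024, 1, 10, 8), datetime(2024, 1, 12, 8), datetime(2024, 1, 14, 8)),
    Incident("INC-0002", datetime(2024, 2, 1, 0), datetime(2024, 2, 2, 0), datetime(2024, 2, 3, 12)),
    Incident("INC-0003", datetime(2024, 4, 5, 9), datetime(2024, 4, 5, 15), datetime(2024, 4, 6, 3)),
    Incident("INC-0004", datetime(2024, 5, 20, 10), datetime(2024, 5, 20, 12), datetime(2024, 5, 20, 20)),
]

if __name__ == "__main__":
    print(f"overall MTTD {mttd_hours(SAMPLE_INCIDENTS):.1f}h, MTTR {mttr_hours(SAMPLE_INCIDENTS):.1f}h")
    trend = quarterly_trend(SAMPLE_INCIDENTS)
    for q, (mttd, mttr) in trend.items():
        print(f"{q}: MTTD {mttd:.1f}h, MTTR {mttr:.1f}h")
    print("MTTR improving:", mttr_improving(trend))
```

Reporting the per-quarter trend rather than a single average is what makes the metric useful to leadership: the overall MTTR of 26 hours hides the fact that it fell from 42 hours to 10 hours between the two quarters.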
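The evidence-handling point above (bit-for-bit image, SHA-256 to prove integrity, chain of custody), as an added example that is not code from the page: the image is acquired block by block from an in-memory stand-in for a device, hashed as it is read, re-hashed to verify, and each handling step is recorded as a custody entry. The sample "disk" bytes, the evidence identifier and handler names are constructed; a real acquisition would use dd or a forensic imager against a write-blocked device rather than an in-memory buffer.

```python
"""Block-wise image acquisition with integrity hashing and a chain-of-custody log.

Added example. SAMPLE_DISK is a constructed stand-in for a storage device;
nothing here is real evidence."""

import hashlib
import io
import json
from datetime import datetime, timezone

BLOCK_SIZE = 4096  # read/write granularity, analogous to dd's bs=

# Constructed stand-in for a small device: a fake boot marker, a repeating
# byte pattern and some trailing zero sectors.
SAMPLE_DISK = b"BOOT" + bytes(range(256)) * 40 + b"\x00" * 512


def hash_bytes(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory buffer (used for verification)."""
    return hashlib.sha256(data).hexdigest()


def acquire_image(source: bytes, block_size: int = BLOCK_SIZE):
    """Copy the source block by block while hashing exactly what was read,
    the way dd piped through sha256sum would. Returns (image_bytes, sha256_hex)."""
    src = io.BytesIO(source)
    dst = io.BytesIO()
    digest = hashlib.sha256()
    while True:
        chunk = src.read(block_size)
        if not chunk:
            break
        digest.update(chunk)
        dst.write(chunk)
    return dst.getvalue(), digest.hexdigest()


def verify_image(image: bytes, expected_sha256: str) -> bool:
    """Re-hash the image and compare with the digest recorded at acquisition."""
    return hash_bytes(image) == expected_sha256


def custody_entry(evidence_id: str, action: str, handler: str, sha256_hex: str,
                  when: datetime = None) -> dict:
    """One chain-of-custody record: who did what to which evidence, when, and
    the hash that ties the record to the exact bytes handled."""
    when = when or datetime.now(timezone.utc)
    return {"evidence_id": evidence_id, "action": action, "handler": handler,
            "sha256": sha256_hex, "timestamp": when.isoformat()}


if __name__ == "__main__":
    image, digest = acquire_image(SAMPLE_DISK)
    log = [
        custody_entry("EVD-0001", "acquired bit-for-bit image", "analyst-a", digest),
        custody_entry("EVD-0001", "transferred to evidence locker", "analyst-a", digest),
        custody_entry("EVD-0001", "verified before analysis", "analyst-b", hash_bytes(image)),
    ]
    print(json.dumps(log, indent=2))
    print("image intact:", verify_image(image, digest))
    # Any single-byte change breaks verification, which is the whole point of the hash.
    tampered = b"X" + image[1:]
    print("tampered copy intact:", verify_image(tampered, digest))
```

Hashing while reading, rather than hashing the finished file afterwards, means the digest covers what was actually read from the source; the later custody entries carry the same digest so that anyone reviewing the log can re-verify the evidence at each hand-off.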
ISACA CISM exam tips
- Always answer as a security MANAGER, not a technician: choose the governance, risk, or business-aligned option over the hands-on technical fix. When in doubt, the answer that involves senior management, business alignment, or risk appetite is usually correct.
- Identify the FIRST/BEST/MOST/PRIMARY step. CISM questions hinge on these qualifiers - many options are valid actions, but only one is the best first step (often risk assessment, asset identification, or obtaining management support).
- Map every scenario back to business value and risk. The justification for any control, spend, or decision is reducing business risk to within the organization's risk appetite - never security for its own sake.
- Know the standard sequences cold: the four risk responses, the NIST incident lifecycle phases, and the policy-standard-procedure hierarchy. Questions test whether you order or classify them correctly.
- Pace yourself: 150 questions in 240 minutes is about 90 seconds each. Flag and skip lengthy scenario questions, answer the quick wins first, and return to the hard ones - there is no penalty for guessing.
Study guide FAQ
How is the CISM exam structured and what score do I need to pass?
CISM has 150 multiple-choice questions to be completed in 4 hours (240 minutes). It is scored on a scaled 200-800 range and you need 700 to pass, which is a relative scaled score - not a raw 70% of questions correct.
Do I need work experience to become CISM certified?
Yes. To earn the certification you must pass the exam and document at least five years of information security work experience, with a minimum of three years in information security management across three or more of the four domains, earned within the 10 years before applying (or up to 5 years after passing). Certain certifications and degrees can waive up to two years.
Is CISM a technical or a management exam?
CISM is a management-focused certification. It tests how you govern, design, and manage a security program and align it with business objectives - not hands-on configuration. Even when a question shows a command or technical detail, the correct answer almost always reflects the right managerial, risk-based, or governance decision rather than the technical step.
How should I prepare, and how does CISM differ from CISSP?
Use the official ISACA CISM Review Manual and the QAE (Questions, Answers and Explanations) database, and practice thinking like a manager. CISM is narrower and more management-oriented than CISSP: CISSP is broad and technical across eight domains for practitioners, while CISM concentrates on four governance and management domains aimed at security leaders and aspiring CISOs.