The CISM (Certified Information Security Manager) exam tests your ability to manage and govern an enterprise information security program. Here's a domain-by-domain roadmap to help you prepare effectively.
CISM at a Glance
Domain 1: Information Security Governance (17%)
This domain tests your understanding of establishing and maintaining an information security governance framework.
Key Topics:
Study Focus: Understand the difference between governance (direction-setting by leadership) and management (execution of that direction). CISM questions in this domain test strategic thinking, not technical implementation.
Domain 2: Information Security Risk Management (20%)
Managing risk is central to CISM. This domain covers identification, assessment, and treatment of information security risks.
Key Topics:
Study Focus: Know the formulas — ALE = SLE × ARO. Understand when to use quantitative vs. qualitative approaches. Practice calculating risk scenarios.
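A worked version of the risk calculation, added here as an example rather than text from the original article; the ransomware scenario and the control costs are constructed for illustration. It also carries the ALE formula one step further than the article does, into the standard safeguard cost-benefit check (ALE before, minus ALE after, minus the control's annual cost), which is how quantitative risk treatment decisions are scored:

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class RiskScenario:
    name: str
    asset_value: float      # AV: what the asset is worth
    exposure_factor: float  # EF: fraction of AV lost per occurrence (0.0 to 1.0)
    aro: float              # ARO: expected occurrences per year

    def sle(self) -> float:
        # Single Loss Expectancy = AV x EF
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        # Annualized Loss Expectancy = SLE x ARO (the formula from the study focus)
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    residual_ef: float   # EF once the control is in place
    residual_aro: float  # ARO once the control is in place


def residual_ale(scenario: RiskScenario, control: Control) -> float:
    return replace(scenario, exposure_factor=control.residual_ef, aro=control.residual_aro).ale()


def net_benefit(scenario: RiskScenario, control: Control) -> float:
    # Safeguard cost-benefit: (ALE before) - (ALE after) - (annual cost of the control)
    return scenario.ale() - residual_ale(scenario, control) - control.annual_cost


def choose_treatment(scenario: RiskScenario, controls: list[Control]) -> Optional[Control]:
    # Mitigate with the control of highest net benefit. A control that costs more
    # than the loss it avoids is not justified, so None here means "accept the risk".
    best = max(controls, key=lambda c: net_benefit(scenario, c))
    return best if net_benefit(scenario, best) > 0 else None


# Constructed scenario (not from the article): ransomware against a departmental file server.
RANSOMWARE = RiskScenario("ransomware on file server", asset_value=500_000, exposure_factor=0.4, aro=0.5)
CONTROLS = [  # constructed control options and costs
    Control("offline backups", annual_cost=30_000, residual_ef=0.1, residual_aro=0.5),
    Control("EDR rollout", annual_cost=60_000, residual_ef=0.4, residual_aro=0.1),
    Control("managed SOC", annual_cost=120_000, residual_ef=0.2, residual_aro=0.1),
]

if __name__ == "__main__":
    print(f"SLE={RANSOMWARE.sle():,.0f}  ALE={RANSOMWARE.ale():,.0f}")
    for c in CONTROLS:
        print(f"{c.name:16} residual ALE={residual_ale(RANSOMWARE, c):>9,.0f}  net benefit={net_benefit(RANSOMWARE, c):>9,.0f}")
    chosen = choose_treatment(RANSOMWARE, CONTROLS)
    print("treatment:", chosen.name if chosen else "accept")
```

Note that the cheapest control is not automatically the answer and neither is the one with the lowest residual ALE; the exam expects the option with the best net benefit, and "accept" when no option is worth its cost.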
Domain 3: Information Security Program (33%)
The largest domain — and the most important. This covers building, managing, and maintaining the security program.
Key Topics:
Study Focus: This domain is about execution. Understand how to translate governance decisions into operational security controls and programs. Know common security frameworks (NIST CSF, ISO 27001, COBIT).
Domain 4: Incident Management (30%)
The second-largest domain covers planning, detection, response, and recovery from security incidents.
Key Topics:
Study Focus: Know the incident response lifecycle cold. Understand the order of operations — detect, contain, eradicate, recover, review. BCP/DRP questions are common and test your understanding of RTO, RPO, MTTR, and MTPD.
12-Week CISM Study Plan
Key Differences from CISA
If you've studied for CISA, note these CISM differences:
Start Your CISM Prep
Our CISM Course covers all 4 domains with 20 lessons, 290+ MCQs, full-length mock exams, and flashcards.
Generate a personalized study schedule with our free Study Plan Generator.