The CISM® (Certified Information Security Manager®) qualification from ISACA® is one of the most widely respected credentials for information security professionals. It demonstrates not only technical expertise, but also the strategic insight required to build, manage and improve enterprise-level security programmes.
Since its launch in 2002, CISM has become a globally recognised benchmark for senior roles in information security governance, risk and incident management. It is accredited under ISO/IEC 17024 and was named Best Professional Certification Program in the SC Awards 2025 – a reflection of its continued relevance and high industry regard.
CISM is designed for individuals who manage, design or assess an organisation’s information security function. It is particularly valued by employers looking to fill leadership roles such as CISO, information security manager, risk and compliance officer, or governance lead.
What are the 4 CISM domains?
| CISM domain | Exam weighting |
| 1. Information Security Governance | 17% |
| 2. Information Security Risk Management | 20% |
| 3. Information Security Program | 33% |
| 4. Incident Management | 30% |
Our CISM training course prepares candidates across all four domains, using official ISACA materials.
Summary of the CISM domains
1. Information Security Governance
This domain covers the structures, roles and strategies that support enterprise-level information security. It accounts for 17% of the CISM exam and includes:
| A – Enterprise Governance | B – Information Security Strategy |
| Organizational Culture | Information Security Strategy Development |
| Legal, Regulatory and Contractual Requirements | Information Governance Frameworks and Standards |
| Organizational Structures, Roles and Responsibilities | Strategic Planning (e.g. Budgets, Resources, Business Case) |
2. Information Security Risk Management
This domain focuses on assessing and managing security risks within the business context. It accounts for 20% of the CISM exam and includes:
| A – Information Security Risk Assessment | B – Information Security Risk Response |
| Emerging Risk and Threat Landscape | Risk Treatment/Risk Response Options |
| Vulnerability and Control Deficiency Analysis | Risk and Control Ownership |
| Risk Assessment and Analysis | Risk Monitoring and Reporting |
3. Information Security Program
This domain addresses the development and management of an effective information security programme. It is the largest component of the CISM exam, comprising 33%, and includes:
| A – Information Security Program Development | B – Information Security Program Management |
| Information Security Program Resources (e.g. People, Tools, Technologies) | Information Security Control Design and Selection |
| Information Asset Identification and Classification | Information Security Control Implementation and Integration |
| Industry Standards and Frameworks for Information Security | Information Security Control Testing and Evaluation |
| Information Security Policies, Procedures and Guidelines | Information Security Awareness and Training |
| Information Security Program Metrics | Management of External Services (e.g. Providers, Suppliers, Third and Fourth Parties) |
| Information Security Program Resources (e.g. People, Tools, Technologies) | Information Security Program Communications and Reporting |
4. Incident Management
This domain covers both preparedness and operational response to security incidents. It accounts for 30% of the CISM exam and includes:
| A – Incident Management Readiness | B – Incident Management Operations |
| Incident Response Plan | Incident Management Tools and Techniques |
| Business Impact Analysis (BIA) | Incident Investigation and Evaluation |
| Business Continuity Plan (BCP) | Incident Containment Methods |
| Disaster Recovery Plan (DRP) | Incident Response Communications (e.g. Reporting, Notification, Escalation) |
| Incident Classification/Categorisation | Incident Eradication and Recovery |
| Incident Management Training, Testing and Evaluation | Post-Incident Review Practices |
CISM exam format and maintenance
- 150 multiple-choice questions – 4-hour duration
- Passing scaled score: 450–800
- Experience requirements: 5 years’ work experience in information security management (waivers available for up to 2 years)
- Cost: £600 + VAT
- Maintenance: 120 CPE (Continuing Professional Education) hours over 3 years (minimum 20 annually), and compliance with ISACA’s Code of Professional Ethics
Why choose CISM?
CISM validates not only technical knowledge but also leadership ability in managing information security programmes. It demonstrates that you understand how to align security initiatives with business objectives, manage risk effectively and respond to incidents in a controlled and strategic manner.
- Globally recognised
- Over 65,000 professionals certified to date
- Aligns with NIST, COBIT, ISO 27001 and other major frameworks
- Frequently listed as a prerequisite for CISO, risk and compliance roles
- Recognised by employers as a sign of strategic-level expertise
Earn your CISM credential
IT Governance is an ISACA Accredited Partner. Our CISM Training Course has been designed to help you pass the exam first time, using the official ISACA curriculum and the CISM Review Questions, Answers & Explanations Manual.
The course is available in a range of learning formats – Live Online or in person – and successful completion leads to 28 CPD points.
The post The 4 CISM Domains Explained appeared first on IT Governance Blog.
