CISM domain 1: Information security governance [Updated 2019]

July 5, 2019 by Lester Obbayi

This domain covers the body of knowledge and associated tasks that candidates need in order to develop an information security governance structure that is aligned with organizational objectives.

According to the Information Security Governance Guidance for Boards of Directors and Executive Management, 2nd Edition, the IT Governance Institute (ITGI) defines governance as “the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risk is managed appropriately and verifying that the enterprise’s resources are used responsibly.”

In our article “CISM Domain Overview,” we gave an overview of the different domains the CISM candidate encounters on the exam and touched on information security governance (ISG) only lightly. In this article we look at the domain in more depth and discuss what candidates need to know in preparation for the examination.

Information security governance objectives

One of the objectives of ISG is to ensure that there is an appropriate security framework in place that meets the objectives of the organization.

Candidates are tested on the broad requirements for effective ISG and on what is required to develop such a framework, together with an accompanying plan of action for implementing it.

Candidates will be required to understand the contents of the framework, which will generally consist of:

  1. A comprehensive security strategy that is intrinsically linked with business objectives
  2. Governing security policies that address each aspect of strategy, controls and regulation
  3. A complete set of standards for each policy to ensure that procedures and guidelines comply with policy
  4. An effective security organizational structure, free of conflicts of interest and with sufficient authority and adequate resources
  5. Institutionalized metrics and monitoring processes to ensure compliance, provide feedback on effectiveness, and provide the basis for appropriate management decisions.

The implementation and management of security programs is discussed in detail in the CISM review manual under the topic “Information Security Program Development and Management,” where the different frameworks are covered. One framework that candidates should pay particular attention to is SABSA (the Sherwood Applied Business Security Architecture) for security management.

Importance of information security governance

As dependence on information grows, so does the criticality of ISG. Organizations increasingly recognize that information, and the knowledge derived from it, is something without which conducting business would not be possible. Candidates are therefore tested on the benefits that effective ISG delivers. These include:

  • Providing assurance of policy compliance. Candidates will be required to show an understanding of how assurance of policy compliance can be obtained.
  • The ability to address the increasing potential for civil or legal liability accruing to the organization.
  • The ability to improve trust in customer relationships.
  • The methods that can be used to protect the organization’s reputation.
  • The methods for effective management of information security resources.

From the points above, candidates come to appreciate how ISG can add significant value to the organization by reducing losses from security-related events and ensuring that those events which do occur are not catastrophic.

Outcomes of information security governance

Information security governance contains a structured set of elements that are required to provide senior management with assurance that its major objectives are captured in the organization’s security posture. After the elements have been put in place, management can rest assured that adequate and effective information security will protect the organization’s most critical and important assets.

ISG is mainly involved in the development, implementation and management of a security program that achieves six outcomes that candidates will be tested on. These include:

Strategic alignment: Emphasis here is placed on aligning information security with the business strategy in order to support the objectives of the organization.

Risk management: Candidates are tested on the risks facing the organization and on how they can be managed so that the negative impact on the business is reduced to an acceptable level.

Value delivery: The exam lays emphasis on security investments being intended to support the business. Candidates are tested on the measures that ensure security investments deliver on their objectives and are continuously improved.

Resource management: Candidates will need to understand several points here. For example, knowledge that is captured must be made available across the organization, proper practices must be followed for document security, and durable security architectures must be designed that define and make efficient use of resources.

Performance measurement: Candidates will be tested on the various reporting metrics, on how effective reporting on information security processes is done to meet the desired objectives, and on how independent assurance can be obtained from external audits and assessments.

Integration: ISG ensures that the relevant assurance functions are integrated so that processes operate as intended from end to end. Candidates are tested on the integration and coordination of the various assurance functions so as to ensure complete security, on the formal relationships between those functions, and on the roles and responsibilities of each.

Finally, candidates should know that ISG is the responsibility of the board of directors and executive management and should be a transparent and integral part of enterprise governance, complementing or encompassing the IT governance framework. This is supported by the developers of the Business Model for Information Security (BMIS), who state that “It is no longer enough to communicate to the world of stakeholders why the organization exists and what constitutes success, we must also communicate how we are going to protect our existence.”

Senior management roles and responsibilities

ISG requires commitment, resources and the assignment of the responsibilities necessary for information security management. A means of determining whether the board’s intent has been met is also necessary; this is achieved by having qualified management oversee the security of the organization.

Candidates will be tested on the different roles and responsibilities of senior management. For example, they will be required to identify whose primary responsibility it is to implement information security governance, which role is in the best position to review and confirm the appropriateness of a user access list, or what the most important factors regarding data retention are.

As an example, let us take a look at the Executive Management role.

Executive Management

Since defining and implementing security governance that accurately meets the identified security objectives is a difficult affair in most circumstances, an organization’s executive management is tasked with ensuring that the necessary organizational functions, resources and supporting infrastructure are made available and properly used to fulfill the requirements set by the board.

Candidates are likely to be asked about how security information is presented to executive management; such presentations should, for instance, tie security risks to key business objectives.

An understanding of the characteristics of centralized information security management is also required. One such characteristic is better adherence to policies, for example.

Candidates should understand the role of the information security (IS) manager as it relates to executive management. IS managers, for instance, are required to provide guidance on the available options and key decision-support information, and to coordinate specific activities such as quarterly information risk reviews and go/no-go meetings for new information systems.

The IS manager must also ensure that executives have specific roles, are provided with specific information and have specific decisions to make when security management issues are raised.

Candidates should also understand the roles and responsibilities of other senior management such as the steering committee and CISO.

After preparing for and passing the examination, candidates will understand the requirements for effective information security governance, the elements and actions required to develop an information security strategy, and how to build a plan of action to implement it.


Lester Obbayi is a Cyber Security Consultant with one of the largest Cyber Security Companies in East and Central Africa. He has a deep interest in Cyber Security and spends most of his free time doing freelance Penetration Tests and Vulnerability Assessments for numerous organizations.
