CISM: Overview of domains [updated 2022]
The certified information security manager (CISM) is for professionals tasked with overseeing organizations’ information security, which involves the development of working information security policies and practices. On June 1, 2022, ISACA introduced a new CISM exam and consequently updated the exam outline. Changing the outline means the CISM job practice areas have changed.
This article reviews the changes in CISM domains and domain weights in the new exam. Candidates must demonstrate proficiency in all domains to pass the CISM certification.
The CISM certification domains
The CISM exam contains 150 multiple-choice questions to be completed in four hours. Candidates are tested on the four information security management areas, representing a job practice analysis of the work done by information security professionals as validated by subject matter experts, industry leaders and company practitioners.
Here are the key domains and subdomains included in the new exam, along with an overview of how things changed after June 1, 2022.
| CISM domains before June 1, 2022 | CISM domains after June 1, 2022 |
|---|---|
| Domain 1 — Information security governance (24% exam weight) | Domain 1 — Information security governance (17% exam weight) |
| Domain 2 — Information risk management and compliance (30% exam weight) | Domain 2 — Information security risk management (20% exam weight) |
| Domain 3 — Information security program development and management (27% exam weight) | Domain 3 — Information security program (33% exam weight) |
| Domain 4 — Information security incident management (19% exam weight) | Domain 4 — Incident management (30% exam weight) |
What topics (tasks/knowledge statements) are covered in each domain?
Domain 1: Information security governance
Total questions: 25
The first domain tests candidates’ ability to develop, maintain and manage information security governance frameworks. Candidates must also identify the relevant contractual and regulatory requirements that affect the enterprise, and they have to describe how enterprise structure, culture and leadership influence the performance of an information security strategy.
The domain also covers measuring the impact of the information security strategy on enterprise risk management. Candidates must align the information security program with the operational objectives of other business functions. Among other concepts, they will be asked about security metrics: how to assess security performance periodically and quantitatively, and how to do so effectively.
Domain 2: Information security risk management
Total questions: 30
The second domain requires candidates to identify risks applicable to an organization. This used to be the largest part of the CISM exam, but incident management now carries greater weight than information security risk management. Still, it’s an important domain in which candidates must determine applicable risks and evaluate whether they’re above or below the organization’s risk appetite.
For risks above the organization’s risk appetite, candidates need to develop a risk response. This includes looking into various risk treatments, defining who will control the risk and constantly monitoring risks and controls. Candidates should evaluate risks periodically to ensure the organization is taking care of new threats, such as those arising from work-from-home programs.
Domain 3: Information security program
Total questions: 50
This domain involves configuring the organization’s information security strategies and implementing them efficiently. Candidates are tested on their ability to execute security strategies and derive a security program, guidelines, procedures, and metrics for the enterprise.
CISM’s third domain has also been updated to include control design and selection, which was previously part of the second domain. Candidates also need to know how controls are implemented and integrated, and how they are to be tested and evaluated. Another important area is the management of external services (third-party providers): candidates should be able to describe how the security program is extended to third and fourth parties, because this requires a different set of controls than managing internal systems.
Domain 4: Incident management
Total questions: 45
The last domain deals with readiness for information security incidents. Candidates must outline the procedures and requirements for developing an incident response plan. Other areas that require attention are methodologies for categorizing or classifying incidents and how the response plan is to be tested and evaluated.
Incident management also includes operations, which involves the ongoing management of a reported incident. Candidates must describe the methods and processes used to evaluate, investigate and contain an incident. In addition, it’s crucial to understand the relationship between incident response, business continuity, and business impact. One of the goals of the domain is to ensure candidates can identify and contain incidents and address their root causes.
Whether you are just starting your CISM journey or are preparing to take the exam, being up to date with the CISM knowledge domains is essential to your success. We hope this overview will be a valuable resource for candidates looking to strategize their study for the examination. For a detailed insight into the CISM certification, check out our ISACA CISM hub.