ISACA Changes CISM Exam for 2012

April 23, 2012 by Kenneth Magee

According to ISACA, the CISM certification is changing to reflect the new CISM job practice analysis. (Source: ISACA’s CISM Review Manual 2012 p. iii)

ISACA has restructured the CISM, reducing it from five domains to four. The former Information Security Program Development and Information Security Program Management domains have been combined into a single domain entitled Information Security Program Development and Management. The weighting of the domains has also changed: Domain 1 – Information Security Governance has been raised from 23% to 24%; Domain 2 – Information Risk Management and Compliance has been raised from 22% to 33%; the combined Domain 3 – Information Security Program Development and Management has been reduced from a combined total of 41% to 25%; and the last domain, Domain 4 – Information Security Incident Management, has been raised from 14% to 18%.

Domain 1 changes include expanded task and knowledge statements, with the emphasis now on “Establishing and maintaining” rather than “Developing and Identifying.”

Domain 2 changes include a substantial increase in the focus on Compliance. Additional task and knowledge statements have been added which, as in Domain 1, shift the focus to “Establishing and maintaining,” as well as adding statements for “Managing information risk to an acceptable level to meet the business and compliance requirements of the organization.” (Source: ISACA’s CISM Review Manual 2012 p. 76)

Domain 3 combines the old Domain 3 and Domain 4, so Information Security Program Development and Management now falls within a single domain. As with the first two domains, the emphasis has shifted here as well, from establishing to establishing and maintaining.

Domain 4 shows the same shift in emphasis: for example, 6 of the 10 task statements start with “Establish and Maintain,” whereas in the 2011 version not a single task statement started that way.

Clearly, management is expected to take a more active role in Information Security Management, and the expanded role definitions in Domain 1 make it clear that management is being tasked with active participation in information security.


Kenneth Magee

J Kenneth (Ken) Magee is president and owner of Data Security Consultation and Training, LLC, which specializes in data security auditing and information security training. He has over 40 years of IT experience in both private industry and the public sector with the last 21 devoted to IT security and Risk Management.

Ken holds degrees from Robert Morris University and Fairleigh Dickinson University. He holds 30 certifications including: CTT+, CEH, CPT, SSCP, CISSP-ISSMP, CAP, CISA, CISM, ISO 27001 PA, GIAC-GWAPT/GSEC/GSNA, CIA-CGAP, Security+, and CDP. He is a Senior Instructor with the InfoSec Institute.