Career Employer

FREE CISM Study Guide 2026: All 4 Domains

The most important things the CISM tests — an interactive study guide with built-in quizzes and flashcards, organized by all 4 ISACA domains.

Check sections to boost your score

Don't know where to start?

To find us again, just search “Career Employer CISM

By

This free CISM study guide walks through every content domain the Certified Information Security Manager exam tests, organized to the current ISACA exam content outline.[1]

It’s interactive, not a wall of text: every module has built-in checkpoint quizzes, flashcards, and practice questions, so you learn by doing — not just reading.

The CISM tests four official domains, and it is a management exam: it asks for the best or most appropriate action a security manager would take — governance, risk strategy, running the program, and handling incidents — not hands-on technical configuration. We teach all four in four study modules and lead with Governance, which frames everything else.

Read a module, test yourself at each checkpoint, then drill gaps with our free practice test and flashcards. This guide is a high-yield overview mapped to the official content — not a full security textbook.

CISM Exam Snapshot

CISM exam at a glance
DetailCISM Exam
Questions150 multiple-choice (plus unscored pretest items)
Format4 options, one BEST answer; some scenario-based items
Time4 hours (240 minutes)
Passing score450 on a 200–800 scaled scale
Administered byISACA, delivered at PSI test centers or remote online proctored
Certifying bodyISACA
Experience5 years' infosec management experience (3+ yrs in 3 of 4 domains); up to 2 yrs waivable
Cost$575 member / $760 non-member (+ $50 application fee)
Recertification120 CPE credits over 3 years (min 20/yr) + annual maintenance fee
LanguagesEnglish, Spanish, Chinese (Simplified), Japanese, French, German

The CISM covers four domains, and the weighting is lopsided toward execution: the Information Security Program is the largest at 33%, and Incident Management is close behind at 30% — together 63% of the exam. Governance (17%) is smallest by weight but frames everything, so it is where to start.[1] Study by weight:

CISM weighting by domain (ISACA exam content outline)
Information Security Program33% · Domain 3
Incident Management30% · Domain 4
Information Security Risk Management20% · Domain 2
Information Security Governance17% · Domain 1

Module 1 · Information Security Governance

One official domain, 17% of the exam. Governance is leadership’s ownership of security: setting direction, aligning security to the business, and holding the organization accountable. It is the smallest domain by weight but the foundation the other three rest on — get the governance mindset and the rest of the exam makes sense.

1.1 Enterprise Governance

is exercised by the board and senior management. They own risk, set the tone at the top, and are ultimately accountable; the security manager translates business goals into a program and reports back up. Know the chain of who directs what.

Clear ownership is central, and the exam loves the model. For any control or task, exactly one party is Accountable (answers for the outcome) while one or more are Responsible (do the work); others are Consulted or Informed. Typically the (a senior business manager) is accountable for an asset, and the (IT) is responsible for the controls.

Two governance duties are heavily tested: (researching risks and building the plan) and (acting on it and maintaining controls). Together they form the “prudent person rule” that limits negligence liability after an incident.[1] Governance also means meeting legal, regulatory, and contractual requirements and shaping a healthy security culture.

The governance document hierarchy
DocumentWhat it isMandatory?
PolicyHigh-level management statement of intent and goalsYes
StandardSpecific mandatory requirements (e.g., 'use AES-256')Yes
ProcedureDetailed step-by-step instructionsYes
BaselineA minimum required level of securityYes
GuidelineRecommended, discretionary best practiceNo

1.2 Information Security Strategy

The is the long-term plan that aligns the program to business objectives — the desired future state. Building it starts with understanding the business, then a comparing the current state to a target (often a framework or ), which produces a prioritized roadmap.

Strategy leans on recognized frameworks and standards: (ISACA’s governance framework), (a certifiable ISMS), and the . To win resources, the manager makes a — a cost/benefit justification, often expressed as return on security investment — so security is funded as a business enabler, not a cost center. This is the essence of and .[9]

Common governance frameworks and standards
FrameworkOwnerPurpose
COBITISACAGovernance and management of enterprise IT
ISO/IEC 27001ISO/IECCertifiable Information Security Management System (ISMS)
NIST CSFNISTVoluntary cybersecurity risk-management framework
ISO/IEC 27002ISO/IECCatalog of information security controls

Checkpoint · Information Security Governance

Question 1 of 10

An information security manager builds a RACI chart for a new data-handling initiative. Which role on a RACI chart must be assigned to exactly one party for each activity?

Module 2 · Information Security Risk Management

One official domain, 20% of the exam. Risk management is the discipline of finding, rating, treating, and monitoring risk so it stays within the organization’s appetite. On CISM it is a management activity — who owns the risk, what response is appropriate, and how to report it — not a technical scan.

2.1 Risk Assessment & Analysis

Risk is the chance a exploits a to harm an asset, rated by likelihood × impact. The process is a continuous loop, and everything is measured against the board’s .

Three appetite terms are tested together: (willingness to take risk), (acceptable deviation around it), and (the most risk the organization can absorb). You also distinguish (before controls) from (after).

You assess risk two ways. Qualitative analysis ranks risks high/medium/low — fast and subjective. Quantitative analysis is dollar-based: the = Asset Value × Exposure Factor; the is events per year; and the = SLE × ARO is the expected yearly cost — the figure that cost-justifies a control to management.[4]

2.2 Risk Response & Monitoring

Once a risk is rated, you choose a : mitigate (add controls), transfer (insurance or a third party), avoid (stop the activity), or accept (formally tolerate the residual risk). Acceptance is a documented decision by the — never just ignoring a risk.

The four risk response options
ResponseWhat you doExample
Mitigate (reduce)Add controls to lower likelihood or impactDeploy MFA to reduce account takeover
TransferShift the financial impact to a third partyBuy cyber-insurance or outsource
AvoidStop the activity that creates the riskDiscontinue a risky product feature
AcceptFormally tolerate the residual riskRisk owner signs off on a low-impact risk

Ownership must be explicit: the is accountable and accepts residual risk, while the operates the control. Everything is tracked in a and monitored over time with s (forward-looking risk signals), s (performance), and s (goal achievement). The manager then reports risk posture to senior management so they can decide.

Metrics: KRI vs. KPI vs. KGI
MetricAnswersExample
KRI (Key Risk Indicator)Is risk rising?# of unpatched critical systems trending up
KPI (Key Performance Indicator)Is the program performing?% of staff who finished security training
KGI (Key Goal Indicator)Did we hit the goal?100% of critical systems patched within SLA

Checkpoint · Information Security Risk Management

Question 1 of 10

Which statement most accurately defines an organization's risk appetite?

Module 3 · Information Security Program

One official domain, 33% of the exam — the largest. The program is where strategy and risk decisions become operating reality: resources, classification, frameworks, policies, controls, training, vendor management, and metrics. Expect the most questions here, and expect them to test management judgment about building and running the program.

3.1 Program Development

An is built from the strategy down. It needs resources (budget, people, tools), then — labeling assets by sensitivity so protection lands where it matters — followed by selecting industry standards and frameworks, writing , procedures, and guidelines, and defining program metrics.

Classification is a business decision: the assigns it; the implements the resulting controls. Over-classifying wastes resources; under-classifying creates risk.[5]

Asset classification roles and outcomes
Role / conceptDetail
Data ownerAccountable; sets classification and protection requirements (senior manager)
Data custodianResponsible for day-to-day controls (backups, access) — usually IT
ClassificationLabeling by sensitivity (e.g., public, internal, confidential, restricted)
DrivesHandling, access, encryption, retention, and destruction requirements

3.2 Program Management

Running the program means selecting and operating controls. Know the control types by function and by nature — managers choose a layered mix () to meet the risk cost-effectively.

Beyond controls, program management covers (the most cost-effective control for the human element), managing external services — holding vendors to security requirements through an (and internal s) and managing — and communications and reporting. Embedding security into builds via a , plus and , round out the operating controls.

Control types by nature
NatureWhat it isExamples
AdministrativePolicy and people controlsPolicies, training, background checks
Technical (logical)Technology-enforced controlsFirewalls, encryption, access control
PhysicalControls in the physical worldLocks, guards, cameras, fences

Checkpoint · Information Security Program

Question 1 of 10

When an information security program is first stood up, what should the security manager establish before allocating budget to specific projects?

Module 4 · Incident Management

One official domain, 30% of the exam. Incident management is preparing for, detecting, responding to, and recovering from security incidents — and learning from them. It splits into readiness (the planning you do in advance) and operations(what you do when an incident hits). At 30%, it’s nearly a third of the exam.

4.1 Incident Management Readiness

Readiness is mostly the battle. It centers on the , which identifies critical processes and the impact of disruption, producing the recovery objectives every other plan serves.

Know the metrics cold. is the target time to restore a system; is the acceptable data loss (it drives backup frequency); is the time to resume normal operations; and the is the absolute outer limit, where MTD = RTO + WRT. From the BIA flow the (keep the business running) and the (restore IT). Both must be tested and kept current.[7]

Recovery objectives and continuity plans
TermMeaningDrives
BIABusiness Impact Analysis — identifies critical processes & impactRTO, RPO, MTD
RTOTarget time to restore a systemRecovery-site choice (hot/warm/cold)
RPOAcceptable data loss (measured backward)Backup / replication frequency
MTDMaximum Tolerable Downtime (= RTO + WRT)The absolute outer limit
BCPBusiness Continuity Plan — keep the business runningBroad, business-focused
DRPDisaster Recovery Plan — restore IT systemsSupports the BCP

4.2 Incident Management Operations

When an incident hits, you work the response lifecycle. Distinguish an event (any observable occurrence) from an incident (an adverse event that harms security) from a (confirmed data exposure, which often triggers notification duties). The , supported by the and a , runs the response.

The order matters: comes before eradication and recovery — limit the damage and preserve evidence first. If the incident may lead to legal or disciplinary action, maintain so evidence stays admissible. Finally, the (lessons learned and root-cause analysis) is where the program actually improves — the step candidates forget.[6]

Event vs. incident vs. breach
TermMeaningSo what
EventAny observable occurrence in a system/networkMost are benign; triage filters them
IncidentAn adverse event harming CIA of informationTriggers the incident response plan
BreachConfirmed access/exposure of protected dataOften triggers legal notification duties

Checkpoint · Incident Management

Question 1 of 10

An information security manager learns that staff hesitate to report suspected incidents because they fear blame for clicking a malicious link. Which incident response plan provision most directly reduces this barrier?

How to Use This CISM Study Guide

This guide is built to be worked, not just read. The most efficient path to a pass:

  • Study by weight. The Information Security Program (33%) and Incident Management (30%) are nearly two-thirds of the exam — spend the most time there, but start with Governance, which frames everything.
  • Think like a manager. CISM questions ask for the best or most appropriate action — usually the one that addresses governance, ownership, and risk, not the most technical fix.
  • Check off as you go. Use the Study Guide Contents to mark each section done; it raises your exam-readiness score.
  • Take every checkpoint. The end-of-module quizzes show you exactly which domains need another pass.
  • Drill the weak domain. Send your weak area into the flashcards and a practice test until your scores climb comfortably.

CISM Concept Questions

Common CISM concepts candidates search while studying — each answered briefly and backed by an official source. Test yourself, then drill them as flashcards.

CISM Glossary

The high-yield CISM terms in one place — hover any dotted term in the guide, or flip the whole deck here as a self-grading flashcard set.

Annualized Loss Expectancy (ALE)
The expected yearly cost of a risk: ALE = SLE × ARO. Used to cost-justify controls.
Annualized Rate of Occurrence (ARO)
The expected number of times a specific risk event will occur in one year.
Asset classification
Labeling information assets by sensitivity so the right level of protection is applied; assigned by the data owner.
Breach
A confirmed incident in which protected data was accessed or exposed, often triggering notification duties.
Business alignment
Ensuring security goals, investments, and metrics map directly to enterprise goals so security delivers value, not just cost.
Business case
The cost/benefit justification (often including ROSI) used to win management funding for a security investment.
Business continuity plan (BCP)
A plan to keep critical business functions operating during and after a disruption (business-focused).
Business Impact Analysis (BIA)
An analysis that identifies critical processes and the impact of disruption, producing the recovery objectives (MTD, RTO, RPO).
Chain of custody
The documented, tamper-evident record of who handled evidence and when, preserving its admissibility.
COBIT
ISACA's governance and management framework for enterprise IT, used to structure security governance.
Compensating control
An alternative control used when the primary control isn't feasible (e.g., extra monitoring instead of separation of duties).
Containment
Limiting the spread and damage of an incident before eradication and recovery — stopping the bleeding first.
Control deficiency
A control that is missing or not operating effectively, leaving a gap that increases risk.
Control owner
The party responsible for designing, implementing, and operating a specific control.
Corrective control
A control that restores systems after an incident (e.g., backups, patching, failover).
CSIRT
Computer Security Incident Response Team — the group that detects, responds to, and recovers from incidents.
Data custodian
The party (usually IT) responsible for implementing and maintaining the controls protecting data day to day.
Data owner
The senior business manager accountable for an asset — sets its classification and protection requirements.
Defense in depth
Layering multiple, overlapping controls so that if one fails, others still protect the asset.
Detective control
A control that identifies an incident in progress or after the fact (e.g., IDS, log review, SIEM alert).
Disaster recovery plan (DRP)
The IT-focused plan to restore technology systems and data; it supports the BCP.
Due care
Acting on due diligence by implementing and maintaining reasonable controls — what a prudent organization would do (doing the right thing).
Due diligence
Doing the research and verification — investigating risks and building the plans and policies needed to protect the organization (knowing what's right).
Gap analysis
A comparison of the current security state against a desired/target state to identify what is missing and drive the roadmap.
GRC
Governance, Risk, and Compliance — the integrated discipline that coordinates how an organization is directed, manages risk, and meets obligations.
Guideline
A recommended, discretionary best practice — the only optional item in the governance hierarchy.
Incident
An adverse event that harms or threatens the confidentiality, integrity, or availability of information.
Information security governance
The board- and executive-level responsibilities that provide strategic direction, ensure security objectives are met, manage risk, and verify resources are used responsibly. Leadership owns security.
Information security program
The coordinated set of activities, controls, resources, and people that executes the security strategy.
Inherent risk
The level of risk that exists before any controls are applied — the raw exposure.
ISO/IEC 27001
The international standard for an Information Security Management System (ISMS) — a certifiable framework for governing and running security.
KGI
Key Goal Indicator — a metric showing whether a defined goal was achieved.
KPI
Key Performance Indicator — a metric measuring how well the program or a control is performing.
KRI
Key Risk Indicator — a forward-looking metric that signals rising risk before an incident occurs.
Least privilege
Granting users and processes only the minimum access needed to do their job, and nothing more.
Maturity model
A staged scale (e.g., CMMI levels 1–5) rating process capability; the target a gap analysis measures the current state against.
Maximum Tolerable Downtime (MTD)
The absolute outer limit a process can be down before unacceptable harm; MTD = RTO + WRT.
NIST CSF
The NIST Cybersecurity Framework — a voluntary structure (Govern, Identify, Protect, Detect, Respond, Recover) for managing cybersecurity risk.
OLA
Operational Level Agreement — an internal agreement between teams that supports the delivery of an SLA.
Policy
A high-level, mandatory statement of management intent and goals for security.
Post-incident review
The lessons-learned and root-cause analysis after an incident that feeds improvements back into the program.
Preventive control
A control that stops an incident before it happens (e.g., firewall rule, access control, encryption).
Procedure
Detailed, mandatory step-by-step instructions for carrying out a task securely.
RACI
A responsibility chart assigning each task to roles: Responsible (does it), Accountable (answers for it — only one), Consulted (gives input), Informed (kept updated).
Recovery Point Objective (RPO)
The maximum acceptable amount of data loss measured backward in time; drives backup frequency.
Recovery Time Objective (RTO)
The targeted time to restore a system or process after a disruption; must fit within the MTD.
Residual risk
The risk that remains after controls (the risk response) are in place; the risk owner formally accepts it.
Risk appetite
The amount and type of risk an organization is willing to pursue to meet its objectives — set by the board.
Risk assessment
The process of identifying and analyzing risks — their likelihood and impact — to prioritize them.
Risk capacity
The maximum amount of risk an organization could actually absorb before it fails.
Risk owner
The party accountable for a risk who formally accepts its residual level (usually senior management).
Risk register
A documented inventory of identified risks with their ratings, owners, treatments, controls, and status.
Risk tolerance
The acceptable deviation around the risk appetite for a specific objective or risk.
Risk treatment
The chosen response to a risk: mitigate (reduce), transfer (insure/outsource), avoid (stop the activity), or accept.
Secure SDLC
Embedding security into every phase of the system development lifecycle ('shift left') rather than bolting it on at the end.
Security awareness training
Ongoing education that reduces human risk by teaching staff to recognize threats and follow policy.
Security steering committee
A cross-functional body that aligns the security strategy with business priorities and directs program investment.
Security strategy
The long-term plan that aligns the information security program to the organization's business objectives — the desired future state.
Separation of duties
Splitting a sensitive task so no single person can complete it alone, reducing fraud and error.
SIEM
Security Information and Event Management — a system that aggregates and correlates logs for detection and analysis.
Single Loss Expectancy (SLE)
The expected monetary loss from a single occurrence of a risk: SLE = Asset Value × Exposure Factor.
SLA
Service Level Agreement — a measurable service commitment between the organization and an external provider.
SOC
Security Operations Center — the function that monitors, detects, and responds to security events.
Standard
Mandatory, specific requirements that support a policy (e.g., 'use AES-256 encryption').
Third-party risk
Risk introduced through vendors and the supply chain; a provider's breach is still the organization's problem.
Threat
Any potential event or actor that could exploit a vulnerability to harm an asset.
Vulnerability
A weakness in a system, process, or control that a threat can exploit.
Work Recovery Time (WRT)
The time to verify data and resume normal operations after systems are restored.

CISM Study Guide FAQ

The CISM exam has 150 multiple-choice questions and a time limit of 4 hours (240 minutes). Each question has four options and one BEST answer, and some are scenario-based. The exam also contains a small number of unscored pretest items that do not count toward your result.

References

  1. 1.ISACA. “CISM Exam Content Outline.” isaca.org.
  2. 2.ISACA. “CISM — Certified Information Security Manager.” isaca.org.
  3. 3.ISACA. “Maintain Your CISM Certification (CPE policy).” isaca.org.
  4. 4.National Institute of Standards and Technology. “SP 800-30 Rev. 1: Guide for Conducting Risk Assessments.” csrc.nist.gov.
  5. 5.National Institute of Standards and Technology. “SP 800-53 Rev. 5: Security and Privacy Controls.” csrc.nist.gov.
  6. 6.National Institute of Standards and Technology. “SP 800-61 Rev. 2: Computer Security Incident Handling Guide.” csrc.nist.gov.
  7. 7.National Institute of Standards and Technology. “SP 800-34 Rev. 1: Contingency Planning Guide.” csrc.nist.gov.
  8. 8.National Institute of Standards and Technology. “Cybersecurity Framework (CSF).” nist.gov.
  9. 9.International Organization for Standardization. “ISO/IEC 27001 — Information Security Management Systems.” iso.org.
Career Employer

Career Employer is the ultimate resource to help you get started working the job of your dreams. We cover topics from general career information, career searching, exam preparation with free study materials, career interviewing, and becoming successful in your career of choice.

Follow Us:

All Posts

Career Employer’s Editorial Process

Here at Career Employer, we focus a lot on providing factually accurate information that is always up to date. We strive to provide correct information using strict editorial processes, article editing, and fact-checking for all of the information found on our website. We only utilize trustworthy and relevant resources. To find out more, make sure to read our full editorial process page here.