This free CISM study guide walks through every content domain the Certified Information Security Manager exam tests, organized to the current ISACA exam content outline.[1]
It’s interactive, not a wall of text: every module has built-in checkpoint quizzes, flashcards, and practice questions, so you learn by doing — not just reading.
The CISM tests four official domains, and it is a management exam: it asks for the best or most appropriate action a security manager would take — governance, risk strategy, running the program, and handling incidents — not hands-on technical configuration. We teach all four in four study modules and lead with Governance, which frames everything else.
Read a module, test yourself at each checkpoint, then drill gaps with our free practice test and flashcards. This guide is a high-yield overview mapped to the official content — not a full security textbook.
CISM Exam Snapshot
| Detail | CISM Exam |
|---|---|
| Questions | 150 multiple-choice (plus unscored pretest items) |
| Format | 4 options, one BEST answer; some scenario-based items |
| Time | 4 hours (240 minutes) |
| Passing score | 450 on a 200–800 scaled scale |
| Administered by | ISACA, delivered at PSI test centers or remote online proctored |
| Certifying body | ISACA |
| Experience | 5 years' infosec management experience (3+ yrs in 3 of 4 domains); up to 2 yrs waivable |
| Cost | $575 member / $760 non-member (+ $50 application fee) |
| Recertification | 120 CPE credits over 3 years (min 20/yr) + annual maintenance fee |
| Languages | English, Spanish, Chinese (Simplified), Japanese, French, German |
The CISM covers four domains, and the weighting is lopsided toward execution: the Information Security Program is the largest at 33%, and Incident Management is close behind at 30% — together 63% of the exam. Governance (17%) is smallest by weight but frames everything, so it is where to start.[1] Study by weight:
Information Security Governance
17% of the exam
Information Security Risk Management
20% of the exam
Information Security Program
33% of the exam
Incident Management
30% of the exam
Module 1 · Information Security Governance
One official domain, 17% of the exam. Governance is leadership’s ownership of security: setting direction, aligning security to the business, and holding the organization accountable. It is the smallest domain by weight but the foundation the other three rest on — get the governance mindset and the rest of the exam makes sense.
1.1 Enterprise Governance
is exercised by the board and senior management. They own risk, set the tone at the top, and are ultimately accountable; the security manager translates business goals into a program and reports back up. Know the chain of who directs what.
Board of Directors / Senior Management
Owns risk, sets risk appetite and the tone at the top, and is ultimately accountable for security governance.
Security Steering Committee
Cross-functional body that aligns the security strategy with business objectives and prioritizes investment.
Information Security Manager (CISM)
Translates the strategy into a program — policies, controls, metrics — and reports performance and risk upward.
Process & Control Owners / Staff
Operate the controls day to day; risk owners accept residual risk, control owners run the controls.
Clear ownership is central, and the exam loves the model. For any control or task, exactly one party is Accountable (answers for the outcome) while one or more are Responsible (do the work); others are Consulted or Informed. Typically the (a senior business manager) is accountable for an asset, and the (IT) is responsible for the controls.
Two governance duties are heavily tested: (researching risks and building the plan) and (acting on it and maintaining controls). Together they form the “prudent person rule” that limits negligence liability after an incident.[1] Governance also means meeting legal, regulatory, and contractual requirements and shaping a healthy security culture.
| Document | What it is | Mandatory? |
|---|---|---|
| Policy | High-level management statement of intent and goals | Yes |
| Standard | Specific mandatory requirements (e.g., 'use AES-256') | Yes |
| Procedure | Detailed step-by-step instructions | Yes |
| Baseline | A minimum required level of security | Yes |
| Guideline | Recommended, discretionary best practice | No |
1.2 Information Security Strategy
The is the long-term plan that aligns the program to business objectives — the desired future state. Building it starts with understanding the business, then a comparing the current state to a target (often a framework or ), which produces a prioritized roadmap.
Strategy leans on recognized frameworks and standards: (ISACA’s governance framework), (a certifiable ISMS), and the . To win resources, the manager makes a — a cost/benefit justification, often expressed as return on security investment — so security is funded as a business enabler, not a cost center. This is the essence of and .[9]
| Framework | Owner | Purpose |
|---|---|---|
| COBIT | ISACA | Governance and management of enterprise IT |
| ISO/IEC 27001 | ISO/IEC | Certifiable Information Security Management System (ISMS) |
| NIST CSF | NIST | Voluntary cybersecurity risk-management framework |
| ISO/IEC 27002 | ISO/IEC | Catalog of information security controls |
Checkpoint · Information Security Governance
Question 1 of 10
An information security manager builds a RACI chart for a new data-handling initiative. Which role on a RACI chart must be assigned to exactly one party for each activity?
Module 2 · Information Security Risk Management
One official domain, 20% of the exam. Risk management is the discipline of finding, rating, treating, and monitoring risk so it stays within the organization’s appetite. On CISM it is a management activity — who owns the risk, what response is appropriate, and how to report it — not a technical scan.
2.1 Risk Assessment & Analysis
Risk is the chance a exploits a to harm an asset, rated by likelihood × impact. The process is a continuous loop, and everything is measured against the board’s .
- 1
Identify risk
Scan the emerging threat landscape and identify assets, threats, vulnerabilities, and control deficiencies.
- 2
Assess & analyze
Rate likelihood × impact — qualitatively (high/medium/low) or quantitatively (ALE = SLE × ARO) — against the risk appetite.
- 3
Choose a risk response
Mitigate (reduce with controls), transfer (insurance/third party), avoid (stop the activity), or accept the residual risk.
- 4
Assign ownership
The risk owner is accountable and formally accepts residual risk; the control owner operates the control.
- 5
Treat & record
Implement the response cost-effectively and log it in the risk register with status and owner.
- 6
Monitor & report
Track KRIs, reassess as the business changes, and report risk posture to senior management.
Three appetite terms are tested together: (willingness to take risk), (acceptable deviation around it), and (the most risk the organization can absorb). You also distinguish (before controls) from (after).
Risk capacity
The MAXIMUM risk the organization could absorb before it fails — the outer limit.
Risk tolerance
The acceptable DEVIATION around the appetite for a specific objective or risk.
Risk appetite
The amount and type of risk the organization is WILLING to pursue to meet its objectives (board-set).
You assess risk two ways. Qualitative analysis ranks risks high/medium/low — fast and subjective. Quantitative analysis is dollar-based: the = Asset Value × Exposure Factor; the is events per year; and the = SLE × ARO is the expected yearly cost — the figure that cost-justifies a control to management.[4]
2.2 Risk Response & Monitoring
Once a risk is rated, you choose a : mitigate (add controls), transfer (insurance or a third party), avoid (stop the activity), or accept (formally tolerate the residual risk). Acceptance is a documented decision by the — never just ignoring a risk.
| Response | What you do | Example |
|---|---|---|
| Mitigate (reduce) | Add controls to lower likelihood or impact | Deploy MFA to reduce account takeover |
| Transfer | Shift the financial impact to a third party | Buy cyber-insurance or outsource |
| Avoid | Stop the activity that creates the risk | Discontinue a risky product feature |
| Accept | Formally tolerate the residual risk | Risk owner signs off on a low-impact risk |
Ownership must be explicit: the is accountable and accepts residual risk, while the operates the control. Everything is tracked in a and monitored over time with s (forward-looking risk signals), s (performance), and s (goal achievement). The manager then reports risk posture to senior management so they can decide.
| Metric | Answers | Example |
|---|---|---|
| KRI (Key Risk Indicator) | Is risk rising? | # of unpatched critical systems trending up |
| KPI (Key Performance Indicator) | Is the program performing? | % of staff who finished security training |
| KGI (Key Goal Indicator) | Did we hit the goal? | 100% of critical systems patched within SLA |
Checkpoint · Information Security Risk Management
Question 1 of 10
Which statement most accurately defines an organization's risk appetite?
Module 3 · Information Security Program
One official domain, 33% of the exam — the largest. The program is where strategy and risk decisions become operating reality: resources, classification, frameworks, policies, controls, training, vendor management, and metrics. Expect the most questions here, and expect them to test management judgment about building and running the program.
3.1 Program Development
An is built from the strategy down. It needs resources (budget, people, tools), then — labeling assets by sensitivity so protection lands where it matters — followed by selecting industry standards and frameworks, writing , procedures, and guidelines, and defining program metrics.
- 1
Strategy & resources
Start from the governance strategy; secure budget, people, and tools to build the program.
- 2
Classify assets
Identify and classify information assets by sensitivity so controls are applied where they matter.
- 3
Select frameworks & policies
Adopt standards/frameworks (ISO 27001, NIST CSF, COBIT) and write policies, procedures, and guidelines.
- 4
Design & implement controls
Choose preventive/detective/corrective controls and integrate them into business processes.
- 5
Train & manage vendors
Run security awareness/training and govern external service providers (SLAs/OLAs).
- 6
Test, measure & report
Test and evaluate controls, track program metrics (KPIs/KGIs), and report performance to management.
Classification is a business decision: the assigns it; the implements the resulting controls. Over-classifying wastes resources; under-classifying creates risk.[5]
| Role / concept | Detail |
|---|---|
| Data owner | Accountable; sets classification and protection requirements (senior manager) |
| Data custodian | Responsible for day-to-day controls (backups, access) — usually IT |
| Classification | Labeling by sensitivity (e.g., public, internal, confidential, restricted) |
| Drives | Handling, access, encryption, retention, and destruction requirements |
3.2 Program Management
Running the program means selecting and operating controls. Know the control types by function and by nature — managers choose a layered mix () to meet the risk cost-effectively.
Preventive
Stops an incident before it happens (firewall rule, access control, encryption).
Detective
Identifies an incident in progress or after the fact (IDS, log review, SIEM alert).
Corrective
Restores systems after an incident (backups, patching, failover).
Deterrent
Discourages a would-be attacker (warning banners, visible cameras, sanctions).
Compensating
An alternative when the primary control isn't feasible (extra monitoring in place of segregation of duties).
Beyond controls, program management covers (the most cost-effective control for the human element), managing external services — holding vendors to security requirements through an (and internal s) and managing — and communications and reporting. Embedding security into builds via a , plus and , round out the operating controls.
| Nature | What it is | Examples |
|---|---|---|
| Administrative | Policy and people controls | Policies, training, background checks |
| Technical (logical) | Technology-enforced controls | Firewalls, encryption, access control |
| Physical | Controls in the physical world | Locks, guards, cameras, fences |
Checkpoint · Information Security Program
Question 1 of 10
When an information security program is first stood up, what should the security manager establish before allocating budget to specific projects?
Module 4 · Incident Management
One official domain, 30% of the exam. Incident management is preparing for, detecting, responding to, and recovering from security incidents — and learning from them. It splits into readiness (the planning you do in advance) and operations(what you do when an incident hits). At 30%, it’s nearly a third of the exam.
4.1 Incident Management Readiness
Readiness is mostly the battle. It centers on the , which identifies critical processes and the impact of disruption, producing the recovery objectives every other plan serves.
RPO — Recovery Point Objective (before)
Maximum acceptable DATA LOSS, measured backward from the disruption. Drives backup/replication frequency.
RTO — Recovery Time Objective (after)
Target TIME to restore systems after the disruption. Drives recovery-site choice (hot/warm/cold).
WRT — Work Recovery Time
Time to verify data and resume normal business operations once systems are back.
MTD = RTO + WRT (the hard limit)
Maximum Tolerable Downtime — the absolute outer limit before unacceptable harm. RTO + WRT must fit inside it.
Know the metrics cold. is the target time to restore a system; is the acceptable data loss (it drives backup frequency); is the time to resume normal operations; and the is the absolute outer limit, where MTD = RTO + WRT. From the BIA flow the (keep the business running) and the (restore IT). Both must be tested and kept current.[7]
| Term | Meaning | Drives |
|---|---|---|
| BIA | Business Impact Analysis — identifies critical processes & impact | RTO, RPO, MTD |
| RTO | Target time to restore a system | Recovery-site choice (hot/warm/cold) |
| RPO | Acceptable data loss (measured backward) | Backup / replication frequency |
| MTD | Maximum Tolerable Downtime (= RTO + WRT) | The absolute outer limit |
| BCP | Business Continuity Plan — keep the business running | Broad, business-focused |
| DRP | Disaster Recovery Plan — restore IT systems | Supports the BCP |
4.2 Incident Management Operations
When an incident hits, you work the response lifecycle. Distinguish an event (any observable occurrence) from an incident (an adverse event that harms security) from a (confirmed data exposure, which often triggers notification duties). The , supported by the and a , runs the response.
- 1
Prepare
Build the IR plan, the CSIRT, tools, and training before an incident — readiness is most of the battle.
- 2
Detect
Identify and confirm a real incident from events and alerts (SIEM, monitoring, reports).
- 3
Triage & classify
Categorize the incident by type and severity to prioritize the response and escalation.
- 4
Contain
Limit the spread and damage first — isolate systems before eradicating, to preserve evidence and stop the bleeding.
- 5
Eradicate
Remove the root cause — malware, compromised accounts, the exploited vulnerability.
- 6
Recover
Restore systems to normal operation and validate they are clean and functioning.
- 7
Post-incident review
Conduct lessons-learned / root-cause analysis and feed improvements back into the program.
The order matters: comes before eradication and recovery — limit the damage and preserve evidence first. If the incident may lead to legal or disciplinary action, maintain so evidence stays admissible. Finally, the (lessons learned and root-cause analysis) is where the program actually improves — the step candidates forget.[6]
| Term | Meaning | So what |
|---|---|---|
| Event | Any observable occurrence in a system/network | Most are benign; triage filters them |
| Incident | An adverse event harming CIA of information | Triggers the incident response plan |
| Breach | Confirmed access/exposure of protected data | Often triggers legal notification duties |
Checkpoint · Incident Management
Question 1 of 10
An information security manager learns that staff hesitate to report suspected incidents because they fear blame for clicking a malicious link. Which incident response plan provision most directly reduces this barrier?
How to Use This CISM Study Guide
This guide is built to be worked, not just read. The most efficient path to a pass:
- Study by weight. The Information Security Program (33%) and Incident Management (30%) are nearly two-thirds of the exam — spend the most time there, but start with Governance, which frames everything.
- Think like a manager. CISM questions ask for the best or most appropriate action — usually the one that addresses governance, ownership, and risk, not the most technical fix.
- Check off as you go. Use the Study Guide Contents to mark each section done; it raises your exam-readiness score.
- Take every checkpoint. The end-of-module quizzes show you exactly which domains need another pass.
- Drill the weak domain. Send your weak area into the flashcards and a practice test until your scores climb comfortably.
CISM Concept Questions
Common CISM concepts candidates search while studying — each answered briefly and backed by an official source. Test yourself, then drill them as flashcards.
CISM Glossary
The high-yield CISM terms in one place — hover any dotted term in the guide, or flip the whole deck here as a self-grading flashcard set.
- Annualized Loss Expectancy (ALE)
- The expected yearly cost of a risk: ALE = SLE × ARO. Used to cost-justify controls.
- Annualized Rate of Occurrence (ARO)
- The expected number of times a specific risk event will occur in one year.
- Asset classification
- Labeling information assets by sensitivity so the right level of protection is applied; assigned by the data owner.
- Breach
- A confirmed incident in which protected data was accessed or exposed, often triggering notification duties.
- Business alignment
- Ensuring security goals, investments, and metrics map directly to enterprise goals so security delivers value, not just cost.
- Business case
- The cost/benefit justification (often including ROSI) used to win management funding for a security investment.
- Business continuity plan (BCP)
- A plan to keep critical business functions operating during and after a disruption (business-focused).
- Business Impact Analysis (BIA)
- An analysis that identifies critical processes and the impact of disruption, producing the recovery objectives (MTD, RTO, RPO).
- Chain of custody
- The documented, tamper-evident record of who handled evidence and when, preserving its admissibility.
- COBIT
- ISACA's governance and management framework for enterprise IT, used to structure security governance.
- Compensating control
- An alternative control used when the primary control isn't feasible (e.g., extra monitoring instead of separation of duties).
- Containment
- Limiting the spread and damage of an incident before eradication and recovery — stopping the bleeding first.
- Control deficiency
- A control that is missing or not operating effectively, leaving a gap that increases risk.
- Control owner
- The party responsible for designing, implementing, and operating a specific control.
- Corrective control
- A control that restores systems after an incident (e.g., backups, patching, failover).
- CSIRT
- Computer Security Incident Response Team — the group that detects, responds to, and recovers from incidents.
- Data custodian
- The party (usually IT) responsible for implementing and maintaining the controls protecting data day to day.
- Data owner
- The senior business manager accountable for an asset — sets its classification and protection requirements.
- Defense in depth
- Layering multiple, overlapping controls so that if one fails, others still protect the asset.
- Detective control
- A control that identifies an incident in progress or after the fact (e.g., IDS, log review, SIEM alert).
- Disaster recovery plan (DRP)
- The IT-focused plan to restore technology systems and data; it supports the BCP.
- Due care
- Acting on due diligence by implementing and maintaining reasonable controls — what a prudent organization would do (doing the right thing).
- Due diligence
- Doing the research and verification — investigating risks and building the plans and policies needed to protect the organization (knowing what's right).
- Gap analysis
- A comparison of the current security state against a desired/target state to identify what is missing and drive the roadmap.
- GRC
- Governance, Risk, and Compliance — the integrated discipline that coordinates how an organization is directed, manages risk, and meets obligations.
- Guideline
- A recommended, discretionary best practice — the only optional item in the governance hierarchy.
- Incident
- An adverse event that harms or threatens the confidentiality, integrity, or availability of information.
- Information security governance
- The board- and executive-level responsibilities that provide strategic direction, ensure security objectives are met, manage risk, and verify resources are used responsibly. Leadership owns security.
- Information security program
- The coordinated set of activities, controls, resources, and people that executes the security strategy.
- Inherent risk
- The level of risk that exists before any controls are applied — the raw exposure.
- ISO/IEC 27001
- The international standard for an Information Security Management System (ISMS) — a certifiable framework for governing and running security.
- KGI
- Key Goal Indicator — a metric showing whether a defined goal was achieved.
- KPI
- Key Performance Indicator — a metric measuring how well the program or a control is performing.
- KRI
- Key Risk Indicator — a forward-looking metric that signals rising risk before an incident occurs.
- Least privilege
- Granting users and processes only the minimum access needed to do their job, and nothing more.
- Maturity model
- A staged scale (e.g., CMMI levels 1–5) rating process capability; the target a gap analysis measures the current state against.
- Maximum Tolerable Downtime (MTD)
- The absolute outer limit a process can be down before unacceptable harm; MTD = RTO + WRT.
- NIST CSF
- The NIST Cybersecurity Framework — a voluntary structure (Govern, Identify, Protect, Detect, Respond, Recover) for managing cybersecurity risk.
- OLA
- Operational Level Agreement — an internal agreement between teams that supports the delivery of an SLA.
- Policy
- A high-level, mandatory statement of management intent and goals for security.
- Post-incident review
- The lessons-learned and root-cause analysis after an incident that feeds improvements back into the program.
- Preventive control
- A control that stops an incident before it happens (e.g., firewall rule, access control, encryption).
- Procedure
- Detailed, mandatory step-by-step instructions for carrying out a task securely.
- RACI
- A responsibility chart assigning each task to roles: Responsible (does it), Accountable (answers for it — only one), Consulted (gives input), Informed (kept updated).
- Recovery Point Objective (RPO)
- The maximum acceptable amount of data loss measured backward in time; drives backup frequency.
- Recovery Time Objective (RTO)
- The targeted time to restore a system or process after a disruption; must fit within the MTD.
- Residual risk
- The risk that remains after controls (the risk response) are in place; the risk owner formally accepts it.
- Risk appetite
- The amount and type of risk an organization is willing to pursue to meet its objectives — set by the board.
- Risk assessment
- The process of identifying and analyzing risks — their likelihood and impact — to prioritize them.
- Risk capacity
- The maximum amount of risk an organization could actually absorb before it fails.
- Risk owner
- The party accountable for a risk who formally accepts its residual level (usually senior management).
- Risk register
- A documented inventory of identified risks with their ratings, owners, treatments, controls, and status.
- Risk tolerance
- The acceptable deviation around the risk appetite for a specific objective or risk.
- Risk treatment
- The chosen response to a risk: mitigate (reduce), transfer (insure/outsource), avoid (stop the activity), or accept.
- Secure SDLC
- Embedding security into every phase of the system development lifecycle ('shift left') rather than bolting it on at the end.
- Security awareness training
- Ongoing education that reduces human risk by teaching staff to recognize threats and follow policy.
- Security steering committee
- A cross-functional body that aligns the security strategy with business priorities and directs program investment.
- Security strategy
- The long-term plan that aligns the information security program to the organization's business objectives — the desired future state.
- Separation of duties
- Splitting a sensitive task so no single person can complete it alone, reducing fraud and error.
- SIEM
- Security Information and Event Management — a system that aggregates and correlates logs for detection and analysis.
- Single Loss Expectancy (SLE)
- The expected monetary loss from a single occurrence of a risk: SLE = Asset Value × Exposure Factor.
- SLA
- Service Level Agreement — a measurable service commitment between the organization and an external provider.
- SOC
- Security Operations Center — the function that monitors, detects, and responds to security events.
- Standard
- Mandatory, specific requirements that support a policy (e.g., 'use AES-256 encryption').
- Third-party risk
- Risk introduced through vendors and the supply chain; a provider's breach is still the organization's problem.
- Threat
- Any potential event or actor that could exploit a vulnerability to harm an asset.
- Vulnerability
- A weakness in a system, process, or control that a threat can exploit.
- Work Recovery Time (WRT)
- The time to verify data and resume normal operations after systems are restored.
CISM Study Guide FAQ
The CISM exam has 150 multiple-choice questions and a time limit of 4 hours (240 minutes). Each question has four options and one BEST answer, and some are scenario-based. The exam also contains a small number of unscored pretest items that do not count toward your result.
From the current ISACA outline: Information Security Governance (17%), Information Security Risk Management (20%), Information Security Program (33%), and Incident Management (30%). Program and Incident Management together make up 63% of the exam — the operational-management core.
You need a scaled score of 450 or higher on a 200 to 800 scale. The score is based on the total number of items you answer correctly across all domains; domain-level results are informational only, and there is no penalty for wrong answers, so answer every question.
You need at least five years of professional information security management work experience, with at least three years in three of the four CISM domains, earned within the ten years before applying or within five years after passing. Up to two years can be waived through approved education or credentials. You can pass the exam first and document the experience afterward.
Study by weight. The Information Security Program (33%) and Incident Management (30%) domains are the largest, so invest most there, but Governance frames everything — start with it. Read each module, take the checkpoint, then drill gaps with our free practice test and flashcards.
The exam fee is US$575 for ISACA members and US$760 for non-members, plus a one-time US$50 application fee after you pass. To maintain the credential you earn 120 CPE hours over a three-year cycle (minimum 20 per year) and pay an annual maintenance fee.
CISM is management-focused: it tests governance, risk strategy, building and running a security program, and managing incidents — choosing the BEST managerial action. CISSP is broader and more technical. Many candidates use CISM for the management lens and cross-reference a CISSP guide for technical depth.
The CISM is issued by ISACA and delivered at PSI test centers or via remote online proctoring. This study guide, the checkpoints, the glossary, the practice test, and the flashcards are 100% free with no account required.
References
- 1.ISACA. “CISM Exam Content Outline.” isaca.org. ↑
- 2.ISACA. “CISM — Certified Information Security Manager.” isaca.org. ↑
- 3.ISACA. “Maintain Your CISM Certification (CPE policy).” isaca.org. ↑
- 4.National Institute of Standards and Technology. “SP 800-30 Rev. 1: Guide for Conducting Risk Assessments.” csrc.nist.gov. ↑
- 5.National Institute of Standards and Technology. “SP 800-53 Rev. 5: Security and Privacy Controls.” csrc.nist.gov. ↑
- 6.National Institute of Standards and Technology. “SP 800-61 Rev. 2: Computer Security Incident Handling Guide.” csrc.nist.gov. ↑
- 7.National Institute of Standards and Technology. “SP 800-34 Rev. 1: Contingency Planning Guide.” csrc.nist.gov. ↑
- 8.National Institute of Standards and Technology. “Cybersecurity Framework (CSF).” nist.gov. ↑
- 9.International Organization for Standardization. “ISO/IEC 27001 — Information Security Management Systems.” iso.org. ↑

Career Employer
Career Employer is the ultimate resource to help you get started working the job of your dreams. We cover topics from general career information, career searching, exam preparation with free study materials, career interviewing, and becoming successful in your career of choice.
All PostsCareer Employer’s Editorial Process
Here at Career Employer, we focus a lot on providing factually accurate information that is always up to date. We strive to provide correct information using strict editorial processes, article editing, and fact-checking for all of the information found on our website. We only utilize trustworthy and relevant resources. To find out more, make sure to read our full editorial process page here.
