4 CISM Domains Explained (Master the Exam in 2024)

CISM Domains

Presented by ISACA, the Certified Information Security Manager (CISM) certification comprises four domains that test your ability to respond to cyber security incidents, assess risks, and implement digital security policies.

To best prepare for this advanced cyber security certification, we’ll examine the four CISM domains to see what you’ll be tested on. 

In addition to familiarizing yourself with what you’ll be tested on, we’ll also break down the testing format and style and present training options to help you ace the exam on your first attempt. 

Ready? Let’s start. 

Two exam questions will accompany each CISM domain so you can gauge your knowledge of the four CISM knowledge domains. 

What Is the CISM Certification?

The Certified Information Security Manager (CISM) certification is an advanced cyber security certification testing your ability to manage and implement effective information security measures and policies. 

Passing the exam demonstrates your ability to assess risk and security posture, create and implement security policies, and refine an organization’s ability to respond to security incidents. 

It also proves that you’re up to date on the latest security and IT technologies and that you can wield this technology to respond to the latest threats. 

The exam lasts a total of four hours and is comprised of 150 multiple-choice questions. The passing score is 450 out of 800. 

CISM Certification Salary

According to ZipRecruiter, the average salary of a cyber security professional with CISM to their name is $94,926 USD. 

Glassdoor, however, claims the average salary is more around $137,000 with the median being $179,000. 

What impacts your salary more than anything is the position that passing the CISM helps you obtain. In fact, it’s common to see CISM holders in the following positions:

  • Network Engineer: $109,040 
  • Information Security Manager: $$126,447
  • Senior IT Architect: $$112,119
  • Information/Privacy Risk Consultant: $93,381
  • IT Specialist Infosec: $$84,113

CISM Requirements

To become certified, you must have at least five years of professional IT security experience under your belt. These job practice areas include IT governance, IT risk management, Infosec, and incident management. 

These five years of experience must be acquired within a ten-year window, and three years of employment must involve work that touches on at least three of the aforementioned areas. 

Two of the five years of experience needed to be awarded the certification may be waived if test takers have a related MBA, master’s degree, or relevant experience. 


There are four domains that you’ll be tested on:

  • Information Security Governance: 17%
  • Information Security Risk Management: 20%
  • Information Security Program: 33%
  • Incident Management: 30%

Domain 1: Information Security Governance

True to its name, the first CISM domain will test your ability to manage and create an effective information security policy. Here, you’ll be asked to plan, analyze, and implement company-wide security strategies. 

To better prepare, be sure to study up on popular frameworks such as NIST and ISO 27001. 

Expect questions on government regulations that companies also must adhere to when protecting sensitive data. Candidates must be able to build a harmonious security plan that takes into account both the company’s operational objectives and government regulations. 

This domain can really be split up into two subdomains: Enterprise Governance and Information Security Strategy. 

Enterprise Governance covers organizational culture, legal, regulatory, and contractual requirements, and organizational structures, roles, and responsibilities.  

Information Security Strategy includes the development of security strategy, information governance frameworks and standards, and strategic planning. 

Here are some key terms you must know for the exam:

  • ERM: Enterprise risk management
  • SOX: Sarbanes-Oxley (SOX) Act
  • CMM: Capability maturity model 
  • COBIT: Control Objectives for Information and Related Technologies
  • KGI: Key Goal Indicator

Here are two questions that will test your understanding of this domain:


1) The company has neglected to periodically check its policy documents. Policies should be checked at least once a year.

2) An IT governance function should work in harmony with its IT governance function.

Domain 2: Information Security Risk Management

This domain will gauge your ability to identify and evaluate potential digital security risks, threats, and vulnerabilities. However, identifying security risks is just one part of the battle. 

You’ll also be tested on your ability to effectively respond to security risks through the use of both technical tools and a security response plan. 

This domain can be broken down into two sub-domains: Information Security Risk Assessment and Information Security Risk Response. 

The questions testing on Information Security Risk Assessment will test you on new risks and the threat landscape, vulnerability and control deficiency analysis, and risk assessment and analysis. 

The Information Security Risk Response subdomain will test you on risk treatment, risk and control ownership, and risk monitoring and reporting. 

Here are some key terms you must know for the exam:

  • RTO: Recovery Time Objectives
  • SDOs: Service Delivery Objectives 
  • AIW: Acceptable Interruption Window
  • SLAs: Service Level Agreement
  • TCO: Total Cost of Ownership

Here are two questions that will test your understanding of this domain:


1) Risk manager can be either a job title, a role, or both

2) A gaming software startup will have the highest risk tolerance as it's struggling to survive and has little to lose. 

Domain 3: Information Security Program

Being that this exam prepares you to become a security manager, this domain is dedicated to testing you on your ability to create and manage an information security program. 

Specifically, you’ll be quizzed on how you design a security plan while collaborating with management and stakeholders, how you execute an information security strategy, and how metrics are used to gauge the effectiveness of said program. 

To accomplish these goals, CISM candidates will be tested on their understanding of information security resources, asset classifications, and frameworks, as well as a range of security controls and security reporting techniques. 

This domain can be broken down into two subdomains: Information Security Program Development and Information Security Program Management. 

Information Security Program Development includes:

  • Infosec program resources
  • Information asset identification and classification
  • Industry standards and frameworks for information security
  • Information security policies, procedures, and guidelines
  • Information security program metrics

Information Security Program Management includes:

  • Control design and selection
  • Implementation and integration of information security controls
  • Testing and evaluating information security efforts
  • Managing external services
  • Information security program communication and reporting 

Here are some key terms you must know for the exam:

  • SDLCs: System Development Life Cycles
  • PKI: Public Key Infrastructure
  • ISO 27001: Organization for Standardization 
  • SIEM: Security Information and Event Management
  • POPI: Protection of Proprietary Information

Here are two questions that will test your understanding of this domain:


1) A security manager creating a business case should describe the need for MDM.

2) Form a security council comprised of business stakeholders.

Domain 4: Incident Management

The incident management domain gauges how ready you are to manage a company’s risk management and preparedness efforts. 

If you pass this portion of the exam, you’ll prove that you’re ready to respond effectively to security incidents and guide your company toward recovery. You’ll be tested on incident management tools, ways to evaluate and contain incidents, and more. 

Additionally, you’ll be asked to manage the impact of an incident. In fact, as an aspiring IT security manager, you must know how to use various technical and physical controls in order to respond to an incident. 

The domain can be broken down into two subdomains: Incident Management Readiness and Incident Management Operations. 

Incident Management Readiness will test your ability to create various plans such as a business response plan, business continuity plan, and disaster recovery plan. 

Here are some key terms you must know for the exam:

  • IRP: Incident Response Procedure
  • APTs: Advanced Persistent Threats
  • IMT: Incident Management Team
  • BIA: Business Impact Analysis
  • DRP: Disaster Recovery Plan

Here are two questions that will test your understanding of this domain:


1) Ransomware is a “high velocity” threat that can destroy information at a high rate, necessitating incident response teams to respond more quickly.

2) The situation is clearly a security incident and should be declared and treated as such. 

CISM Training

Passing the CISM exam is no easy feat. 

This four-hour exam tests you on an array of information and security topics while drilling down into the nitty-gritty of information security management. 

Even if you have the required five years of professional experience ISACA requires you to have, it’s still in your best interest to study up. 

The best way to prepare for this certification is by enrolling in StationX’s Accelerator Program. Here, you’ll gain access to over 1,000 courses and labs that allow you to both refine and further your cyber security-related skills. 

In addition to courses and labs, you’ll be paired with a mentor, have access to our community, learn which certifications and career pathways are best for you, and have the chance to join a mastermind group. 

Start studying for the CISM certification by taking one of these courses:


CISM is comprised of four knowledge domains: Information Security Governance, Information Security Risk Management, Information Security Program, and Incident Management. 

To pass this four-hour, 150 multiple-choice question certification, you’ll need to brush up on the aforementioned topics related to the best cyber security management practices. 

As this is an advanced cyber security certification, obtaining it will open new professional doors for you. You’ll not only become a more qualified candidate, but you’ll be able to make more money as you take on more advanced roles. 

Frequently Asked Questions

Level Up in Cyber Security: Join Our Membership Today!

vip cta image
vip cta details
  • Spencer Abel

    Spencer is part cyber security professional and part content writer. He specializes in helping those attempting to pivot into the vast and always-changing world of cyber security by making complex topics fun and palatable. Connect with him over at LinkedIn to stay up-to-date with his latest content.