Presented by ISACA, the Certified Information Security Manager (CISM) certification comprises four domains that test your ability to respond to cyber security incidents, assess risks, and implement digital security policies.
To best prepare for this advanced cyber security certification, we’ll examine the four CISM domains to see what you’ll be tested on.
In addition to familiarizing yourself with what you’ll be tested on, we’ll also break down the testing format and style and present training options to help you ace the exam on your first attempt.
Ready? Let’s start.
Two sample exam questions accompany each domain so you can gauge your knowledge of the four CISM knowledge domains.
What Is the CISM Certification?
The Certified Information Security Manager (CISM) certification is an advanced cyber security certification testing your ability to manage and implement effective information security measures and policies.
Passing the exam demonstrates your ability to assess risk and security posture, create and implement security policies, and refine an organization’s ability to respond to security incidents.
It also proves that you’re up to date on the latest security and IT technologies and that you can wield this technology to respond to the latest threats.

The exam lasts a total of four hours and is comprised of 150 multiple-choice questions. The passing score is 450 out of 800.
CISM Certification Salary
According to ZipRecruiter, the average salary of a cyber security professional with CISM to their name is $94,926 USD.

Glassdoor, however, puts the average salary closer to $137,000, with a median of $179,000.
What impacts your salary more than anything is the position that passing the CISM helps you obtain. In fact, it’s common to see CISM holders in the following positions:
- Network Engineer: $109,040
- Information Security Manager: $126,447
- Senior IT Architect: $112,119
- Information/Privacy Risk Consultant: $93,381
- IT Specialist Infosec: $84,113
CISM Requirements
To become certified, you must have at least five years of professional information security work experience under your belt. ISACA’s job practice areas are the four exam domains: information security governance, information security risk management, information security program, and incident management.
These five years of experience must have been gained within the ten years preceding your application (or within five years of passing the exam), and at least three of them must be information security management experience covering three or more of the four domains.
Up to two of the five years may be waived for a related master’s degree (an MBA in information security, for example) or other qualifying credentials and experience; the three years of information security management experience cannot be waived.
ISACA CISM Domains
There are four domains that youβll be tested on:
- Information Security Governance: 17%
- Information Security Risk Management: 20%
- Information Security Program: 33%
- Incident Management: 30%

Domain 1: Information Security Governance
True to its name, the first CISM domain will test your ability to create and maintain an effective information security governance framework and strategy. Here, you’ll be asked to plan, analyze, and implement company-wide security strategies.
To better prepare, be sure to study up on popular frameworks such as the NIST Cybersecurity Framework and ISO/IEC 27001.
Expect questions on the laws and regulations that companies must also adhere to when protecting sensitive data. Candidates must be able to build a coherent security strategy that takes into account both the company’s operational objectives and its legal, regulatory, and contractual obligations.
This domain can really be split up into two subdomains: Enterprise Governance and Information Security Strategy.
Enterprise Governance covers organizational culture, legal, regulatory, and contractual requirements, and organizational structures, roles, and responsibilities.
Information Security Strategy includes the development of security strategy, information governance frameworks and standards, and strategic planning.
Here are some key terms you must know for the exam:
- ERM: Enterprise risk management
- SOX: Sarbanes-Oxley Act
- CMM: Capability maturity model
- COBIT: Control Objectives for Information and Related Technologies
- KGI: Key Goal Indicator
Here are two questions that will test your understanding of this domain:


Answers:
1) The company has neglected to periodically review its policy documents. Policies should be reviewed at least once a year.
2) The information security governance function should work in harmony with the organization’s IT governance function.
Domain 2: Information Security Risk Management
This domain will gauge your ability to identify and evaluate potential digital security risks, threats, and vulnerabilities. However, identifying security risks is just one part of the battle.
You’ll also be tested on your ability to effectively respond to security risks through the use of both technical tools and a security response plan.
This domain can be broken down into two sub-domains: Information Security Risk Assessment and Information Security Risk Response.
The questions testing on Information Security Risk Assessment will test you on new risks and the threat landscape, vulnerability and control deficiency analysis, and risk assessment and analysis.
The Information Security Risk Response subdomain will test you on risk treatment, risk and control ownership, and risk monitoring and reporting.
Here are some key terms you must know for the exam:
- RTO: Recovery Time Objective
- SDO: Service Delivery Objective
- AIW: Acceptable Interruption Window
- SLA: Service Level Agreement
- TCO: Total Cost of Ownership
Here are two questions that will test your understanding of this domain:


Answers:
1) Risk manager can be either a job title, a role, or both.
2) A gaming software startup will have the highest risk tolerance, as it is struggling to survive and has little to lose.
Domain 3: Information Security Program
Since this exam prepares you to become a security manager, this domain is dedicated to testing your ability to create and manage an information security program.
Specifically, you’ll be quizzed on how you design a security program while collaborating with management and stakeholders, how you execute an information security strategy, and how metrics are used to gauge the effectiveness of that program.
To accomplish these goals, CISM candidates will be tested on their understanding of information security resources, asset classifications, and frameworks, as well as a range of security controls and security reporting techniques.
This domain can be broken down into two subdomains: Information Security Program Development and Information Security Program Management.
Information Security Program Development includes:
- Infosec program resources
- Information asset identification and classification
- Industry standards and frameworks for information security
- Information security policies, procedures, and guidelines
- Information security program metrics
Information Security Program Management includes:
- Control design and selection
- Implementation and integration of information security controls
- Testing and evaluating information security efforts
- Managing external services
- Information security program communication and reporting
Here are some key terms you must know for the exam:
- SDLC: System Development Life Cycle
- PKI: Public Key Infrastructure
- ISO/IEC 27001: the International Organization for Standardization’s information security management system (ISMS) standard
- SIEM: Security Information and Event Management
- POPI: Protection of Proprietary Information
Here are two questions that will test your understanding of this domain:


Answers:
1) A security manager creating a business case should describe the need for MDM (mobile device management).
2) Form a security council comprised of business stakeholders.
Domain 4: Incident Management
The incident management domain gauges how ready you are to manage a company’s incident response and preparedness efforts.
If you pass this portion of the exam, you’ll prove that you’re ready to respond effectively to security incidents and guide your company toward recovery. You’ll be tested on incident management tools, ways to evaluate and contain incidents, and more.
Additionally, you’ll be asked to manage the impact of an incident. In fact, as an aspiring IT security manager, you must know how to use various technical and physical controls in order to respond to an incident.
The domain can be broken down into two subdomains: Incident Management Readiness and Incident Management Operations.
Incident Management Readiness will test your ability to create various plans such as an incident response plan, business continuity plan, and disaster recovery plan, along with the business impact analysis that drives them.
Incident Management Operations covers handling a live incident: the tools and techniques used, incident investigation and evaluation, containment, response communications, eradication and recovery, and post-incident review.
Here are some key terms you must know for the exam:
- IRP: Incident Response Plan
- APTs: Advanced Persistent Threats
- IMT: Incident Management Team
- BIA: Business Impact Analysis
- DRP: Disaster Recovery Plan
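As an added worked example (not code from the article or from ISACA), the script below applies the relationships behind the Domain 2 terms (RTO, SDO, AIW, SLA) and the BIA/DRP readiness work in this domain: the RTO the disaster recovery plan commits to must fit inside the AIW the business has set, backups must run at least as often as the recovery point objective allows (RPO and backup interval are assumptions added here, not terms from the page), the alternate site must actually be able to deliver the SDO, and any restoration time promised in an external SLA must be achievable with the real RTO. The register, process names, and figures are constructed, and the checks are the author’s own consistency rules rather than an ISACA tool.

```python
from dataclasses import dataclass
from datetime import timedelta
from typing import Dict, List, Optional


@dataclass
class BiaRecord:
    """One business process as recorded in a (constructed) BIA register."""
    process: str
    aiw: timedelta                 # acceptable interruption window set by the business
    rto: timedelta                 # recovery time objective the DR plan commits to
    rpo: timedelta                 # recovery point objective (tolerable data loss), assumed field
    backup_interval: timedelta     # how often data is actually backed up, assumed field
    sdo_pct: int                   # service delivery objective in alternate mode (% of normal)
    alt_site_capacity_pct: int     # what the alternate site can actually deliver (% of normal)
    sla_restore: Optional[timedelta] = None   # restoration time promised in an external SLA, if any


def fmt(td: timedelta) -> str:
    """Render a timedelta as e.g. '4h' or '0h15m' for findings text."""
    minutes = int(td.total_seconds() // 60)
    hours, rem = divmod(minutes, 60)
    return f"{hours}h{rem:02d}m" if rem else f"{hours}h"


def check_record(r: BiaRecord) -> List[str]:
    """Return the consistency problems found for one BIA record (empty list if none)."""
    findings: List[str] = []
    # The business will be down longer than it said it can tolerate.
    if r.rto > r.aiw:
        findings.append(f"RTO {fmt(r.rto)} exceeds AIW {fmt(r.aiw)}")
    # Backups run less often than the RPO allows, so a restore loses more data than tolerated.
    if r.backup_interval > r.rpo:
        findings.append(f"backup interval {fmt(r.backup_interval)} exceeds RPO {fmt(r.rpo)}")
    # The alternate site cannot sustain the agreed reduced service level.
    if r.alt_site_capacity_pct < r.sdo_pct:
        findings.append(f"alternate site delivers {r.alt_site_capacity_pct}% but SDO is {r.sdo_pct}%")
    # An external promise the recovery plan cannot keep.
    if r.sla_restore is not None and r.rto > r.sla_restore:
        findings.append(f"RTO {fmt(r.rto)} cannot meet SLA restoration time {fmt(r.sla_restore)}")
    return findings


def assess(register: List[BiaRecord]) -> Dict[str, List[str]]:
    """Run the checks over the whole register, keyed by process name."""
    return {r.process: check_record(r) for r in register}


def recovery_order(register: List[BiaRecord]) -> List[str]:
    """Shortest AIW first: the process the business can least afford to lose is restored first."""
    return [r.process for r in sorted(register, key=lambda r: (r.aiw, r.rto))]


# Constructed sample register (invented values, not from any real organization).
REGISTER = [
    BiaRecord("Online ordering", aiw=timedelta(hours=4), rto=timedelta(hours=2),
              rpo=timedelta(minutes=15), backup_interval=timedelta(minutes=15),
              sdo_pct=70, alt_site_capacity_pct=80, sla_restore=timedelta(hours=4)),
    BiaRecord("Customer support portal", aiw=timedelta(hours=8), rto=timedelta(hours=6),
              rpo=timedelta(hours=1), backup_interval=timedelta(hours=1),
              sdo_pct=60, alt_site_capacity_pct=40, sla_restore=timedelta(hours=4)),
    BiaRecord("Payroll", aiw=timedelta(hours=24), rto=timedelta(hours=48),
              rpo=timedelta(hours=4), backup_interval=timedelta(hours=24),
              sdo_pct=50, alt_site_capacity_pct=50),
]

if __name__ == "__main__":
    for process, findings in assess(REGISTER).items():
        print(f"{process}: {'OK' if not findings else str(len(findings)) + ' issue(s)'}")
        for finding in findings:
            print("  -", finding)
    print("Recovery priority:", " > ".join(recovery_order(REGISTER)))
```

Run as-is, the script flags Payroll (RTO longer than the AIW, and daily backups against a four-hour RPO) and the support portal (an under-provisioned alternate site and an SLA the plan cannot honor), while Online ordering passes. The ordering by AIW is the same logic a BIA uses to set recovery priorities in the DRP.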
Here are two questions that will test your understanding of this domain:


Answers:
1) Ransomware is a “high velocity” threat that can destroy information at a high rate, so incident response teams must respond more quickly.
2) The situation is clearly a security incident and should be declared and treated as such.
CISM Training
Passing the CISM exam is no easy feat.
This four-hour exam tests you on an array of information security topics while drilling down into the nitty-gritty of information security management.
Even if you have the five years of professional experience ISACA requires, it’s still in your best interest to study up.
The best way to prepare for this certification is by enrolling in StationX’s Accelerator Program. Here, you’ll gain access to over 1,000 courses and labs that allow you to both refine and further your cyber security-related skills.
In addition to courses and labs, you’ll be paired with a mentor, have access to our community, learn which certifications and career pathways are best for you, and have the chance to join a mastermind group.
Start studying for the CISM certification by taking one of these courses:
Conclusion
CISM is comprised of four knowledge domains: Information Security Governance, Information Security Risk Management, Information Security Program, and Incident Management.
To pass this four-hour, 150-question multiple-choice exam, you’ll need to brush up on the aforementioned topics related to the best cyber security management practices.
As this is an advanced cyber security certification, obtaining it will open new professional doors for you. You’ll not only become a more qualified candidate, but you’ll be able to make more money as you take on more advanced roles.
Frequently Asked Questions