CISM exam domains: A comprehensive breakdown for certification success
The Certified Information Security Manager (CISM) certification validates your ability to develop and manage enterprise information security programs. For professionals tasked with overseeing organizational information security, understanding the CISM exam domains is crucial to certification success. This article breaks down each domain to help you navigate the certification process with confidence. Candidates must demonstrate proficiency in all domains to pass the CISM certification.
The CISM certification domains and weights
Here are the key domains and subdomains included in the new exam, along with an overview of how things changed after June 1, 2022.
The CISM exam contains 150 multiple-choice questions that must be completed in four hours. Candidates are tested on four information security management areas that reflect the actual work performed by information security professionals. These CISM domain weights have been validated by subject matter experts, industry leaders, and practitioners.
As of June 1, 2022, ISACA refreshed the CISM knowledge domains with the following weights:
- Domain 1 — Information security governance (17% exam weight)
- Domain 2 — Information security risk management (20% exam weight)
- Domain 3 — Information security program (33% exam weight)
- Domain 4 — Incident management (30% exam weight)
Understanding these CISM domain requirements is essential for creating an effective study plan. Let's explore each domain in detail.
Deep dive into CISM domain topics and breakdown
Domain 1: Information security governance domain
Weight: 17%
Total questions: 25
The first domain tests your ability to develop, maintain, and manage information security governance frameworks. You must demonstrate proficiency in identifying relevant contractual and regulatory requirements that impact the enterprise. Additionally, you'll need to describe how enterprise structure, culture, and leadership influence the performance of an information security strategy.
This domain also measures your ability to assess the impact of information security strategy on enterprise risk management. Successful candidates can align the information security program with operational objectives across business functions. Security metrics play a key role here, as they enable periodic and quantitative assessment of security performance.
The information security governance domain covers:
- Enterprise governance principles and frameworks
- Information security strategy development and implementation
- Governing security policies addressing controls, regulations, and strategy
- Robust security frameworks aligned with company objectives
- Standards development to ensure policy compliance
- Monitoring processes and metrics to evaluate effectiveness
Domain 1 outline
| Section A: Enterprise governance | Section B: Information security strategy |
|---|---|
| 1. Organizational culture | 1. Information security strategy development |
| 2. Legal, regulatory and contractual requirements | 2. Information governance frameworks and standards |
| 3. Organizational structures, roles and responsibilities | 3. Strategic planning (budgets, resources, business case, etc.) |
Understanding the CISM domain best practices for governance positions you to build security programs that align with business objectives while meeting compliance requirements.
Domain 2: Information risk management domain
Weight: 20%
Total questions: 30
The second domain focuses on identifying risks applicable to an organization. While this domain previously held greater weight in the exam, it remains crucial for certification success. Here, you'll demonstrate your ability to determine applicable risks and evaluate whether they exceed the organization's risk appetite.
For risks above acceptable thresholds, you must develop appropriate risk responses. This includes evaluating various risk treatments, defining control ownership, and implementing continuous monitoring. Effective information risk management requires periodic risk evaluation to address emerging threats, such as those arising from remote work environments.
When preparing for Domain 2, you should understand the factors influencing security risk assessment methodology and risk management implementation:
- Organizational structure and approval processes
- Company objectives and mission alignment
- Specific organizational policies and practices
- Regulatory, physical, and environmental conditions
Domain 2 outline
| Section A: Information security risk assessment | Section B: Information security risk response |
|---|---|
| 1. Emerging risk and threat landscape | 1. Risk treatment/risk response options |
| 2. Vulnerability and control deficiency analysis | 2. Risk and control ownership |
| 3. Risk assessment and analysis | 3. Risk monitoring and reporting |
The connection between information security and information risk management becomes clear in this domain, as it forms the foundation for prioritizing security investments.
Domain 3: Information security program development domain
Weight: 33%
Total questions: 50
This domain, carrying the highest weight in the CISM exam content outline, focuses on configuring and implementing information security strategies. You'll be tested on your ability to execute security strategies and develop comprehensive security programs, guidelines, procedures, and metrics for the enterprise.
Domain 3 now includes control design and selection, previously part of Domain 2. Candidates need to demonstrate knowledge of security program implementation, including control integration and evaluation methods. Another critical area is the management of external services, which requires understanding how to integrate the security program with third and fourth parties.
This domain is essential for designing effective program management plans that deliver acceptable security levels at reasonable costs. Core elements include:
- Well-developed programs supporting organizational objectives
- Security program design with stakeholder cooperation and management support
- Effective metrics and KPIs for performance assessment
- Clear guidelines for implementation phases
Domain 3 outline
| Section A: Information security program development | Section B: Information security program management |
|---|---|
| 1. Information security program resources (tools, technologies, people) | 1. Information security control design and selection |
| 2. Information asset identification and classification | 2. Information security control integrations and implementation |
| 3. Industry standards and frameworks for information security | 3. Information security control testing and evaluation |
| 4. Information security policies, procedures and guidelines | 4. Information security awareness and training |
| 5. Information security program metrics | 5. Management of external services (third parties, fourth parties, providers, suppliers) |
| 6. Information security program communications and reporting | |
Mastering this domain requires a comprehensive understanding of security program implementation across all business functions.
Domain 4: Information security incident management domain
Weight: 30%
Total questions: 45
The final domain addresses readiness for information security incidents. You'll need to outline procedures for developing an incident response plan, including methodologies for categorizing incidents and approaches for testing response plans.
Incident management operations involve the ongoing management of reported incidents. You must describe methods for evaluating, investigating, and containing security events. Understanding the relationship between incident response procedures, business continuity, and business impact is crucial for this domain.
Candidates must demonstrate the ability to:
- Identify and contain incidents
- Address root causes of security events
- Manage various disruptions (environmental, technical, intentional acts)
- Define primary causes of each disruption
- Implement consistent incident response procedures
- Communicate effectively with stakeholders during incidents
Domain 4 outline
| Section A: Incident management readiness | Section B: Incident management operations |
|---|---|
| 1. Incident response plan | 1. Incident management techniques and tools |
| 2. Business impact analysis | 2. Incident investigation and evaluation |
| 3. Business continuity plan | 3. Incident containment methods |
| 4. Disaster recovery plan | 4. Incident response communications (e.g., notification, reporting, escalation) |
| 5. Incident categorization/classification | 5. Incident recovery and eradication |
| 6. Incident management testing, evaluation and training | 6. Post-incident review practices |
The incident management domain ensures you can respond effectively to security events while minimizing business impact.
Conclusion
Understanding the CISM domain breakdown is essential for exam success. Whether you're beginning your CISM journey or preparing to take the exam, familiarity with these domains will help you create an effective study strategy. The distribution of exam questions reflects the relative importance of each domain, with the information security program and incident management domains carrying the most weight.
Ready to take the next step? Find guidance in our various CISM resources:
- CISM study resources: Review comprehensive preparation materials.
- CISM certification requirements: Understand all the steps required to earn this valuable credential.
- CISM exam cost: Covers costs and payment options.
- Tips for CISM exam success: Maximize your chances of passing on the first attempt.
- CISM CPE credits: Learn to maintain your certification through ongoing professional education.
For a detailed insight into the CISM certification, check out our ISACA CISM hub.