CISM
Coming Soon
Expected availability announced soon

This course is in active development. Preview the scope below and create a free account to be notified the moment it goes live.

CISM®

ISACA Certified Information Security Manager (CISM) training equips managers to design, implement, and govern enterprise security programs, aligning risk management with business objectives and regulatory requirements.

Exam length: 240 minutes
Questions: 150
Passing score: 450/800
Exam cost: $575 (ISACA member) / $760 (non-member)

Who Should Take This

This course is intended for seasoned information security professionals with at least five years of experience leading or overseeing enterprise security initiatives. It suits those who want to validate their expertise, advance to senior management roles, and ensure their organizations meet governance, risk, and compliance obligations.

What's Covered

All domains and objectives in the ISACA Certified Information Security Manager (CISM) exam: Domain 1 Information Security Governance, Domain 2 Information Security Risk Management, Domain 3 Information Security Program, and Domain 4 Incident Management.

What's Included in AccelaStudy® AI

Adaptive Knowledge Graph
Practice Questions
Lesson Modules
Console Simulator Labs
Exam Tips & Strategy
20 Activity Formats

Course Outline

60 learning goals
Domain 1: Information Security Governance (4 topics)

Security governance framework

  • Apply information security governance principles to establish organizational structures that ensure accountability, authority, and oversight of the security function.
  • Analyze regulatory and legal requirements to determine their impact on information security governance and ensure compliance integration into governance frameworks.
  • Design governance reporting structures that communicate security posture, risk exposure, and compliance status to senior management and board of directors effectively.

Security strategy and alignment

  • Develop information security strategies that align with enterprise objectives, risk appetite, and business requirements while addressing current and emerging threats.
  • Analyze the enterprise architecture and technology environment to identify security requirements and integration points for security controls.
  • Apply security metrics and key performance indicators to measure security program effectiveness and demonstrate return on security investment to stakeholders.
  • Evaluate the integration of information security considerations into enterprise architecture and technology roadmap decisions to ensure security by design.

Security policies and culture

  • Develop comprehensive information security policies, standards, and procedures that reflect organizational risk tolerance and regulatory requirements.
  • Apply organizational change management principles to build and sustain a security-aware culture across all levels of the enterprise.
  • Evaluate the effectiveness of security awareness programs by analyzing behavioral metrics, phishing simulation results, and incident trend data.

Information security roles and responsibilities

  • Apply organizational design principles to define information security roles including CISO, security architects, security analysts, and security operations staff with clear responsibilities.
  • Evaluate the effectiveness of security role assignments and reporting structures to identify accountability gaps and organizational impediments to security program execution.
  • Design security competency frameworks that define required skills, experience, and certifications for security roles aligned with organizational risk profile and maturity level.
Domain 2: Information Security Risk Management (4 topics)

Risk identification and assessment

  • Apply risk identification methodologies to systematically discover information security threats, vulnerabilities, and exposures across the enterprise.
  • Analyze threat landscapes including advanced persistent threats, insider threats, supply chain risks, and emerging technology threats to assess organizational exposure.
  • Apply qualitative and quantitative risk assessment techniques including FAIR methodology to evaluate likelihood and impact of identified risk scenarios.
  • Design enterprise risk assessment programs that integrate information security risk with operational, financial, and strategic risk management processes.

Risk treatment and response

  • Evaluate risk treatment options including avoidance, mitigation, transfer, and acceptance to select appropriate responses aligned with organizational risk appetite.
  • Apply control selection frameworks to implement security controls that effectively reduce identified risks to acceptable levels within budget constraints.
  • Design risk treatment plans that document selected controls, implementation timelines, responsible parties, and residual risk acceptance criteria.
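
The quantitative assessment objective above ("including FAIR methodology") and the treatment-selection objectives in this topic are the kind of thing a candidate should be able to do with numbers, not just name. The following is an added example written for this page, not course material or ISACA content: it models one risk scenario with the FAIR factors (threat event frequency, vulnerability, loss magnitude), runs a small Monte Carlo simulation to get expected annual loss and a 90th-percentile year, and then compares the four treatment options as changes to those factors. The scenario, the three-point estimates, the insurance retention cap and every treatment cost are constructed illustrative figures, and the use of triangular distributions and a Poisson event count is a simplification of what a full FAIR analysis would do.

```python
"""FAIR-style risk quantification and treatment comparison (added example;
all figures are constructed, not ISACA or FAIR Institute data)."""
import math
import random
import statistics
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Estimate:
    """Calibrated three-point estimate: minimum, most likely, maximum."""
    low: float
    mode: float
    high: float

    def point(self) -> float:
        # PERT-weighted single value, handy for a quick register entry.
        return (self.low + 4 * self.mode + self.high) / 6

    def sample(self, rng: random.Random) -> float:
        # Triangular draw; a full FAIR analysis would fit a PERT/beta curve.
        if self.high == self.low:
            return self.low
        return rng.triangular(self.low, self.high, self.mode)

    def scaled(self, factor: float) -> "Estimate":
        return Estimate(self.low * factor, self.mode * factor, self.high * factor)


@dataclass(frozen=True)
class Scenario:
    """TEF x Vulnerability = Loss Event Frequency; LEF x Loss Magnitude = annual loss."""
    name: str
    tef: Estimate            # threat event frequency: attempts per year
    vulnerability: Estimate  # probability an attempt becomes a loss event
    magnitude: Estimate      # loss per loss event, currency units
    retention_cap: float = math.inf  # per-event loss retained once insurance pays

    def point_ale(self) -> float:
        """Annualized loss expectancy from the PERT point estimates."""
        lm = min(self.magnitude.point(), self.retention_cap)
        return self.tef.point() * self.vulnerability.point() * lm

    def simulate(self, trials: int = 10_000, seed: int = 7) -> list[float]:
        """Per simulated year: draw TEF and vulnerability, draw the number of
        loss events from Poisson(LEF), draw a magnitude per event and sum."""
        rng = random.Random(seed)
        years = []
        for _ in range(trials):
            lef = self.tef.sample(rng) * self.vulnerability.sample(rng)
            events = _poisson(rng, lef)
            years.append(sum(min(self.magnitude.sample(rng), self.retention_cap)
                             for _ in range(events)))
        return years


def _poisson(rng: random.Random, lam: float) -> int:
    # Knuth's method; fine for the small rates (a few events per year) used here.
    limit = math.exp(-lam)
    count, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return count
        count += 1


def summarize(annual_losses: list[float]) -> dict:
    """Mean (the simulated ALE), 90th-percentile year and worst year."""
    ordered = sorted(annual_losses)
    return {"mean": statistics.fmean(ordered),
            "p90": ordered[int(0.9 * (len(ordered) - 1))],
            "max": ordered[-1]}


def treat(scenario: Scenario, option: str, insurance_cap: float = 500_000) -> tuple[Scenario, float]:
    """Treatment options as changes to the FAIR factors plus an assumed annual cost."""
    if option == "accept":      # do nothing; residual risk is the inherent risk
        return scenario, 0.0
    if option == "avoid":       # retire the exposed service; cost = forgone business value
        return replace(scenario, tef=Estimate(0, 0, 0)), 900_000
    if option == "mitigate":    # e.g. MFA + EDR cut the success probability by 75%
        return replace(scenario, vulnerability=scenario.vulnerability.scaled(0.25)), 120_000
    if option == "transfer":    # cyber insurance pays losses above the cap; cost = premium
        return replace(scenario, retention_cap=insurance_cap), 60_000
    raise ValueError(f"unknown treatment option: {option}")


def total_cost_of_risk(scenario: Scenario, option: str) -> float:
    """Residual expected annual loss plus the cost of the treatment."""
    residual, cost = treat(scenario, option)
    return summarize(residual.simulate())["mean"] + cost


def within_appetite(scenario: Scenario, option: str, appetite: float) -> bool:
    """Risk appetite expressed as a ceiling on expected annual loss."""
    residual, _ = treat(scenario, option)
    return summarize(residual.simulate())["mean"] <= appetite


def best_option(scenario: Scenario) -> str:
    """Cheapest option by residual loss plus treatment cost (budget view)."""
    return min(("accept", "avoid", "mitigate", "transfer"),
               key=lambda opt: total_cost_of_risk(scenario, opt))


# Constructed scenario: ransomware through an internet-exposed remote access service.
RANSOMWARE = Scenario(
    name="Ransomware via exposed remote access",
    tef=Estimate(2, 6, 12),                          # credential attack campaigns per year
    vulnerability=Estimate(0.05, 0.15, 0.40),        # probability a campaign gains a foothold
    magnitude=Estimate(50_000, 400_000, 3_000_000),  # recovery, downtime, notification, ransom
)

if __name__ == "__main__":
    print(f"{RANSOMWARE.name}: point ALE = {RANSOMWARE.point_ale():,.0f}")
    for option in ("accept", "mitigate", "transfer", "avoid"):
        residual, cost = treat(RANSOMWARE, option)
        s = summarize(residual.simulate())
        print(f"{option:>9}: mean {s['mean']:>12,.0f}  p90 {s['p90']:>12,.0f}  "
              f"max {s['max']:>12,.0f}  cost {cost:>9,.0f}  total {s['mean'] + cost:>12,.0f}")
    print("best by total cost of risk:", best_option(RANSOMWARE))
```

Two things worth noticing when you run it. The simulated mean is well above the PERT point ALE, because the loss-magnitude estimate is heavily right-skewed and the point estimate hides that tail; the p90 and max columns are what justify the budget conversation. And the ranking of options depends entirely on the assumed costs: with these figures mitigation wins on total cost of risk, but raising the premium or lowering the forgone business value of avoidance changes the answer, which is exactly the sensitivity a treatment plan should document alongside its residual-risk acceptance criteria.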

Risk monitoring and reporting

  • Apply risk monitoring processes to track risk indicators, control effectiveness, and changes in the threat landscape on an ongoing basis.
  • Analyze risk reporting mechanisms to ensure accurate and timely communication of risk posture, emerging risks, and treatment status to stakeholders.
  • Evaluate third-party and vendor risk management processes including due diligence assessments, contractual security requirements, and continuous monitoring.

Emerging risk and technology risk

  • Analyze emerging technology risks including cloud adoption, AI/ML systems, IoT deployments, and quantum computing threats to assess organizational exposure and readiness.
  • Evaluate supply chain and third-party cybersecurity risks by assessing vendor security postures, contractual obligations, and continuous monitoring mechanisms.
  • Design risk scenarios for emerging threats including ransomware campaigns, nation-state attacks, and deepfake-enabled social engineering to test organizational preparedness.
Domain 3: Information Security Program (5 topics)

Security program development

  • Design information security program frameworks that integrate with enterprise governance, risk management, and compliance structures effectively.
  • Apply resource management principles to plan and allocate personnel, budget, and technology resources for security program implementation.
  • Develop security program roadmaps that prioritize initiatives based on risk reduction impact, business value, and implementation feasibility.

Security architecture and controls

  • Apply security architecture principles including defense in depth, zero trust, and least privilege to design layered security controls across the enterprise.
  • Evaluate identity and access management controls including authentication mechanisms, authorization models, privileged access management, and federation.
  • Apply data protection controls including encryption, data loss prevention, tokenization, and classification schemes to protect information throughout its lifecycle.
  • Analyze cloud security requirements to implement appropriate controls for IaaS, PaaS, and SaaS environments within the shared responsibility model.
  • Implement network security controls including segmentation, intrusion detection systems, web application firewalls, and DNS security to protect enterprise networks at the perimeter and between internal segments.

Security operations management

  • Apply security operations management practices to oversee vulnerability management, patch management, and security monitoring functions.
  • Evaluate SIEM and security orchestration capabilities to assess detection coverage, alert quality, and automated response effectiveness.
  • Design security operations improvement programs based on analysis of threat intelligence, detection gaps, and incident response performance metrics.
  • Apply threat intelligence management practices to integrate tactical, operational, and strategic intelligence into security operations and risk management decisions.

Security program management and integration

  • Apply change management processes to ensure security controls remain effective during organizational changes, technology migrations, and business transformations.
  • Evaluate security program integration with software development lifecycle, DevSecOps practices, and agile development methodologies.
  • Analyze security program maturity using capability maturity models to identify improvement areas and benchmark against industry peers.

Security compliance and assurance

  • Apply regulatory compliance management practices to integrate GDPR, HIPAA, PCI DSS, and industry-specific requirements into the security program.
  • Evaluate security assurance mechanisms including internal audits, penetration testing, red team exercises, and third-party assessments for program effectiveness.
  • Design continuous compliance monitoring programs that automate evidence collection, control testing, and regulatory reporting across multiple compliance frameworks.
Domain 4: Incident Management (4 topics)

Incident response planning

  • Design incident response plans that define roles, responsibilities, escalation procedures, and communication protocols for various incident severity levels.
  • Apply incident classification frameworks to categorize security events by type, severity, and business impact for appropriate response prioritization.
  • Evaluate incident response readiness by analyzing tabletop exercises, simulation results, and team capability assessments to identify preparedness gaps.
  • Design incident response training and exercise programs including tabletop exercises, functional drills, and full-scale simulations to build organizational response capability.

Incident detection and response

  • Apply incident detection and triage procedures to identify, validate, and prioritize security incidents using correlation of multiple data sources.
  • Apply containment and eradication strategies to limit incident impact while preserving forensic evidence for investigation and legal proceedings.
  • Analyze incident impact to determine business disruption scope, data compromise extent, and regulatory notification requirements.
  • Design incident communication plans that address internal stakeholders, external parties, regulatory bodies, and public disclosure requirements.
  • Evaluate threat intelligence integration with incident detection to assess the effectiveness of indicator enrichment, attribution analysis, and proactive threat identification.

Recovery and post-incident activities

  • Apply recovery procedures to restore affected systems and services to normal operations while validating the effectiveness of eradication measures.
  • Analyze post-incident review findings to identify root causes, evaluate response effectiveness, and derive actionable improvements for security controls.
  • Evaluate forensic investigation capabilities and evidence handling procedures to support legal and regulatory incident response requirements.
  • Design continuous improvement programs that integrate incident lessons learned into security strategy, controls, and training to strengthen organizational resilience.

Business continuity integration

  • Apply business continuity management principles to integrate incident management with disaster recovery and crisis management processes.
  • Evaluate the alignment of incident response capabilities with business continuity requirements including RTO, RPO, and maximum tolerable downtime.
  • Recommend organizational resilience strategies that address cyber threats, natural disasters, and operational disruptions through integrated response frameworks.

Scope

Included Topics

  • All domains and objectives in the ISACA Certified Information Security Manager (CISM) exam: Domain 1 Information Security Governance (17%), Domain 2 Information Security Risk Management (20%), Domain 3 Information Security Program (33%), and Domain 4 Incident Management (30%).
  • Professional-level information security management including security strategy development, security program establishment and management, risk assessment and treatment, incident response planning and execution, and alignment of security with business objectives.
  • Security governance concepts: organizational security structures, security policies and standards, regulatory compliance, board-level reporting, security metrics and KPIs, security culture development, and executive communication of security posture.
  • Risk management methodologies: threat and vulnerability analysis, risk assessment frameworks (NIST, ISO 31000, FAIR), risk treatment options, risk acceptance criteria, risk monitoring, and emerging risk identification.
  • Security program management: resource allocation, security architecture, security awareness programs, vendor management, security operations oversight, and technology integration.
  • Incident management lifecycle: incident response planning, detection and analysis, containment and eradication, recovery procedures, post-incident review, forensic investigation support, and communication protocols.

Not Covered

  • Detailed IT audit planning, execution, and reporting procedures (covered by CISA).
  • Enterprise IT governance and value delivery at board level (covered by CGEIT).
  • Hands-on technical cybersecurity operations and SOC analyst workflows (covered by CCOA).
  • Data privacy engineering and privacy-by-design implementation (covered by CDPSE).
  • Vendor-specific security product configuration and administration.

Official Exam Page

Learn more at ISACA


Trademark Notice

ISACA®, CISA®, CISM®, CRISC®, CGEIT®, and CDPSE® are registered trademarks of ISACA. ISACA does not endorse this product.

AccelaStudy® and Renkara® are registered trademarks of Renkara Media Group, Inc. All third-party marks are the property of their respective owners and are used for nominative identification only.