
Types of CISM Domains

Types of CISM domains refer to the four key areas of expertise that the Certified Information Security Manager (CISM) certification covers. These domains are essential for professionals who are responsible for managing, designing, and overseeing information security systems and processes within an organisation.

Each domain covers a specific aspect of information security management and is critical for ensuring the security and protection of sensitive data. The certification enhances the credibility of professionals in the field of information security management and prepares them for leadership roles in the industry. In this blog, you will learn what CISM is and the different types of CISM domains covered in the certification exam. Continue reading about CISA vs CISM and learn more!

Table of Contents

1) What are the Domains included in CISM? 

2) Topics covered in CISM Domains 

3) CISM job Domains 

4) Conclusion 

What are the Domains included in CISM? 

The CISM exam includes 150 multiple-choice questions with a time duration of four hours. Candidates are assessed in four functional areas. The main domains included in CISM are:

(Figure: the four domains of CISM)

Domain 1: Information Security Governance

The first domain of the CISM exam focuses on assessing candidates' competence in developing, maintaining, and managing an information security governance structure. It examines their ability to create and implement effective frameworks that govern the overall security of an organisation's information assets.

Demonstrate skills: Within this domain, candidates are required to demonstrate their understanding of various aspects. They must be able to identify and comprehend the pertinent contractual and regulatory requirements that have an impact on the enterprise. This includes recognising legal obligations, industry standards, and compliance mandates that influence Information Security practices.

Organisational hierarchy: Candidates need to describe how enterprise structure, culture, and leadership influence the performance of an organisation's information security strategy. They should have a grasp of how organisational hierarchies, communication channels, and management styles can either support or hinder the effectiveness of security initiatives.

Assessment of Information Security strategy: Another important aspect covered in this domain is the measurement of the impact of an information security strategy on enterprise risk management. Candidates must demonstrate their ability to evaluate and quantify the potential risks associated with information security, as well as the effectiveness of the implemented security measures in mitigating those risks.

Integrating security measures: Candidates will be tested on their capability to align the information security program with the operational objectives of other business functions. This involves integrating security measures into the overall business operations and ensuring that security goals are in line with the organisation's strategic objectives.

Develop and utilise metrics: Lastly, candidates can expect questions related to security metrics, which involve the effective measurement and assessment of security performance. They should understand how to develop and utilise metrics that provide a periodic and quantitative evaluation of security effectiveness, enabling organisations to track progress, identify areas for improvement, and take corrective action in their Information Security processes.

Total number of questions covered: 25 

Domain 2: Information Security Risk Management

The second domain of the CISM exam focuses on information risk management, which is crucial for organisations to effectively identify and address potential risks. This domain introduces several important concepts such as exposures, vulnerabilities, threats, impacts, and various recovery-related metrics like Recovery Time Objective (RTO) and Recovery Point Objective (RPO).

Understanding these concepts allows individuals to assess the risks faced by an organisation and take appropriate actions. By calculating and evaluating possible risks, one can determine whether to avoid, transfer, accept, or mitigate them. This strategic approach saves time for both the individual and their team, ultimately demonstrating their value and benefit to the organisation.

Total number of questions covered: 30 

Learn about the important steps that go into information security governance. Register right away for our CISM Certified Information Security Manager Training!

Domain 3: Information Security Program Development and Management (ISPDM) 

The third domain, ISPDM, focuses on security program development and management. Its primary objective is to design effective strategies and implement them in a cost-effective manner. Furthermore, it is crucial to align these strategies with the desired goals and outcomes of the company. There are several challenges associated with ISPDM, namely:

a) People: Dealing with personnel-related issues and ensuring their cooperation and adherence to security measures. 

b) Processes: Establishing efficient processes to manage security programs and ensure their effectiveness.

c) Policy Issues: Addressing policy-related challenges and ensuring compliance with regulatory requirements. 

d) Program Objectives: Aligning the security program with the organisation's objectives and continuously monitoring its progress. 

Ethical and legal considerations play a vital role in ISPDM, encompassing aspects such as regulatory requirements and personnel obligations. It is essential to calculate and manage risks effectively: by addressing potential risks early, a better overall outcome can be attained.

Total questions covered: 50 

Domain 4: Information Security Incident Management (ISIM) 

The final domain focuses on preparedness for handling Information Security incidents. This domain deals with managing problems that are unplanned. Candidates are required to outline the necessary procedures and prerequisites for developing an incident response plan. Furthermore, attention should be given to methodologies for categorising or classifying incidents, as well as how the response plan is to be thoroughly tested and evaluated.

Incident Management also encompasses the operational aspect, which involves the continuous management of reported incidents. Candidates must provide a description of the methods and processes employed to assess, investigate, and effectively contain an incident. Moreover, it is vital to comprehend the relationship between incident response, business continuity, and the impact on the overall business. One of the primary objectives of this domain is to ensure that candidates can promptly identify and contain incidents while addressing their underlying causes.

Total questions covered: 45 

How to sustain your CISM certification

It is critical that you earn 120 hours of CPE over the course of three years to keep your CISM certification active. A minimum of 20 hours must be earned each year and submitted to ISACA, the industry's governing body. Before renewing the certification for the current year, it is crucial to make sure that the prerequisites for the prior year have been met. It is necessary to stay informed and compliant with the annual CPE audits conducted by the governing body. Additionally, you must report your CPE hours earned every three years, with at least 20 hours per year, and pay the appropriate fee of £69 for non-members or £36 for members.

As a CISM certified professional, you are also expected to abide by the Code of Professional Ethics established by ISACA. Maintaining your certification and preserving the standards of the profession depend on your adherence to these rules.

You can take part in information security management-related conferences, seminars, training sessions, or webinars to earn CPE hours. You can also obtain CPE hours by participating in peer-reviewed publications, writing papers, or reading books. Making sure that the selected tasks fit within the CISM job practice areas is essential. 

The four CISM job practice areas include: 

a) Information Security Governance 

b) Information Risk Management 

c) Information Security Program Management

d) Information Security Incident Management

(Figure: the difference between old CISM Domains and new CISM Domains)

Conclusion

The four CISM domains cover a broad range of skills and knowledge required for effective Information Security management. After becoming CISM certified and gaining expertise in these domains, individuals can enhance their knowledge and skills in information security management, which can lead to career growth opportunities in the field. Consequently, the CISM domains provide a comprehensive framework for advancing one's career in Information Security management.

Become proficient in Information Security Management with our CISM Training. Sign up today!  
