CISM cheat sheet

A one-page reference for the ISACA CISM — Certified Information Security Manager exam: the format, how the domains are weighted, and the glossary terms for this exam.

Exam at a glance

Vendor
ISACA
Level
Advanced
Questions
100
Time
180 min
Mock pass mark
70%
Domains
4
Practice Qs
121
Code
CISM

Domain weightings

How much of the exam each domain covers. Spend your study time in proportion — the heavier the domain, the more questions you'll see.

Key terms

Information Security Governance
Information Security Governance is the system of leadership, structure, and processes that ensures security supports and extends the organization's strategy and objectives. CISM Domain 1 treats it as the foundation that aligns security with business goals.
Security Strategy
Security Strategy is the long-term plan that defines how information security will achieve the organization's desired state and support its objectives. CISM expects the strategy to be driven by business goals, not technology for its own sake.
Risk Appetite
Risk Appetite is the amount and type of risk an organization is willing to accept in pursuit of its objectives. CISM uses it, alongside risk tolerance, to guide which risks to treat, accept, transfer, or avoid.
Risk Management
Risk Management is the coordinated process of identifying, assessing, responding to, and monitoring information risk. CISM Domain 2 frames it as ongoing and business-aligned rather than a one-time exercise.
Residual Risk
Residual Risk is the risk that remains after controls and other responses have been applied. CISM holds that management formally accepts residual risk once it is within the organization's risk appetite.
Business Impact Analysis
Business Impact Analysis (BIA) is the process of determining the effect of disruptions on business functions to prioritize recovery. CISM uses the BIA to derive recovery objectives such as RTO and RPO.
RTO and RPO
RTO and RPO are the two core recovery objectives: Recovery Time Objective is the target time within which a process must be restored after disruption, and Recovery Point Objective is the maximum tolerable data loss measured in time. CISM distinguishes RTO from the maximum tolerable downtime (MTD), which is the absolute limit the RTO must stay within, and derives both from the business impact analysis.
KRI
A Key Risk Indicator (KRI) is a metric that provides an early signal of increasing risk exposure. CISM uses KRIs to monitor risk trends and trigger action before an event occurs, distinct from a KPI which measures performance.
Security Metrics
Security Metrics are measurements used to gauge the effectiveness and value of the security program. CISM stresses metrics that are meaningful to management and tied to objectives, not just technical counts.
Security Program
A Security Program is the coordinated set of activities, resources, and controls that executes the security strategy. CISM Domain 3 is the largest domain and covers building, running, and measuring the program.
Security Controls
Security Controls are the administrative, technical, and physical safeguards used to reduce risk to an acceptable level. CISM expects controls to be selected based on risk and mapped to a recognized framework.
Defense in Depth
Defense in Depth is the practice of layering multiple independent controls so the failure of one does not expose the asset. CISM treats it as a core design principle when building the security program.
Incident Management
Incident Management is the structured process of preparing for, detecting, responding to, and recovering from security incidents. CISM Domain 4 covers the full lifecycle and its integration with business continuity.
Incident Response Plan
An Incident Response Plan is the documented set of procedures and responsibilities for handling a security incident. CISM emphasizes defining and regularly testing the plan and the response team before an incident occurs.
Third-Party Risk
Third-Party Risk is the risk introduced by vendors, suppliers, and other external service providers. CISM covers managing it through due diligence, contractual controls, and ongoing monitoring within the security program.