Information Security Governance
17% of exam
Information Security Risk Management
20% of exam
Information Security Program
33% of exam
Program Resources, Asset Classification, Controls, Awareness, Third Parties
Incident Management
30% of exam
Quick Facts
- Exam: CISM
- Credential: Certified Information Security Manager
- Questions: 150 MCQ
- Time: 4 hours
- Pass: 450/800
- Provider: ISACA
- Experience: 5 years
- Update: Nov 3 2026
Manager Lens
Business risk before technical detail.
Business, Risk, Ownership, Evidence
Governance vs Management
Governance
- Direction
- Accountability
- Oversight
Management
- Execution
- Resources
- Operations
Governance decides why; management decides how
Enterprise Governance
- Board
- Sets direction
- Executives
- Sponsor strategy
- Steering committee
- Prioritizes investments
- Culture
- Shapes behavior
- Regulation
- External obligation
- Contract
- Partner obligation
- Charter
- Authority source
- Accountability
- Owned outcomes
Policy vs Standard
Policy
- Management intent
- High level
- Stable
Standard
- Mandatory rule
- Specific control
- Measurable
Policy directs standards
Security Strategy
- Alignment
- Supports objectives
- Roadmap
- Sequenced change
- Business case
- Investment rationale
- Budget
- Funded priorities
- Framework
- Governance structure
- Policy
- Management intent
- Standard
- Mandatory rule
- Guideline
- Recommended practice
Management Signals
- Effectiveness
- Goal achieved
- Efficiency
- Resources optimized
- Compliance
- Requirement met
- Assurance
- Confidence level
- Benchmark
- External comparison
- Trend
- Direction over time
- Dashboard
- Executive view
- Exception
- Approved deviation
Risk Response Four
Avoid, mitigate, transfer, accept.
Avoid, Mitigate, Transfer, Accept
Inherent vs Residual Risk
Inherent
- Before controls
- Raw exposure
- Assessment start
Residual
- After controls
- Accepted exposure
- Decision point
Residual needs ownership
Risk Response Picker
- Risk exceeds appetite → Mitigate (reduce exposure)
- Activity unnecessary → Avoid (stop work)
- Insurance fits → Transfer (share impact)
- Within appetite → Accept (document approval)
- Owner missing → Assign owner (business accountable)
- Risk changes → Reassess (update register)
- Controls fail → Remediate (track action)
- Executives ask → Risk report (business impact)
Risk Assessment
- Asset
- Value holder
- Threat
- Potential cause
- Vulnerability
- Weakness
- Impact
- Business harm
- Likelihood
- Event probability
- Inherent risk
- Before controls
- Residual risk
- After controls
- Risk register
- Tracked risks
Risk Response
- Avoid
- Stop activity
- Mitigate
- Reduce risk
- Transfer
- Share impact
- Accept
- Approve exposure
- Appetite
- Risk the business is willing to accept
- Tolerance
- Allowed variance from appetite
- Owner
- Business accountable
- KRIs
- Risk signals
Program Cycle
Design, implement, test, report, improve.
Design, Implement, Test, Report, Improve
Metric vs KRI
Metric
- Program performance
- Control status
- Trend evidence
KRI
- Risk signal
- Threshold breach
- Decision trigger
KRIs warn early
Program Control Picker
- Behavior problem → Awareness (change conduct)
- Missing rule → Policy (set intent)
- Need mandate → Standard (make required)
- Need evidence → Test controls (prove operation)
- Vendor risk → Contract controls (set obligations)
- Program unclear → Metrics (show status)
Program Development
- Resources
- People/tools/funds
- Architecture
- Control placement
- Asset inventory
- Known information
- Classification
- Value sensitivity
- Metrics
- Program evidence
- Process
- Repeatable workflow
- Capability
- Operational ability
- Maturity
- Process depth
Control Management
- Preventive
- Stops events
- Detective
- Finds events
- Corrective
- Restores state
- Directive
- Guides behavior
- Compensating
- Alternate safeguard
- Testing
- Control evidence
- Awareness
- Behavior change
- Suppliers
- External dependency
Incident Flow
Triage, contain, investigate, recover, improve.
Triage, Contain, Investigate, Recover, Improve
BCP vs DRP
BCP
- Business processes
- Continuity focus
- People included
DRP
- Technology recovery
- Systems focus
- Restore platforms
DRP supports BCP
Incident Action Picker
- Possible event → Triage (classify first)
- Damage spreading → Contain (limit scope)
- Facts unclear → Investigate (preserve evidence)
- Law requires → Notify (meet deadline)
- Service down → Recover (meet RTO)
- Data lost → Restore (meet RPO)
- Incident closed → Post-review (find causes)
- Plan untested → Exercise (validate readiness)
Incident Readiness
- IRP
- Response playbook
- BIA
- Impact priorities
- BCP
- Business continuity
- DRP
- Technology recovery
- RTO
- Maximum tolerable restore time
- RPO
- Maximum tolerable data loss
- Tabletop
- Scenario exercise
- Escalation
- Authority path
Containment vs Eradication
Containment
- Limit spread
- Short term
- Preserve evidence
Eradication
- Remove cause
- Longer term
- Clean environment
Contain before eradicate
Incident Operations
- Detection
- Identify incident
- Triage
- Prioritize response
- Containment
- Limit damage
- Investigation
- Establish facts
- Evidence
- Preserve integrity
- Notification
- Required reporting
- Recovery
- Resume service
- Lessons learned
- Improve controls
Common Traps
Security vs Business
Technical perfection ≠ Business alignment
Risk Owner
Security team owns ≠ Business owns
Compliance Trap
Compliance equals security ≠ Compliance informs risk
Incident First Step
Fix immediately ≠ Classify and contain
Metrics Trap
Count activities ≠ Show outcomes
Policy Detail
Procedure steps ≠ Management direction
Last Minute
1. Business owns risk
2. Governance sets direction
3. Management executes strategy
4. Residual risk needs approval
5. Policy guides standards
6. BCP precedes DRP
7. Contain before eradication
8. Metrics show outcomes
9. Vendors need contracts
10. Post-review improves program