CISM Exam Flashcards

Q: What are the four CISM domains?

ISACA's CISM exam covers four domains: Information Security Governance (17%), Information Security Risk Management (20%), Information Security Program (33%), and Incident Management (30%). The Program and Incident Management domains together carry roughly 63% of the exam, reflecting CISM's management and execution focus.

Q: What is the CISM passing score?

CISM uses a scaled score from 200 to 800, and a score of 450 or higher is required to pass. The scaled score is not a percentage of correct answers; it normalizes difficulty across exam forms. Candidates receive a preliminary result at the test center and an official score after ISACA review.

Q: How is the CISM exam structured?

The CISM exam has 150 multiple-choice questions with a 4-hour (240-minute) time limit. Items emphasize the security manager's perspective — what to decide, fund, communicate, and improve — rather than deep technical implementation. The exam is delivered at PSI test centers or via remote online proctoring.

Q: What experience is required for CISM certification?

Anyone may sit the CISM exam, but certification requires five years of professional information security management experience. Experience waivers of up to two years are available for certain credentials and education. Candidates must apply for certification within five years of passing the exam.

Q: When does the CISM exam content outline change?

ISACA states the CISM Exam Content Outline updates effective 3 November 2026. Candidates testing before that date should study the current four-domain outline and avoid mixing it with the later blueprint. Maintaining certification requires 120 CPE hours per three-year reporting cycle plus annual maintenance fees.

Question 1

The Security Manager Mindset

Accepted Answer

CISM tests management judgment, not deep technical skill. The best answer usually defines direction, assigns ownership, aligns to business objectives, and produces evidence management can use — not the most technical fix.

Question 2

Scaled Score 450/800

Accepted Answer

CISM is scored 200–800, with 450 required to pass. The scale normalizes difficulty across forms, so it is not a raw percentage correct. Focus on domain weighting rather than counting questions.

Question 3

CISM Domain Weighting

Accepted Answer

Governance 17%, Risk Management 20%, Security Program 33%, Incident Management 30%. Program and Incident Management together are about 63% of the exam — allocate study time accordingly.

Question 4

One-Best-Answer Elimination

Accepted Answer

Most CISM options are partially defensible. Eliminate technically-narrow or reactive choices and pick the answer that protects business objectives, assigns accountability, and is sustainable.

Question 5

Preliminary vs. Official Score

Accepted Answer

You receive a preliminary pass/fail at the test center; ISACA issues the official score after review. Treat the official result as final and remember certification still requires the experience application.

Question 6

Information Security Governance

Accepted Answer

The CISM domain (17%) establishing the structure, strategy, roles, and oversight that direct security in support of business goals. Governance sets direction; management executes within it.

Question 7

Governance vs. Management

Accepted Answer

Governance defines direction, risk appetite, and accountability (board/executive); management implements and operates controls. Confusing the two is a classic CISM distractor.

Question 8

Security Strategy Alignment

Accepted Answer

The security strategy must support business objectives and be endorsed by senior leadership. A strategy disconnected from business goals fails regardless of technical strength.

Question 9

Senior Leadership Commitment

Accepted Answer

The single most important success factor for a security program. Without executive sponsorship and funding, policies and controls lack authority and adoption — secure it first.

Question 10

Roles & Responsibilities (RACI)

Accepted Answer

Clear assignment of who is Responsible, Accountable, Consulted, and Informed. Security accountability stays with management/data owners even when execution is delegated or outsourced.

Question 11

Legal, Regulatory & Contractual Requirements

Accepted Answer

External obligations (law, regulation, contracts) set mandatory baselines the strategy must meet. Compliance is a minimum floor, not the goal of the program.

Question 12

Security Governance Frameworks

Accepted Answer

Reference models (e.g., COBIT, ISO/IEC 27001, NIST CSF) provide structure for governance and controls. Frameworks are adapted to the organization, not adopted unchanged.

Question 13

Business Case for Security Investment

Accepted Answer

Justifies spend in business terms: risk reduced, obligations met, value enabled, and cost. Security funding decisions should be framed for executives, not as technical wish lists.

Question 14

Information Security Risk Management

Accepted Answer

The CISM domain (20%) covering identifying, analyzing, treating, and monitoring information risk so leadership can make informed, risk-based decisions.

Question 15

Risk = Threat × Vulnerability × Impact

Accepted Answer

Risk exists only when a threat can exploit a vulnerability to cause business impact on an asset. Removing any factor reduces the risk; assess all three together.

Question 16

Inherent vs. Residual Risk

Accepted Answer

Inherent risk is the exposure before controls; residual risk is what remains after controls. Management accepts residual risk only if it is within risk appetite.

Question 17

Risk Appetite vs. Risk Tolerance

Accepted Answer

Appetite is the broad level of risk leadership is willing to pursue; tolerance is the acceptable variation around specific objectives. Both are set by governance, not by the security team alone.

Question 18

Risk Treatment Options

Accepted Answer

Mitigate (apply controls), transfer (insure/contract), avoid (stop the activity), or accept (formally retain). The choice is a business decision justified by cost versus risk reduction.

Question 19

Risk Ownership

Accepted Answer

Risk is owned by the business/asset owner who accepts it, not by the security manager. Security advises and reports; accountability for accepting residual risk stays with the business.

Question 20

Qualitative vs. Quantitative Risk Analysis

Accepted Answer

Qualitative uses ratings (high/medium/low) — fast, subjective; quantitative uses monetary values (e.g., ALE) — data-heavy, comparable. Choose based on data availability and decision need.

Question 21

Annual Loss Expectancy (ALE)

Accepted Answer

ALE = Single Loss Expectancy × Annual Rate of Occurrence. It expresses expected yearly loss in money so a control's cost can be compared to the risk it reduces.

Question 22

Risk Assessment vs. Risk Analysis

Accepted Answer

Analysis estimates likelihood and impact of identified risks; assessment is the broader process of identifying, analyzing, and evaluating risks against criteria for treatment decisions.

Question 23

Key Risk Indicator (KRI)

Accepted Answer

A metric that signals rising risk exposure before it becomes a loss, enabling early action. KRIs feed risk monitoring and reporting to leadership.

Question 24

Risk Monitoring & Reporting

Accepted Answer

Continuous tracking of risk levels, controls, and KRIs, reported to the right stakeholders. Risk is dynamic — a one-time assessment is insufficient.

Question 25

Information Security Program

Accepted Answer

The CISM domain (33%, the largest) covering building, resourcing, and managing the program that executes the security strategy through people, processes, and technology.

Question 26

Program vs. Strategy

Accepted Answer

The strategy defines what to achieve and why; the program is how it is delivered and operated. A program without strategy alignment drifts and cannot justify its value.

Question 27

Asset Identification & Classification

Accepted Answer

You cannot protect what you have not identified and valued. Classification by sensitivity/criticality drives proportionate control selection — it is the foundation of the program.

Question 28

Data Owner vs. Data Custodian

Accepted Answer

The owner (business) classifies data and approves access and risk; the custodian (IT/security) implements and maintains protective controls. Accountability remains with the owner.

Question 29

Policy, Standard, Procedure, Guideline

Accepted Answer

Policy = mandatory intent; standard = mandatory specifics; procedure = step-by-step how-to; guideline = recommended practice. Only policies/standards are enforceable requirements.

Question 30

Preventive, Detective, Corrective Controls

Accepted Answer

Preventive stops an incident; detective identifies one in progress; corrective restores after one. A balanced program uses all three — relying only on prevention is fragile.

Question 31

Administrative, Technical, Physical Controls

Accepted Answer

Administrative = policies/process; technical = system/logical; physical = facility protection. Defense in depth layers all three so one failure does not collapse security.

Question 32

Defense in Depth

Accepted Answer

Layering multiple, independent controls so the failure of one does not cause total compromise. The goal is resilient overlap, not a single perfect control.

Question 33

Control Testing & Evaluation

Accepted Answer

Controls must be tested for design and operating effectiveness, not assumed to work. Untested controls give false assurance and are a common audit and exam trap.

Question 34

Security Awareness & Training

Accepted Answer

Targets the human risk factor and must be role-relevant and reinforced. Awareness changes behavior; one-time annual training without reinforcement has limited effect.

Question 35

Third-Party / Supplier Risk

Accepted Answer

Outsourcing transfers work, not accountability. The organization remains responsible for vendor security through contracts, right-to-audit, and ongoing monitoring.

Question 36

Security Program Metrics

Accepted Answer

Metrics must show whether the program reduces risk and supports objectives, communicated to the right audience. Activity counts alone do not demonstrate value to leadership.

Question 37

Incident Management

Accepted Answer

The CISM domain (30%) covering preparing for, detecting, responding to, and recovering from security incidents while limiting business impact.

Question 38

Event vs. Incident

Accepted Answer

An event is any observable occurrence; an incident is an event that actually or potentially harms confidentiality, integrity, or availability. Classification triggers the response process.

Question 39

Incident Response Plan (IRP)

Accepted Answer

The documented, tested process and roles for handling incidents. Plans must be exercised before a real incident; an untested plan typically fails under pressure.

Question 40

Incident Response Lifecycle

Accepted Answer

Prepare → detect/analyze → contain → eradicate → recover → post-incident review. Containment usually precedes eradication to stop spread before removing the cause.

Question 41

Containment Priority

Accepted Answer

The first operational goal during an active incident is to limit damage and stop spread, balancing speed against preserving evidence and maintaining critical operations.

Question 42

Business Impact Analysis (BIA)

Accepted Answer

Identifies critical processes and the impact of disruption over time, producing recovery priorities. BIA outputs drive RTO/RPO and the continuity and recovery plans.

Question 43

RTO vs. RPO

Accepted Answer

RTO = maximum tolerable time to restore a process after disruption; RPO = maximum tolerable data loss measured in time. RTO is about downtime; RPO is about data currency.

Question 44

BCP vs. DRP

Accepted Answer

Business Continuity Plan keeps critical business functions running during disruption; Disaster Recovery Plan restores IT systems and data. DRP is a technical subset supporting the BCP.

Question 45

Incident Classification & Severity

Accepted Answer

Categorizing incidents by type and severity drives escalation, resourcing, and communication. Misclassification causes either over-reaction or dangerous under-response.

Question 46

Incident Communication & Escalation

Accepted Answer

Predefined notification paths to management, legal, regulators, and customers. Communication is planned in advance so the team is not improvising during a live incident.

Question 47

Chain of Custody

Accepted Answer

Documented handling of evidence to keep it admissible and credible. Improper collection or handling during response can make evidence unusable in legal action.

Question 48

Eradication & Recovery

Accepted Answer

Eradication removes the root cause (malware, access, vulnerability); recovery validates and returns systems to normal. Restoring before eradicating risks immediate reinfection.

Question 49

Post-Incident Review (Lessons Learned)

Accepted Answer

A structured review after closure to identify root cause and improve controls and the plan. Skipping it guarantees repeat incidents; it is a required, not optional, step.

Question 50

Incident Testing & Exercises

Accepted Answer

Tabletop and simulation exercises validate the IRP, BCP, and DRP and build team readiness. Plans degrade over time, so testing must be periodic and documented.

Free CISM Exam Flashcards

Filter by Topic

Jump to Card

About These CISM Flashcards

Topics Covered

Frequently Asked Questions

CISM

Explore More ISACA Certifications

CISA

CRISC Certified in Risk and Information Systems Control

ISACA COBIT 2019 Foundation

ISACA AAIA Advanced in AI Audit

ISACA AAIR Advanced in AI Risk

ISACA AAISM Advanced in AI Security Management

More From This Family