

ISACA® CISM® study guide mind map

ISACA® is a registered trademark of Information Systems Audit and Control Association. CISA®, Certified Information Systems Auditor®, CISM®, CGEIT®, Certified in the Governance of Enterprise IT/CGEIT® (and design)®, COBIT® are registered trademarks of ISACA®. CRISC™, Certified in Risk and Information Systems Control™, Certified Information Security Manager™, Risk IT™, Val IT™ are trademarks of ISACA®. Trademarks are properties of the holders, who are not affiliated with mind map author.

CISM Exam Passing Principles

The job profile of the CISM® (Certified Information Security Manager), published in the autumn of 2002, is a reaction to continuously changing market requirements and is addressed to individuals who are responsible for managing information security.

It covers 4 domains, 37 tasks and 60 knowledge statements (statements covering the required technical knowledge).

The CISM® certification / designation reflects a solid achievement record in managing information security, as well as in such areas as risk analyses, risk management, security strategy, security organisation etc.

The CISM® job profile was published at the end of 2002 and was revised for a second time for the 2012 examination.

Official Recommended exam study materials

Development Guides

ISACA® CISM® Item Development Guide,

ISACA® CISM® QAE Item Development Guide,

ISACA® CISM® Review Manual 2015

ISACA® CISM® Review Questions, Answers & Explanations Manual 2014

ISACA® CISM® Review Questions, Answers & Explanations Manual 2015 Supplement

ISACA® CISM® Practice Question Database

CISM® Official website

Basic security related definitions (from ISACA® CISM® perspective)

Business Model for Information Security (BMIS)

Has 4 elements, Organization Design and Strategy, People, Process, Technology

Business dependency analysis

Business impact analysis

Data classification

Enterprise Architecture

Gap analysis

Layered security

Risk / Residual risk

A structured deployment of risk-based controls related to, People, Processes, Technology

Security is a business-driven activity.

Security domains

Security metrics

Trust models

Domain 1: Information Security (InfoSec) Governance

Domain 1 - CISM® Exam Relevance

The content area for Domain 1 will represent ..., 24% of the CISM® examination, 62 questions

Security is here to support the interests and needs of the organization – not just the desires of security

Security is always a balance between cost and benefit; security and productivity

Corporate Governance

What is it?, Corporate governance is the set of responsibilities and practices exercised by the board and executive management

Goals, Providing strategic direction, Reaching security and business objectives, Ensure that risks are managed appropriately, Verify that the enterprise’s resources are used responsibly

Goal of Information Security

The goal of information security is to protect the organization’s assets, individuals and mission, requires, Asset identification, Classification of data and systems according to criticality and sensitivity, Application of appropriate controls

Business Case Development

The Business case for initiating a project must be captured and communicated:, Reference, Context, Value Proposition, Focus, Deliverables, Dependencies, Project metrics, Workload, Required resources, Commitments, The Business case for Security must address the same criteria

Security Integration

Security needs to be integrated INTO the business processes

Goal, The goal is to reduce security gaps through organizational-wide security programs

Integrate IT with, Physical security, Risk Management, Privacy and Compliance, Business Continuity Management

Information Security Governance

Outcomes of effective InfoSec Governance, Strategic alignment, Risk management, Value delivery, Resource management, Performance measurement, Integration

Benefits of effective InfoSec Governance, Compliance and protection from litigation or penalties, Cost savings through better risk management, Avoid risk of lost opportunities, Better oversight of systems and business operations, Opportunity to leverage new technologies to business advantage, Improved trust in customer relationships, Protecting the organization’s reputation, Better accountability for safeguarding information during critical business activities, Reduction in loss through better incident handling and disaster recovery

Information Security Architecture

Information security architecture is similar to physical architecture, Requirements definition, Design / Modeling, Creation of detailed blueprints, Development, Deployment

Architecture is planning and design to meet the needs of the stakeholders

Security architecture is one of the greatest needs for most organizations

Information Security Frameworks

Effective information security is provided through adoption of a security framework, Defines information security objectives, Aligns with business objectives, Provides metrics to measure compliance and trends, Standardizes baseline security activities enterprise-wide

Examples of Other Security Frameworks, SABSA (Sherwood Applied Business Security Architecture), Business Model for Information Security, Model originated at the Institute for Critical Information Infrastructure Protection, COBIT, COSO, ISO27001:2013, Goal, Establish, Implement, Maintain, Continually improve, Contains, 14 Clauses, 35 Control Objectives, 114 Controls

Information Security Program

Objectives, Ensure the availability of systems and data, e.g., Allow access to the correct people in a timely manner, Protect the integrity of data and business processes, e.g., Ensure no improper modifications, Protect confidentiality of information, e.g., Unauthorized disclosure of information, Privacy, trade secrets

Priorities, Achieve high standards of corporate governance, Treat information security as a critical business issue, Create a security positive environment, Have declared responsibilities

Security versus Business, Security must be aligned with business needs and direction, Security is woven into the business functions, Strength, Resilience, Protection, Stability, Consistency

Starts with theory and concepts, Policy

Interpreted through, Procedures, Baselines, Standards

Measured through audit

Information Security Concepts

Evaluating the Security Program, Audit and Assurance of Security, Metrics are used to measure results, Measure security concepts that are important to the business, Use metrics that can be used for each reporting period, Compare results and detect trends, Key Performance Indicators (KPIs), Thresholds to measure, Compliance / non-compliance, Pass / fail, Satisfactory / unsatisfactory results, A KPI is set at a level that indicates action should / must be taken, Alarm point

End to End Security, Security must be enabled across the organization – not just on a system by system basis, Performance measures should ensure that security systems are integrated with each other, Layered defenses

Information Security Strategy

Developing Information Security Strategy, Long term perspective, Standard across the organization, Aligned with business strategy / direction, Understands the culture of the organization, Reflects business priorities

Achieving the desired state is a long-term goal of a series of projects

Goal, Protect the organization’s information assets

Objectives, 6 defined outcomes of security governance will provide high-level guidance to Information Security Strategy, Defined, Supported by metrics (measurable), Provide guidance, The long-term objectives describe the “desired state”, Should describe a well-articulated vision of the desired outcomes for a security program, Security strategy objectives should be stated in terms of specific goals directly aimed at supporting business activities

Elements, Road map, Includes people, processes, technologies and other resources, A security architecture: defining business drivers, resource relationships and process flows, Resources, Policies, Standards, Procedures, Guidelines, Architecture, Controls, physical, technical, procedural, Countermeasures, Layered defenses, Technologies, Personnel security, Organizational structure, Roles and responsibilities, Skills, Training, Awareness and education, Audits, Compliance enforcement, Vulnerability analysis, Risk assessment, Business impact assessment, Resource dependency analysis, Third party service providers, Other organizational support and assurance providers, Facilities, Environmental security, Constraints, Legal, Laws and regulatory requirements, Physical, Capacity, space, environmental constraints, Ethics, Appropriate, reasonable and customary, Culture, Both inside and outside the organization, Costs, Time, money, Personnel, Resistance to change, resentment against new constraints, Organizational structure, How decisions are made and by whom, turf protection, Resources, Capital, technology, people, Capabilities, Knowledge, training, skills, expertise, Time, Window of opportunity, mandated compliance, Risk tolerance, Threats, vulnerabilities, impacts

Information Security Strategy Business Linkages, Start with understanding the specific objectives of a particular line of business, Take into consideration all information flows and processes that are critical to ensuring continued operations, Enable security to be aligned with and support business at strategic, tactical and operational levels

Desired State of Security, The “desired state of security” must be defined in terms of attributes, characteristics and outcomes, It should be clear to all stakeholders what the intended security state is, Available approaches to provide a framework to achieve a well-defined “desired state“, COBIT (Control Objectives for Information and related Technology), “Protecting the interests of those relying on information, and the processes, systems and communications that handle, store and deliver the information, from harm resulting from failures of availability, confidentiality and integrity”, Focuses on IT-related processes from IT governance, management and control perspectives, Capability Maturity Model (CMM), Balanced Scorecard (BSC), Enterprise Architecture approaches, The Open Group Architecture Framework (TOGAF), Zachman Enterprise Architecture Framework, Extended Enterprise Architecture Framework (EA2F), ISO/IEC 27001 and 27002

Effective Security Metrics

Criteria, Meaningful, Accurate, Cost-effective, Repeatable, Predictive, Actionable, Genuine

Types, Performance metrics, Risk management metrics, Value delivery metrics, Resource management metrics, Strategic alignment metrics

Set metrics that will indicate the health of the security program, Incident management, Degree of alignment between security and business development, Was security consulted, Were controls designed in the systems or added later

Choose metrics that can be controlled, Measure items that can be influenced or managed by local managers / security, Not external factors such as number of viruses released in the past year, Have clear reporting guidelines, Monitor on a regular scheduled basis
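The KPI and metric nodes above ("Evaluating the Security Program" with its thresholds and alarm point, and "Effective Security Metrics" with per-period comparison and trend detection) can be turned into a small evaluation routine. The following is an added example, not part of the mind map; the two metric names, the thresholds and the monthly values are constructed for illustration, and the notion of an "action" threshold (should act) below an "alarm" threshold (must act) is an assumption based on the page's wording.

```python
"""Security metric evaluation with KPI thresholds and trend detection.

Added example (not from the mind map): each KPI has an action threshold
("should take action") and an alarm threshold ("must take action"); values
are compared per reporting period and the last period is compared against
the earlier ones to detect a trend. Metric names and numbers are constructed.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class KPI:
    name: str
    action_threshold: float  # crossing this means action should be taken
    alarm_threshold: float   # alarm point: crossing this means action must be taken
    higher_is_better: bool = True

    def status(self, value: float) -> str:
        """Classify one period's value as pass / action / alarm."""
        if self.higher_is_better:
            if value < self.alarm_threshold:
                return "alarm"
            if value < self.action_threshold:
                return "action"
            return "pass"
        if value > self.alarm_threshold:
            return "alarm"
        if value > self.action_threshold:
            return "action"
        return "pass"


def trend(kpi: KPI, values: list, tolerance: float = 0.02) -> str:
    """Compare the latest period against the mean of the earlier periods."""
    if len(values) < 2:
        return "insufficient data"
    baseline = mean(values[:-1])
    latest = values[-1]
    if abs(latest - baseline) <= tolerance * abs(baseline):
        return "stable"
    better = latest > baseline if kpi.higher_is_better else latest < baseline
    return "improving" if better else "declining"


def evaluate(kpi: KPI, values: list) -> dict:
    """Per-period statuses plus the overall trend for one reporting cycle."""
    statuses = [kpi.status(v) for v in values]
    return {
        "kpi": kpi.name,
        "statuses": statuses,
        "trend": trend(kpi, values),
        "escalate": statuses[-1] == "alarm",  # latest period sits at the alarm point
    }


# Constructed sample: four monthly reporting periods for two metrics that local
# management can influence (the page advises against uncontrollable metrics).
PATCH_SLA = KPI("Systems patched within SLA (%)", action_threshold=95, alarm_threshold=90)
CONTAINMENT = KPI("Mean time to contain incidents (hours)", action_threshold=24,
                  alarm_threshold=48, higher_is_better=False)
PATCH_VALUES = [96, 94, 91, 88]
CONTAINMENT_VALUES = [20, 22, 30, 18]

if __name__ == "__main__":
    for kpi, vals in ((PATCH_SLA, PATCH_VALUES), (CONTAINMENT, CONTAINMENT_VALUES)):
        print(evaluate(kpi, vals))
```

Running the block reports the patch metric as declining and at its alarm point in the last period, while the containment metric is improving despite one "action" period; the per-period statuses are what a reporting period would show and the trend is what comparing periods adds.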

The Maturity of the Security Program Using CMM

0: Nonexistent—No recognition by organization of need for security

1: Ad hoc—Risks are considered on an ad hoc basis—no formal processes

2: Repeatable but intuitive—Emerging understanding of risk and need for security

3: Defined process—Companywide risk management policy/security awareness

4: Managed and measurable—Risk assessment standard procedure, roles and responsibilities assigned, policies and standards in place

5: Optimized—Organization-wide processes implemented, monitored and managed

Roles and Responsibilities

Senior Management, Senior Management Commitment / Buy in, To be successful, information security must have the support of senior management (top-down), Budget, Direction / Policy, Reporting and Monitoring, A bottom-up management approach to information security activities is much less likely to be successful, Sets the tone at the top

Board of directors / Senior Management, Information security governance / Accountability

Steering committee, Ensuring that all stakeholders impacted by security considerations are involved, Oversight and monitoring of Information Security Program, Acts as Liaison between Management, Business, Information Technology, and Information Security, Ensures all stakeholder interests are addressed, Oversees compliance activities

Executive management, Implementing effective security governance, Defining the strategic security objectives, Developing an effective information security strategy, Budget and Support

Chief Information Security Officer (CISO), Responsible for Information security related activity, Compliance, Investigation, Testing, Policy

Business Manager, Responsible for security enforcement and direction in their area, Day to day monitoring, Reporting, Disciplinary actions, Compliance

IT Staff, Responsible for security design, deployment and maintenance, System and Network monitoring, Reporting, Operations of security controls, Compliance

Reporting and Compliance

Reporting, Performance

Industry standards, Payment Card Industry (PCI), BASEL II

Effect of Regulations, Potential impact of breach, Cost, Reputation, Scheduled reporting requirements, Frequency, Format

Reporting and Analysis, Data gathering at source, Accuracy, Identification, Reports signed by Organizational Officer

Rules of behaviour, Legal, Corporate, Industry, Personal

Ethical Responsibility, Responsibility to all stakeholders, Customers, Suppliers, Management, Owners, Employees, Community

ISACA Code of Ethics, Required for all ISACA certification holders, Support the implementation of, and encourage compliance with, appropriate standards, procedures and controls for information systems., Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards and best practices., Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession., Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties., Maintain competency in their respective fields and agree to undertake only those activities, which they can reasonably expect to complete with professional competence., Inform appropriate parties of the results of work performed; revealing all significant facts known to them., Support the professional education of stakeholders in enhancing their understanding of information systems security and control.

Domain 2: Information Risk Management and Compliance

Domain 2 - CISM® Exam Relevance

The content area for Domain 2 will represent ..., 33% of the CISM® examination, 62 questions

Risk Management

Risk is a function of the likelihood of a threat-source exercising a vulnerability and the resulting impact of that adverse event on the mission of the organization

Risk Management objective, The objective of risk management is to identify, quantify and manage information security risk, Reduce risk to an acceptable level through the application of risk-based, cost-effective controls

Risk terms, Asset, Threat, Vulnerability, Weaknesses in security controls, Patches not applied, Non-hardened systems, Inappropriate access levels, Unencrypted sensitive data, Software bugs or coding issues (buffer overflow), Physical security, Likelihood (probability), Impact (consequence), An exploit of a vulnerability by a threat may lead to an exposure, An exposure is measured by the impact it has on the organization or the ability of the organization to meet its mission, Examples of direct and indirect financial losses, Direct loss of money (cash or credit), Criminal or civil liability, Loss of reputation/goodwill/image, Reduction of share value, Conflict of interests to staff or customers or shareholders, Breach of confidence/privacy, Loss of business opportunity/competition, Loss of market share, Reduction in operational efficiency/performance, Interruption of business activity, Noncompliance with laws and regulations resulting in penalties, Aggregate risk, Aggregate risk is where several smaller risk factors combine to create a larger risk (the perfect storm scenario), Cascading Risk, Cascading risks are the effect of one incident leading to a chain of adverse events (domino effect)

Defining the Risk Environment/Context, The most critical prerequisite to a successful risk management program is understanding the organization including, Key business drivers, The organization’s SWOT (strengths, weaknesses, opportunities and threats), The organization’s PESTLE, Internal and external stakeholders, Organizational structure and culture, Assets (resources, information, customers, equipment), Goals and objectives, and the strategies already in place to achieve them

Threats to information and information systems are related to, Confidentiality, Availability, Authentication, Integrity, Access control, Privacy, Nonrepudiation, Compliance

Risk Assessment Methodology

Data Gathering Techniques, Checklists, Prompt list (Risk breakdown structure (RBS)), Cause and effect diagrams, Surveys/Questionnaires, Observation, Workshops, Group techniques, Brainstorming, Nominal group, Delphi, Individual interviews, Assumption analysis, Constraints analysis

Risk Assessment, Risk Assessment measures Impact and Likelihood, Business Impact Analysis measures Impact over Time, Related disciplines - but not the same, BIA must be done periodically to determine how risk and impact levels increase over time, Set priorities for critical business functions

Risk Treatment, Risk Treatment takes the recommendations from the risk assessment process and selects the best choice for managing risk at an acceptable level, Risk Appetite, Risk Tolerance, Risk Acceptance, Residual Risk, Cost/Benefit, Priorities, Balance between security and business

Risk Treatment Options, for Threats (-), Avoid, This option is about making the uncertain situation certain by removing the risk, This can often be achieved by removing the cause of a threat, Risk avoidance is achieved by deciding not to undertake a risk by either not taking part in a certain risky activity or by abandoning an asset / source that generates the risk, Avoiding all risks is not a viable strategy, If we do not take risks, we cannot gain the benefits that can arise, Outcome = risk probability of occurrence is 0%, It simply means to conduct activity where the risk is not met, Reduce (a.k.a. Modification), This option chooses definite action now to change the probability and/or impact of the risk, The term ‘mitigate’ is relevant when discussing reduction of a threat, i.e. making the threat less likely to occur and/or reducing the impact if it did., Because this option commits the organization to costs for reduction/enhancement now, response costs must be justified in terms of the change to residual risk, Reduce probability (a.k.a. Prevent), Reduce impact (a.k.a. Mitigate), Reduce probability & impact simultaneously

Risk Treatment Options, for Opportunities (+), Exploit, Exploiting the opportunity aims to make the most of an opportunity that arises to make the probability of its outcome 100%., It uses extensive measures to ensure that the opportunity becomes a certainty., Outcome = risk probability of occurrence is 100%, Risk becomes an issue (opportunity becomes a certainty), Enhance (a.k.a. Improve), Control methods put in place to increase the likelihood or increase the impact of the opportunity., Enhancement methods are not as extensive as exploit controls because they do not aim at making the opportunity a certainty., Increase probability (but still <100%), Increase impact, Increase probability & impact simultaneously

Risk Treatment Options, for Threats & Opportunities, Transfer, by transferring risk firms remove their own responsibility for dealing with risk events to someone outside of the organisation / programme / project etc., the most typical examples are taking out insurance and outsourcing., (for opportunity) it aims to transfer the opportunity to a more specialised organisation that will help maximise its effects., As the name suggests, a 2nd party is needed for transfer, Transfer means transferring all (100%) of the impact to the 2nd party, You can transfer impact, but you cannot transfer accountability for risk!, Share, ‘Share’ is an option that is different in nature to the transfer response, It seeks for multiple parties (2+), typically within a supply chain, to share the risk on a pain/gain share basis, Rarely can risks be entirely shared in this way (for example, the primary risk taker will always need to protect their brand and reputation), but this can be a successful way of encouraging collaboration on risk management activities, particularly in programmes and projects, To share the risk on a pain/gain basis, As the name suggests, a 2nd party is needed for sharing, Sharing means sharing at least a small percentage of the impact with the 2nd party, Accept (a.k.a. Retention), The organisation ‘takes the chance’ that the risk will occur, with its full impact if it did, There is no change to residual risk with the accept option, but neither are any costs incurred now to manage the risk, or to prepare to manage the risk in future, Accepting an opportunity basically leaves everything to chance, Passive Acceptance, Highly NOT recommended, not present in M_o_R®, without monitoring, Active Acceptance, Risk still MUST be actively monitored for any changes in nature (probability, impact, etc.), with monitoring, Prepare Contingent Plans, This option involves preparing plans now, but not taking action now, Most usually associated with the accept option, preparing contingent plans in this instance is saying: ‘We will accept the risk for now, but we'll make a plan for what we’ll do if the situation changes.', This option applies equally to other responses and is often referred to as a ‘fallback’ plan, i.e. what we will do if the original response doesn’t work., Fallback plans apply to all other strategies, even avoiding a threat and exploiting an opportunity, because the plan to avoid/exploit may not be successful despite good intentions., Only reduces impact, Does not change probability, Effect of responses

Risk mitigation and controls, Controls (safeguards/countermeasures) are implemented in order to reduce a specified risk, Existing controls and countermeasures can be evaluated, New controls and countermeasures can be designed, Control recommendations, Factors to be considered when recommending new or enhanced controls are, Cost-benefit analysis, Anticipated effectiveness, Compatibility with other controls, systems, and processes, Legislation and regulation, Organizational policy, standards, and culture, Impact of control on business processes, Control reliability

Cost Benefit Analysis of Controls, Cost-benefit analysis must consider the cost of the control throughout the full life cycle of the control or countermeasure including, Acquisition/purchase costs, Deployment and implementation costs, Recurring maintenance costs, Testing and assessment costs, Compliance monitoring and enforcement, Inconvenience to users, Reduced throughput of controlled processes, Training in new procedures or technologies as applicable, End of life decommissioning

Categories of Security Controls, Reference: NIST SP800-53, Rev 3, Recommended Security Controls for Federal Information Systems, Managerial (Administrative) Controls, Policies, Standards, Processes, Procedures, & Guidelines, Technical (Logical) Controls, Access Controls, Identification & Authorization, Confidentiality, Integrity, Availability, Non-Repudiation., Operational (and Physical) Controls, Operational Security (Execution of Policies, Standards & Process, Education & Awareness), Physical Security (Facility or Infrastructure Protection), Reference: ISO/IEC 27001:2013, Information Technology - Security Techniques - Security Management System - Requirements

Security Control types, Administrative (or Directive) Controls, Regulations, Policies, Standards, Guidelines, Processes and Procedures, Physical and Technical Controls, Preventive - Controls that avoid an incident, Detective - Controls that identify an incident, Corrective - Controls that remedy an incident, Recovery - Controls that restore the baseline after an incident, Deterrent - Controls/warnings of consequences for security violations, Compensatory

Security Control Baselines, Creating baselines of control can assist in developing a consistent security infrastructure, Principles for developing baselines include, Assess the level of security that is appropriate for the organization, Mandate a configuration for all systems and components attached to the organization’s network
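The risk treatment nodes above (inherent risk as likelihood times impact, controls that reduce probability and/or impact, residual risk compared with risk tolerance, and the full-lifecycle cost-benefit test for a control) can be worked through as a small decision routine. The following is an added example, not part of the mind map or of any ISACA material; the scoring scale (likelihood per year times monetary impact), the control names, cost figures and factors, and the rule that a control set must both bring residual risk within tolerance and pay for itself over the planning horizon are all constructed assumptions for illustration.

```python
"""Risk treatment decision support: inherent vs residual risk against tolerance.

Added example (not from the mind map). Assumptions: risk is scored as
likelihood (per year) times impact (monetary loss); a control scales the
likelihood (prevent) and/or the impact (mitigate); the cost-benefit test
compares a control's full lifecycle cost with the reduction in expected loss
over the planning horizon. All names and numbers are constructed.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Control:
    name: str
    likelihood_factor: float = 1.0   # 1.0 = no effect; 0.4 = likelihood cut to 40%
    impact_factor: float = 1.0       # 1.0 = no effect; 0.2 = impact cut to 20%
    acquisition: float = 0.0
    deployment: float = 0.0
    annual_maintenance: float = 0.0
    annual_testing: float = 0.0
    decommissioning: float = 0.0

    def lifecycle_cost(self, years: int) -> float:
        """One-off costs plus recurring costs over the horizon (the page's cost list)."""
        one_off = self.acquisition + self.deployment + self.decommissioning
        return one_off + years * (self.annual_maintenance + self.annual_testing)


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float   # probability of occurrence per year
    impact: float       # loss if it occurs

    def inherent(self) -> float:
        return self.likelihood * self.impact

    def residual(self, controls) -> float:
        """Risk remaining after the given controls are applied."""
        likelihood, impact = self.likelihood, self.impact
        for c in controls:
            likelihood *= c.likelihood_factor
            impact *= c.impact_factor
        return likelihood * impact


def recommend(risk: Risk, controls, tolerance: float, years: int, max_combo: int = 2) -> dict:
    """Pick the cheapest cost-justified control set that brings residual risk within tolerance.

    Returns the treatment option in the page's terms: Accept (active acceptance,
    keep monitoring), Reduce (with the chosen controls), or Escalate when no
    candidate is both effective and cost-justified (transfer or avoid to be considered).
    """
    inherent = risk.inherent()
    if inherent <= tolerance:
        return {"option": "Accept", "controls": [], "residual": inherent, "cost": 0.0}
    best = None
    for size in range(1, max_combo + 1):
        for combo in combinations(controls, size):
            residual = risk.residual(combo)
            cost = sum(c.lifecycle_cost(years) for c in combo)
            benefit = (inherent - residual) * years   # expected loss avoided over the horizon
            if residual <= tolerance and benefit > cost:
                if best is None or cost < best["cost"]:
                    best = {"option": "Reduce", "controls": [c.name for c in combo],
                            "residual": residual, "cost": cost}
    if best is None:
        return {"option": "Escalate", "controls": [], "residual": inherent, "cost": 0.0}
    return best


# Constructed scenario: one risk, two candidate controls, three-year horizon.
RANSOMWARE = Risk("Ransomware on file server", likelihood=0.5, impact=400_000)
CANDIDATES = [
    Control("Offline backups", impact_factor=0.2, acquisition=20_000, deployment=5_000,
            annual_maintenance=6_000, annual_testing=4_000, decommissioning=1_000),
    Control("Endpoint detection", likelihood_factor=0.4, acquisition=30_000,
            deployment=10_000, annual_maintenance=15_000, annual_testing=3_000),
]

if __name__ == "__main__":
    print(recommend(RANSOMWARE, CANDIDATES, tolerance=50_000, years=3))
```

With the constructed figures the inherent risk is 200,000 per year against a tolerance of 50,000; offline backups alone bring the residual to 40,000 for a three-year lifecycle cost of 56,000, endpoint detection alone leaves 80,000, and the pair is effective but costs more, so the routine recommends Reduce with offline backups. Raising the tolerance returns Accept, and an unreachable tolerance returns Escalate, which is where the transfer and avoid options from the page come into play.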

Training, Education and Awareness

Training and Awareness, The most effective control to mitigate risk is training of all personnel, Educate on policies, standards, practices, Creates accountability, End users should receive training on, The importance of adhering to information security policies, standards, and procedures, Clean desk policy, Responding to incidents and emergencies, Privacy and confidentiality requirements, The security implications of logical access in an IT environment

National Initiative for Cybersecurity Education (NICE), Reference:, NICE is a part of Comprehensive National Cybersecurity Initiative (CNCI) where government and industry collaborated to create a training & educational framework for cybersecurity workforce

Security Education, Training and Awareness (SETA), Reference: NIST SP800-50, Building an IT Security Awareness and Training Program., Awareness, Orientation briefs and materials to inform and remind employees of their security responsibilities and management’s expectation, Training, Course and materials to provide employees the necessary skills to perform their job functions, Education, Course and materials to provide employees the necessary decision-making and management skills to improve their promotional ability and mobility

Domain 3: Information Security (InfoSec) Program Development and Management

Domain 3 - CISM® Exam Relevance

The content area for Domain 3 will represent ..., 25% of the CISM® examination, 62 questions

Domain 4: Information Security (InfoSec) Incident Management

Domain 4 - CISM® Exam Relevance

The content area for Domain 4 will represent ..., 18% of the CISM® examination, 62 questions

Overview of the CISM® certification

About the CISM® exam

CISM® exam questions are developed with the intent of measuring and testing practical knowledge and the application of general concepts and standards.

PBE & CBE (only pencil & eraser are allowed), PBE - Paper based exam, CBE - Closed book exam.

4 hour exam.

200 multiple choice questions designed with one best answer.

No negative points.

Pre-requisite for exam:, none

Pre-requisite for certification:, Read CISM® Application Form,

Interactive Glossary

Interactive CISM® Glossary

This freeware, non-commercial mind map (aligned with the newest version of the CISM® exam) was carefully hand crafted with passion and love for learning and constant improvement, as well as for promoting the CISM® qualification and as a learning tool for candidates wanting to gain the CISM® qualification. (Please share and give feedback - your feedback and comments are my main motivation for further elaboration. THX!)

Questions / issues / errors? What do you think about my work? Your comments are highly appreciated. Please don't hesitate to contact me :-) Mirosław Dąbrowski, Poland/Warsaw.