

ISACA® CISM® study guide mind map

ISACA® is a registered trademark of Information Systems Audit and Control Association. CISA®, Certified Information Systems Auditor®, CISM®, CGEIT®, Certified in the Governance of Enterprise IT/CGEIT® (and design)®, COBIT® are registered trademarks of ISACA®. CRISC™, Certified in Risk and Information Systems Control™, Certified Information Security Manager™, Risk IT™, Val IT™ are trademarks of ISACA®. Trademarks are properties of the holders, who are not affiliated with mind map author.

CISM Exam Passing Principles

The job profile of the CISM® (Certified Information Security Manager), published in the autumn of 2002, is a reaction to continuously changing market requirements and is addressed to individuals who are responsible for managing information security.


It covers 4 domains, 37 tasks and 60 knowledge statements (statements covering the required technical knowledge).


The CISM® certification / designation reflects a solid achievement record in managing information security, as well as in such areas as risk analysis, risk management, security strategy, security organisation etc.

The CISM® job profile was published at the end of 2002 and was revised for a second time for the 2012 examination.

Official Recommended exam study materials


Development Guides

ISACA® CISM® Item Development Guide

ISACA® CISM® QAE Item Development Guide

ISACA® CISM® Review Manual 2015

ISACA® CISM® Review Questions, Answers & Explanations Manual 2014

ISACA® CISM® Review Questions, Answers & Explanations Manual 2015 Supplement

ISACA® CISM® Practice Question Database

CISM® Official website

Basic security related definitions (from ISACA® CISM® perspective)

Business Model for Information Security (BMIS)

Has 4 elements, Organization Design and Strategy, People, Process, Technology

Business dependency analysis

Business impact analysis

Data classification

Enterprise Architecture

Gap analysis

Layered security

Risk / Residual risk

A structured deployment of risk-based controls related to, People, Processes, Technology

Security is a business-driven activity.

Security domains

Security metrics

Trust models

Domain 1: Information Security (InfoSec) Governance

Domain 1 - CISM® Exam Relevance

The content area for Domain 1 represents 24% of the CISM® examination (48 of the 200 questions)

Security is here to support the interests and needs of the organization – not just the desires of security

Security is always a balance between cost and benefit; security and productivity

Corporate Governance

What is it?, Corporate governance is the set of responsibilities and practices exercised by the board and executive management

Goals, Providing strategic direction, Reaching security and business objectives, Ensure that risks are managed appropriately, Verify that the enterprise’s resources are used responsibly

Goal of Information Security

The goal of information security is to protect the organization’s assets, individuals and mission, requires, Asset identification, Classification of data and systems according to criticality and sensitivity, Application of appropriate controls

Business Case Development

The Business case for initiating a project must be captured and communicated:, Reference, Context, Value Proposition, Focus, Deliverables, Dependencies, Project metrics, Workload, Required resources, Commitments, The Business case for Security must address the same criteria

Security Integration

Security needs to be integrated INTO the business processes

Goal, The goal is to reduce security gaps through organizational-wide security programs

Integrate IT with, Physical security, Risk Management, Privacy and Compliance, Business Continuity Management

Information Security Governance

Outcomes of effective InfoSec Governance, Strategic alignment, Risk management, Value delivery, Resource management, Performance measurement, Integration

Benefits of effective InfoSec Governance, Compliance and protection from litigation or penalties, Cost savings through better risk management, Avoid risk of lost opportunities, Better oversight of systems and business operations, Opportunity to leverage new technologies to business advantage, Improved trust in customer relationships, Protecting the organization’s reputation, Better accountability for safeguarding information during critical business activities, Reduction in loss through better incident handling and disaster recovery

Information Security Architecture

Information security architecture is similar to physical architecture, Requirements definition, Design / Modeling, Creation of detailed blueprints, Development, deployment

Architecture is planning and design to meet the needs of the stakeholders

Security architecture is one of the greatest needs for most organizations

Information Security Frameworks

Effective information security is provided through adoption of a security framework, Defines information security objectives, Aligns with business objectives, Provides metrics to measure compliance and trends, Standardizes baseline security activities enterprise-wide

Examples of Other Security Frameworks, SABSA (Sherwood Applied Business Security Architecture), Business Model for Information Security, Model originated at the Institute for Critical Information Infrastructure Protection, COBIT, COSO, ISO27001:2013, Goal, Establish, Implement, Maintain, Continually improve, Contains (Annex A), 14 control domains, 35 Control Objectives, 114 Controls

Information Security Program

Objectives, Ensure the availability of systems and data, e.g., Allow access to the correct people in a timely manner, Protect the integrity of data and business processes, e.g., Ensure no improper modifications, Protect confidentiality of information, e.g., Prevent unauthorized disclosure of information, Privacy, trade secrets

Priorities, Achieve high standards of corporate governance, Treat information security as a critical business issue, Create a security positive environment, Have declared responsibilities

Security versus Business, Security must be aligned with business needs and direction, Security is woven into the business functions, Strength, Resilience, Protection, Stability, Consistency

Starts with theory and concepts, Policy

Interpreted through, Procedures, Baselines, Standards

Measured through audit

Information Security Concepts

Evaluating the Security Program, Audit and Assurance of Security, Metrics are used to measure results, Measure security concepts that are important to the business, Use metrics that can be used for each reporting period, Compare results and detect trends, Key Performance Indicators (KPIs), Thresholds to measure, Compliance / non-compliance, Pass / fail, Satisfactory / unsatisfactory results, A KPI is set at a level that indicates action should / must be taken, Alarm point

End to End Security, Security must be enabled across the organization – not just on a system by system basis, Performance measures should ensure that security systems are integrated with each other, Layered defenses

Information Security Strategy

Developing Information Security Strategy, Long term perspective, Standard across the organization, Aligned with business strategy / direction, Understands the culture of the organization, Reflects business priorities

Achieving the desired state is a long-term goal of a series of projects

Goal, Protect the organization’s information assets

Objectives, 6 defined outcomes of security governance will provide high-level guidance to Information Security Strategy, Defined, Supported by metrics (measurable), Provide guidance, The long-term objectives describe the “desired state”, Should describe a well-articulated vision of the desired outcomes for a security program, Security strategy objectives should be stated in terms of specific goals directly aimed at supporting business activities

Elements, Road map, Includes people, processes, technologies and other resources, A security architecture: defining business drivers, resource relationships and process flows, Resources, Policies, Standards, Procedures, Guidelines, Architecture, Controls, physical, technical, procedural, Countermeasures, Layered defenses, Technologies, Personnel security, Organizational structure, Roles and responsibilities, Skills, Training, Awareness and education, Audits, Compliance enforcement, Vulnerability analysis, Risk assessment, Business impact assessment, Resource dependency analysis, Third party service providers, Other organizational support and assurance providers, Facilities, Environmental security, Constraints, Legal, Laws and regulatory requirements, Physical, Capacity, space, environmental constraints, Ethics, Appropriate, reasonable and customary, Culture, Both inside and outside the organization, Costs, Time, money, Personnel, Resistance to change, resentment against new constraints, Organizational structure, How decisions are made and by whom, turf protection, Resources, Capital, technology, people, Capabilities, Knowledge, training, skills, expertise, Time, Window of opportunity, mandated compliance, Risk tolerance, Threats, vulnerabilities, impacts

Information Security Strategy Business Linkages, Start with understanding the specific objectives of a particular line of business, Take into consideration all information flows and processes that are critical to ensuring continued operations, Enable security to be aligned with and support business at strategic, tactical and operational levels

Desired State of Security, The “desired state of security” must be defined in terms of attributes, characteristics and outcomes, It should be clear to all stakeholders what the intended security state is, Available approaches to provide a framework to achieve a well-defined “desired state“, COBIT (Control Objectives for Information and related Technology), “Protecting the interests of those relying on information, and the processes, systems and communications that handle, store and deliver the information, from harm resulting from failures of availability, confidentiality and integrity”, Focuses on IT-related processes from IT governance, management and control perspectives, Capability Maturity Model (CMM), Balanced Scorecard (BSC), Enterprise Architecture approaches, The Open Group Architecture Framework (TOGAF), Zachman Enterprise Architecture Framework, Extended Enterprise Architecture Framework (EA2F), ISO/IEC 27001 and 27002

Effective Security Metrics

Criteria, Meaningful, Accurate, Cost-effective, Repeatable, Predictive, Actionable, Genuine

Types, Performance metrics, Risk management metrics, Value delivery metrics, Resource management metrics, Strategic alignment metrics

Set metrics that will indicate the health of the security program, Incident management, Degree of alignment between security and business development, Was security consulted, Were controls designed in the systems or added later

Choose metrics that can be controlled, Measure items that can be influenced or managed by local managers / security, Not external factors such as number of viruses released in the past year, Have clear reporting guidelines, Monitor on a regular scheduled basis
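As an added illustration of the KPI mechanics described under "Evaluating the Security Program" and "Effective Security Metrics" above (this is example code written for this guide, not ISACA material), the Python below evaluates a few quarterly metrics against a target and an alarm point, classifies each reporting period as compliant / non-compliant / alarm, derives a trend across periods, and excludes a metric that nobody local can influence. Every metric name, owner, threshold and observed value is a constructed assumption.

```python
"""KPI evaluation for a security program: thresholds, pass/fail status,
trend over reporting periods and an alarm point that demands action.

Added example for this study guide; not ISACA material. The metric
names, owners, thresholds and quarterly values below are constructed.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class Kpi:
    name: str
    owner: Optional[str]      # None: no local manager can influence it
    target: float             # level that counts as satisfactory
    alarm: float              # alarm point: action must be taken
    higher_is_better: bool


KPIS = [
    Kpi("critical_patch_sla_pct", "IT Operations", 95.0, 80.0, True),
    Kpi("incident_mean_time_to_contain_hours", "SOC", 4.0, 24.0, False),
    Kpi("projects_with_security_review_pct", "PMO", 90.0, 60.0, True),
    # External factor (constructed): informative, but not controllable, so excluded.
    Kpi("industry_malware_samples", None, 0.0, 0.0, False),
]

# Constructed quarterly observations, oldest period first.
OBSERVATIONS = {
    "critical_patch_sla_pct": [91.0, 88.5, 84.0, 78.0],
    "incident_mean_time_to_contain_hours": [30.0, 18.0, 9.5, 3.5],
    "projects_with_security_review_pct": [70.0, 72.0, 75.0, 80.0],
    "industry_malware_samples": [1200.0, 1500.0, 1900.0, 2600.0],
}


def status(kpi: Kpi, value: float) -> str:
    """Classify one observation as compliant, non-compliant or alarm."""
    if kpi.higher_is_better:
        meets, breached = value >= kpi.target, value < kpi.alarm
    else:
        meets, breached = value <= kpi.target, value > kpi.alarm
    if breached:
        return "alarm"
    return "compliant" if meets else "non-compliant"


def trend(kpi: Kpi, values: list, min_periods: int = 3) -> str:
    """Direction of the average period-to-period change, in the KPI's own sense."""
    if len(values) < min_periods:
        return "insufficient data"
    avg_delta = mean([b - a for a, b in zip(values, values[1:])])
    if abs(avg_delta) < 1e-9:
        return "flat"
    improving = avg_delta > 0 if kpi.higher_is_better else avg_delta < 0
    return "improving" if improving else "deteriorating"


def evaluate(kpis=KPIS, observations=OBSERVATIONS) -> dict:
    """Build the reporting-period summary for every KPI."""
    report = {}
    for kpi in kpis:
        if kpi.owner is None:
            report[kpi.name] = {"status": "excluded", "reason": "not under local control"}
            continue
        values = observations.get(kpi.name, [])
        if not values:
            report[kpi.name] = {"status": "excluded", "reason": "no data for this period"}
            continue
        current = values[-1]
        s, t = status(kpi, current), trend(kpi, values)
        report[kpi.name] = {
            "owner": kpi.owner,
            "current": current,
            "status": s,
            "trend": t,
            # Escalate at the alarm point, or when a missed target keeps getting worse.
            "action_required": s == "alarm" or (s == "non-compliant" and t == "deteriorating"),
        }
    return report


if __name__ == "__main__":
    for name, entry in evaluate().items():
        print(f"{name}: {entry}")
```

The alarm point triggers action regardless of trend, while a missed target that is improving period over period is reported but not escalated; that is the distinction the page draws between pass/fail thresholds and the alarm point. The `owner` field is how the "choose metrics that can be controlled" rule is enforced: a metric with no local owner is dropped from the report rather than dressed up as a performance indicator.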

The Maturity of the Security Program Using CMM

0: Nonexistent—No recognition by organization of need for security

1: Ad hoc—Risks are considered on an ad hoc basis—no formal processes

2: Repeatable but intuitive—Emerging understanding of risk and need for security

3: Defined process—Companywide risk management policy/security awareness

4: Managed and measurable—Risk assessment standard procedure, roles and responsibilities assigned, policies and standards in place

5: Optimized—Organization-wide processes implemented, monitored and managed

Roles and Responsibilities

Senior Management, Senior Management Commitment / Buy in, To be successful, information security must have the support of senior management (top-down), Budget, Direction/ Policy, Reporting and Monitoring, A bottom-up management approach to information security activities is much less likely to be successful, Sets the tone at the top

Board of directors / Senior Management, Information security governance / Accountability

Steering committee, Ensuring that all stakeholders impacted by security considerations are involved, Oversight and monitoring of Information Security Program, Acts as Liaison between Management, Business, Information Technology, and Information Security, Ensures all stakeholder interests are addressed, Oversees compliance activities

Executive management, Implementing effective security governance, Defining the strategic security objectives, Developing an effective information security strategy, Budget and Support

Chief Information Security Officer (CISO), Responsible for Information security related activity, Compliance, Investigation, Testing, Policy

Business Manager, Responsible for security enforcement and direction in their area, Day to day monitoring, Reporting, Disciplinary actions, Compliance

IT Staff, Responsible for security design, deployment and maintenance, System and Network monitoring, Reporting, Operations of security controls, Compliance

Reporting and Compliance

Reporting, Performance

Industry standards, Payment Card Industry (PCI), Basel II

Effect of Regulations, Potential impact of breach, Cost, Reputation, Scheduled reporting requirements, Frequency, Format

Reporting and Analysis, Data gathering at source, Accuracy, Identification, Reports signed by Organizational Officer

Rules of behaviour, Legal, Corporate, Industry, Personal

Ethical Responsibility, Responsibility to all stakeholders, Customers, Suppliers, Management, Owners, Employees, Community

ISACA Code of Ethics, Required for all ISACA certification holders, Support the implementation of, and encourage compliance with, appropriate standards, procedures and controls for information systems., Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards and best practices., Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession., Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties., Maintain competency in their respective fields and agree to undertake only those activities, which they can reasonably expect to complete with professional competence., Inform appropriate parties of the results of work performed; revealing all significant facts known to them., Support the professional education of stakeholders in enhancing their understanding of information systems security and control.

Domain 2: Information Risk Management and Compliance

Domain 2 - CISM® Exam Relevance

The content area for Domain 2 represents 33% of the CISM® examination (66 of the 200 questions)

Domain 3: Information Security (InfoSec) Program Development and Management

Domain 3 - CISM® Exam Relevance

The content area for Domain 3 represents 25% of the CISM® examination (50 of the 200 questions)

Domain 4: Information Security (InfoSec) Incident Management

Domain 4 - CISM® Exam Relevance

The content area for Domain 4 represents 18% of the CISM® examination (36 of the 200 questions)

Overview of the CISM® certification

About the CISM® exam

CISM® exam questions are developed with the intent of measuring and testing practical knowledge and the application of general concepts and standards.

PBE & CBE (only pencil & eraser are allowed), PBE - Paper based exam, CBE - Closed book exam

4 hour exam.

200 multiple choice questions designed with one best answer.

No negative points.

Prerequisite for exam: none

Prerequisite for certification: Read the CISM® Application Form

Interactive Glossary

Interactive CISM® Glossary

This freeware, non-commercial mind map (aligned with the newest version of the CISM® exam) was carefully hand crafted with passion and love for learning and constant improvement, as well as to promote the CISM® qualification and as a learning tool for candidates wanting to gain the CISM® qualification. (Please share and give feedback - your feedback and comments are my main motivation for further elaboration. THX!)

Questions / issues / errors? What do you think about my work? Your comments are highly appreciated. Please don't hesitate to contact me :-) Mirosław Dąbrowski, Poland/Warsaw.