© 2026 CheatGrid™. All rights reserved.

CISM - Certified Information Security Manager Cheat Sheet


The Certified Information Security Manager (CISM) credential from ISACA validates that you can build and govern an enterprise information security program at the management level, not just operate its tools. The exam is weighted toward judgment across four domains: Information Security Governance (17%), Information Security Risk Management (20%), Information Security Program (33%), and Incident Management (30%). The single reflex that separates a passing answer from a merely plausible one is to think like a manager, not a technician: when a scenario allows several defensible actions, ISACA credits the choice that aligns security with business objectives, respects the organization's risk appetite, and follows the established process over the fastest technical fix. This sheet maps every exam task to the concepts ISACA tests, in the manager's-eye framing the credited answers depend on. The current Exam Content Outline remains in force through ISACA's next scheduled update effective 3 November 2026.

What This Cheat Sheet Covers

This topic spans 35 focused tables and 241 indexed concepts. Below is a complete table-by-table outline of this topic, spanning foundational concepts through advanced details.

• Table 1: Organizational Culture
• Table 2: Legal, Regulatory and Contractual Requirements
• Table 3: Organizational Structures, Roles and Responsibilities
• Table 4: Information Security Strategy Development
• Table 5: Information Governance Frameworks and Standards
• Table 6: Strategic Planning, Budgets and the Business Case
• Table 7: Emerging Risk and Threat Landscape
• Table 8: Vulnerability and Control Deficiency Analysis
• Table 9: Risk Assessment and Analysis
• Table 10: Risk Treatment and Response Options
• Table 11: Risk and Control Ownership
• Table 12: Risk Monitoring and Reporting
• Table 13: Information Security Program Resources
• Table 14: Information Asset Identification and Classification
• Table 15: Industry Standards and Frameworks for Information Security
• Table 16: Information Security Policies, Procedures and Guidelines
• Table 17: Information Security Program Metrics
• Table 18: Information Security Control Design and Selection
• Table 19: Information Security Control Implementation and Integration
• Table 20: Information Security Control Testing and Evaluation
• Table 21: Information Security Awareness and Training
• Table 22: Management of External Services and Third Parties
• Table 23: Information Security Program Communications and Reporting
• Table 24: Incident Response Plan
• Table 25: Business Impact Analysis (BIA)
• Table 26: Business Continuity Plan (BCP)
• Table 27: Disaster Recovery Plan (DRP)
• Table 28: Incident Classification and Categorization
• Table 29: Incident Management Training, Testing and Evaluation
• Table 30: Incident Management Tools and Techniques
• Table 31: Incident Investigation and Evaluation
• Table 32: Incident Containment Methods
• Table 33: Incident Response Communications
• Table 34: Incident Eradication and Recovery
• Table 35: Post-Incident Review Practices

Table 1: Organizational Culture

Domain 1A Enterprise Governance (Information Security Governance, 17%): the role of organizational culture as a governance factor the security manager must assess and influence so that information security aligns with how people actually behave, not just with written policy.

Concept | Example | Description

Security Culture
  Example: Staff act securely because it matches their values, not just under audit pressure
  Description: The shared values, attitudes, beliefs and behaviors of employees toward security; in short, "how we do things here". A strategic asset, not a soft add-on. Tested against the trap that culture is just published rules.

Tone at the Top
  Example: Senior leaders visibly follow the same security rules they ask of staff
  Description: Leadership must walk the talk, since culture is top-down and visible example shapes what employees believe is truly expected.
  • Backed by incentives, training and clear expectations
  • Board and senior management stay accountable

Culture vs. Awareness Training
  Example: Everyone finished training, yet people still avoid reporting phishing
  Description: Culture is the deeper set of shared values and habitual behavior, while awareness training is one activity that supports it. Not to be confused: completing training does not by itself create a healthy culture.
