Start Here: Orientation Before Study

If you are planning to sit the CISM exam by ISACA, there are a few things you should know before you open a book or start watching videos. These are not preparation tips in the usual sense. They are orientation points that help you set the right mindset for the exam.

Orientation matters.

Understand the map — weightage and scope — before you start studying.

Domain Weightage

CISM is divided into four domains. These domains are not equal in importance, and ISACA is very explicit about that through exam weightage. Knowing this upfront matters because it directly affects how you should allocate your time and energy.

Domains 3 and 4 together account for more than 60% of the exam (33% + 30%). CISM does not reward equal effort across all topics. It rewards focus on how security programs are built and run, and on how incidents are handled when things go wrong. Understanding this early helps avoid a very common mistake — spending too much time on governance theory while under-preparing for program and incident scenarios.

Methods of Taking the Exam

CISM can be taken in two ways: at an authorised exam centre or as an online proctored exam from home. Both are officially supported by ISACA.

In some regions, especially parts of Europe, exam centres may not always be available or conveniently located. The home-based exam is not a compromise — it is a fully valid option, provided you meet the technical and environmental requirements. This flexibility allows you to plan the exam around your life constraints instead of postponing it indefinitely due to logistics.

Voucher Purchase vs Locking the Exam Date

Buying the CISM voucher and booking the exam date are two separate steps. You can purchase the voucher first and decide on the date later. This gives you flexibility — you are not forced to commit to a date before you feel ready. This approach also helps maintain momentum. Book the exam when you feel your understanding has reached a plateau and further preparation is unlikely to add much value.

Domain Layout

Before going into preparation strategies, it helps to understand what each domain actually covers at a high level. This section is about knowing the scope, not the depth.

Domain 1 · 17%

Information Security Governance

Align security with business objectives and establish governance structures.
  • Establishing and maintaining an information security governance framework
  • Alignment of information security strategy with organisational goals
  • Information security policies, standards, procedures, and guidelines
  • Roles and responsibilities for information security (ownership and accountability)
  • Integration of information security into organisational processes
  • Legal, regulatory, and contractual requirements affecting information security
  • Security governance metrics and reporting to senior management and the board
  • Assurance activities (audits, assessments, compliance reviews)
  • Continuous improvement of the information security governance framework

Domain 2 · 20%

Information Security Risk Management

Identify, evaluate, treat, and monitor information security risk.
  • Establishing and maintaining an information security risk management framework
  • Risk identification (threats, vulnerabilities, assets, impacts)
  • Risk analysis and evaluation methods (qualitative and quantitative)
  • Risk appetite, risk tolerance, and risk thresholds
  • Risk treatment options (mitigate, accept, transfer, avoid)
  • Residual risk assessment and acceptance
  • Integration of risk management into business processes and decision-making
  • Risk monitoring and reporting
  • Third-party and supply chain risk management
  • Emerging risk identification and response

Domain 3 · 33%

Information Security Program Development and Management

Build, operate, and continuously improve the security program — the largest domain.
  • Establishing and maintaining an information security program
  • Information security program objectives and scope
  • Resource management (people, budget, tools, skills)
  • Security architecture and alignment with enterprise architecture
  • Information asset protection controls
  • Security awareness, training, and education programs
  • Third-party security management and vendor oversight
  • Security program metrics, KPIs, and reporting
  • Program maturity models and continuous improvement
  • Integration of security into system development and operations
  • Managing security technologies and services

Domain 4 · 30%

Information Security Incident Management

Prepare, respond, recover, and learn from incidents.
  • Establishing and maintaining an incident management framework
  • Incident response planning and procedures
  • Incident detection, identification, and reporting
  • Incident classification and prioritisation
  • Incident analysis and investigation
  • Containment, eradication, and recovery activities
  • Root cause analysis
  • Business continuity and disaster recovery integration
  • Communication and escalation during incidents
  • Post-incident review and lessons learned
  • Evidence handling and forensic considerations

Why Knowing Weightage and Layout Matters

At this stage, the goal is not to master any domain. The goal is to understand the map. Once you know what the exam is made of, how it is weighted, and how it can be taken, you can move into preparation with far fewer assumptions and far less anxiety.

In the next article, the focus shifts from structure to execution — how I actually prepared, how I allocated time across domains, and how my strategy changed as the exam approached.

Next:

Preparation strategy — how to allocate time and train the "ISACA way of thinking".