CISM Cheat Sheet: Domains, Governance & Risk Terms
By The Exam Atlas Editorial Team · Verified 2026-05-29
A final-revision summary for CISM. Study aid only — no notes are allowed in the proctored exam.
The four domains and weights
| Domain | Approx. weight |
|---|---|
| Information Security Governance | ~17% |
| Information Security Risk Management | ~20% |
| Information Security Program | ~33% |
| Incident Management | ~30% |
Governance essentials
| Term | Idea |
|---|---|
| Strategy | Security direction and objectives aligned to business goals; the basis for the program roadmap |
| Policy / standard / procedure | Policy states management intent (what and why); standards set mandatory, measurable requirements; procedures give step-by-step how-to |
| RACI | Responsible (does the work), Accountable (owns the outcome, exactly one per activity), Consulted, Informed |
| KPI vs KRI | KPI measures whether a process or control is performing as intended; KRI gives early warning that a risk is moving outside tolerance |
Risk management essentials
| Term | Idea |
|---|---|
| Risk = likelihood × impact | The core equation; likelihood is driven by threat and vulnerability, impact by asset value |
| Risk responses | Avoid (stop the activity), transfer/share (e.g. insurance, outsourcing), mitigate (add controls), accept (formally, by the risk owner) |
| Risk appetite / tolerance | Appetite is the amount of risk the organization is willing to take in pursuit of its objectives; tolerance is the acceptable deviation from that level |
| Residual risk | Risk remaining after controls are applied; it must fall within appetite or be explicitly accepted by management |
Incident management lifecycle
Preparation → Identification → Containment → Eradication → Recovery → Lessons learned.
| Term | Meaning |
|---|---|
| BIA | Business Impact Analysis: identifies critical processes and the cost of disruption over time; drives RTO/RPO |
| RTO / RPO | Recovery Time Objective (maximum acceptable time to restore a service) / Recovery Point Objective (maximum acceptable data loss, measured as time since the last usable backup) |
| SLA / OLA | Service Level Agreement (commitment to the customer or business unit) / Operational Level Agreement (internal commitment between teams that supports the SLA) |
FAQ
- Can I bring notes to the CISM exam?
- No. CISM is a proctored exam. Use this for final revision before exam day only.