CISM is organised into four domains, all viewed from a management perspective. This is a plain-English summary with approximate weightings; ISACA’s official content is authoritative.
| # | Domain | Approx. weight |
|---|---|---|
| 1 | Information Security Governance | ~17% |
| 2 | Information Security Risk Management | ~20% |
| 3 | Information Security Program | ~33% |
| 4 | Incident Management | ~30% |
Domain 1 — Information Security Governance
Establishing and maintaining a governance framework: strategy aligned to business goals, roles and responsibilities, policies and standards, and metrics for leadership.
Domain 2 — Information Security Risk Management
Identifying and assessing information security risk, selecting and justifying risk responses, and reporting residual risk in business terms against the organisation's stated risk appetite and tolerance.
Domain 3 — Information Security Program
The largest domain: building, resourcing and running the security programme, selecting control frameworks and standards, security awareness and training, and managing third-party risk and day-to-day security operations.
Domain 4 — Incident Management
Planning for and managing incidents: response plans and teams, detection and analysis, containment, eradication and recovery, business continuity and disaster recovery, and post-incident lessons learned.