CISM Job Practice Areas

A job practice serves as the basis for the exam and the experience requirements to earn the CISM. This job practice consists of task and knowledge statements, organized by domains.

CISM Certification Job Practice

The current CISM exam covers 4 information security management areas, each of which is further defined and detailed through Tasks & Knowledge statements. These areas and statements were approved by the CISM Certification Committee and represent a job practice analysis of the work performed by information security managers as validated by prominent industry leaders, subject matter experts and industry practitioners.

Following is a brief description of these areas, their definitions and approximate percentage of test questions allocated to each area.

This information provides the basis for the CISM exam and the qualifying experience for certification.

Domain 1—Information Security Governance (24%)

Domain 2—Information Risk Management and Compliance (33%)

Domain 3—Information Security Program Development and Management (25%)

Domain 4—Information Security Incident Management (18%)

For details on the tasks and knowledge statements forming part of the CISM domains, refer to the full task and knowledge statement listing.
