CISM Domains: Four Management Domains Explained

2003

CISM certification launched

First management-focused security certification

2006

ANSI accreditation received

Validated certification rigor and global acceptance

2009

Job practice analysis expanded

Aligned domains with evolving security management roles

2012

Four-domain structure formalized

Clarified distinction between domains for better coverage

2015

Emphasis on risk management increased

Reflected enterprise shift toward risk-based security

2019

Cloud and third-party risk added

Addressed modern distributed computing environments

2022

Domain weightings adjusted

Reflected current importance distribution across domains

2024

Privacy and regulatory focus enhanced

Addressed GDPR, CCPA, and expanding compliance landscape

Chief Information Security Officer (CISO)

Very high - addresses all core responsibilities

CISSP (technical foundation), CGEIT (governance)

Information Security Manager

Very high - directly aligned to role

CISSP, CRISC (risk focus)

Security Director

Very high - governance and program management

CISSP, CRISC

IT Risk Manager

High - overlaps risk and security domains

CRISC (deeper risk focus), CISA (audit)

Security Consultant/Advisor

High - strategic advisory requires management perspective

CISSP, CCSP (cloud)

Compliance Manager (security focus)

Moderate-high - governance domain highly relevant

CISA, CRISC

Senior Security Engineer

Moderate - beneficial for career advancement

CISSP (broader technical), OSCP (offensive)

Security Analyst

Low - too early in career progression

Security+, CEH, GIAC certifications

CISM

Security program management and governance

Security managers, directors, CISOs

ISACA

CISSP

Broad technical and managerial security knowledge

Security engineers, architects, managers

(ISC)²

CRISC

IT and enterprise risk management

Risk managers, IT auditors

ISACA

CISA

IT audit and assurance

IT auditors, compliance professionals

ISACA

CEH

Ethical hacking and penetration testing

Penetration testers, security analysts

EC-Council

CCSP

Cloud security architecture and operations

Cloud security engineers, architects

(ISC)²

Domain 1: Information Security Governance

17%

~26 questions

Governance, strategy, frameworks

Domain 2: Information Risk Management

20%

~30 questions

Risk assessment, treatment, monitoring

Domain 3: Information Security Program

33%

~50 questions

Program development, management, resources

Domain 4: Incident Management

30%

~45 questions

Incident response, BCP, DR

Salary premium

$15,000-$35,000 higher average salary vs. non-certified peers

Direct financial return

Career advancement velocity

40% faster progression to director/CISO roles

Accelerated trajectory

Hiring preference

68% of security manager job postings prefer or require CISM

Market differentiation

Global recognition

Accepted in 170+ countries without additional qualification

International mobility

Knowledge systematization

Structured framework organizing disparate security knowledge

Professional confidence

Peer community access

ISACA chapters, conferences, networking opportunities

Professional network

Competency assurance

Verified management knowledge reducing program failures

Program effectiveness

Consistent approach

Common framework across security team

Operational coherence

Audit/compliance value

Recognized credential satisfying assessor competency requirements

Compliance evidence

Vendor evaluation

Objective measure when hiring security consultants

Procurement quality

Board confidence

Recognized credential communicating CISO qualifications

Governance assurance

Reduced hiring risk

Standardized competency assessment in security manager recruitment

Talent quality

Responsibility

Board of Directors, Executive Leadership

Security Director, CISO, Security Managers

Focus

Strategic direction, oversight, accountability

Implementation, operations, tactical execution

Timeframe

Long-term (3-5 years)

Short-to-medium term (quarterly, annual)

Questions addressed

What should we accomplish? Are we getting results?

How do we accomplish objectives? Are we executing efficiently?

Deliverables

Strategy, policies, risk appetite, resource allocation

Programs, procedures, controls, incident response

Meetings

Quarterly board reviews, annual strategy sessions

Weekly operations, monthly management reviews

Security strategy

Defines long-term security objectives aligned with business goals

Mission, vision, strategic objectives, roadmap

Organizational structure

Establishes reporting relationships and accountability

CISO reporting line, security team structure, committee composition

Policies and standards

Sets mandatory requirements and acceptable practices

Policy framework, standards hierarchy, exception processes

Risk appetite

Defines acceptable level and types of security risk

Risk tolerance statements, quantitative thresholds

Resource allocation

Provides funding and staffing for security initiatives

Budget allocation, headcount, capital investment

Performance measurement

Assesses security program effectiveness

KPIs, KRIs, metrics dashboard, reporting cadence

Oversight mechanisms

Ensures accountability and provides strategic guidance

Board reporting, steering committees, audit reviews

Reports to CEO

18%

Maximum independence; highest authority; direct board access

CEO may lack security expertise; can be isolated from technology decisions

Reports to CIO

42%

Technology integration; resource access; operational alignment

Conflict of interest (security oversees IT); independence questions

Reports to CFO/COO

22%

Business focus; risk management alignment; independence from IT

Can be disconnected from technology; may prioritize cost over security

Reports to Chief Risk Officer

12%

Risk management integration; enterprise risk view

Security may be subordinated to financial/operational risk priorities

Reports to General Counsel

6%

Compliance focus; legal privilege considerations

May overemphasize compliance vs. risk; technical disconnect

Mission statement

Defines security function's fundamental purpose

Derived from organizational mission

Vision statement

Articulates desired future state

Aligned with business vision (3-5 years)

Strategic objectives

Specific goals supporting business objectives

Mapped to business goals and risk appetite

Strategic initiatives

Major programs achieving objectives

Prioritized by business impact and risk reduction

Success metrics

Measurements determining strategy effectiveness

Tied to business outcomes and risk indicators

Resource requirements

Budget and staffing needed for strategy execution

Justified by business value and risk mitigation

Enter European market (Year 1)

Achieve GDPR compliance for patient data

GDPR gap analysis and remediation program; Data Protection Impact Assessments; Privacy-by-design integration

Year 1

Launch telehealth services globally (Year 2)

Secure global telehealth platform meeting regional requirements

Cloud security architecture; Identity federation; Data sovereignty controls

Years 1-2

Establish partnerships with local providers (Years 2-4)

Create secure health information exchange

Third-party risk program; Interoperability security standards; Cross-border data flow controls

Years 2-4

Centralize analytics across regions (Year 3-5)

Enable compliant global analytics while maintaining data sovereignty

Data anonymization pipeline; Federated analytics architecture; Consent management platform

Years 3-5

Policies

High-level mandatory requirements

Entire organization

What must be done

2-3 years

Standards

Specific technical or process requirements

Relevant functions

Specific requirements

1-2 years

Procedures

Step-by-step implementation instructions

Specific roles

Detailed how-to

6-12 months

Guidelines

Recommended practices (non-mandatory)

Relevant functions

Best practice recommendations

As needed

Work instructions

Detailed task-specific steps

Individual roles

Granular execution

As needed

Information Security Policy (master)

Establishes overall security program authority and scope

Management commitment, roles, compliance requirements

Acceptable Use Policy

Defines appropriate use of organizational IT resources

Prohibited activities, monitoring rights, consequences

Access Control Policy

Establishes requirements for user access management

Authentication, authorization, access review, termination

Data Classification Policy

Defines information sensitivity levels and handling requirements

Classification levels, labeling, storage, transmission, disposal

Incident Response Policy

Establishes incident handling requirements

Incident definition, reporting obligations, response process

Third-Party Security Policy

Defines security requirements for vendors and partners

Due diligence, contracting requirements, oversight

Encryption Policy

Establishes when and how to encrypt data

Data at rest, data in transit, key management

Remote Access Policy

Defines secure remote access requirements

VPN usage, device security, authentication

Change Management Policy

Establishes process for system changes

Change approval, testing, rollback procedures

Business Continuity Policy

Defines resilience and recovery requirements

RTO/RPO objectives, testing frequency, plan maintenance

Board Risk/Audit Committee

Board members, CISO, CRO, CFO

Quarterly

Security oversight, major incident review, strategy approval, resource allocation

Executive Security Steering Committee

C-suite executives, CISO

Monthly

Strategic decisions, policy approval, investment prioritization, cross-functional coordination

Security Architecture Review Board

CTO, Enterprise Architects, CISO, Security Architects

Bi-weekly

Architecture decisions, technology selection, security design patterns

Change Advisory Board (security representation)

IT leadership, CISO, operations

Weekly

Change approval ensuring security review integration

Third-Party Risk Committee

Procurement, Legal, CISO, Business Units

Monthly

Vendor risk assessment, critical vendor reviews, third-party incident response

Data Governance Committee

Data owners, Privacy Officer, CISO, Legal

Monthly

Data classification, access policies, data retention, privacy requirements

Executive participation

C-suite personally attends

Delegates send subordinates

High - decisions carry authority

Meeting preparation

Materials distributed 48hrs advance; pre-reads expected

Materials presented during meeting

High - enables substantive discussion

Decision authority

Committee can approve budgets, policies, and initiatives

Committee makes recommendations only

High - eliminates decision bottlenecks

Accountability

Action items tracked; owners held accountable

Discussions without follow-through

High - ensures execution

Focus

Agenda addresses strategic/high-impact issues

Agenda filled with tactical operational details

Moderate - efficient time utilization

HIPAA (Health Insurance Portability and Accountability Act)

Healthcare providers, health plans, clearinghouses

Administrative, physical, and technical safeguards for PHI

PCI DSS (Payment Card Industry Data Security Standard)

Organizations processing credit card transactions

Cardholder data protection requirements

SOX (Sarbanes-Oxley Act)

Publicly traded companies

IT controls supporting financial reporting

GDPR (General Data Protection Regulation)

Organizations processing EU resident data

Privacy-by-design, breach notification, data subject rights

CCPA/CPRA (California Consumer Privacy Act)

Organizations with California consumer data

Privacy rights, data transparency, security requirements

GLBA (Gramm-Leach-Bliley Act)

Financial institutions

Information security program requirements

FERPA (Family Educational Rights and Privacy Act)

Educational institutions

Student record protection

FedRAMP (Federal Risk and Authorization Management Program)

Cloud providers serving federal agencies

Standardized security assessment and authorization

FISMA (Federal Information Security Management Act)

Federal agencies and contractors

Security program requirements for federal systems

ISO 27001

Organizations seeking certification

Information security management system implementation

Risk posture

Number of high/critical risks; residual risk exposure; risk trend over time

Very high - core oversight responsibility

Compliance status

Percentage of controls compliant; audit findings; regulatory examination results

Very high - legal/regulatory consequences

Incident impact

Number of incidents; financial impact; customer impact; downtime

Very high - business impact visibility

Program maturity

Capability maturity scores; benchmark comparisons; progress against strategy

Moderate-high - program effectiveness assessment

Resource utilization

Budget variance; FTE allocation; project completion rates

Moderate - resource stewardship

Third-party risk

Vendor risk ratings; critical vendor incidents; vendor compliance rates

Moderate-high - supply chain risk visibility

Executive summary focus

One-page dashboard with key metrics and trend indicators

Board time is limited; needs quick risk assessment

Exception-based

Highlights significant changes, emerging risks, and incidents

Avoids overwhelming with routine operational details

Contextualized

Compares metrics to targets, industry benchmarks, and risk appetite

Enables assessment of "acceptable" vs. "concerning"

Forward-looking

Includes emerging threats and future risk indicators

Boards govern future risk, not just past performance

Action-oriented

Clear on what actions are needed and what has been done

Demonstrates accountability and enables board decisions

Business language

Avoids technical jargon; translates security to business impact

Ensures board comprehension and engagement

Asset

Something of value to the organization

Data, systems, intellectual property, reputation

Threat

Potential cause of unwanted incident

Ransomware, insider theft, natural disaster, system failure

Vulnerability

Weakness that can be exploited

Unpatched software, weak passwords, lack of encryption, single points of failure

Risk

Likelihood and impact of threat exploiting vulnerability

"High probability of ransomware attack causing $2M loss and 5-day outage"

Control

Measure reducing risk

Firewalls, encryption, access controls, backups, procedures

Residual Risk

Risk remaining after controls applied

Risk that persists despite mitigation efforts

Risk Appetite

Amount and type of risk organization willing to accept

Risk tolerance thresholds guiding accept/mitigate decisions

1. Asset Identification

Inventory information assets, systems, and processes

Asset inventory with criticality ratings

2. Threat Identification

Identify relevant threats based on environment and threat intelligence

Threat catalog specific to organization

3. Vulnerability Assessment

Technical scanning, configuration reviews, control gap analysis

Vulnerability inventory with severity ratings

4. Risk Analysis

Evaluate likelihood and impact of threat/vulnerability combinations

Risk register with ratings and prioritization

5. Risk Evaluation

Compare identified risks to risk appetite and criteria

Risk prioritization for treatment decisions

6. Risk Treatment Planning

Select risk treatment options and develop mitigation plans

Risk treatment plan with owners and timelines

Comprehensive enterprise risk assessment

Annually

—

All assets, systems, and processes

System-specific risk assessment

New system deployment; major changes

New systems, significant system changes

Individual system or application

Vendor/third-party risk assessment

Prior to engagement; annually for critical vendors

New vendor; contract renewal

Third-party relationship

Continuous risk monitoring

Ongoing

Vulnerability discoveries, threat intelligence, incidents

Specific risk indicators

Project risk assessment

Project initiation

New projects involving information assets

Project scope

Ransomware disrupting production

$2,400,000

Endpoint detection & response, enhanced backups

$120,000

80% ($1,920,000)

16:1

Customer data breach

$1,800,000

Data loss prevention, database encryption

$85,000

70% ($1,260,000)

14.8:1

Privileged access abuse

$850,000

Privileged access management solution

$95,000

75% ($637,500)

6.7:1

Supply chain compromise

$600,000

Third-party risk program, vendor assessments

$65,000

50% ($300,000)

4.6:1

Cloud misconfiguration

$420,000

Cloud security posture management

$45,000

85% ($357,000)

7.9:1

Risk Avoidance

Eliminate activity or asset creating the risk

Risk exceeds benefit; unacceptable risk level

Don't process certain data types; don't enter high-risk markets; don't use risky technologies

Risk Mitigation

Implement controls reducing likelihood or impact

Cost-effective controls available; residual risk acceptable

Deploy firewalls, encryption, access controls, monitoring, training

Risk Transfer

Shift financial consequences to third party

Risk can be insured; third-party better positioned to manage

Cybersecurity insurance, outsourcing to managed security providers, contractual liability shifts

Risk Acceptance

Acknowledge risk and take no action

Cost of mitigation exceeds risk; risk below appetite threshold

Accept low-impact vulnerabilities; accept residual risk after mitigation

Low

<$10,000

Security Manager

Email to risk register

Moderate

$10,000-$100,000

CISO

Formal risk acceptance with mitigation plan

High

$100,000-$1,000,000

Executive Steering Committee

Board notification; quarterly review

Critical

>$1,000,000

Board Risk Committee

Board approval; monthly review; external validation

Data access risk

Vendor has access to sensitive organizational data

Cloud providers, SaaS applications, outsourced services

Service dependency risk

Business operations depend on vendor availability/security

Critical infrastructure providers, payment processors

Supply chain compromise risk

Vendor's compromise could affect organization

Software vendors, managed service providers

Compliance risk

Vendor's practices could create regulatory violations

Data processors under GDPR, HIPAA business associates

Reputational risk

Vendor's security failures could damage organization's reputation

Customer-facing vendors, brand partners

Concentration risk

Over-reliance on single vendor creates availability risk

Single cloud provider, single telecom carrier

Vendor Due Diligence

Security questionnaires, audit report review, site visits

Vendor risk assessment report

Contract Security Requirements

Negotiate security obligations, data protection terms, breach notification

Contract with security schedule

Ongoing Monitoring

Periodic reassessments, security scan validation, incident tracking

Quarterly vendor risk reports

Incident Response Coordination

Integrated response procedures, communication protocols

Vendor incident response plan

Offboarding

Data return/destruction, access termination, relationship closure

Offboarding completion verification

Tier 1 (Critical)

Access to sensitive data; critical service dependency; high inherent risk

Comprehensive security assessment; penetration testing; on-site audit

Annually

Tier 2 (High)

Limited sensitive data access; important but not critical services

Security questionnaire; SOC 2 report review; references

Every 18 months

Tier 3 (Moderate)

No sensitive data access; standard services

Abbreviated questionnaire; attestations

Every 2-3 years

Tier 4 (Low)

No data access; non-critical commodity services

Contractual security terms only

At contract renewal

Key Risk Indicators (KRIs)

Metrics signaling increasing/decreasing risk

Real-time to monthly

Risk managers, security operations

Risk Register Updates

Tracking risk status, treatment progress, new risks

Monthly

CISO, risk committee

Executive Risk Reporting

Summary of risk posture, significant changes, emerging risks

Quarterly

Executive steering committee

Board Risk Reporting

High-level risk trends, critical risks, strategic implications

Quarterly

Board audit/risk committee

Regulatory Risk Reporting

Compliance with mandated risk reporting requirements

Per regulation

Regulators, examiner

Ransomware risk

Days since last successful phishing simulation click

Increasing days = decreasing risk

Data breach risk

Number of exposed sensitive records in audit findings

Increasing count = increasing risk

Availability risk

Percentage of critical systems with tested disaster recovery

Increasing percentage = decreasing risk

Third-party risk

Number of critical vendors with overdue security assessments

Increasing count = increasing risk

Patch management risk

Average time to patch critical vulnerabilities

Increasing days = increasing risk

Access control risk

Percentage of user accounts reviewed in past 90 days

Increasing percentage = decreasing risk

NIST Cybersecurity Framework (CSF)

National Institute of Standards and Technology

Risk-based security program structure

US organizations, all sectors

ISO/IEC 27001

International Organization for Standardization

Information security management system

Organizations seeking certification

NIST SP 800-53

NIST

Federal system security controls

Federal agencies and contractors

CIS Controls

Center for Internet Security

Prioritized technical controls

Organizations of all sizes seeking practical controls

COBIT

ISACA

IT governance and management

IT audit, governance focus

PCI DSS

PCI Security Standards Council

Payment card data protection

Organizations processing card payments

HITRUST CSF

HITRUST Alliance

Healthcare information protection

Healthcare organizations

Regulatory requirements

Does regulation mandate specific framework?

May dictate framework selection

Certification needs

Does organization need third-party certification?

ISO 27001 required for certification

Industry norms

What frameworks do peers and customers expect?

Industry standards influence credibility

Organizational maturity

Does current capability match framework complexity?

Mature frameworks may overwhelm early-stage programs

Resource availability

Can organization support framework maintenance?

Complex frameworks require significant resources

Global vs. domestic

Does organization operate internationally?

ISO frameworks better recognized globally

Administrative

Policies, procedures, and processes

Security policies, risk assessments, security awareness training, incident response procedures

Technical

Technology-based security mechanisms

Firewalls, encryption, access controls, intrusion detection, antivirus, DLP

Physical

Protection of physical facilities and assets

Badge access, security cameras, locked doors, environmental controls

Preventive

Stop security incidents before they occur

Firewalls, encryption, authentication, hardening

Detective

Identify security incidents when they occur

IDS/IPS, SIEM, security monitoring, log analysis, audit reviews

Corrective

Reduce impact and restore systems after incidents

Backup restoration, patch deployment, incident response, system recovery

Deterrent

Discourage potential attackers

Warning banners, awareness campaigns, visible security presence

Compensating

Alternative controls when primary controls infeasible

Enhanced monitoring compensating for inability to patch legacy systems

Public

Information intended for public disclosure

Marketing materials, press releases, public website content

Integrity protection; availability as needed

Internal

Information for internal use; limited external impact if disclosed

Internal procedures, org charts, general business information

Access restricted to employees/contractors; standard protection

Confidential

Sensitive business information; moderate damage if disclosed

Business strategies, financial data, customer lists, employee records

Role-based access; encryption in transit; activity logging

Restricted/Highly Confidential

Highly sensitive; severe damage if disclosed

Trade secrets, M&A plans, customer PII, payment data, medical records

Strong access controls; MFA required; encryption at rest and in transit; extensive logging and monitoring

Access authentication

None

Standard (password)

Multi-factor

Strong multi-factor

Encryption in transit

Optional

Standard TLS

Strong TLS 1.2+

Strong TLS 1.3

Encryption at rest

No

No

Yes (AES-256)

Yes (AES-256 with key management)

Access logging

No

Basic

Detailed

Comprehensive with real-time monitoring

Data loss prevention

No

No

Yes

Yes with advanced pattern detection

User access review

N/A

Annual

Quarterly

Monthly

Retention period

Until no longer needed

7 years

7 years

Per regulation/minimum necessary

Disposal method

Standard deletion

Standard deletion

Secure deletion

Cryptographic erasure or physical destruction

New employee security orientation

All new hires

Upon hire

Online with attestation

Acceptable use, data handling, incident reporting, password requirements

Annual security awareness training

All employees

Annually

Online with assessment

Emerging threats, policy updates, incident response, data protection

Role-specific security training

Privileged users, developers, managers

Annual or upon role change

Online or instructor-led

Role-specific responsibilities and risks

Phishing simulations

All employees

Monthly or quarterly

Automated email campaigns

Phishing recognition and reporting

Specialized technical training

Security team members

As needed for skills

External courses, conferences, certifications

Technical security skills development

Executive security briefings

C-suite and board

Quarterly

In-person or virtual briefings

Strategic risks, major incidents, emerging threats

Training completion rate

>95%

LMS tracking

Assessment pass rate

>85%

Assessment scoring

Phishing simulation click rate

<10%

Simulation platform metrics

Security incident reduction

30%+ YoY reduction

Incident tracking system

Time to report suspicious activity

<15 minutes

Incident timestamps

Employee security confidence survey

>75% confident

Annual survey

Click rate

42%

28%

18%

11%

Report rate

12%

31%

48%

62%

Real phishing incidents

10/month

7/month

4/month

2/month

Credential compromise incidents

3/quarter

2/quarter

1/quarter

0/quarter

Identification

Establish unique user identities

User provisioning, identity repository, unique identifiers

Authentication

Verify claimed identity

Passwords, MFA, biometrics, certificates

Authorization

Grant appropriate access rights

Role-based access control (RBAC), attribute-based access control (ABAC)

Accountability

Track user activities

Logging, monitoring, audit trails

Access Review

Validate access remains appropriate

Periodic recertification, manager attestation

Deprovisioning

Remove access when no longer needed

Termination process, access removal automation

Single Factor

Password only

Public information, low-value resources

High

Two-Factor

Password + SMS code

Internal resources, moderate sensitivity

Moderate

Multi-Factor (strong)

Password + authenticator app/hardware token

Sensitive data, privileged access

Low-Moderate

Certificate-based

Digital certificate + device trust

High-security environments, zero-trust architectures

Low

Biometric + additional factor

Fingerprint/face + password

Very high security requirements

Very Low

Discretionary Access Control (DAC)

Resource owners control access

Small organizations, flexible environments

Mandatory Access Control (MAC)

Centralized authority enforces access based on classification

Government, military, high-security environments

Role-Based Access Control (RBAC)

Access based on job roles

Medium-to-large organizations with defined roles

Attribute-Based Access Control (ABAC)

Access based on multiple attributes (role, location, time, device)

Complex environments requiring granular, contextual control

Privileged account inventory

Identify all privileged accounts

Automated discovery of admin accounts

Credential vaulting

Secure storage of privileged credentials

Password vault requiring check-out

Just-in-time (JIT) access

Grant privileged access only when needed

Temporary elevation with automatic expiration

Session recording

Capture privileged user activities

Video recording of admin sessions

Break-glass procedures

Emergency access when normal processes unavailable

Sealed envelope procedures, break-glass accounts

Data at rest

Protect stored data from unauthorized access

Full disk encryption, database encryption, file-level encryption

Data in transit

Protect data during transmission

TLS for web traffic, VPN for network traffic, SFTP for file transfer

Data in use

Protect data during processing

Encrypted memory, confidential computing enclaves

Backup media

Protect backup data

Encrypted backup sets, encrypted tape drives

Mobile devices

Protect data on portable devices

Device encryption (BitLocker, FileVault)

Email

Protect email content

S/MIME, PGP/GPG for sensitive emails

Cloud storage

Protect data in cloud environments

Cloud provider encryption + customer-managed keys

Key generation

High - weak keys undermine encryption

Use cryptographically secure random number generators; appropriate key lengths (AES-256, RSA-2048+)

Key storage

Critical - compromised keys compromise all encrypted data

Hardware security modules (HSMs), key vaults, separated from encrypted data

Key rotation

High - limits exposure window

Regular key changes based on data sensitivity and compliance requirements

Key escrow/backup

High - prevents data loss if keys lost

Secure key backup with strict access controls, recovery testing

Key destruction

Moderate - prevents future unauthorized access

Cryptographic erasure when data retention expires

Proprietary/custom crypto algorithms

Unvetted algorithms often contain weaknesses

Use established algorithms (AES, RSA, ECC)

Weak key lengths

Vulnerable to brute force

AES-256, RSA-2048 minimum

Keys stored with encrypted data

Compromise of storage exposes keys

Separate key management infrastructure

Lack of key rotation

Extended exposure if key compromised

Automated rotation policies

Weak random number generation

Predictable keys

Cryptographically secure RNG

Requirements

Security requirements definition, threat modeling initiation

Security requirements document

Design

Security architecture review, threat modeling completion, privacy review

Threat model, security architecture

Implementation

Secure coding training, static code analysis, code review

Remediated code, analysis reports

Testing

Dynamic application security testing (DAST), penetration testing, security test cases

Test results, remediation plan

Deployment

Security configuration review, security monitoring setup, deployment checklist

Secure configuration baseline

Operations

Vulnerability management, security monitoring, incident response

Security bulletins, patches

Security review at end of development

Security checks in CI/CD pipeline

Earlier vulnerability detection, faster remediation

Manual security testing

Automated security testing (SAST, DAST, SCA)

Consistent testing, faster feedback

Separate security and development teams

Security embedded in development teams

Better security understanding, faster resolution

Security as checkpoint/blocker

Security as enabler with clear guardrails

Faster velocity without compromising security

Input validation

SQL injection, command injection, XSS

Very high

Authentication and session management

Session hijacking, credential theft

Very high

Access control

Privilege escalation, unauthorized access

High

Cryptography usage

Weak encryption, exposed sensitive data

High

Error handling

Information disclosure

Moderate

Secure configuration

Default credentials, unnecessary services

High

1. Preparation

Establish incident response capability before incidents occur

Team formation, playbook development, tool deployment, training, exercises

2. Detection and Analysis

Identify security incidents and determine scope/impact

Monitoring, log analysis, alert triage, incident classification

3. Containment

Limit incident spread and damage

Isolation, access restriction, malware removal, system disconnection

4. Eradication

Remove incident cause from environment

Malware removal, vulnerability patching, account closure, system hardening

5. Recovery

Restore systems to normal operations

System restoration, validation, monitoring, gradual production return

6. Post-Incident Activity

Learn from incidents and improve response

Lessons learned, documentation, process improvement, metrics analysis

Incident Response Manager

Overall incident coordination, stakeholder communication, escalation decisions

CISO, Security Director, Senior Security Manager

Security Operations Lead

Technical analysis, containment execution, forensics coordination

Security Operations Manager

IT Operations Representative

System access, change implementation, technical support

IT Director, System Administrators

Legal Counsel

Legal implications, regulatory notification, law enforcement coordination

General Counsel, outside counsel

HR Representative

Insider threat cases, employee action coordination

CHRO, HR Director

Communications/PR

External communications, media relations, customer notification

CCO, PR Director

Business Unit Representative

Business impact assessment, business continuity decisions

Relevant VP or Director

Critical

Customer PII exposure; complete business disruption; ransomware encryption of critical systems; active data exfiltration

Immediate (within 15 minutes)

Executive team, board notification

High

Partial business disruption; suspected data breach; system compromise with sensitive data access; successful phishing with credential compromise

Within 1 hour

Senior management, department heads

Moderate

Limited business impact; successful attack contained; non-sensitive data exposure; attempted but unsuccessful attacks on critical systems

Within 4 hours

Security management, affected department managers

Low

Minor policy violation; unsuccessful attack; single system compromise with no sensitive data; security control failure without exploitation

Within 24 hours

Security team, system owners

Malware

Ransomware, trojans, worms, spyware

High-Critical

Containment priority to prevent spread

Unauthorized Access

Compromised accounts, privilege escalation

Moderate-Critical

Identity and access review required

Data Breach

Exfiltration, exposure, theft

High-Critical

Regulatory notification requirements

Denial of Service

DDoS attacks, service disruption

Moderate-High

Business continuity activation

Phishing/Social Engineering

Credential theft, invoice fraud

Low-High

User education component

Insider Threat

Malicious employee, data theft

Moderate-Critical

HR and legal involvement essential

Physical Security

Unauthorized facility access, device theft

Low-Moderate

Physical security team involvement

Third-Party Incident

Vendor compromise affecting organization

Variable

Vendor coordination required

Security Information and Event Management (SIEM)

Automated correlation of logs and events

Broad network and system activity

Real-time to 24 hours

Intrusion Detection/Prevention Systems (IDS/IPS)

Network traffic analysis for attack patterns

Network perimeter and internal segments

Real-time

Endpoint Detection and Response (EDR)

Endpoint behavior analysis and threat hunting

All endpoints (workstations, servers)

Real-time to hours

User and Entity Behavior Analytics (UEBA)

Anomalous user behavior detection

User activities across systems

Hours to days

Data Loss Prevention (DLP)

Sensitive data movement monitoring

Data in motion and at rest

Real-time

Security Operations Center (SOC)

Human analysis of security events

All security tool outputs

Variable

Threat Intelligence

External threat information correlation

Known threat actor TTPs

Real-time

Vulnerability Scanning

Identification of exploitable weaknesses

Infrastructure and applications

Periodic (daily to monthly)

User Reports

End users reporting suspicious activity

Activities visible to users

Variable (best case minutes)

Level 1 - Reactive

Minimal logging, no correlation, incident detection through business impact

Poor - only discover incidents after significant damage

Very small organizations, no dedicated security team

Level 2 - Basic Monitoring

Basic SIEM, signature-based detection, manual investigation

Moderate - detect known attacks, miss sophisticated threats

Small-to-medium organizations, limited security resources

Level 3 - Proactive Detection

Advanced SIEM with correlation, some automation, threat intelligence integration

Good - detect most attacks, some sophistication gaps

Medium-to-large organizations, dedicated SOC

Level 4 - Advanced Analytics

UEBA, threat hunting, advanced correlation, extensive automation

Very good - detect sophisticated attacks, proactive hunting

Large enterprises, mature security programs

Level 5 - Predictive

AI/ML-based detection, predictive analytics, continuous threat hunting

Excellent - predictive threat detection, minimal attacker dwell time

Leading enterprises, advanced security organizations

Mean time to detect

87 days

4.2 hours

99.8%

Mean time to respond

6 days

2.1 hours

99.3%

Security incidents requiring response

140/year

185/year

+32% (better detection)

Critical incidents

12/year

8/year

-33% (faster containment)

Average incident cost

$185,000

$28,000

-85%

Immediate disconnection

Disconnect affected systems from network

Rapidly spreading malware, active data exfiltration

Data loss if systems in middle of transaction, potential evidence destruction

Network isolation

Isolate affected network segment

Contained threat in specific segment, need to preserve some connectivity

May not prevent lateral movement if attacker already present in other segments

Account suspension

Disable compromised user accounts

Compromised credentials, insider threat

Business disruption if accounts needed for operations

Service blocking

Block specific protocols or destinations

C2 communication, data exfiltration to known destinations

May not prevent attacker adapting to different protocols/destinations

Controlled observation

Monitor attacker activity before containment

Need to understand attacker objectives, gather evidence for prosecution

Risk of allowing additional damage, requires very controlled environment

Volatile data

RAM contents, running processes, network connections

Live system memory capture before shutdown

Non-volatile data

Hard drive contents, logs, configuration files

Bit-level forensic image, hash verification

Network data

Packet captures, flow records, firewall logs

PCAP files, log exports with timestamps

Application data

Database records, application logs, audit trails

Database exports, application log preservation

Physical evidence

Removed hard drives, USB devices, notes

Chain of custody documentation, secure storage

Identification

Identify systems, data, and evidence relevant to incident

Comprehensive scope prevents missing critical evidence

Preservation

Secure and protect evidence from modification

Maintain chain of custody, hash verification

Collection

Gather evidence using forensically sound methods

Use write-blockers, create forensic copies not working with originals

Analysis

Examine evidence to understand incident

Document all findings, maintain objectivity

Reporting

Document findings in clear, factual report

Suitable for legal proceedings, technical and executive versions

Recovery Time Objective (RTO)

Maximum tolerable time to restore function after disruption

Minutes to weeks depending on criticality

Recovery Point Objective (RPO)

Maximum tolerable data loss measured in time

Minutes to days depending on data criticality

Maximum Tolerable Downtime (MTD)

Longest time function can be unavailable before organization viability threatened

Hours to months depending on function

Business Impact Analysis (BIA)

Assessment of criticality and recovery requirements for business functions

Completed for all critical business functions

Mission-critical (Tier 1)

1-4 hours

15 minutes

High availability, real-time replication, hot site

Business-critical (Tier 2)

8-24 hours

4 hours

Near-real-time replication, warm site

Important (Tier 3)

2-5 days

24 hours

Daily backups, cold site or cloud recovery

Non-critical (Tier 4)

1-2 weeks

7 days

Standard backups, eventual restoration

Hot Site

Fully operational duplicate site with real-time data replication

1-4 hours

Very high ($$$)

Mission-critical functions requiring immediate recovery

Warm Site

Partially equipped site with recent data backups

12-24 hours

Moderate-high ($$)

Business-critical functions tolerating brief downtime

Cold Site

Empty facility with power/connectivity but no equipment

Days to weeks

Low ($)

Non-critical functions with high downtime tolerance

Cloud-based DR

Recovery resources provisioned on-demand in cloud

1-24 hours

Variable (pay-per-use)

Flexible DR with variable RTO requirements

Mobile Site

Trailer/portable facility deployed to affected location

2-5 days

Moderate ($$)

Specialized or geographically remote operations

Business Impact Analysis

Identifies critical functions and recovery requirements

Annually or with significant business changes

Risk Assessment

Identifies threats to business continuity

Annually

Recovery Strategies

Defines approaches for restoring functions

Annually

Recovery Procedures

Step-by-step restoration instructions

Annually, updated after tests

Emergency Response Plan

Immediate actions during incidents

Annually

Communication Plan

Stakeholder notification procedures

Annually

Team Contact List

Recovery team members and alternates

Quarterly

Vendor Contact List

Critical vendor emergency contacts

Quarterly

Tabletop Exercise

Discussion-based scenario walkthrough

Annually minimum

None - meeting only

Simulation

Simulated disaster with recovery actions (no actual failover)

Annually

None - systems remain in production

Parallel Test

Recovery systems activated alongside production

Annually

Minimal - production unaffected

Failover Test

Actual failover to DR systems with production cutover

Every 2-3 years

High - production switched temporarily

Full Interruption Test

Complete production shutdown and DR activation

Rarely (every 5+ years)

Very high - production down during test

Executive leadership

Business impact, recovery timeline, financial implications

Within 1-4 hours of critical incidents

Phone call, in-person briefing

Board of Directors

Strategic implications, major incidents, regulatory matters

Within 24 hours of critical incidents, formal reporting quarterly

Board report, emergency meeting

Affected business units

Operational impact, workarounds, recovery timeline

As soon as impact understood

Email, emergency hotline

All employees

What happened, what employees should do, what organization is doing

Within 24 hours for significant incidents

Email, intranet announcement

IT staff

Technical details, response actions, system status

Immediately upon detection

Incident ticket, emergency communications channel

Affected customers

Varies by jurisdiction and data type

GDPR: 72 hours; US state laws: 30-90 days

What data exposed, what actions taken, what customers should do

Regulators

Depends on regulation

GDPR: 72 hours; others vary

Incident details, data affected, remediation

Law enforcement

Voluntary except certain financial crimes

As soon as appropriate if prosecution sought

Evidence, suspect information, incident details

Media/public

Varies by jurisdiction and circumstances

When required by law or when public awareness necessary

Factual information, actions taken, customer guidance

Business partners

Contractual obligations

Per contract terms

Scope of incident affecting partner, remediation

Cyber insurance carrier

Policy requirements

Typically within 24-72 hours

Incident details for coverage determination

Medical records (PHI)

HIPAA

State laws may be stricter

Breach of unsecured PHI

60 days

Personal information (varies by state)

None (state law governs)

All 50 states + DC, territories

Unauthorized access to PII

30-90 days typically

Payment card data

None (PCI DSS applies)

State laws

Unauthorized access to cardholder data

Per card brand rules and state law

Student records

FERPA (no breach notification)

State laws

Varies

Varies

Governance establishes risk appetite

Risk management assesses risks against appetite

Program implements controls addressing prioritized risks

Incident management responds to control failures

Governance defines security strategy

Risk management identifies strategic risks

Program resources allocated to strategic priorities

Incident response capabilities protect strategic assets

Governance creates policies

Risk management identifies policy requirements

Program enforces policy through controls

Incident response addresses policy violations

Governance provides funding

Risk management justifies investments

Program uses resources effectively

Incident response capabilities funded appropriately

CISM Review Manual (ISACA official)

Self-study book

$195 members, $245 non-members

High - essential foundation

CISM Review Questions, Answers & Explanations Manual

Practice questions

$95 members, $120 non-members

High - question format familiarization

CISM Online Review Course (ISACA)

Online course

$795-$995

High - structured learning

Instructor-led CISM review course

Live training

$2,000-$4,000

Very high - interactive learning

Practice exams (various vendors)

Exam simulation

$50-$200

Moderate-high - readiness assessment

Study groups

Peer learning

Free

Moderate - depends on group quality

Security manager, 5+ years experience

2-3 months

10-15 hours

80-180 hours

Security professional, 3-5 years experience

3-4 months

15-20 hours

180-320 hours

Security professional, <3 years experience

4-6 months

15-20 hours

240-480 hours

Career changer with limited security experience

6-12 months

20+ hours

480-960 hours

"FIRST"

Prioritization question

Assessment, planning, stakeholder engagement before action

"BEST"

Multiple valid options

Most aligned with governance, risk management, or business objectives

"MOST important"

Risk prioritization

Highest risk or business impact

"PRIMARY responsibility"

Role clarification

Security manager's governance/oversight role vs. technical staff

"To comply with regulations"

Compliance driver

Evidence, documentation, audit trail

Annual minimum

20 hours

Security-related training, conferences, webinars, writing, teaching

Three-year total

120 hours

Same as annual

Security training courses

1 hour = 1 CPE

Certificate of completion

Security conferences

1 hour = 1 CPE

Attendance verification

Security webinars

1 hour = 1 CPE

Completion certificate

Security-related teaching

1 hour teaching = 2-4 CPE

Teaching materials, class roster

Security research/writing

Published work = 10-30 CPE

Published article/paper

Security professional groups

Meeting attendance = 1 CPE per hour

Meeting minutes/attendance

Self-study

Limited credit

Reading log