ISACA CISM Exam Update: What’s Changed
The ISACA updates the content of its curriculum and exams around every five years. The CISM Exam has recently been revised, and the changes came into effect on 1 June 2022. Here’s what changed in the most recent CISM Exam Content Outline update.
What Does the CISM Exam Cover?
The content outline for the 2022 CISM Exam is as follows:
Domain 1 – Information Security Governance
- Enterprise governance
- Organisational culture
- Legal, regulator, and contractual requirements
- Organisational structures, roles, and responsibilities
- Information Security Strategy
- Information security strategy development
- Information governance frameworks and standards
- Strategic planning
Domain 2 – Information Security Risk Management
- Information security risk assessment
- Emerging risk and threat landscape
- Vulnerability and control deficiency analysis
- Risk assessment and analysis
- Information Security risk response
- Risk treatment/risk response options
- Risk and control ownership
- Risk monitoring and reporting
Domain 3 – Information Security Program
- Information security program development
- Information security program resources
- Information asset identification and classification
- Industry standards and frameworks for information security
- Information security policies, procedures, and guidelines
- Information security program metrics
- Information security program management
- Information security control design and selection
- Information security control implementation and integrations
- Information security control testing and evaluation
- Information security awareness and training
- Management of external services
- Information security program communications and reporting
Domain 4 – Incident Management
- Incident management readiness
- Incident response plan
- Business impact analysis
- Business continuity plan
- Disaster recovery plan
- Incident classification/categorisation
- Incident management training, testing, and evaluation
- Incident management operations
- Incident management tools and techniques
- Incident investigation and evaluation
- Incident containment methods
- Incident response communications
- Incident eradication and recovery
- Post-incident review practices.
In addition to the knowledge contained in these domains, there are 37 supporting tasks that make up the curriculum for the 2022 CISM.
What Changed in the 2022 CISM Exam Update?
The most significant change to the CISM exam content outline in 2022 is the weight of each domain in the exam material.
In the 2022 CISM exam update the weight is as follows:
- Domain 1: Information Security Governance is worth 17%
- Domain 2: Information Security Risk Management is worth 20%
- Domain 3: Information Security Program is worth 33%
- Domain 4: Incident Management is worth 30%.
Prior to the 2022 CISM Exam update, domain 1 was worth 24%, domain 2 was worth 30%, domain 3 was worth 27% and domain 4 was worth 19%.
As you can see, the exam now places much more weight on domains 3 and 4.
These domains cover more of the technical and practical elements of information security management and incident management. There is less of a focus on governance in the updated CISM exam content.
CISM Exam Content Updates in 2022
The domains remain largely the same in the 2022 CISM exam update, with some minor changes to the language. For instance, Domain 4 is now called Incident Management instead of Information Security Incident Management.
CISM Exam Format Updates in 2022
The exam format has not changed for 2022. There will still be 150 multiple-choice questions that you must answer within 4 hours. The exam is still difficult and will involve you considering and selecting which answer is the ‘most right’ or ‘least incorrect’.
CISM Exam Resources
You can also:
- Read our guide to CISM certification exam preparation.
- Learn how to get your CISM certification.
- Find out more about our CISM exam training courses.
For more information about the CISM training courses, contact us!