CISM Cert Masterclass - Prepare for the Exam in 2026

Course Description

This course contains the use of artificial intelligence.

This course is a complete, structured study program for the ISACA Certified Information Security Manager (CISM) exam. Built domain by domain against the official CISM exam blueprint, it covers every topic area you need to understand before sitting for the exam — from information security governance and risk management through security program development and incident management. If you are a security manager, IT risk professional, GRC analyst, compliance officer, or IT leader targeting the CISM certification, this course gives you a study path you can follow from start to finish.

Domain 1 — Information Security Governance (17% of the exam) — covers the structures and processes that define how an organization governs information security. Topics include organizational culture and its influence on security outcomes, legal and regulatory requirements (GDPR, HIPAA, PCI DSS, SOX, GLBA, FERPA), contractual obligations, information security strategy development, governance frameworks (COBIT, ISO 27001, NIST CSF), the CISO reporting structure and organizational placement, security steering committees, roles and responsibilities across business units, and aligning security strategy with enterprise objectives. You will understand how security governance translates business risk appetite into actionable policy and how the security manager bridges technical risk and executive decision-making.

Domain 2 — Information Security Risk Management (20%) — covers the identification, assessment, and treatment of information security risks across the enterprise. Topics include emerging threat landscapes, vulnerability and control deficiency analysis, risk assessment methodologies (quantitative and qualitative), risk scenario development, asset valuation, risk treatment options (accept, mitigate, transfer, avoid), risk and control ownership, third-party risk management, risk register maintenance, risk monitoring through KRIs and KPIs, and risk reporting to senior management and the board. You will understand how to build and operate a risk management program that produces defensible, business-aligned risk decisions — not just technical risk inventories.

Domain 3 — Information Security Program (33%) — is the largest domain on the exam and covers the design, implementation, and management of the security program itself. Topics include program resource management (budget, staffing, outsourcing), information asset identification and classification, industry standards and frameworks for security controls, security policy hierarchies (policies, standards, procedures, guidelines), security program metrics and reporting, control design and selection, control implementation and integration, control testing and evaluation, security awareness and training programs, management of external services and third-party providers, and security program communications to technical and executive audiences. This domain tests your ability to build a security program that is measurable, sustainable, and aligned with organizational risk tolerance.

Domain 4 — Incident Management (30%) — is the second-largest domain and covers the full incident lifecycle from preparation through post-incident improvement. Topics include incident response plan development, business impact analysis (BIA), business continuity planning (BCP), disaster recovery planning (DRP), recovery site strategies (hot, warm, cold, reciprocal agreements), incident classification and categorization, incident management training and testing (tabletop exercises, functional tests, full interruption tests), detection methods and monitoring tools (SIEM, SOC operations), incident investigation and evidence preservation, containment strategies (short-term and long-term), incident response communications (internal and regulatory notification), eradication and recovery procedures, and post-incident review practices including root cause analysis and lessons learned. You will understand how to design, test, and execute an incident management capability that meets both operational and regulatory requirements.

This course is built differently from reading the CISM Review Manual cover to cover. Each lesson is a narrated video that explains how concepts connect to each other and to real security management work — not just what the definition is, but how a security manager applies it. Every domain includes practice questions designed to mirror the style and difficulty of CISM exam scenarios, covering not just recall but application and analysis. The course closes with full-length practice exams with detailed answer explanations, so you can measure your readiness and focus your remaining study time where it matters most.
Major topics covered: information security governance, CISO role and reporting, security strategy, governance frameworks, COBIT, ISO 27001, NIST CSF, risk assessment, risk treatment, risk appetite, risk tolerance, KRIs, KPIs, security program management, asset classification, security policy, security awareness, control design, control testing, security metrics, vendor management, third-party risk, incident response planning, BIA, BCP, DRP, hot site, warm site, cold site, reciprocal agreement, incident classification, SIEM, SOC operations, evidence preservation, chain of custody, containment strategies, eradication and recovery, post-incident review, root cause analysis, GDPR, HIPAA, PCI DSS, SOX, GLBA, security compliance, GRC, CISM exam prep 2026.