Security controls, architecture, data classification, awareness training, maturity models, and compliance: the largest CISM domain and the operational heart of the program.
Domain 3 is the largest CISM domain (33%) and covers the full lifecycle of building, operating, and improving an information security program.
CISM Exam Focus (33%): Domain 3 tests your ability to design and manage a security program as a senior practitioner. Questions focus on control selection, program management, metrics, awareness design, and architecture decisions, always through a management lens. Expect 45-50 questions from this domain alone.
The foundational document that formally establishes the security program: it defines authority, scope, objectives, roles, and resources. The charter gives the CISO a mandate to act and is approved by senior management or the board.
Safeguards and countermeasures to protect assets. Selected based on risk assessment results, data classification, and cost-benefit analysis. Organized by type (preventive/detective/corrective) and category (administrative/technical/physical).
The overall design framework for how security controls are structured and integrated, including network segmentation, Zero Trust, defense in depth, and secure SDLC. Ensures security is built in, not bolted on.
KGIs, KPIs, and KRIs that measure program effectiveness and risk posture. Reported to management and the board to enable informed decisions. Must translate technical security data into business language.
Human-layer security: security awareness (broad), training (skill-specific), and education (professional development). The most cost-effective control for reducing social engineering and human error risk.
Managing regulatory and contractual obligations (GDPR, HIPAA, PCI-DSS, SOX). Compliance is a by-product of good security, not the primary goal. CISM frames compliance as a risk driver, not a driver of security design.
| Concept | Must-Know Detail |
|---|---|
| Control types (6) | Preventive, Detective, Corrective, Deterrent, Compensating, Recovery; know definitions and examples for each |
| Control categories (3) | Administrative (policies/procedures), Technical (logical/IT), Physical (locks/cameras); all control types can belong to any category |
| Compensating control | Alternative control when the primary control is not feasible; must provide an equivalent protection level |
| Defense in depth | Layered security: multiple overlapping controls so failure of one doesn't lead to total compromise |
| Zero Trust principle | "Never trust, always verify": verify every user and device regardless of network location; eliminates implicit trust |
| CMM Level 3 | Defined: processes are documented and standardized organization-wide; most orgs target Level 3 as baseline |
| Data classification owner | Data OWNER (business) sets classification; IT custodian implements protection controls accordingly |
| Awareness vs training | Awareness = broad culture change (all staff); Training = skill-based (role-specific); Education = professional development (security staff) |
| SSDLC principle | Security must be integrated at ALL phases, requirements through decommissioning; NOT just testing |
| Program charter purpose | Formally establishes security program authority, scope, and mandate; approved by senior management |
| Security vs compliance | CISM: compliance is a by-product of good security; don't let compliance drive security design |
| Metrics best practice | Metrics must be actionable, aligned to business objectives, and reported in business language, not technical jargon |
The types, categories, and architectural principles that structure how an information security program protects organizational assets.
Preventive: Stops a threat from exploiting a vulnerability before an incident occurs.
Detective: Identifies and alerts when a security incident has occurred or is occurring.
Corrective: Limits damage and restores systems after a security incident has been identified.
Deterrent: Discourages attackers from attempting an attack (psychological effect, not technical).
Compensating: Alternative control when the primary/standard control cannot be implemented. Must provide equivalent protection.
Recovery: Restores business functions and systems to normal operations after a disruption or disaster.
Control timing: Preventive = BEFORE incident. Detective = DURING incident. Corrective/Recovery = AFTER incident. Deterrent = BEFORE (psychological). A single control can belong to multiple types; e.g., encryption is preventive (stops data theft) and can also serve as a compensating control (replacing physical security).
Important: ALL SIX control types (preventive, detective, etc.) can exist within EACH of the three categories. For example, a CCTV camera is a physical + detective control. A firewall is a technical + preventive control. A security policy is an administrative + preventive control.
Defense in depth applies multiple overlapping layers of controls so that failure of any single control does not result in complete compromise. Originally a military concept, now foundational to security architecture.
| Principle | Definition | Key CISM Application |
|---|---|---|
| Zero Trust | "Never trust, always verify": authenticate and authorize every user, device, and transaction regardless of network location. No implicit trust based on network perimeter. | Contrasts with legacy perimeter model; addresses insider threats and cloud environments; requires identity-centric controls |
| Least Privilege | Users and systems get only the minimum access needed to perform their function. Reduces attack surface and limits blast radius of compromised accounts. | Implemented via RBAC, access reviews, privileged access management (PAM) |
| Separation of Duties | No single person can control an entire critical process from start to finish. Prevents fraud and errors by requiring two or more people for sensitive operations. | Example: Developer cannot also approve code deployments to production |
| Need to Know | Access to information is granted only when there is a legitimate business need β complementary to least privilege but focused on information access specifically. | Drives data classification and access control policy decisions |
| Security by Design | Security is built into systems from the beginning β requirements, design, development, testing, deployment β not added as an afterthought. | Implemented through SSDLC; security requirements gathered at project initiation |
| Fail Secure | When a control fails, it defaults to the more secure state (deny access). Contrasts with "fail open" which defaults to allowing access when systems fail. | Firewall rule: deny-all default when firewall fails = fail secure. Power failure locking doors = fail secure. |
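The fail-secure row above is easiest to see in code. The following is an added example, not code from the original page: two wrappers call the same policy lookup and differ only in what they return when the policy backend is unreachable, and a small rule evaluator shows the same posture as a default-deny rule set. The subjects, resources, rules and the simulated outage are all constructed for the demonstration.

```python
"""Fail secure vs fail open, shown as an access decision (added example).

Both wrappers call the same policy lookup; they differ only in what they do
when the policy backend is unreachable. A small rule evaluator then shows the
same idea as a default-deny rule set. Subjects, resources, rules and the
simulated outage are all constructed for this demonstration.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

ALLOW, DENY = "ALLOW", "DENY"


class PolicyUnavailable(Exception):
    """Raised when the policy store cannot be reached (simulated outage)."""


# Constructed policy store: (subject, resource) -> decision
POLICY_STORE = {
    ("alice", "payroll-db"): ALLOW,
    ("bob", "payroll-db"): DENY,
}


def lookup_policy(subject: str, resource: str, available: bool = True) -> str:
    if not available:
        raise PolicyUnavailable("policy service unreachable")
    # No explicit rule for the pair means no grant: deny by default.
    return POLICY_STORE.get((subject, resource), DENY)


def decide_fail_open(subject: str, resource: str, available: bool = True) -> str:
    """Fail open: an outage silently turns into a grant. Shown for contrast."""
    try:
        return lookup_policy(subject, resource, available)
    except PolicyUnavailable:
        return ALLOW


def decide_fail_secure(subject: str, resource: str, available: bool = True,
                       audit: Optional[List[str]] = None) -> str:
    """Fail secure: an outage denies, and the denial is recorded so that the
    availability problem is visible to operations instead of being hidden."""
    try:
        return lookup_policy(subject, resource, available)
    except PolicyUnavailable as exc:
        if audit is not None:
            audit.append(f"DENY {subject} -> {resource}: {exc}")
        return DENY


@dataclass(frozen=True)
class Rule:
    action: str
    dst_port: Optional[int] = None   # None matches any port
    src_prefix: str = ""             # simple textual prefix match, e.g. "10.0."


def evaluate_rules(rules: Iterable[Rule], src_ip: str, dst_port: int,
                   default: str = DENY) -> str:
    """First matching rule wins; with no match the default applies. A deny-all
    default is the fail-secure posture the table describes for firewalls."""
    for rule in rules:
        port_ok = rule.dst_port is None or rule.dst_port == dst_port
        if port_ok and src_ip.startswith(rule.src_prefix):
            return rule.action
    return default


if __name__ == "__main__":
    log: List[str] = []
    print("outage, fail open:  ", decide_fail_open("bob", "payroll-db", available=False))
    print("outage, fail secure:", decide_fail_secure("bob", "payroll-db", False, log), log)
    rules = [Rule(ALLOW, 443, "10.0."), Rule(DENY, 22)]
    print("no matching rule:   ", evaluate_rules(rules, "203.0.113.9", 8080))
```

The point the audit list makes is that fail secure is not only "deny on error": the denial has to surface as an operational signal, otherwise an outage in the policy service looks like a wave of unexplained access failures rather than the availability incident it is.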
The human layer of security and the classification framework that determines what protection each asset requires.
| Level | Purpose | Target Audience | Examples | Measured By |
|---|---|---|---|---|
| Awareness | Create security culture; change behavior; recognize threats | ALL staff, every employee | Phishing simulations, security newsletters, posters, annual compliance training, screensaver messages | Click rates on phishing tests, incident reporting rates, policy acknowledgment |
| Training | Build specific security skills for job functions | Role-specific groups (developers, HR, finance, admins) | Secure coding for developers, PII handling for HR, privileged access training for sysadmins | Skills assessments, completion rates, behavioral change metrics |
| Education | Deep professional knowledge for security practitioners | Security team members, CISO, security architects | CISM, CISSP, CEH certifications; degree programs; security conferences | Certifications earned, knowledge assessments, program improvement contributions |
Exam key: When asked "what should ALL employees receive?" → Awareness. "What should DEVELOPERS receive?" → Training (secure coding). "What supports CISO career development?" → Education. Effectiveness of awareness is measured by behavioral change (click rates, incident reports), NOT by how many people attended the training.
Generic awareness is least effective. Tailor content to job function, data access level, and risk profile. A CFO needs different phishing awareness than a warehouse worker.
Annual "checkbox" training is the minimum β not the ideal. Effective programs use ongoing reinforcement: monthly tips, simulated phishing, incident-triggered reminders, posters, and communications throughout the year.
Measure BEHAVIOR, not completion. Track phishing click rates before/after training, security incident reporting rates, policy violations, and help desk calls. Declining click rates = improving culture.
Programs succeed when leadership champions them. If the CEO takes the phishing simulation seriously, employees do too. Tone from the top is the strongest driver of security culture.
Simulated phishing campaigns measure human vulnerability in real conditions. Results feed back into targeted training: employees who click receive immediate education. Must be done ethically without punitive intent.
The threat landscape changes, so awareness programs must evolve. Update content to reflect current threats (e.g., AI-generated phishing, deepfakes). Outdated training creates false confidence.
Data classification assigns sensitivity levels to information assets, driving the selection of appropriate protection controls. Classification is set by the DATA OWNER (business), implemented by the data custodian (IT).
Restricted: Highest sensitivity. Unauthorized disclosure would cause severe harm (regulatory fines, criminal liability, national security impact). Strictest controls required.
Confidential: Sensitive business information. Unauthorized disclosure would harm the organization competitively, reputationally, or financially. Strong controls required.
Internal: Information intended for internal use. Disclosure would be embarrassing or give competitors an advantage but wouldn't cause severe harm. Moderate controls.
Public: Information approved for public release. No harm from disclosure; in fact, it may be intentionally published. Minimal controls; integrity protection still important.
| Classification Level | Encryption Required | Access Control | Disposal Method |
|---|---|---|---|
| Restricted | Yes: strong encryption (AES-256) at rest and in transit | Strict need-to-know; MFA required; audit all access | Certified destruction; degaussing; crypto-shredding |
| Confidential | Yes: encryption at rest and in transit | Role-based access; formal approval process | Secure shredding or degaussing |
| Internal | In transit only (typically) | Employee access; no external sharing without approval | Cross-cut shredding; secure deletion |
| Public | Not required (integrity controls recommended) | No access restriction; open to all | Standard disposal |
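The handling table above is, in effect, a policy that can be checked mechanically against an asset inventory. The following is an added example, not code from the original page: it encodes each level's requirements as named controls (the control names are this example's own labels), audits a constructed inventory for missing controls and for assets with no data owner, and applies one rule the table does not state, assumed here as a common practice: a system holding data of several levels is handled at the highest level present.

```python
"""Classification-driven handling check (added example, not from the page).

Encodes the handling table as required controls per level, then audits a
constructed asset inventory for gaps. The "highest level wins" rule for a
system that holds data of several levels is an assumption beyond the table.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, Iterable, List, Set


class Level(IntEnum):          # ordered so max() picks the most sensitive
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Control names are this example's own labels for the table's requirements.
REQUIRED: Dict[Level, Set[str]] = {
    Level.RESTRICTED: {"encrypt_at_rest_aes256", "encrypt_in_transit", "mfa",
                       "need_to_know_acl", "access_audited", "certified_destruction"},
    Level.CONFIDENTIAL: {"encrypt_at_rest", "encrypt_in_transit", "rbac",
                         "formal_access_approval", "secure_shred_or_degauss"},
    Level.INTERNAL: {"encrypt_in_transit", "employee_only", "secure_deletion"},
    Level.PUBLIC: set(),
}
# The table says integrity controls are "recommended" for Public, so they are
# reported separately rather than as a hard gap.
ADVISORY: Dict[Level, Set[str]] = {Level.PUBLIC: {"integrity_controls"}}


@dataclass
class Asset:
    name: str
    owner: str                       # data owner (business) who set the level
    data_levels: Set[Level]          # classification of each data type held
    controls: Set[str] = field(default_factory=set)  # controls actually in place

    @property
    def level(self) -> Level:
        # Assumption: a system inherits the highest classification it holds.
        return max(self.data_levels)


def gaps(asset: Asset) -> List[str]:
    """Required controls for the asset's level that are not in place."""
    return sorted(REQUIRED[asset.level] - asset.controls)


def advisories(asset: Asset) -> List[str]:
    """Recommended-but-optional controls that are not in place."""
    return sorted(ADVISORY.get(asset.level, set()) - asset.controls)


def audit(assets: Iterable[Asset]) -> Dict[str, dict]:
    """Findings per asset; assets with nothing to report are omitted."""
    findings: Dict[str, dict] = {}
    for a in assets:
        issues: dict = {}
        if not a.owner:
            issues["no_owner"] = True   # nobody accountable for the classification
        if gaps(a):
            issues["missing"] = gaps(a)
        if advisories(a):
            issues["advisory"] = advisories(a)
        if issues:
            findings[a.name] = issues
    return findings


# Constructed inventory for the demonstration.
ASSETS = [
    Asset("hr-payroll", "CFO", {Level.RESTRICTED, Level.INTERNAL},
          {"encrypt_at_rest_aes256", "encrypt_in_transit", "mfa",
           "need_to_know_acl", "access_audited", "certified_destruction"}),
    Asset("crm", "VP Sales", {Level.CONFIDENTIAL}, {"encrypt_in_transit", "rbac"}),
    Asset("wiki", "", {Level.INTERNAL},
          {"encrypt_in_transit", "employee_only", "secure_deletion"}),
    Asset("www", "Marketing", {Level.PUBLIC}, set()),
]

if __name__ == "__main__":
    for name, issues in audit(ASSETS).items():
        print(name, issues)
```

The report deliberately treats a missing owner as a finding in its own right: without a business owner there is nobody with the authority to set or change the level, so the protection requirements for that asset rest on nothing.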
| SDLC Phase | Security Activities |
|---|---|
| Requirements | Identify security and privacy requirements; threat modeling begins; classify data the application will handle; define security acceptance criteria |
| Design | Security architecture review; threat modeling (STRIDE, DREAD); design security controls; define authentication and authorization model; plan for secure APIs |
| Development | Secure coding standards; code reviews; static analysis (SAST); developer security training; use of approved libraries and components |
| Testing | Dynamic analysis (DAST); penetration testing; security regression testing; vulnerability scanning; user acceptance testing with security scenarios |
| Deployment | Secure configuration management; change control process; production access controls; secrets management; deployment pipeline security |
| Maintenance | Patch management; vulnerability monitoring; security monitoring and alerting; periodic security reviews; bug bounty programs |
| Decommissioning | Secure data disposal; access revocation; certificate expiration management; documentation of decommission for audit trail |
How to assess and improve the security program's maturity, and how to manage regulatory and contractual compliance obligations.
Level 1 (Initial): Processes are unpredictable, reactive, and undocumented. Success depends on individual heroics. No consistent approach; each project or incident is handled differently. High risk of repeated failures.
Level 2 (Repeatable): Basic processes are established and repeated across similar projects. Reactive to requirements rather than proactive. Some documentation exists. Success is still partly dependent on key individuals; not fully institutionalized.
Level 3 (Defined): Processes are formally documented, standardized, and integrated across the organization. Proactive rather than reactive. Most organizations target Level 3 as the baseline for a mature security program. ISO 27001 certification typically aligns here.
Level 4 (Managed): Processes are measured and controlled using quantitative metrics. Predictable performance within defined limits. Management makes decisions based on statistical data and performance metrics. Security is data-driven.
Level 5 (Optimizing): Continuous process improvement based on quantitative feedback and innovation. Proactively addresses future challenges. Lessons learned feed back into process refinement. Few organizations achieve or need Level 5 for all processes.
CISM exam note: When asked about a "mature" or "well-run" security program, Level 3 (Defined) is typically the expected answer for baseline maturity. Level 4 indicates advanced, quantitatively managed programs. Level 5 is aspirational and rare. Moving from Level 1 to 2 requires documenting and repeating processes; moving from 2 to 3 requires standardizing and institutionalizing them.
| Metric Type | Examples |
|---|---|
| KGI (Goal) | Zero critical data breaches this year; 100% critical systems patched within SLA; no regulatory fines |
| KPI (Performance) | % systems with current patches; mean time to remediate vulnerabilities; training completion rate; % encrypted laptops |
| KRI (Risk) | % systems unpatched >30 days; # of open critical vulnerabilities; phishing click rate; # privileged accounts without MFA |
| Framework / Regulation | Scope | Key Requirements | CISM Relevance |
|---|---|---|---|
| GDPR | Personal data of EU residents; applies globally if processing EU data | Lawful basis for processing; consent; data subject rights; 72-hour breach notification; DPO appointment | Privacy by design; data classification; breach response; third-party data processing agreements |
| HIPAA | US healthcare; Protected Health Information (PHI) | Administrative, physical, and technical safeguards; business associate agreements; breach notification | Control framework alignment; vendor management; breach notification process |
| PCI-DSS | Any org handling payment card data | 12 requirements; network segmentation; encryption; access control; penetration testing; quarterly vulnerability scans | Control implementation; scoping; third-party service provider management |
| SOX | US public companies; financial reporting integrity | Internal controls over financial reporting; IT general controls (ITGC); access controls; change management | IT control framework; segregation of duties; audit support; access management |
| ISO 27001 | Any organization; voluntary ISMS certification | Risk-based ISMS; Annex A controls; SoA; continual improvement via PDCA; third-party certification available | Primary ISMS standard for CISM; aligns with all four domains |
CISM's compliance philosophy: Compliance is a floor, not a ceiling. Meeting regulatory requirements is the minimum; a mature security program goes beyond compliance to address actual risk. Never let compliance requirements drive security architecture decisions in isolation from risk assessment findings.
| Process | Purpose | Key Controls |
|---|---|---|
| Change Management | Ensures changes to systems are authorized, tested, and documented before implementation; prevents unauthorized changes that could introduce vulnerabilities | Change advisory board (CAB); formal approval workflow; testing in non-production; rollback plan; post-implementation review |
| Emergency Change | Expedited process for urgent changes, typically security patches or critical fixes. Bypasses normal CAB timeline but still requires documentation and post-implementation review. | Pre-authorized emergency change catalog; retrospective review; executive approval; increased monitoring after change |
| Patch Management | Systematic identification, testing, and deployment of security patches. Critical for reducing the vulnerability window: the time between patch release and deployment is the risk window. | Patch inventory; criticality-based SLAs (critical = 24-72h, high = 7-14 days); testing before production; exception tracking |
| Configuration Management | Ensures systems are configured consistently and securely; baselines prevent configuration drift that introduces vulnerabilities over time. | Configuration baselines (CIS Benchmarks); automated compliance scanning; CMDB; change tracking; drift detection |
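The KGI/KPI/KRI table, the criticality-based patch SLAs in the table above, and the earlier point that awareness is measured by declining click rates all describe computations over program data. The following is an added example, not code from the original page, that runs those computations over a constructed inventory: a patch-SLA compliance KPI using the upper bound of each SLA range the page gives (72 hours for critical, 14 days for high; criticalities the page gives no SLA for are not measured against one), the "% systems unpatched >30 days" and "privileged accounts without MFA" KRIs, and the phishing click-rate trend. All hosts, accounts, dates and campaign numbers are made up.

```python
"""Security program metrics over constructed inventory data (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Upper bound of each SLA range in the patch-management row; no SLA otherwise.
PATCH_SLA_DAYS = {"critical": 3, "high": 14}
KRI_UNPATCHED_DAYS = 30          # "% systems unpatched >30 days"
NOW = datetime(2024, 6, 1)       # fixed "today" so the example is reproducible


@dataclass(frozen=True)
class PatchRecord:
    host: str
    criticality: str
    released: datetime
    applied: Optional[datetime]  # None = not yet deployed


@dataclass(frozen=True)
class Account:
    name: str
    privileged: bool
    mfa_enrolled: bool


def sla_deadline(rec: PatchRecord) -> Optional[datetime]:
    days = PATCH_SLA_DAYS.get(rec.criticality)
    return None if days is None else rec.released + timedelta(days=days)


def within_sla(rec: PatchRecord, now: datetime = NOW) -> Optional[bool]:
    """True/False for SLA-bound records, None when no SLA applies. An undeployed
    patch counts as compliant only while its deadline has not yet passed."""
    deadline = sla_deadline(rec)
    if deadline is None:
        return None
    if rec.applied is not None:
        return rec.applied <= deadline
    return now <= deadline


def patch_sla_compliance(records: List[PatchRecord], now: datetime = NOW) -> float:
    """KPI: share of SLA-bound patches deployed (or still due) within their window."""
    judged = [j for j in (within_sla(r, now) for r in records) if j is not None]
    return sum(judged) / len(judged) if judged else 1.0


def unpatched_over_threshold(records: List[PatchRecord], now: datetime = NOW,
                             days: int = KRI_UNPATCHED_DAYS) -> float:
    """KRI: fraction of hosts carrying an undeployed patch older than `days`."""
    hosts = {r.host for r in records}
    stale = {r.host for r in records
             if r.applied is None and (now - r.released).days > days}
    return len(stale) / len(hosts) if hosts else 0.0


def privileged_without_mfa(accounts: List[Account]) -> List[str]:
    """KRI: privileged accounts not enrolled in MFA, by name."""
    return sorted(a.name for a in accounts if a.privileged and not a.mfa_enrolled)


def click_rates(campaigns) -> List[float]:
    """Phishing-simulation click rate per campaign, in campaign order."""
    return [clicked / sent for _, sent, clicked in campaigns]


def culture_improving(campaigns) -> bool:
    """Declining click rates across campaigns = improving awareness culture."""
    rates = click_rates(campaigns)
    return all(later < earlier for earlier, later in zip(rates, rates[1:]))


def day(month: int, d: int) -> datetime:
    return datetime(2024, month, d)


# Constructed sample data.
PATCHES = [
    PatchRecord("web-01", "critical", day(5, 1), day(5, 2)),   # 1 day: within 72h
    PatchRecord("web-02", "critical", day(5, 1), day(5, 10)),  # 9 days: SLA missed
    PatchRecord("db-01", "high", day(5, 20), None),            # due 3 Jun, still open
    PatchRecord("db-02", "high", day(4, 1), None),             # due 15 Apr: missed, 61 days old
    PatchRecord("app-01", "medium", day(4, 15), None),         # no SLA; 47 days old
    PatchRecord("app-02", "critical", day(5, 30), None),       # due 2 Jun, still open
]
ACCOUNTS = [Account("root-admin", True, False), Account("alice", True, True),
            Account("bob", False, False), Account("svc-backup", True, False)]
CAMPAIGNS = [("2024-Q1", 200, 30), ("2024-Q2", 200, 12)]     # (name, sent, clicked)


def metrics_report(patches=PATCHES, accounts=ACCOUNTS, campaigns=CAMPAIGNS, now=NOW) -> dict:
    """Figures in the form they would be carried to management."""
    return {
        "KPI patch SLA compliance": patch_sla_compliance(patches, now),
        "KRI hosts unpatched >30d": unpatched_over_threshold(patches, now),
        "KRI privileged accounts without MFA": privileged_without_mfa(accounts),
        "KRI phishing click rate (latest)": click_rates(campaigns)[-1],
        "awareness culture improving": culture_improving(campaigns),
    }


if __name__ == "__main__":
    for name, value in metrics_report().items():
        print(f"{name}: {value}")
```

Two design choices matter for the numbers being trusted: an open patch that is still inside its SLA window is counted as compliant rather than as a miss, so the KPI does not punish a team for a patch released yesterday, and the ">30 days" KRI is computed per host rather than per patch, so one badly neglected host with many missing patches does not inflate the figure.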
Mnemonics and mental models for the key Domain 3 concepts.
Preventive, Detective, Corrective, Deterrent, Compensating, Recovery. Timing: Preventive = BEFORE, Detective = DURING, Corrective/Recovery = AFTER, Deterrent = BEFORE (psychological). Compensating = when you can't use the standard control.
Administrative = policies and people. Technical = IT and logical controls. Physical = locks and cameras. Every one of the 6 control TYPES can be in any one of the 3 CATEGORIES. A locked door = Physical + Preventive. A firewall = Technical + Preventive. A policy = Administrative + Preventive.
1 Initial (chaos), 2 Repeatable (reactive), 3 Defined (standardized; TARGET for most orgs), 4 Managed (quantitative), 5 Optimizing (continuous improvement). Level 3 = ISO 27001 territory. Level 1 = firefighting.
Awareness = EVERYONE (culture, phishing tests). Training = ROLE-SPECIFIC groups (developers, HR, finance). Education = SECURITY TEAM (CISM, CISSP, degrees). Measure awareness by BEHAVIOR (click rates, reporting), not by completion or attendance.
Traditional = trust everything inside the network. Zero Trust = verify EVERYTHING, regardless of whether traffic is internal or external. Every user, device, and request is authenticated and authorized. No implicit trust based on IP address or network location.
The DATA OWNER (business executive) is responsible for classifying data and setting protection requirements. The DATA CUSTODIAN (IT) implements the controls the owner defines. Classification drives control selection β always match protection to sensitivity level, not to available technology.
| Concept | Key Fact |
|---|---|
| Control before incident | Preventive (technical blocks) and Deterrent (psychological discouragement) |
| Control during incident | Detective (SIEM, IDS, audit logs detect it happening) |
| Control after incident | Corrective (limit damage) and Recovery (restore operations) |
| Compensating control | Alternative when the primary control is infeasible; must provide equivalent protection |
| CMM Level 3 | Defined = documented and standardized organization-wide; baseline target for mature programs |
| CMM Level 1 | Initial = ad hoc, reactive, dependent on individuals |
| Awareness audience | ALL employees; broad, cultural, behavioral |
| Training audience | Role-specific groups; skill-building, function-relevant |
| Education audience | Security practitioners; professional development (CISM, CISSP) |
| Measure awareness by | Behavioral change (phishing click rates, incident reports), not attendance |
| Data classification owner | Business (data owner) classifies; IT (custodian) implements controls |
| Zero Trust principle | Never trust, always verify; no implicit trust based on network location |
| Fail secure vs fail open | Fail secure = deny access when system fails (firewall drops all); fail open = allow access on failure (dangerous) |
| SSDLC security stage | All stages, from requirements through decommissioning, not just testing |
| Compliance philosophy | Compliance is a floor, not a ceiling; security program should exceed compliance minimums |