CISM Domain 4

Incident Management

IR Lifecycle · BCP/DRP · Forensics · Communication · Post-Incident Review

30% of CISM Exam (150 Questions)


Domain 4: Incident Management

The largest CISM domain at 30%, Incident Management covers how organizations prepare for, detect, respond to, and recover from security incidents. It spans the full lifecycle from pre-incident planning through post-incident improvement.

Why This Domain Matters on the Exam

🎯 Exam Weight: 30%

45 of 150 questions come from this domain. Mastering incident response lifecycle steps, BCP vs. DRP distinctions, containment strategies, and communication protocols is essential.

🔑 CISM Perspective

CISM tests the manager's role, not the technical analyst's. Focus on: establishing IR capability, escalation criteria, communication chains, and continuous improvement — not forensic tool commands.

⚠️ Common Trap

CISM questions often contrast containment (stop the bleeding) vs. eradication (remove root cause) vs. recovery (restore operations). Know which phase each activity belongs to.

Incident Classification

Critical (P1)

Complete business disruption. Immediate executive notification. All-hands response. Examples: ransomware, data breach of PII.

High (P2)

Significant business impact. Senior management notified. Urgent response within hours. Examples: DDoS, major system compromise.

Medium (P3)

Moderate impact, limited spread. Team lead notified. Response within business day. Examples: malware on single workstation.

Low (P4)

Minimal impact. Standard ticketing process. Response within SLA window. Examples: failed login attempts, spam.

Key Definitions

| Term | Definition | CISM Distinction |
|---|---|---|
| Event | Any observable occurrence in a system or network | Not all events are incidents |
| Security Event | Event with potential security significance | Requires triage to determine severity |
| Incident | Event that violates security policy or threatens CIA triad | Requires formal IR response |
| Breach | Confirmed unauthorized access to or disclosure of protected data | Triggers legal/regulatory notification |
| Crisis | Incident with significant business, reputational, or safety impact | Escalates to BCP/crisis management |
| Disaster | Event causing prolonged inability to operate normally | Triggers DRP / BCM activation |

Incident Response Team Roles

Incident Response Manager

Coordinates the IR effort, makes containment decisions, communicates with management. Reports to CISO.

Security Analyst

Technical investigation, log analysis, malware analysis, evidence collection. Provides data to IR Manager.

Legal / Compliance

Advises on regulatory notification obligations, evidence preservation for litigation, attorney-client privilege considerations.

Communications / PR

Manages external messaging to customers, media, regulators. Ensures consistent, approved messaging.

IT / System Owners

Execute technical remediation steps, apply patches, restore systems from backups under IR Manager direction.

Executive Management

Approves major decisions (pay ransom, shut down operations), receives regular briefings, accountable for outcomes.

Incident Response Lifecycle

CISM follows NIST SP 800-61 as the primary IR framework. Know the 4-phase model and the activities within each phase — especially what belongs in each step and in what order.

NIST SP 800-61 — 4-Phase IR Model

1. Preparation: IR plan, team, tools, training before incidents occur
2. Detection & Analysis: Identify, triage, classify, and scope the incident
3. Containment, Eradication & Recovery: Stop spread, remove root cause, restore operations
4. Post-Incident Activity: Lessons learned, documentation, process improvement

Phase Details

Phase 1: Preparation

  • Develop and maintain IR plan and playbooks
  • Establish and train IR team (CSIRT)
  • Deploy detection tools (SIEM, IDS/IPS)
  • Define escalation criteria and contact lists
  • Conduct tabletop exercises and IR drills
  • Establish legal retainer and forensic partnerships
  • Define communication templates (pre-approved)

Phase 2: Detection & Analysis

  • Monitor alerts from SIEM, IDS, EDR, logs
  • Triage: is this an incident or false positive?
  • Classify severity (P1–P4) and escalate appropriately
  • Determine scope: how many systems/users affected?
  • Preserve evidence — document timeline
  • Notify stakeholders per escalation plan
  • Initial indicators of compromise (IOC) identification

Phase 3A: Containment

  • Short-term: isolate affected systems (network segmentation, quarantine)
  • Long-term: implement alternative controls while root cause is addressed
  • Evidence preservation before containment changes
  • Decision: contain vs. monitor (threat intelligence gathering)
  • Maintain detailed change log of all containment actions

Phase 3B: Eradication

  • Remove malware, backdoors, and attacker artifacts
  • Patch exploited vulnerabilities
  • Reset compromised credentials
  • Rebuild or reimage compromised systems
  • Verify eradication completeness before recovery

Phase 3C: Recovery

  • Restore systems from clean backups
  • Reconnect to network with enhanced monitoring
  • Validate restoration meets RTO and RPO
  • Enhanced monitoring during recovery period
  • Phased return to production operations
  • Executive sign-off before declaring incident closed

Phase 4: Post-Incident Activity

  • Lessons learned meeting (within 2 weeks of incident)
  • Root cause analysis (RCA) — 5 Whys or fishbone
  • Update IR plan, playbooks, and detection rules
  • File final incident report for management
  • Regulatory notifications if required (GDPR 72hr, HIPAA 60-day)
  • Track corrective action items to closure

Containment Strategy Decision Matrix

| Factor | Immediate Isolation | Monitor & Gather Intel |
|---|---|---|
| Risk of data exfiltration | High — isolate immediately | Low — can afford to watch |
| Safety / operational impact | Critical systems — isolate | Non-critical — monitor |
| Threat intelligence value | Already identified attacker | Unknown adversary — learn TTPs |
| Legal / law enforcement | No ongoing investigation | Law enforcement requests monitoring |
| Business continuity | System can be taken offline | Critical service — cannot disrupt |

Escalation & Notification Triggers

Internal Escalation

  • Severity P1/P2 → CISO and executive leadership immediately
  • Data breach suspected → Legal team + CISO
  • Incident exceeds IR team capacity → Engage IR retainer
  • Criminal activity suspected → Legal + Law Enforcement

External Notification

  • GDPR breach: Supervisory authority within 72 hours
  • HIPAA breach: HHS + affected individuals within 60 days
  • PCI-DSS: Card brands and acquiring bank within 24 hours
  • SOX: SEC/external auditors — timing per legal guidance
  • Law enforcement: FBI, Secret Service, local police (voluntary unless legally required)

IR Plan vs. IR Procedure vs. IR Playbook

| Document | Audience | Purpose | Detail Level |
|---|---|---|---|
| IR Plan | Management | Strategic: who does what, policy authority | High-level |
| IR Procedure | IR Team | Tactical: step-by-step IR process | Detailed |
| IR Playbook | Analysts | Scenario-specific: ransomware, phishing, DDoS runbooks | Prescriptive |

Business Continuity & Disaster Recovery

BCP and DRP are related but distinct disciplines. BCP focuses on keeping business operations running during a disruption; DRP focuses on recovering IT systems after a disaster. Both are essential CISM exam topics.

BCP vs. DRP

📋 Business Continuity Plan (BCP)

  • Scope: entire organization, all critical functions
  • Goal: maintain business operations during disruption
  • Driven by: BIA results + risk assessment
  • Covers: people, process, technology, facilities
  • Owner: senior management / board
  • Activated: when business operations are threatened
  • Examples: manual workarounds, alternate sites, crisis communications

💻 Disaster Recovery Plan (DRP)

  • Scope: IT systems and infrastructure
  • Goal: restore IT systems after a disaster
  • Driven by: RTO/RPO requirements from BIA
  • Covers: data, applications, hardware, networks
  • Owner: IT leadership / CISO
  • Activated: when IT systems are disrupted
  • Examples: failover, backup restoration, hot site activation

BCM Lifecycle (ISO 22301)

1. Policy & Scope: Define BCM objectives and boundaries
2. BIA: Identify critical functions, RTO/RPO/MTD
3. Risk Assessment: Identify threats to business continuity
4. Strategy: Select continuity / recovery strategies
5. Plan & Test: Document, train, exercise, improve

Recovery Site Options

| Site Type | Readiness | Recovery Time | Cost | Best For |
|---|---|---|---|---|
| Hot Site | Fully operational, real-time data sync | Minutes to hours | Highest | Mission-critical systems |
| Warm Site | Hardware ready, data loaded periodically | Hours to days | Moderate | Business-critical systems |
| Cold Site | Space and power only, no equipment | Days to weeks | Lowest | Non-critical systems |
| Mobile Site | Portable units (trailers), rapidly deployable | Hours | Moderate | Geographic disasters |
| Cloud / Virtual | On-demand provisioning | Minutes (if pre-configured) | Pay-per-use | Modern cloud-native workloads |
| Reciprocal Agreement | Agreement with partner org to share space | Variable | Low (but unreliable) | Small organizations |

Recovery Objectives — Key Formulas

MTD — Maximum Tolerable Downtime

The absolute maximum time a business function can be unavailable before causing irreparable harm. Set by business leadership. This is the hard ceiling — RTO must be less than MTD.

RTO — Recovery Time Objective

Target time to restore a system or process after a disruption. RTO < MTD always. Set based on business requirements, then IT designs to meet it.

RPO — Recovery Point Objective

Maximum acceptable data loss measured in time. Determines backup frequency. If RPO = 4 hours, backups must run at least every 4 hours.

WRT — Work Recovery Time

Time needed to restore and verify systems after recovery. RTO + WRT < MTD. Often overlooked — systems must be validated, not just online.

Key Formula: RTO + WRT < MTD

Example: MTD = 8 hrs. RTO = 4 hrs. WRT = 2 hrs. RTO + WRT = 6 hrs < 8 hrs ✅. If RTO + WRT ≥ MTD, the recovery strategy is insufficient.

Backup Strategies

| Type | What It Backs Up | Backup Time | Restore Time | Storage |
|---|---|---|---|---|
| Full | Everything, every time | Slowest | Fastest (single set) | Highest |
| Incremental | Changes since last backup (any type) | Fastest | Slowest (chain of sets) | Lowest |
| Differential | Changes since last full backup | Moderate | Faster than incremental (2 sets) | Moderate |
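As an added example that is not part of the original study page, the following Python models the three backup strategies in the table above together with the RPO rule and the RTO + WRT < MTD rule from the Recovery Objectives section: it takes a constructed two-week daily schedule with a weekly Sunday full, a constructed Wednesday-afternoon failure, and reports how many sets each strategy must restore and how much work is lost against a stated RPO. The run times, failure time and hour values are assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed schedule: one backup run per day at 02:00, starting on
# Sunday 2024-03-03. Under the incremental and differential strategies the
# Sunday run is the weekly full; under the full strategy every run is full.
RUNS = [datetime(2024, 3, 3, 2, 0) + timedelta(days=d) for d in range(11)]
FAILURE = datetime(2024, 3, 13, 14, 30)   # constructed Wednesday-afternoon outage
FULL_WEEKDAY = 6                           # Sunday


def recovery_budget_ok(rto_hours, wrt_hours, mtd_hours):
    """The page's rule: RTO + WRT must be strictly less than MTD."""
    return rto_hours + wrt_hours < mtd_hours


def restore_chain(run_times, strategy, failure_time, full_weekday=FULL_WEEKDAY):
    """Return the backup sets, in restore order, needed to reach the most
    recent backup taken before `failure_time`.

    full         -> one set (the latest run)
    differential -> last full + the newest differential after it (2 sets)
    incremental  -> last full + every incremental after it (a chain)
    """
    usable = [t for t in run_times if t <= failure_time]
    if not usable:
        raise ValueError("no backup exists before the failure")
    if strategy == "full":
        return [("full", usable[-1])]
    fulls = [t for t in usable if t.weekday() == full_weekday]
    if not fulls:
        raise ValueError("no full backup exists before the failure")
    last_full = fulls[-1]
    after = [t for t in usable if t > last_full]
    if strategy == "differential":
        chain = [("full", last_full)]
        if after:                       # only the newest differential is needed
            chain.append(("differential", after[-1]))
        return chain
    if strategy == "incremental":       # every set since the full is needed
        return [("full", last_full)] + [("incremental", t) for t in after]
    raise ValueError(f"unknown strategy: {strategy!r}")


def data_loss_hours(chain, failure_time):
    """Hours of work lost: the gap between the newest set and the failure."""
    newest = max(t for _, t in chain)
    return (failure_time - newest).total_seconds() / 3600


def meets_rpo(chain, failure_time, rpo_hours):
    """RPO is the maximum acceptable data loss measured in time."""
    return data_loss_hours(chain, failure_time) <= rpo_hours


if __name__ == "__main__":
    for strategy in ("full", "differential", "incremental"):
        chain = restore_chain(RUNS, strategy, FAILURE)
        print(f"{strategy:12s} sets to restore: {len(chain)}  "
              f"data loss: {data_loss_hours(chain, FAILURE):.1f} h  "
              f"RPO 4h met: {meets_rpo(chain, FAILURE, 4)}")
    print("RTO 4h + WRT 2h < MTD 8h:", recovery_budget_ok(4, 2, 8))
```

With a daily schedule every strategy loses the same 12.5 hours of work, so a 4-hour RPO fails regardless of backup type; only a shorter backup interval fixes RPO, while the choice of strategy changes how many sets must be restored.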

BCP Testing Types

| Test Type | Method | Disruption Risk | Realism |
|---|---|---|---|
| Tabletop Exercise | Discussion-based walkthrough of scenario | None | Low |
| Walkthrough / Checklist | Team reviews plan step-by-step | None | Low |
| Simulation | Simulated scenario, partial activation | Low | Medium |
| Parallel Test | Recovery systems activated alongside production | Low | High |
| Full Interruption Test | Production shut down, full failover executed | High | Highest |

💡 CISM tip: Tabletop exercises are the most common and lowest-risk starting point. Full interruption tests are rarely performed due to business risk.

Digital Forensics & Incident Communications

CISM-level forensics focuses on managerial responsibilities: ensuring evidence is preserved, chain of custody is maintained, and investigations are legally defensible — not performing the forensic analysis itself.

Digital Forensics Principles

Order of Volatility

Collect evidence from most to least volatile: RAM → Swap → Network → Processes → Disk → Remote Logs → Archives. Volatile evidence is lost when system is powered off.

Chain of Custody

Documented record of who handled evidence, when, where, and how. Must be unbroken for evidence to be legally admissible. Every transfer of evidence must be logged and signed.

Evidence Integrity

Use write blockers when acquiring disk images. Hash evidence (SHA-256) before and after to prove no modification occurred. Work on forensic copies — never originals.
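As an added example that is not from the original page, the following Python shows what the two principles above (an unbroken chain of custody and before/after SHA-256 hashing) look like as a record a manager can have checked: every hand-off is logged with a hash recomputed by the receiver, and a single function reports any gap in the chain or any copy whose hash has drifted from the acquisition hash. The evidence tag, custodian names, timestamps and the byte string standing in for the disk image are all constructed.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed evidence: a small byte string stands in for the forensic image
# of a workstation disk so the example runs offline.
ORIGINAL_IMAGE = b"constructed disk image bytes for workstation WS-0421\n" * 32

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

@dataclass
class CustodyEntry:
    released_by: str
    received_by: str
    timestamp: str   # recorded at the hand-off
    location: str
    sha256: str      # hash the receiver computed on the copy handed over

@dataclass
class EvidenceItem:
    tag: str
    acquisition_hash: str
    custody: list = field(default_factory=list)

def acquire(tag, image, examiner, timestamp, location):
    """Hash the image at acquisition and open the custody log with the
    collecting examiner as first custodian."""
    item = EvidenceItem(tag, sha256_hex(image))
    item.custody.append(CustodyEntry("scene", examiner, timestamp, location,
                                     item.acquisition_hash))
    return item

def transfer(item, released_by, received_by, timestamp, location, image):
    """Log one hand-off. The receiver re-hashes the copy they were given, so
    modification in transit shows up against the acquisition hash."""
    item.custody.append(CustodyEntry(released_by, received_by, timestamp,
                                     location, sha256_hex(image)))

def custody_problems(item):
    """Return the defects that undermine admissibility: a break in the chain
    (an entry's releaser is not the previous receiver) or a hash that no
    longer matches the acquisition hash."""
    problems = []
    for prev, cur in zip(item.custody, item.custody[1:]):
        if cur.released_by != prev.received_by:
            problems.append(f"chain break at {cur.timestamp}: {cur.released_by} was not the last custodian")
    for e in item.custody:
        if e.sha256 != item.acquisition_hash:
            problems.append(f"integrity failure at {e.timestamp}: copy held by {e.received_by} does not match acquisition hash")
    return problems

def example_chain(tampered=False):
    """Constructed walk-through: analyst acquires, hands to the evidence
    custodian, who hands to the examiner. With tampered=True the last hand-off
    bypasses the custodian and delivers an altered image."""
    item = acquire("EV-2024-0007", ORIGINAL_IMAGE, "analyst.a",
                   "2024-03-13T15:10:00Z", "3rd floor lab")
    transfer(item, "analyst.a", "custodian.b", "2024-03-13T16:00:00Z",
             "evidence locker", ORIGINAL_IMAGE)
    if tampered:
        transfer(item, "analyst.a", "examiner.c", "2024-03-14T09:00:00Z",
                 "forensics lab", ORIGINAL_IMAGE + b"x")
    else:
        transfer(item, "custodian.b", "examiner.c", "2024-03-14T09:00:00Z",
                 "forensics lab", ORIGINAL_IMAGE)
    return item

if __name__ == "__main__":
    for flag in (False, True):
        print(f"tampered={flag}:",
              custody_problems(example_chain(flag)) or ["chain intact"])
```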

Legal Hold

When litigation is anticipated, a legal hold (litigation hold) suspends normal document retention/destruction policies. Failure to preserve can result in spoliation sanctions.

Types of Evidence

| Evidence Type | Definition | Forensic Examples |
|---|---|---|
| Direct | Directly proves a fact without inference | Video of attacker, access logs showing unauthorized commands |
| Circumstantial | Implies a fact through inference | Malware found on system, unusual login time pattern |
| Corroborating | Supports other evidence | Multiple log sources showing same event |
| Hearsay | Secondhand account — generally not admissible | Verbal report of what someone witnessed |
| Best Evidence | Original document preferred over copies | Original device preferred over forensic copy (but verified copies accepted) |

Forensic Investigation Process

Step 1: Identify & Preserve

  • Identify potential evidence sources
  • Prevent evidence tampering or destruction
  • Initiate legal hold if litigation likely
  • Photograph physical scene

Step 2: Collect & Acquire

  • Collect volatile data first (RAM, running processes)
  • Create forensic disk images using write blockers
  • Hash all evidence (MD5/SHA-256)
  • Document and tag all items

Step 3: Examine & Analyze

  • Analyze forensic copies — never originals
  • Reconstruct timeline of events
  • Identify IOCs and attacker TTPs
  • Cross-correlate log sources

Step 4: Report & Present

  • Document findings objectively
  • Executive summary + technical details
  • Preserve all work notes and tool outputs
  • Findings must withstand expert scrutiny

Incident Communication Strategy

📣 Internal — Executive Briefings

Regular status updates to CISO and C-suite. Translate technical details into business impact and financial language. Focus on: scope, business risk, actions taken, timeline to resolution.

⚖️ Legal & Regulatory

Coordinate with Legal before any external disclosure. Know notification timeframes: GDPR 72hr, HIPAA 60-day, PCI-DSS 24hr to card brands. All communications go through Legal review.

📰 Media / Public Relations

Designate a single spokesperson. Use pre-approved communication templates. Never speculate about cause or scope. Acknowledge the situation, describe actions taken, avoid technical jargon.

👥 Customers & Partners

Notify affected individuals promptly per legal requirements. Provide clear guidance on protective actions (password resets, credit monitoring). Be transparent about what happened and what data was affected.

🔒 Need-to-Know Principle

Limit incident details to those who need them operationally. Premature disclosure can tip off attackers, compromise investigation, or create legal liability. Use code names for major incidents.

📋 Communication Plan Elements

Pre-approved message templates, designated spokesperson, approved contact list, secure out-of-band communication channels, media holding statements, regulatory notification drafts.

Post-Incident Review & Continuous Improvement

| Activity | Timing | Purpose | Output |
|---|---|---|---|
| Lessons Learned Meeting | Within 2 weeks of closure | Capture what worked, what didn't | Action items list |
| Root Cause Analysis (RCA) | During/after incident | Identify true root cause, not symptoms | RCA report, corrective actions |
| After-Action Report | Within 30 days | Document full incident narrative for management | Formal incident report |
| IR Plan Update | After lessons learned | Improve plan based on real-world experience | Updated IR plan/playbooks |
| Metrics Review | Monthly/quarterly | Track IR KPIs (MTTD, MTTR, recurrence rate) | IR performance dashboard |

Key IR Metrics (CISM)

MTTD — Mean Time to Detect

Average time from incident occurrence to detection. Lower = better detection capability. Improved by better monitoring and threat intelligence.

MTTR — Mean Time to Respond/Recover

Average time from detection to full recovery. Improved by better playbooks, automation, and practice. Key IR performance metric.

Recurrence Rate

% of incident types that occur more than once. High recurrence = root causes not being addressed. Target: declining trend.

Containment Time

Time from detection to effective containment. Shorter containment time = less damage and data loss. Measured per severity level.


Memory Hooks

Mnemonics and visual anchors to make Domain 4 concepts stick for exam day.

NIST IR Phases: PD-CER-P
Preparation → Detection & Analysis → Containment → Eradication → Recovery → Post-Incident. Think: "Pretty Detectives Catch Every Rogue Person."

Recovery Objectives Order: RPO → RTO → WRT → MTD
Data loss limit → System back up → Verify it works → Hard business deadline. RTO + WRT < MTD always. MTD is the ceiling everything else must fit under.

Backup Speed Trade-off: Full = Fast Restore, Slow Backup
Incremental: fast backup, slow restore (need all prior sets). Differential: middle ground (only need last full + latest diff). Full: slowest backup, fastest single-set restore.

Recovery Sites: Hot / Warm / Cold = $ $ / $ / Free
Hot = always on, ready in minutes, most expensive. Warm = hardware ready, data loaded periodically, hours. Cold = empty shell, weeks to stand up, cheapest. Match site type to RTO requirement.

Forensics Evidence Rule: Most Volatile First
RAM → Swap → Network → Running Processes → Disk → Remote Logs → Archives. Power-off destroys RAM. Always hash evidence before and after. Work on forensic copies, never originals.

Notification Timeframes: 72 / 60 / 24
GDPR = 72 hours to supervisory authority. HIPAA = 60 days to HHS. PCI-DSS = 24 hours to card brands. Know these cold — they appear frequently on CISM exams.

Flashcards


Q: What are the 4 phases of the NIST SP 800-61 Incident Response lifecycle?
A: 1. Preparation → 2. Detection & Analysis → 3. Containment, Eradication & Recovery → 4. Post-Incident Activity. Phase 3 has three sub-steps: Contain first, then Eradicate, then Recover.

Q: What is the key formula relating RTO, WRT, and MTD?
A: RTO + WRT < MTD. Recovery Time Objective (restore) + Work Recovery Time (verify) must be less than Maximum Tolerable Downtime (business hard limit). MTD is always the ceiling.

Q: What is the difference between BCP and DRP?
A: BCP = keep business operations running during any disruption (people, process, facilities, tech). DRP = restore IT systems after a disaster. DRP is a subset of BCP. BCP is broader; DRP is IT-focused.

Q: A hot site, warm site, and cold site — which has the fastest recovery time?
A: Hot site = fastest (minutes to hours, fully operational, real-time data sync, highest cost). Warm site = hours to days. Cold site = days to weeks (empty space only, lowest cost). Match to RTO requirement.

Q: What is chain of custody and why does it matter?
A: Chain of custody = documented record of everyone who handled evidence, when, where, and how. Must be unbroken for evidence to be legally admissible in court. Every transfer must be logged and signed.

Q: What is the order of volatility in digital forensics?
A: Most volatile first: RAM → Swap space → Network state → Running processes → Disk → Remote/archived logs. RAM is lost immediately when system is powered off — always collect it first.

Q: Which backup type has the fastest restore? Which has the fastest backup?
A: Fastest restore = Full backup (single set). Fastest backup = Incremental (only changes since last backup). Differential is the middle ground — faster restore than incremental (only need full + latest diff).

Q: What are the GDPR, HIPAA, and PCI-DSS breach notification timeframes?
A: GDPR: 72 hours to supervisory authority. HIPAA: 60 days to HHS (and affected individuals). PCI-DSS: 24 hours to card brands and acquiring bank. Know these — they appear frequently on CISM.

Exam Advisor


Are You Ready for Domain 4?

You're ready if you can: Name all 4 NIST IR phases and the key activities in each without looking. Recall RTO + WRT < MTD and explain each term. Distinguish BCP from DRP clearly.
You're ready if you can: Identify which recovery site type fits a given RTO. Explain chain of custody and why it matters. Name the three backup types and their trade-offs.
Study more if you can't: Name regulatory notification timeframes (GDPR 72hr, HIPAA 60-day, PCI-DSS 24hr) or explain the difference between eradication and recovery.

Common CISM Exam Traps

Containment vs. Eradication: Containment = stop the spread (isolate). Eradication = remove the cause (patch, rebuild). They happen in that order — never eradicate before containing.
BCP vs. DRP: BCP is broader (whole business). DRP is IT-specific. A question about "keeping the business running" → BCP. "Restoring servers" → DRP. Both are needed; neither replaces the other.
RTO vs. MTD: RTO is the target recovery time (what you aim for). MTD is the maximum tolerable time (business limit). RTO must always be less than MTD — if they're equal, there's no buffer.
Lessons Learned Timing: CISM consistently expects lessons learned to happen AFTER recovery is complete, not during the incident. Post-incident review comes last — not during active response.

Highest-Yield Topics for Domain 4

IR Lifecycle (NIST 800-61): Memorize the 4 phases and what belongs in each. Especially: detection before containment, eradication before recovery, lessons learned always last.
Recovery Objectives: RTO, RPO, MTD, WRT — know each definition and the formula RTO + WRT < MTD. These appear in multiple question formats.
Notification Timeframes: GDPR (72hr), HIPAA (60-day), PCI-DSS (24hr). These are tested directly and in scenario questions about "what should the CISM do first."
Forensic Evidence Principles: Chain of custody, order of volatility, write blockers, forensic copies. CISM tests manager-level knowledge — ensure investigations are legally defensible.

Scenario Question Strategies

"What should the security manager do FIRST?": Follow the IR lifecycle order: detect/analyze before acting, contain before eradicating, always preserve evidence, and notify based on severity.
Ransomware Scenarios: First: isolate affected systems (contain). Then: notify management and legal. Then: assess backup integrity (RPO check). Then: involve law enforcement if warranted. Do NOT pay ransom without management/legal approval.
Data Breach Scenarios: First: contain and assess scope. Then: notify Legal immediately — they determine regulatory notification requirements. Communication timing is driven by legal requirements, not IT team preferences.
Business Continuity Questions: If the question mentions the business cannot operate, think BCP. If it mentions IT systems being down, think DRP. Site selection questions: match cost/speed trade-off to the stated RTO.

Last-Minute Domain 4 Review

IR Phase Order: Preparation → Detection & Analysis → Containment → Eradication → Recovery → Post-Incident. Never skip phases. Eradication before recovery. Lessons learned always last.
The Critical Formula: RTO + WRT < MTD. Business sets MTD. IT designs to meet RTO. WRT is verification time after restoration. If RTO + WRT ≥ MTD, your recovery strategy fails.
Evidence Rule: Most volatile first. Always hash. Always use write blockers. Work on forensic copies. Unbroken chain of custody = legally admissible. Legal hold suspends document destruction.
Regulatory Timelines: GDPR: 72 hours. HIPAA: 60 days. PCI-DSS: 24 hours. All external communications through Legal. Single designated spokesperson for media.

Ready for the Full CISM Exam?

Practice with 500+ CISM-style questions across all 4 domains on FlashGenius.
