CISM® — Certified Information Security Manager

This course focuses on developing the skills necessary to become a Certified Information Security Manager (CISM®), with an emphasis on emerging technologies such as artificial intelligence and blockchain.

Why should you attend?

The Certified Information Security Manager (CISM®) certification validates your ability to assess risk, implement effective governance, and respond proactively to incidents. With its focus on emerging technologies such as artificial intelligence (AI) and blockchain, it ensures that your skill set keeps pace with evolving security threats and industry requirements. By addressing top concerns such as data breaches and ransomware attacks, it is essential for IT professionals who need to stay ahead of the pace of change.

Target audience

  • Professionals preparing to become CISM certified.

  • Individuals certified in CISA or CISSP looking to move into information security management.

  • Professionals in general security management who wish to shift towards information security.

  • Information security managers.

Learning objectives

Upon completion of this course, you will be able to:

  • Explain the relationship between executive leadership, enterprise governance, and information security governance.

  • Outline the components used to build an information security strategy.

  • Explain how the risk assessment process influences the information security strategy.

  • Articulate the process and requirements used to develop an effective information risk response strategy.

  • Describe the components of an effective information security program.

  • Explain the process of building and maintaining an enterprise-level information security program.

  • Outline the techniques used to assess the enterprise's capability and readiness to manage an information security incident.

  • Outline the methods of measuring and improving response and recovery capabilities.

Requirements for CISM certification

To obtain the CISM certificate, you must have 5 years of experience in information system security within the last 10 years.

Domain 1: Information Security Governance

Enterprise Governance

  • Organizational Culture
  • Legal, Regulatory, and Contractual Requirements
  • Organizational Structures, Roles, and Responsibilities

Information Security Strategy

  • Development of information security strategy
  • Information governance frameworks and standards
  • Strategic planning (e.g., budgets, resources, business case)

Domain 2: Information Security Risk Management

Information Security Risk Assessment

  • The emerging landscape of risks and threats
  • Vulnerability and control deficiency analysis
  • Risk assessment and analysis

Response to Information Security Risks

  • Risk treatment/response options
  • Risk and control ownership
  • Risk monitoring and reporting

Domain 3: Information Security Program

Development of the Information Security Program

  • Resources for the information security program (e.g., people, tools, technologies)
  • Identification and classification of information assets
  • Industry standards and frameworks for information security
  • Information security policies, procedures, and guidelines
  • Metrics for the information security program

Management of the Information Security Program

  • Design and selection of information security controls
  • Implementation and integration of information security controls
  • Testing and evaluation of information security controls
  • Awareness and training in information security
  • Management of external services (e.g., vendors, suppliers, third parties, fourth parties)
  • Communications and reporting of the information security program

Domain 4: Incident Management

Preparation for Incident Management

  • Incident response plan
  • Business impact analysis (BIA)
  • Business continuity plan (BCP)
  • Disaster recovery plan (DRP)
  • Incident classification/categorization
  • Training, testing, and evaluation of incident management

Incident Management Operations

  • Tools and techniques for incident management
  • Investigation and evaluation of incidents
  • Incident isolation methods
  • Communications in incident response (e.g., reporting, notification, escalation)
  • Incident eradication and recovery
  • Post-incident review practices

Eliza Popa

I am a Diplomat Economist who has been working with CII organizations for over 30 years. Out of this tenure, 14 years have been dedicated to IT digital transformation projects and operations, followed by over 10 years in information security roles with both end-user organizations and consultancy firms. My professional certifications include CISSP, CISA, CRISC, CISM, CDPSE, CCSK v4, ITIL v3, Oracle SQL DBA, and PECB ISO/IEC 27001 Master, ISO/IEC 27002 Sr. Lead Manager, ISO/IEC 27005 Sr. Lead Risk Manager, Sr. Lead Cybersecurity Manager, CISO, Sr. Lead Cloud Security Manager, ISO/IEC 38500 Sr. Lead IT Corporate Governance Manager, ISO/IEC 20000 Sr. Lead Auditor, ISO 37301 Sr. Lead Implementer, ISO 31000 Sr. Lead Risk Manager, ISO 21502 Sr. Lead Project Manager, and ISO 9001 Sr. Lead Auditor. I provided informal training to CISA and CISSP candidates from 2016 until 2019, when I became an ISC2 Official Training Instructor for CISSP and a PECB Certified Trainer. Furthermore, in 2022 I became an ISC2 Official Training Instructor for CC and a CSA Authorized Trainer for CCSK v4 Foundation and Plus (AWS / Azure labs). My expertise and capabilities captured the attention of PECB, who, in 2023, appointed me to develop and record the eLearning training content and Skills content for ISO/IEC 27001 Lead Implementer and ISO/IEC Lead Auditor courses.

What is included in the course fee

  • Official ISACA Training Materials:

The Review Manual, a comprehensive reference guide designed to assist individuals in preparing for the CISM exam and in understanding the roles and responsibilities of an information systems (IS) auditor.

QAE (Questions, Answers, and Explanations), modelled on the exam questions: each set of questions and answers includes an in-depth explanation for every answer choice, so the learner fully understands the rationale behind each correct and incorrect option.

  • Examination voucher

Exam details

  • Number of questions: 150
  • Duration of the exam: 4 hours
  • Course duration: approximately 16 hours

Course Dates and Prices