CISM domain 1: Information security governance [Updated 2022]

Dan Virgillito
September 6, 2022 by
Dan Virgillito

The certified information security manager (CISM) certification is in high demand among cybersecurity professionals. Attaining CISM requires a strong grasp of four domains, also known as knowledge areas. The first of these reviews the body of knowledge and associated tasks necessary to build an information security governance structure that’s aligned with organizational objectives.

$150,040 average salary

$150,040 average salary

ISACA CISM is one of the industry's highest-paying cybersecurity certifications for 2023. Take your information security management career to new heights and enroll now to claim your Exam Pass Guarantee!

This article will give you a detailed overview of information security governance. You’ll learn what it’s all about, what’s new after the recent CISM exam updates and why it’s important to know for a leadership role in information security. 

Information security governance overview

Previously, information security governance had 24% exam weightage with 36 questions. But after the exam updates, its weight has been reduced to 17% with 25 questions. More weight is given to the information security program and incident management, which protect the organization’s most important and critical assets.  

The information security governance domain covers enterprise governance and information security strategy. Candidates are tested for their ability to develop an accurate security framework, which generally involves:

  • Governing security policies that address each aspect of controls, regulation, and strategy.
  • A robust security strategy aligned with company objectives. 
  • A complete set of standards for each policy to ensure guidelines and processes comply with the policy.
  • Establishing monitoring processes and metrics to provide feedback on effectiveness, offer the basis for appropriate management decisions and ensure compliance. 

The domain also helps candidates learn how ISG should be implemented as an internal and transparent part of enterprise governance. Candidates are tested on various outcomes, such as:

Strategic alignment — This emphasizes the need to align information security with the overarching company strategy to support the enterprise’s objectives. 

Value delivery — Emphasis is on measures to ensure that security investments deliver a positive ROI by fulfilling various objectives. 

 Resource management — This involves ensuring long-lasting security architectures are designed, and formal requirements are met for document security. 

Integration — Candidates must know how to coordinate and integrate various assurance functions to ensure complete security.  

What’s new in the information security governance domain?

ISACA has split CISM domain 1 into enterprise governance and information security strategy. Governance drives risk management based on how the organization designs its security strategy. The updated exam also includes a few additions to ISG, including:

  • NIST cybersecurity framework, which helps organizations prioritize cybersecurity decisions and investments.
  • Legal, regulatory and contractual requirements, such as requirements for content and retention of business records.

Several topics have been moved from domain 1 to other CISM domains, and some have been deleted. These include:

  • Information security governance metrics as a topic has been removed from ISG. However, metrics are touched upon in subtopics of the domain.
  • Governance of third-party relationships has been removed and added to domain 3. This was likely done to prioritize internal governance before ensuring external vendor accountability. 
  • The strategy constraints topic has been moved to domain 3. The shift was made to help candidates gain visibility into cultural issues and other risk management challenges before defining strategy constraints.
  • Determining risk capacity and acceptable risk (risk appetite) has been moved to domain 2. From a general perspective, it makes more sense to include the topic in domain 2 because it deals with the factors that influence the design and implementation process of risk management. 
  • Information security roles and responsibilities (specifically establishing reporting and communication channels) have been removed from domain 1. 

The removal and shuffling of previous topics are why the weight of the information security governance domain has shrunk to 17%.  

Information security governance exam outline

The refreshed CISM exam has updated knowledge areas for the information security governance domain. You can access the whole CISM exam outline, but here is an overview of the main sections and subdomains included in ISG.

CISM Domain 1: Information security governance

Section 1: Enterprise governance Section 2: Information security strategy

1A1 Organizational culture 2A1 Information security strategy development 

1A2 Legal, regulatory and contractual requirements  2A2 Information governance frameworks and standards 

1A3 Organizational structures, roles and responsibilities 2A3 Strategic planning (budgets, resources, business case, etc.)

Earn a $150,040 Salary with an ISACA CISM

Earn a $150,040 Salary with an ISACA CISM

The employment of information systems managers is projected to grow 16% by 2031. Get your ISACA CISM to launch into the field — backed with an Exam Pass Guarantee.

Summary of information security governance

Information security governance covers a structured set of elements required to match the organization’s security posture with the objectives of senior management. Once the elements have been integrated into the security strategy, management can rest assured that effective information security will safeguard the organization’s systems and critical information. 

As a candidate, being up to date on ISG elements is critical to acing 17% of the CISM exam. This overview should broaden your horizon about information security governance and help you prepare better. For a detailed overview of all CISM domains, visit our ISACA CISM hub.


Dan Virgillito
Dan Virgillito

Dan Virgillito is a blogger and content strategist with experience in cyber security, social media and tech news.