CISM Domain 2: Information Risk Management (IRM) [2022 update]

Dan Virgillito
September 9, 2022 by
Dan Virgillito

Certified Information Security Manager (CISM) is one of the highest-level certifications in the InfoSec industry. Professionals pursuing CISM are tested on four knowledge areas, otherwise known as CSM domains

Information Risk Management (IRM) is the systematic application of management practices, processes and policies to detect, monitor, evaluate and report information-related risks. Being skilled and knowledgeable in IRM is essential for strengthening an organization’s information security program. 

$150,040 average salary

$150,040 average salary

ISACA CISM is one of the industry's highest-paying cybersecurity certifications for 2023. Take your information security management career to new heights and enroll now to claim your Exam Pass Guarantee!

Below, we go into more detail about IRM, including what’s changed after the recent CISM exam updates.

Information risk management overview

Before the CISM exam update that became effective on June 1, 2022, information risk management had a 30% weightage with 45 exam questions. The updated exam content outline has reduced its weightage to 20% with 30 exam questions. The exam creator, ISACA, now gives more weight to the information security program and incident management domains, which are crucial to offering effective security management and advice.

Still, information risk management plays an essential role by enabling candidates to determine applicable risks, then evaluate whether they are below or above the organization’s risk appetite. Candidates must be able to identify, quantify, analyze, manage and report InfoSec-related risks through several tasks by utilizing their knowledge of key risk management techniques.

Preparing for Domain 2 also requires understanding the factors that influence the design and implementation of risk management within an organization. These may comprise the following:

  • The organization’s structure. In many organizations, lengthy approvals and processes slow the implementation of ideas and solutions. This is something the candidate should take into account.
  • The organization’s objective. The company’s objective and mission must be aligned with the need to implement risk management. Otherwise, the idea will be met with a lot of opposition. 
  • Specific organizational policies and practices also may influence the implementation of risk management. For instance, certain qualifications might be required for certain employees, etc.
  • The execution of effective risk management may also be influenced by regulatory, physical, and environmental conditions.

What’s new in the information risk management domain?

ISACA has split the information risk management domain into two parts: 

Part A: Information risk assessment

Part B: Information risk response

This new structure makes sense because candidates first need to identify and evaluate the risk before developing a risk response. Risks should be evaluated periodically to ensure the organization is accounting for new threats, such as risks arising from BYOD programs.

The CISM exam update also added a few new topics to IRM. We now have:

  • Vulnerability and Control Deficiency Analysis (VCDA). This looks at security control baselines and the events affecting them. After all, it’s important to properly assess controls to give you a defined objective.
  • Holistic Approach to Risk Management (HARM). This covers the measures required for comprehensive risk management, such as looking into different risk treatments and constantly monitoring controls and risks.

Additionally, ISACA has shifted some topics from Domain 2 to other CISM domains. These include:

  • Operational Risk Management, including RTO (Recovery Time Objective), RPO (Recovery Point Objective), MTO (Maximum Tolerable Outage), and SDO (Service Delivery Objective), has been shifted to domain 4
  • Information Asset Classification has also moved to domain 3, which makes for a logical structure considering the first two domains are more about understanding applicable risk. Comprehending and prioritizing risks is how candidates classify the information assets. 
  • Third-Party Service Provider has also moved to Domain 3, because risks related to external vendors need to be properly classified, then used as a basis for information security program development. 

Information security risk exam outline

The refreshed CISM exam outline has new subtopics for the information risk management domain. Below is a quick overview of the main sections and subsections for IRM.

CISM Domain 2: Information Risk Management

Section A: Information Security Risk Assessment Section B: Information Security Risk Response

2A1 Emerging Risk and Threat Landscape 2B1 Risk Treatment/Risk Response Options

2A2 Vulnerability and Control Deficiency Analysis 2B2 Risk and Control Ownership

2A3  Risk Assessment and Analysis 2B3 Risk Monitoring and Reporting

Summary of information risk management

Information risk management covers the process of analyzing the threat landscape and devising a response to secure the organization’s most critical assets. IRM defines the extent of protection required and is based on the mission, priorities, and objectives of the organization. 

If you’re planning to get the CISM certification, learning IRM elements will help you ace 20% of the exam. Hopefully, this domain overview will give you a starting point and help you connect the dots between information risk management and the other domains. To get an overview of all CISM domains and everything you need to know about the CISM exam, view our ISACA CISM hub.

$150,040 average salary

$150,040 average salary

ISACA CISM is one of the industry's highest-paying cybersecurity certifications for 2023. Take your information security management career to new heights and enroll now to claim your Exam Pass Guarantee!


Dan Virgillito
Dan Virgillito

Dan Virgillito is a blogger and content strategist with experience in cyber security, social media and tech news.