CISM domain - 33% of the exam

Information Security Program

Information Security Program is 33% of the Certified Information Security Manager (CISM) exam. These are the objectives it covers, each with practice questions and worked explanations.

Sample question from this domain

Free sample | Information Security Program | Easy

A retailer is building its first data classification scheme. The information security manager must decide what should drive the sensitivity level assigned to each information asset. Which factor should primarily determine the classification level?

  • A. The potential business impact if the asset's confidentiality, integrity, or availability were compromised (Correct)
  • B. The storage format of the asset, such as whether it is held in a database, a spreadsheet, or a paper file
  • C. The number of staff who currently request access to the asset during normal operations
  • D. The age of the asset and how long it has been retained in the records management system

Information asset classification should be driven by the business impact of a loss of confidentiality, integrity, or availability. Classification expresses the worth of information to the organisation, and that worth is judged by the consequences to the business if the asset is disclosed, altered, or lost, which is why impact is the primary driver rather than format, demand, or age.

Why A is correct: Correct because classification reflects the value and sensitivity of the information, which is measured by the harm to the business if it were disclosed, altered, or made unavailable.

Why B is wrong: Tempting because storage format does affect some control choices, but format is a handling consideration that follows classification; it does not define how sensitive the information itself is.

Why C is wrong: Tempting because high demand can suggest importance, but access volume reflects operational convenience, not the inherent sensitivity that classification is meant to capture.

Why D is wrong: Tempting because retention schedules relate to data governance, but age alone does not set sensitivity; old records can be highly sensitive and new ones trivial.

Examworthy is not affiliated with or endorsed by ISACA. Original, blueprint-aligned practice material only.