Efficiency Squared


CISM® Certification Prep

A five-day intensive for security leaders preparing to sit for ISACA's Certified Information Security Manager (CISM) exam. Aligned to the current CISM Job Practice Areas, with deep focus on the manager's-perspective reasoning that distinguishes CISM from CISSP. Built for security professionals moving into manager, director, or CISO-track roles.

Format: Live virtual, in-person, or private on-site
Duration: 1 week
Level: Advanced
From: $3995.00

About this course

Course overview

The cybersecurity credential designed for security leaders, not security technicians.

CISSP and CISM are often discussed in the same breath, but they're aimed at different audiences. CISSP tests deep technical breadth across the eight CBK domains. CISM is narrower and more management-focused, built around four practice areas — Information Security Governance, Information Security Risk Management, Information Security Program, and Incident Management. The exam consistently rewards the candidate who can pick the most appropriate management response in a scenario, not merely the technically correct one.

Day 1 covers Governance. Day 2 covers Risk Management. Days 3–4 split the Information Security Program domain across development and operations (it's 33% of the exam). Day 4 closes with Incident Management. Day 5 integrates everything with a timed mock and a 30-day study plan tuned to ISACA's published weights.

Learning outcomes

What you'll learn

Every module is tied to an outcome you can bring back to your team the next day.

  • Establish and maintain an information security strategy aligned with organizational goals, governance frameworks, and the CISM management lens
  • Identify, analyze, evaluate, and treat information security risk using ISACA-aligned risk management practices
  • Develop and maintain an information security program: resourcing, capability roadmap, security architecture, and operational practices
  • Manage program implementation through metrics, vendor and third-party risk management, and integration with broader business processes
  • Establish and run an incident response capability — detection, triage, response, recovery, post-incident review — and the executive-communication practice senior leaders need during an incident
  • Operate business continuity, disaster recovery, and crisis management at the management altitude tested in CISM
  • Sit for the CISM exam after a 30-day post-bootcamp study plan tuned to ISACA's published domain weights

Audience

Who it's for

  • Security professionals with 4+ years in information security work who are moving into management roles
  • Information security managers, directors, and CISO-track candidates re-credentialing or upgrading from CISSP
  • Risk, audit, and compliance leaders crossing into information security leadership
  • Senior project and program managers with security accountability who need a recognized security-leadership credential
  • Candidates who do not yet meet ISACA's 5-year experience requirement and plan to pass the exam first, then satisfy the experience requirement afterward

Course structure

Syllabus

A structured path from core concepts to applied practice.

Module 1

Day 1 — Information Security Governance

  • CISM exam orientation: format, scoring, and the manager's-perspective approach (vs CISSP's CBK lens)
  • Security strategy and governance: alignment to business strategy, COBIT, NIST CSF, ISO 27001/27002
  • Roles, responsibilities, RACI, board-level reporting, security committee operations
  • Policy, standards, procedures, baselines, guidelines hierarchy
  • Practice Lab: governance scenario items with manager-perspective debrief

Module 2

Day 2 — Information Security Risk Management

  • Asset identification, threat modeling, vulnerability assessment, ISACA risk-evaluation lifecycle
  • Risk analysis: qualitative and quantitative methods, including SLE, ARO (annualized rate of occurrence), and ALE
  • Risk treatment: avoid, mitigate, transfer, accept; residual-risk conversation with executives
  • Compliance: GDPR, HIPAA, PCI-DSS, SOX — manager altitude, not specialist depth
  • Risk communication, registers, KRIs, board/regulator reporting

Module 3

Day 3 — Information Security Program (Part 1: Development)

  • Program resourcing: capability matrix, in-house vs outsourced, vendor management
  • Capability roadmap, prioritization, budgeting an enterprise security program
  • Security architecture frameworks at management altitude (TOGAF, SABSA, NIST)
  • Control selection, defense in depth, manager's view of architectural trade-offs
  • Awareness, training, and culture: program design, role-specific content, measurement

Module 4

Day 4 — Program Operation and Incident Management

  • Third-party / vendor risk, contract security clauses, M&A integration
  • DevSecOps, change management, security in broader business processes
  • Program metrics, maturity models, KPIs, KRIs, reporting cadence
  • Incident response lifecycle: detect, triage, respond, eradicate, recover, post-incident review
  • BCP/DR/crisis communications: executive briefings, regulator and customer notifications

Module 5

Day 5 — Integration, Mock Exam, and Study Planning

  • Cross-domain items where governance, risk, program, and incident management overlap
  • Reading manager-perspective items: separating most-appropriate from technically-correct
  • Timed mock exam (75 items / 90 min) with item-by-item debrief
  • Personalized 30-day study plan: ISACA Review Manual sequencing, practice-exam cadence
  • ISACA application: experience verification, work-history documentation, audit-readiness walk-through

Public cohorts

Upcoming sessions

Secure your seat in a live, instructor-led cohort. Private team deliveries available on request.

No public cohorts on the calendar yet.

We run this course as a private team cohort on demand, or you can be the first to know when the next public date drops.

Frequently asked questions

Still have questions?

Should I take CISM, CISSP, or both?
If your role is principally security management — establishing strategy, leading programs, communicating to executives during incidents — CISM fits better than CISSP. If your role demands deep technical breadth across the full security program, CISSP is the better fit. Many senior practitioners eventually hold both, often CISSP first and then CISM as they move into management.
Do I meet the CISM experience requirement?
ISACA requires 5 years of cumulative paid work experience in information security work, with 3+ years in three or more of the four CISM Job Practice Areas. Substitutions exist (degrees, other certs). Candidates without the experience can still sit the exam and certify after meeting the requirement within 5 years.
Is the exam included in the price?
No. The ISACA exam application, exam voucher ($575 for ISACA members / $760 for non-members), and exam scheduling are handled separately unless explicitly bundled into a private engagement. Day 5 walks through the application and audit-readiness process.
How is this different from CISSP Bootcamp?
Same five-day intensive format and the same $3,995 price tier — but a different exam target and a different perspective. CISSP covers eight CBK domains broadly; CISM covers four practice areas at manager-perspective depth. The two complement each other: CISSP-then-CISM is a common career path.
Can this be delivered as a private cohort?
Yes. Private deliveries can use your real security program as the case study, include your CISO and security committee for the governance and incident-management modules, and bundle a follow-up coaching engagement for the 30-day post-bootcamp exam-prep window.

Bring this training to your team

We deliver private cohorts in-person and online, tailored to your operating context.