CISM® Preparation Course

Intensive CISM exam training with officially ISACA-accredited trainers
Enroll Book as in-company

What will you learn?

  • 9Establish and maintain an information security governance framework and supporting processes;
  • 9Manage information risk to an acceptable level based on risk appetite;
  • 9Develop and maintain an information security program;
  • 9Plan, establish and manage the capability to detect, investigate, respond to and recover from information security incidents.


  • 5 course days
  • 40-60 hours of self-study
  • ROne CPE credit per hour (including self-study)

ISACA about
Security Academy

CISM® Preparation Course – Intensive CISM training

Our CISM Preparation Course will help you master the skills you need to pass the ISACA Certified Information Security Manager certification exam and earn your CISM qualification. In this intensive five-day CISM training, you will learn how to manage, design, oversee and assess enterprise information security. You will cover all domains of the CISM certification exam with expert trainers who are active in cyber security risk management
and incident management and can help you with practical insights. To fully prepare for your CISM certification
exam and future career, the course will challenge you to practice exam-style questions as well as apply your
knowledge in practical contexts.

The Security Academy is an Accredited ISACA Training Partner, which means you will get access to official ISACA CISM® courseware.

Completing this unique CISM Preparation Course, you will gain in-depth understanding of the ISACA CISM domains (Information Security Governance, Information Security Risk Management, Information Security Program and Incident Management). At the same time, you will benefit from the guidance of real-world (cyber) security management experts who are up to date with current practices that will help you excel at your CISM certification exam as well as your career in an information security management role.

Is this CISM Preparation Course for you?

This CISM Preparation Course is intended for information or IT security professionals who aspire to manage information security programs and advance their career to a senior information security management role. Since the ISACA CISM certification is particularly popular amongst professionals with an IT or information security background, our CISM exam training is typically attended by IT (security) managers, information security officers, security consultants, security program managers and IT auditors.

Prerequisites to joining this CISM Preparation Course

This CISM Preparation Course is designed to prepare you for the ISACA CISM certification exam. To make the most of the training, you need to have a good understanding of fundamental information security management and technical IT security principles.

Are you new to information security management? Or would you just feel more comfortable taking an entry-level information security management training before moving on to CISM? Learn all the essentials in three days in our  Information Security Foundation course.

Unsure if you know enough of IT security to follow CISM®? Take three days to cover the basics in our IT Security Foundation course.

What is included in this CISM Preparation Course?

Before the training starts, you will receive your official ISACA CISM® courseware through our student portal. The course materials are in English. The language of instruction is either English or Dutch, depending on the participants..

Your CISM training package includes:

  • Official ISACA CISM® courseware
  • Additional course materials (slides, use cases, exam questions)
  • Expert trainer who is active in security risk management and incident management
  • Practice exam, evaluation and discussion on the last day

CISM Preparation Course Modules

Module 1: Information Security Governance

‘Establish and maintain an information security governance framework and supporting processes to ensure that the information security strategy is aligned with organizational goals and objectives.’

This module covers the organization and management of the information security function within an organization. This includes describing information security goals (in measurable terms), determining roles and responsibilities, describing the current and desired situation, performing a gap analysis, translating your findings to a plan of action… and getting to work!

Topics covered:

  • Develop an information security strategy aligned with business goals and objectives.
  • Align information security strategy with corporate governance.
  • Develop business cases justifying investment in information security.
  • Identify current and potential legal and regulatory requirements affecting information security.
  • Identify drivers affecting the organization and their impact on information security.
  • Obtain senior management commitment to information security.
  • Define roles and responsibilities for information security throughout the organization.
  • Establish internal and external reporting and communication channels that support information security.

Module 2: Information Risk Management and Compliance

‘Manage information risk to an acceptable level based on risk appetite to meet organizational goals and objectives.’

This module provides insights into formulating a risk management strategy, identifying associated roles and responsibilities, determining the risk management framework, performing risk gap analysis, assessing and treatingrisks, integrating risk management with life cycle processes and working with baseline measures, as well as risk monitoring and communication.

Topics covered:

  • Establish a process for information asset classification and ownership
  • Implement a systematic and structured information risk assessment process.
  • Ensure that business impact assessments are conducted periodically.
  • Ensure that threat and vulnerability evaluations are performed on an ongoing basis.
  • Identify and periodically evaluate information security controls and countermeasures to mitigate risk to acceptable levels.
  • Integrate risk, threat and vulnerability identification and management into life cycle processes (e.g., project management, development, procurement and employment life cycles).
  • Report significant changes in information risk to appropriate levels of management for acceptance on both a periodic and event-driven basis.

Module 3: Information Security Program Development

‘Develop an information security program that identifies, manages and protects the organization’s assets while aligning to information security strategy and business goals, thereby supporting an effective security posture.’

In this module, you will start translating the action plan made in Module 1 into an information security program. You will determine program objectives and program scope, perform a gap analysis, and outline the current and desired situation. Based on this, you will develop an information security program, paying attention to information security architectures, management tasks, operational aspects of program implementation, third party influences, and the types of measures that can be implemented. You will also grasp how to establish metrics to evaluate the effectiveness of an information security program.

Topics covered:

  • Develop and maintain plans to implement the information security strategy.
  • Specify the activities to be performed within the information security program.
  • Ensure alignment between the information security program and other assurance functions (e.g., physical, HR, quality, IT).
  • Identify internal and external resources (e.g., finances, people, equipment, systems) required to execute the information security program.
  • Ensure the development of information security architectures (e.g., people, processes, technology).
  • Establish, communicate and maintain information security policies that support the security strategy.
  • Design and develop a program for information security awareness, training and education.
  • Ensure the development, communication, and maintenance of standards, procedures and other documentation (e.g., guidelines, baselines, codes of conduct) that support information security policies.
  • Integrate information security requirements into the organization’s processes (e.g., change control, mergers and acquisitions) and life cycle activities (e.g., development, employment, procurement).
  • Develop a process to integrate information security controls into contracts (e.g., with joint ventures, outsourced providers, business partners, customers, third parties).
  • Establish metrics to evaluate the effectiveness of the information security program.

Module 4: Managing an Information Security Program

‘In Module 3 you covered Information Security Program Development. In this module you will learn how to manage the security program you just developed.’

Topics covered:

  • Manage internal and external resources (e.g., finances, people, equipment, systems) required to execute the information security program.
  • Ensure that processes and procedures are performed in compliance with the organization’s information security policies and standards.
  • Ensure the performance of contractually agreed (e.g., with joint ventures, outsourced providers, business partners, customers, third parties) information security controls.
  • Ensure that information security is an integral part of the systems development process and acquisition processes.Ensure that information security is maintained throughout the organization’s processes (e.g., change control, mergers and acquisitions) and life cycle activities (e.g., development, employment, procurement).
  • Provide information security advice and guidance (e.g., risk analysis, control selection) in the organization.
  • Provide information security awareness, training and education to stakeholders (e.g., business process owners, users, information technology).
  • Monitor, measure, test and report on the effectiveness and efficiency of information security controls and compliance with information security policies.
  • Ensure that noncompliance issues and other variances are resolved in a timely manner.

Module 5: Incident Management and Response

‘Plan, establish and manage the capability to detect, investigate, respond to and recover from information security incidents to minimize business impact.’

And what if the unexpected happens? What if an incident turns into a disaster?  In this module, you will learn how to develop incident response goals and procedures and how to establish a competent and trained incident response team. You will explore how to develop and implement incident response plans, disaster recovery plans and procedures. Plans need to be extensively tested and integrated with the organization’s disaster recovery (DR) and business continuity plan, so you will also get a good grounding in this area. Finally, you will learn what to do after an incident: how to conduct reviews to identify the causes, how to define corrective actions, and how to re-assess relevant risks.

Topics covered:

  • Develop and implement processes for detecting, identifying, analyzing and responding to information security incidents.
  • Establish escalation and communication processes and lines of authority.
  • Develop plans to respond to, and document, information security incidents.
  • Establish the capability to investigate information security incidents (e.g. forensics, evidence collection and preservation, log analysis, interviewing).
  • Develop a process to communicate with internal parties and external organizations (e.g., media, law enforcement, customers).
  • Integrate information security incident response plans with the organization’s disaster recovery (DR) and business continuity plan.
  • Organize, train, and equip teams to respond to information security incidents.
  • Periodically test and refine information security incident response plans.
  • Manage the response to information security incidents.
  • Conduct reviews to identify causes of information security incidents, develop corrective actions and reassess risk.

Practice Exam

On your last course day, you will take an extensive CISM practice exam, so that you can judge for yourself to what extent you are ready for the official ISACA CISM certification exam and to which domains you should pay more attention. After taking the practice exam, you will have the opportunity to discuss answers or potential issues with your trainer and the group. 

ISACA CISM® Certification Exam

Because we are an Accredited Training Partner, you can purchase an ISACA® exam voucher from us for €595 ex VAT. Would you rather arrange this yourself through ISACA®? You can do so via the ISACA® website. In this case the exam fee is $575 for ISACA® members and $760 for non-ISACA® members.

When you register for an exam, you are given one year to successfully complete the exam. Any possible retakes have to be done during this year as well. The time between two consecutive exam attempts is set at a minimum of 48 hours.

Upon successful completion of the CISM exam, you can apply for your ISACA CISMcertification title. Note that in addition to passing the exam, you need to have at least five years of experience in information security management to earn your ISACA CISM certificate (experience waivers are available for a maximum of two years).

The CISM exam requires in-depth theoretical knowledge. As an information security manager, you must understand all the domains covered – not just to pass your exam, but also to bring value to your organisation’s information security. In addition to attending this (or any other) CISM exam training, you will need to invest a good portion of your time in self-study to excel at your exam and your career in information security management. The recommended self-study time is a minimum. You may need significantly more self-study time depending on your personal situation.

Authors & Lead Trainers

Dr. Rob van der Staaij
IAM & IT-Infrastructure specialist

Register now

In-company training tailored to your needs

Schedule this training as in-company. Upskill your entire team in the most cost-effective way!