on-demand course

CISM Certification Masterclass 2026: Complete Guide

with Aman Faheem

April 2026

Intermediate

22h 13m

English

Packt Publishing

Closed Captioning available in English

Watch now

Unlock full access

Includes

Badge

Course outline

Introduction to the CISM Exam Preparation
2m 9s
Getting Started Planning Your Study
2m 27s
Using the CISM Review Manual Effectively
2m 24s
Types of Questions on the CISM Exam
2m 57s
Using ISACA Exam Preparation Resources
2m 41s
CISM Review Questions, Answers & Explanations Manual
2m 58s
CISM Review QAE Database (12-Month Access)
2m 53s
Important Final Note on Exam Preparation
2m 39s
Information Security Governance
3m 0s
Overview Information Security Governance
2m 48s
Domain 1 Exam Content Outline
3m 12s
Importance of Information Security Governance
3m 36s
Importance of Information Security Governance-B
3m 13s
Outcomes of Information Security Governance
3m 34s
Scope and Charter of Information Security Governance
3m 13s
Organizational Culture
3m 10s
Acceptable Use Policy (AUP)
3m 4s
Ethics in Information Security
3m 13s
Legal, Regulatory & Contractual Requirements
3m 22s
Business Record Content & Retention Requirements
2m 31s
Organizational Structures, Roles & Responsibilities
3m 13s
Roles and Responsibilities in Security Governance
2m 35s
Skills in Defining Roles & Responsibilities
2m 59s
Role of the Board of Directors in Security Governance
3m 18s
Role of Senior Management in Security Governance
3m 4s
Role of Business Process Owners (BPOs)
2m 42s
Chief Information Security Officer (CISO)
3m 12s
Risk Management Roles & Responsibilities
2m 57s
Information Security Strategy Development
2m 39s
Business Goals and Objectives
2m 52s
Information Security Strategy Objectives
3m 14s
Ensuring Objective and Business Integration
2m 55s
Business Linkages in Information Security Strategy
2m 58s
Avoiding Common Pitfalls and Bias
3m 26s
Defining the Desired State of Information Security
2m 53s
Business Model for Information Security (BMIS)
3m 26s
Dynamic Interconnections in BMIS
3m 22s
Governance, Risk Management & Compliance (GRC)
3m 31s
Information Security Strategy Development
2m 56s
Elements of a Strategy
2m 57s
Resources and Constraints Overview
3m 24s
Constraints in Information Security Strategy
3m 25s
Information Governance Frameworks and Standards
2m 43s
Balanced Scorecard in Information Security Governance
3m 8s
Architectural Approaches in Information Security
2m 58s
Enterprise Risk Management (ERM) Frameworks
2m 53s
ISOIEC 27000 Series for Information Security
2m 59s
NIST Cybersecurity Framework (CSF)
2m 25s
NIST Risk Management Framework (RMF)
3m 4s
Other Approaches to Information Security Strategy
3m 42s
Strategic Planning
2m 47s
Workforce Composition and Skills
2m 43s
Organizational Structure and Its Impact
3m 8s
Centralized vs. Decentralized Security Approaches
3m 8s
Employee Roles & Responsibilities
2m 29s
Skills for Security Strategy Implementation
2m 49s
Awareness and Education
2m 45s
Assurance Provisions
2m 55s
Audits
3m 22s
Compliance Enforcement
3m 18s
Risk Assessment and Management
3m 6s
Business Impact Analysis (BIA)
2m 49s
Resource Dependency Analysis
2m 32s
Outsourced Services in Security Strategy
3m 20s
Threat Assessment
2m 56s
Vulnerability Assessment
2m 48s
Insurance as a Risk Treatment
3m 10s
Organizational Support and Assurance Providers
3m 14s
Action Plan to Implement Strategy
2m 31s
Gap Analysis Basis for an Action Plan
2m 54s
Action Plan Metrics
2m 49s
Key Goal Indicators (KGIs)
2m 20s
Key Performance Indicators (KPIs)
2m 29s
General Metrics Considerations
2m 37s
Action Plan Intermediate Goals
2m 57s
Information Security Program Objectives
3m 11s
Information Security Risk Management
2m 46s
Domain 2 Exam Content Outline
2m 53s
Learning Objectives Task Statements Chapter 2
3m 7s
Overview Information Security Risk Management
2m 32s
Part A Information Risk Assessment
6m 55s
Information Risk Assessment
3m 5s
Emerging Risk and Threat Landscape
2m 46s
Risk Identification
2m 58s
Threats
3m 5s
Internal Threats
3m 4s
External Threats
3m 4s
Advanced Persistent Threats (APTs)
3m 21s
Defining a Risk Management Framework
3m 27s
Defining the External Environment
3m 9s
Defining the External Environment
2m 57s
Risk, Likelihood and Impact
2m 41s
Risk Register
2m 44s
Emerging Threats
2m 53s
Vulnerability and Control Deficiency Analysis
3m 14s
Security Control Baselines
2m 55s
Events Affecting Security Baselines
3m 2s
Risk Analysis, Evaluation and Assessment
2m 51s
Determining the Risk Management Context
2m 33s
Operational Risk Management
2m 54s
Risk Management Integration with IT Life Cycle Management Processes
2m 57s
Risk Scenarios
2m 32s
Risk Assessment Process
3m 23s
Risk Assessment & Analysis Methodologies
3m 5s
NIST Risk Assessment Methodology
3m 7s
Cascading Risk
2m 45s
Other Risk Assessment Approaches
2m 37s
Holistic Approach to Risk Management (HARM)
2m 33s
Probabilistic Risk Assessment
3m 1s
Risk Analysis
2m 34s
Gap Analysis
2m 5s
Qualitative Risk Analysis
1m 52s
Semi-Quantitative (Hybrid) Risk Analysis
2m 5s
Quantitative Analysis
2m 32s
Annual Loss Expectancy
2m 12s
Value at Risk (VaR) in Risk Management
2m 33s
Other Risk Analysis Methods
3m 0s
Risk Evaluation
2m 18s
Risk Ranking
2m 34s
Part B Information Risk Response
2m 46s
Risk Treatment Risk Response Options
2m 16s
Determining Risk Capacity and Acceptable Risk (Risk Appetite)
2m 37s
Risk Response Options
2m 40s
Terminate the Activity
2m 21s
Transfer the Risk
2m 12s
Mitigate the Risk
2m 17s
Accept the Risk
3m 24s
Inherent and Residual Risk
2m 22s
Impact
2m 33s
Controls
2m 31s
Legal and Regulatory Requirements
2m 39s
Costs and Benefits
2m 18s
Risk and Control Ownership
2m 23s
Risk Ownership and Accountability
2m 25s
Risk Owner
2m 23s
Control Owner
2m 41s
Risk Monitoring and Reporting
2m 21s
Risk Monitoring
2m 15s
Key Risk Indicators
2m 39s
Reporting Changes in Risk
2m 42s
Risk Communication, Awareness and Consulting
2m 42s
Risk Awareness
2m 37s
Documentation
1m 17s
Information Security Program Development & Management
3m 5s
Overview Information Security Program Development & Management
2m 49s
Part A – Information Security Program Development
3m 4s
Information Security Program Overview
2m 50s
Information Security Management Trends
2m 33s
Essential Security Program Elements
3m 7s
Importance of the Information Security Program
2m 36s
Applying the Security Program Business Case
2m 39s
Outcomes of Information Security Program Management
2m 32s
Risk Management in Information Security
2m 47s
Value Delivery in Information Security
2m 41s
Resource Management in Information Security
3m 8s
Performance Measurement in Information Security
2m 57s
Assurance Process Integration
2m 46s
Information Security Program Resources
2m 27s
Information Security Program Objectives
2m 19s
Defining Objectives of the Information Security Program
2m 25s
Concepts Information Security Program
2m 36s
Management and Process Concepts in Security Program Implementation
2m 35s
Technology Resources in an Information Security Program
2m 50s
Scope and Charter of an Information Security Program
2m 28s
Common Information Security Program
3m 8s
The Critical Role of Management Support
2m 35s
Overcoming Funding Challenges in InfoSec
3m 1s
Staffing Challenges in Information Security
2m 38s
Common Constraints in Information Security Program Development
2m 36s
Physical Constraints in Information Security Programs
2m 28s
Ethical Considerations in Information Security Programs
2m 13s
The Role of Culture in Information Security Programs
3m 10s
The Impact of Organizational Structure on Information Security
2m 34s
Managing Costs in Information Security Program Implementation
2m 35s
Cost Justification and ROI in Security Programs
2m 35s
Personnel Resistance in Security Program Implementation
2m 16s
Resource Planning for Effective Security Strategy
2m 19s
Life Cycle of Security Resources
1m 35s
Time as a Strategic Constraint
2m 31s
Technology as a Constraint in Security Strategy Implementation
2m 30s
Information Asset Identification and Classification
2m 42s
Information Asset Identification and Valuation
2m 24s
Information Asset Valuation Strategies
2m 9s
Information Asset Classification
2m 28s
Information Asset Classification Benefits & Key Questions
2m 36s
Determining Asset Criticality & Impact of Adverse Events
2m 44s
Industry Standards and Frameworks for Information Security
2m 25s
Enterprise Information Security Architectures
2m 51s
Alternative Frameworks for Enterprise & Security Architecture
2m 27s
Enterprise Architecture Domains & Layers
2m 32s
Objectives of Information Security Architectures
2m 21s
Information Security Management Frameworks
2m 37s
COBIT and Its Role in Information Security Governance
2m 24s
ISOIEC 27001 and the ISO 27000 Series in ISM
2m 34s
NIST Cybersecurity Framework (CSF)
2m 39s
NIST Risk Management Framework (RMF)
2m 34s
Information Security Framework Components
2m 33s
Technical Components of Information Security
2m 40s
Operational Components of Information Security
2m 23s
Management Components of Information Security
2m 23s
Administrative Components of Information Security
2m 39s
Educational & Informational Components of InfoSec
2m 24s
Information Security Policies, Procedures and Guidelines
2m 32s
Information Security Policies
2m 16s
Policy Development in Information Security
2m 39s
Information Security Standards
2m 23s
Developing Effective Information Security Standards
2m 18s
Information Security Procedures
2m 36s
Guidelines in Information Security
2m 28s
Applying Frameworks and Architectures to Build a Security Program Road Map
2m 5s
Developing an Information Security Program Road Map
2m 40s
Simplicity & Clarity Through Layering and Modularization
2m 11s
Gap Analysis as the Basis for an Action Plan
2m 6s
Business Focus Beyond the Technical Domain
1m 56s
Life Cycle Principles Supporting the Road Map
2m 13s
Architecture and Control Objectives
2m 27s
Architecture Implementation in Security Programs
2m 29s
Security Program Management & Administrative Activities
2m 8s
Program Administration in Information Security
2m 27s
Effective Security Metrics
2m 7s
Standards and Approaches for Security Metrics
2m 18s
Governance Implementation Metrics
1m 58s
Strategic Alignment Metrics
1m 59s
Risk Management Metrics
2m 29s
Value Delivery Metrics
2m 17s
Resource Management Metrics
2m 23s
Performance Measurement in Information Security
2m 39s
Security Program Metrics & Monitoring
2m 12s
Metrics Tailored to Enterprise Needs
1m 58s
Strategic Metrics for Information Security
1m 40s
Management Metrics for Information Security
1m 40s
Operational Metrics in Information Security
2m 6s
Information Security Control Design and Selection
1m 26s
Managing Risk Through Controls
1m 14s
IT Controls
1m 1s
Non-IT Controls
1m 11s
Layered Defenses (Defense in Depth)
1m 37s
Technologies in Information Security
1m 41s
Controls and Countermeasures
56s
Control Categories
3m 29s
Control Design Considerations
4m 17s
Control Methods
4m 16s
Countermeasures in Information Security
1m 12s
Physical and Environmental Controls
1m 0s
Control Technology Categories
1m 1s
Native Control Technologies
50s
Supplemental Control Technologies
56s
Management Support Technologies
52s
Technical Control Components and Architecture
1m 18s
Information Security Control
3m 56s
Baseline Controls
3m 45s
Information Security Control Testing and Evaluation
3m 23s
Control Strength
3m 12s
Control Recommendations
3m 37s
Control Testing and Modification
3m 45s
Information Security Awareness and Training
3m 5s
Security Awareness Training and Education
3m 10s
Developing an Information Security Awareness Program
3m 21s
Role-Based Training
9m 5s
Personnel, Roles, Skills and Culture
44s
Documentation in Information Security Programs
3m 54s
Document Maintenance in Information Security Programs
3m 34s
Information Security Liaison Responsibilities
3m 40s
Physical Corporate Security
3m 12s
IT Audit
3m 10s
Role of Information Technology in Security Programs
3m 2s
Role of Business Unit Managers in Information Security
3m 4s
Human Resources & Information Security
3m 8s
Legal Department & Information Security
3m 8s
Employees: The First Line of Defense
2m 49s
Procurement: A Critical Security Touchpoint
2m 45s
Compliance: Aligning Security with Legal and Regulatory Demands
2m 44s
Privacy: Enforcing Data Protection in a Regulated World
3m 0s
Training: Partnering for Security Awareness & Skill Development
2m 59s
Quality Assurance: Integrating Security into QA Processes
3m 0s
Insurance as a Compensating Control in Information Security
3m 1s
Third Party Management in Information Security
3m 10s
Role of the PMO in Information Security
2m 48s
Cross-Organizational Responsibilities
3m 30s
Information Security Leadership & Cross-Business Alignment
3m 26s
Issue Resolution through the Information Security Program
3m 24s
Integration With IT Processes
2m 34s
Integration of Information Security Across the Enterprise
1m 56s
Vendor Management in Information Security
3m 16s
Physical and Environmental Factors in Information Security
2m 54s
System Development Life Cycle (SDLC) & Security Integration
3m 48s
Cultural and Regional Variances in Information Security
3m 7s
DevOps and DevSecOps Security in High-Speed Development
4m 0s
Change Management in Information Security
3m 20s
Logistics in Information Security Management
36s
Configuration Management in Information Security
3m 10s
Secure Release Management
3m 6s
Cloud Computing
4m 12s
Cloud Service Models
3m 48s
Advantages of Cloud Computing
4m 0s
Evaluation of Cloud Service Providers
3m 50s
Management of External Services and Relationships
4m 0s
Governance of Third-Party Relationships
3m 34s
Third-Party Service Providers
3m 40s
Outsourcing and Third-Party Security Providers
3m 30s
Outsourcing Challenges
4m 5s
Outsourcing Contracts
3m 41s
Security Provisions in Outsourcing Contracts
3m 40s
Third-Party Access
2m 17s
Information Security Program
2m 43s
Program Management Evaluation
3m 30s
Compliance Requirements in Information Security
3m 53s
Program Management in Information Security
3m 33s
Security Operations Management
3m 19s
Technical Security Management
3m 56s
Resource Levels in Information Security Program
3m 24s
The Plan-Do-Check-Act Cycle
3m 58s
Security Reviews and Audits
2m 32s
Security Reviews vs. Audits
2m 10s
Compliance Monitoring and Enforcement
1m 51s
Standards Compliance
1m 49s
Resolution of Noncompliance Issues
1m 43s
Resolution of Noncompliance Issues
1m 36s
Compliance Enforcement
1m 15s
Monitoring Approaches
1m 17s
Monitoring Security Activities in Infrastructure and Applications
1m 15s
Determining Success of Information Security Investments
3m 42s
Measuring Information Security Management Performance
3m 48s
Measuring Support of Organizational Objectives
3m 19s
Measuring Compliance in Information Security
4m 7s
Measuring Operational Productivity in InfoSec
3m 40s
Measuring Security Cost-Effectiveness
3m 42s
Measuring Awareness & Technical Security Effectiveness
3m 34s
Measuring Effectiveness of Management Framework & Resources
3m 25s
Measuring Operational Performance in InfoSec
3m 57s
Ongoing Monitoring and Communication
3m 25s
Incident Management
4m 14s
Part A Incident Management Readiness
3m 36s
Incident Management & Response
3m 28s
Incident Management vs. Incident Response
3m 32s
Goals of Incident Management & Response
4m 8s
Goals & Value of Effective Incident Management
3m 56s
Incident Handling & Life Cycle
4m 9s
Incident Management Life Cycle & Disaster Progression
3m 40s
Incident Management and Incident Response Plans
3m 46s
Importance of Incident Management
3m 47s
Outcomes of Incident Management
3m 56s
Incident Management Resources
4m 21s
Policies and Standards
3m 59s
Incident Management Objectives
3m 52s
Strategic Alignment
4m 4s
Response and Recovery Plan
3m 59s
The Role of the Information Security Manager in Incident Management
3m 50s
Risk Management
3m 16s
Assurance Process Integration
3m 42s
Value Delivery
3m 56s
Resource Management
3m 37s
Defining Incident Management Procedures
3m 44s
Detailed Plan of Action for Incident Management
3m 35s
Phase 1 – Prepare (Prepare Improve Sustain)
3m 33s
Phase 2 – Protect (Reputation, Brand, Infrastructure, Data)
3m 35s
Phase 3 – Detect (Events, Incidents, Anomalies)
3m 24s
Phase 4 – Triage
3m 35s
Phase 5 – Respond
3m 46s
Current State of Incident Response Capability
3m 43s
History of Incidents
3m 31s
Threats to Enterprise Security
3m 47s
Vulnerabilities
3m 38s
Developing an Incident Response Plan (IRP)
4m 0s
Elements of an Incident Response Plan (IRP)
3m 50s
Gap Analysis Basis for an Incident Response Plan
2m 58s
Logistics in Incident Response and Recovery
4m 18s
Incident Management and Response Teams
4m 1s
Organizing, Training, and Equipping the Response Staff
3m 49s
Incident Notification Process
4m 10s
Challenges in Developing an Incident Management Plan
3m 45s
Business Impact Analysis
3m 30s
Elements of a Business Impact Analysis (BIA)
4m 5s
Benefits of Conducting a Business Impact Analysis
3m 33s
Business Continuity Plan
4m 14s
Integrating Incident Response with Business Continuity
3m 28s
Network Methods for Providing Continuity of Services
3m 45s
High-Availability Considerations
3m 35s
Insurance
3m 49s
Disaster Recovery Plan
3m 57s
Business Continuity and Disaster Recovery Procedures
3m 36s
Recovery Operations
3m 34s
Evaluating Recovery Strategies
3m 14s
Addressing Threats
2m 54s
Recovery Sites
3m 53s
Basis for Recovery Site Selections
2m 56s
Response and Recovery Strategy Implementation
3m 31s
Incident Classification Categorization
3m 37s
Escalation Process for Effective Incident Management
3m 36s
Identifying Help Service Desk Processes for Security Incidents
3m 17s
Incident Management Training, Testing, and Evaluation
4m 0s
Incident Management Roles and Responsibilities
3m 59s
Common Roles in Incident Management
4m 13s
Senior Management Commitment
3m 36s
Responsibilities of the Information Security Manager in Incident Management
4m 24s
Incident Management Metrics and Indicator
3m 47s
Recovery Time Objectives (RTOs)
3m 35s
RTO in Business Continuity & Contingency Planning
3m 22s
Recovery Point Objective (RPO)
3m 49s
Service Delivery Objectives (SDOs)
3m 33s
Maximum Tolerable Outage (MTO)
3m 12s
Allowable Interruption Window (AIW)
3m 5s
Recovery Point Objectives (RPO)
2m 58s
Service Delivery Objectives (SDOs)
3m 30s
Maximum Tolerable Outage (MTO)
3m 4s
Performance Measurement
2m 29s
Updating Recovery Plans
3m 33s
Testing Incident Response and Business Continuity Disaster Recovery Plans
3m 34s
Periodic Testing of Response & Recovery Plans
3m 14s
Testing for Infrastructure & Critical Business Applications
4m 1s
Types of Tests
3m 23s
Test Results
2m 35s
Recovery Test Metrics
2m 34s
Part B Incident Management Operations
3m 25s
Incident Management Tools and Technologies
3m 39s
Incident Management Systems
3m 33s
Endpoint Detection and Response (EDR)
3m 27s
Extended Detection and Response (XDR)
3m 14s
Managed Detection and Response (MDR)
3m 27s
Incident Response Technology Foundations
3m 32s
Incident Response Operating Systems Knowledge
3m 35s
Malicious Code Propagation & Impact
3m 39s
Programming Skills for Incident Response Teams
4m 2s
Personnel on Incident Management Teams (IMTs)
2m 14s
Incident Response Team (IRT) Organization Models
3m 50s
Incident Response Team (IRT) Roles & Responsibilities
4m 1s
Skills
3m 32s
Awareness and Education
3m 5s
Audits in Incident Management
3m 14s
Outsourced Security Providers
3m 23s
Incident Investigation and Evaluation
3m 15s
Executing Response and Recovery Plans
3m 22s
Ensuring Execution as Required
2m 43s
Incident Containment Methods
2m 44s
Incident Response Communications
2m 56s
Notification Requirements
3m 32s
Communication Networks
3m 20s
Incident Eradication and Recovery
3m 2s
Eradication Activities
2m 49s
Recovery
2m 52s
Post-Incident Review Practices
2m 59s
Identifying Causes and Corrective Actions
3m 14s
Documenting Events
3m 8s
Establishing Legal Procedures to Assist in Post-Incident Activities
3m 12s
Requirements for Evidence
3m 5s
Legal Aspects of Forensic Evidence
3m 19s
Final Remarks CISM Certification
2m 25s

Overview

In this 22-hour CISM Certification Masterclass prepares you for the CISM exam, covering essential concepts in information security management. Build expertise in governance, risk, and incident management while mastering ISO/IEC 27001 to confidently pass the CISM exam.

What I will be able to do after this course:

Develop a solid understanding of information security governance
Master risk management techniques and risk assessments
Learn to align information security strategies with business goals
Gain practical experience in incident management and disaster recovery
Be prepared to take and pass the CISM exam with confidence

Course Instructor(s):

Aman Faheem is a seasoned cybersecurity professional with over 12 years of service in law enforcement. He specializes in information security, digital forensics, and incident response. Aman holds certifications including CISA, CISM, and CEH, and has a proven track record in securing critical systems and data.

Who is it for?

This course is designed for information security professionals, security managers, IT auditors, and those aiming for the CISM certification. It is ideal for individuals looking to enhance their skills in cybersecurity management.

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Watch now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781807789190

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills