Certified Information Security Manager (CISM)
This is a high-level outline of the CISM course topics:
Domain 1 - Information Security Governance (24%) - Establish and maintain an information security governance framework and supporting processes to ensure that the information security strategy is aligned with organizational goals and objectives, information risk is managed appropriately and program resources are managed responsibly.
1.1 Establish and maintain an information security strategy in alignment with organizational goals and objectives to guide the establishment and ongoing management of the information security program.
1.2 Establish and maintain an information security governance framework to guide activities that support the information security strategy.
1.3 Integrate information security governance into corporate governance to ensure that organizational goals and objectives are supported by the information security program.
1.4 Establish and maintain information security policies to communicate management’s directives and guide the development of standards, procedures and guidelines.
1.5 Develop business cases to support investments in information security.
1.6 Identify internal and external influences to the organization (for example, technology, business environment, risk tolerance, geographic location, legal and regulatory requirements) to ensure that these factors are addressed by the information security strategy.
1.7 Obtain commitment from senior management and support from other stakeholders to maximize the probability of successful implementation of the information security strategy.
1.8 Define and communicate the roles and responsibilities of information security throughout the organization to establish clear accountabilities and lines of authority.
1.9 Establish, monitor, evaluate and report metrics (for example, key goal indicators [KGIs], key performance indicators [KPIs], key risk indicators [KRIs]) to provide management with accurate information regarding the effectiveness of the information security strategy.
KS1.1 Knowledge of methods to develop an information security strategy
KS1.2 Knowledge of the relationship among information security and business goals, objectives, functions, processes and practices
KS1.3 Knowledge of methods to implement an information security governance framework
KS1.4 Knowledge of the fundamental concepts of governance and how they relate to information security
KS1.5 Knowledge of methods to integrate information security governance into corporate governance
KS1.6 Knowledge of internationally recognized standards, frameworks and best practices related to information security governance and strategy development
KS1.7 Knowledge of methods to develop information security policies
KS1.8 Knowledge of methods to develop business cases
KS1.9 Knowledge of strategic budgetary planning and reporting methods
KS1.10 Knowledge of the internal and external influences to the organization (for example, technology, business environment, risk tolerance, geographic location, legal and regulatory requirements) and how they impact the information security strategy
KS1.11 Knowledge of methods to obtain commitment from senior management and support from other stakeholders for information security
KS1.12 Knowledge of information security management roles and responsibilities
KS1.13 Knowledge of organizational structures and lines of authority
KS1.14 Knowledge of methods to establish new, or utilize existing, reporting and communication channels throughout an organization
KS1.15 Knowledge of methods to select, implement and interpret metrics (for example, key goal indicators [KGIs], key performance indicators [KPIs], key risk indicators [KRIs])
Domain 2 - Information Risk Management and Compliance (33%) - Manage information risk to an acceptable level to meet the business and compliance requirements of the organization.
2.1 Establish and maintain a process for information asset classification to ensure that measures taken to protect assets are proportional to their business value.
2.2 Identify legal, regulatory, organizational and other applicable requirements to manage the risk of noncompliance to acceptable levels.
2.3 Ensure that risk assessments, vulnerability assessments and threat analyses are conducted periodically and consistently to identify risk to the organization’s information.
2.4 Determine appropriate risk treatment options to manage risk to acceptable levels.
2.5 Evaluate information security controls to determine whether they are appropriate and effectively mitigate risk to an acceptable level.
2.6 Identify the gap between current and desired risk levels to manage risk to an acceptable level.
2.7 Integrate information risk management into business and IT processes (for example, development, procurement, project management, mergers and acquisitions) to promote a consistent and comprehensive information risk management process across the organization.
2.8 Monitor existing risk to ensure that changes are identified and managed appropriately.
2.9 Report noncompliance and other changes in information risk to appropriate management to assist in the risk management decision-making process.
KS2.1 Knowledge of methods to establish an information asset classification model consistent with business objectives
KS2.2 Knowledge of methods used to assign the responsibilities for and ownership of information assets and risk
KS2.3 Knowledge of methods to evaluate the impact of adverse events on the business
KS2.4 Knowledge of information asset valuation methodologies
KS2.5 Knowledge of legal, regulatory, organizational and other requirements related to information security
KS2.6 Knowledge of reputable, reliable and timely sources of information regarding emerging information security threats and vulnerabilities
KS2.7 Knowledge of events that may require risk reassessments and changes to information security program elements
KS2.8 Knowledge of information threats, vulnerabilities and exposures and their evolving nature
KS2.9 Knowledge of risk assessment and analysis methodologies
KS2.10 Knowledge of methods used to prioritize risk
KS2.11 Knowledge of risk reporting requirements (for example, frequency, audience, components)
KS2.12 Knowledge of methods used to monitor risk
KS2.13 Knowledge of risk treatment strategies and methods to apply them
KS2.14 Knowledge of control baseline modeling and its relationship to risk-based assessments
KS2.15 Knowledge of information security controls and countermeasures and the methods to analyze their effectiveness and efficiency
KS2.16 Knowledge of gap analysis techniques as related to information security
KS2.17 Knowledge of techniques for integrating risk management into business and IT processes
KS2.18 Knowledge of compliance reporting processes and requirements
KS2.19 Knowledge of cost/benefit analysis to assess risk treatment options
Domain 3 - Information Security Program Development and Management (25%) - Establish and manage the information security program in alignment with the information security strategy.
3.1 Establish and maintain the information security program in alignment with the information security strategy.
3.2 Ensure alignment between the information security program and other business functions (for example, human resources [HR], accounting, procurement and IT) to support integration with business processes.
3.3 Identify, acquire, manage and define requirements for internal and external resources to execute the information security program.
3.4 Establish and maintain information security architectures (people, process, technology) to execute the information security program.
3.5 Establish, communicate and maintain organizational information security standards, procedures, guidelines and other documentation to support and guide compliance with information security policies.
3.6 Establish and maintain a program for information security awareness and training to promote a secure environment and an effective security culture.
3.7 Integrate information security requirements into organizational processes (for example, change control, mergers and acquisitions, development, business continuity, disaster recovery) to maintain the organization’s security baseline.
3.8 Integrate information security requirements into contracts and activities of third parties (for example, joint ventures, outsourced providers, business partners, customers) to maintain the organization’s security baseline.
3.9 Establish, monitor and periodically report program management and operational metrics to evaluate the effectiveness and efficiency of the information security program.
KS3.1 Knowledge of methods to align information security program requirements with those of other business functions
KS3.2 Knowledge of methods to identify, acquire, manage and define requirements for internal and external resources
KS3.3 Knowledge of information security technologies, emerging trends (for example, cloud computing, mobile computing) and underlying concepts
KS3.4 Knowledge of methods to design information security controls
KS3.5 Knowledge of information security architectures (for example, people, process, technology) and methods to apply them
KS3.6 Knowledge of methods to develop information security standards, procedures and guidelines
KS3.7 Knowledge of methods to implement and communicate information security policies, standards, procedures and guidelines
KS3.8 Knowledge of methods to establish and maintain effective information security awareness and training programs
KS3.9 Knowledge of methods to integrate information security requirements into organizational processes
KS3.10 Knowledge of methods to incorporate information security requirements into contracts and third-party management processes
KS3.11 Knowledge of methods to design, implement and report operational information security metrics
KS3.12 Knowledge of methods for testing the effectiveness and applicability of information security controls
Domain 4 - Information Security Incident Management (18%) - Plan, establish and manage the capability to detect, investigate, respond to and recover from information security incidents to minimize business impact.
4.1 Establish and maintain an organizational definition of, and severity hierarchy for, information security incidents to allow accurate identification of and response to incidents.
4.2 Establish and maintain an incident response plan to ensure an effective and timely response to information security incidents.
4.3 Develop and implement processes to ensure the timely identification of information security incidents.
4.4 Establish and maintain processes to investigate and document information security incidents to be able to respond appropriately and determine their causes while adhering to legal, regulatory and organizational requirements.
4.5 Establish and maintain incident escalation and notification processes to ensure that the appropriate stakeholders are involved in incident response management.
4.6 Organize, train and equip teams to effectively respond to information security incidents in a timely manner.
4.7 Test and review the incident response plan periodically to ensure an effective response to information security incidents and to improve response capabilities.
4.8 Establish and maintain communication plans and processes to manage communication with internal and external entities.
4.9 Conduct post-incident reviews to determine the root cause of information security incidents, develop corrective actions, reassess risk, evaluate response effectiveness and take appropriate remedial actions.
4.10 Establish and maintain integration among the incident response plan, disaster recovery plan and business continuity plan.
KS4.1 Knowledge of the components of an incident response plan
KS4.2 Knowledge of incident management concepts and practices
KS4.3 Knowledge of business continuity planning (BCP) and disaster recovery planning (DRP) and their relationship to the incident response plan
KS4.4 Knowledge of incident classification methods
KS4.5 Knowledge of damage containment methods
KS4.6 Knowledge of notification and escalation processes
KS4.7 Knowledge of the roles and responsibilities in identifying and managing information security incidents
KS4.8 Knowledge of the types and sources of tools and equipment required to adequately equip incident response teams
KS4.9 Knowledge of forensic requirements and capabilities for collecting, preserving and presenting evidence (for example, admissibility, quality and completeness of evidence, chain of custody)
KS4.10 Knowledge of internal and external incident reporting requirements and procedures
KS4.11 Knowledge of post-incident review practices and investigative methods to identify root causes and determine corrective actions
KS4.12 Knowledge of techniques to quantify damages, costs and other business impacts arising from information security incidents
KS4.13 Knowledge of technologies and processes that detect, log and analyze information security events
KS4.14 Knowledge of internal and external resources available to investigate information security incidents