- Identify internal and external influences on the information security strategy.
- Align the information security strategy with organizational goals.
- Maintain an information security governance framework integrated with corporate governance.
- Develop and uphold information security policies, standards, and guidelines.
- Create business cases for information security investments.
- Secure ongoing support from leadership and stakeholders for the strategy.
- Define and communicate information security responsibilities and authority.
- Report on the effectiveness and trends of the information security program.
- Monitor and report information security metrics to stakeholders.
- Align the information security program with operational objectives.
- Establish processes and resources for executing the information security program.
- Promote information security awareness and training.
- Integrate security requirements into organizational processes and contracts.
- Monitor compliance of external parties with security requirements.
- Define and track metrics for the information security program.
- Identify and classify information assets.
- Ensure compliance with legal and regulatory requirements.
- Oversee risk identification, assessment, and treatment processes.
- Conduct vulnerability assessments and threat analyses.
- Implement risk treatment options based on organizational risk appetite.
- Assess the effectiveness of information security controls.
- Integrate information risk management into business processes.
- Monitor factors necessitating risk reassessment.
- Report on information security risks and noncompliance to stakeholders.
- Maintain an incident response plan aligned with business continuity and disaster recovery.
- Classify and categorize information security incidents.
- Ensure timely identification and documentation of incidents.
- Investigate incidents per legal and regulatory standards.
- Manage incident handling processes, including containment and recovery.
- Organize and train incident response teams.
- Establish communication plans for incident management.
- Evaluate incident management plans through testing and reviews.
- Conduct post-incident reviews for continuous improvement.
Certified Information Security Manager (CISM)
CISM certification boosts credibility in IS/IT security management, proving expertise in governance, risk, incident, and program management for IT professionals.
To earn the CISM credential you need five (5) or more years of experience in information security management. Experience waivers are available for a maximum of two (2) years.
The CISM certification is perfect for:
- Professionals preparing to become CISM certified.
- CISA or CISSP-certified individuals looking to move into information security management.
- General security management professionals looking to move into information security.
- Information security managers.
- Professionals making a mid-level career change.
Information Security Governance
A. Enterprise Governance
- Organizational Culture.
- Legal, Regulatory and Contractual Requirements.
- Organizational Structures, Roles, and Responsibilities.
B. Information Security Strategy
- Information Security Strategy Development.
- Information Governance Frameworks and Standards.
- Strategic Planning (e.g., Budgets, Resources, Business Case).
Information Security Risk Management
A. Information Security Risk Management
- Emerging Risk and Threat Landscape.
- Vulnerability and Control Deficiency Analysis.
- Risk Assessment and Analysis.
B. Information Security Risk Response
- Risk Treatment / Risk Response Options.
- Risk and Control Ownership.
- Risk Monitoring and Reporting.
Information Security Program
A. Information Security Program Development
- Information Security Program Resources (e.g., People, Tools, Technologies).
- Information Asset Identification and Classification.
- Industry Standards and Frameworks for Information Security.
- Information Security Policies, Procedures and Guidelines.
- Information Security Program Metrics.
B. Information Security Program Management
- Information Security Control Design and Selection.
- Information Security Control Implementation and Integrations.
- Information Security Control Testing and Evaluation.
- Information Security Awareness and Training.
- Management of External Services (e.g., Providers, Suppliers, Third Parties, Fourth Parties).
- Information Security Program Communications and Reporting.
Incident Management
A. Incident Management Readiness
- Incident Response Plan.
- Business Impact Analysis (BIA).
- Business Continuity Plan (BCP).
- Disaster Recovery Plan (DRP).
- Incident Classification/Categorization.
- Incident Management Training, Testing and Evaluation.
B. Incident Management Operations
- Incident Management Tools and Techniques.
- Incident Investigation and Evaluation.
- Incident Containment Methods.
- Incident Response Communications (e.g., Reporting, Notification, Escalation).
- Incident Eradication and Recovery.
- Post-Incident Review Practices.
| Exam detail | Value |
|---|---|
| Length of exam | 240 minutes |
| Number of questions | 150 |
| Question format | Multiple choice questions |
| Passing grade | 70% |
| Exam availability | English, Chinese, Japanese and Spanish |
| Testing center | PSI Testing Center |
Description
Course Code: CISM
Designed for IT professionals with technical expertise and experience in IS/IT security and control who are looking to transition from team player to manager. The Certified Information Security Manager (CISM) certification can add credibility and confidence to interactions with internal and external stakeholders, peers, and regulators. This certification indicates expertise in information security governance, program development and management, incident management, and risk management. The course incorporates video, narrated interactive eLearning modules, downloadable interactive workbooks, downloadable job aids, case study activities, and a practice exam, giving learners an opportunity to go deeper into specific areas related to the course content. This certification proves your expertise in these work-related domains:
- Information Security Governance
- Information Security Risk Management
- Information Security Program
- Incident Management