CISM Certification Training
Domain 1 — Information Security Governance
• Establish and/or maintain an information security strategy in alignment with organizational goals and objectives to guide the establishment and/or ongoing management of the information security program.
• Establish, monitor, evaluate and report key information security metrics to provide management with accurate and meaningful information regarding the effectiveness of the information security strategy.
• Identify internal and external influences to the organization (e.g., emerging technologies, social media, business environment, risk tolerance, regulatory requirements, third party considerations, threat landscape) to ensure that these factors are continually addressed by the information security strategy.
Domain 2 — Information Risk Management
• Knowledge of techniques used to develop an information security strategy (e.g., SWOT [strengths, weaknesses, opportunities, threats] analysis, gap analysis, threat research).
• Knowledge of the fundamental concepts of governance and how they relate to information security.
• Knowledge of the relationship of information security to business goals, objectives, functions, processes and practices.
Domain 3 — Information Security Program Development and Management
• Establish and/or maintain the information security program in alignment with the information security strategy.
• Align the information security program with the operational objectives of other business functions (e.g., human resources [HR], accounting, procurement and IT) to ensure that the information security program adds value to and protects the business.
• Identify, acquire and manage requirements for internal and external resources to execute the information security program.
Domain 4 — Information Security Incident Management
• Establish and maintain an organizational definition of, and severity hierarchy for, information security incidents to allow accurate classification and categorization of and response to incidents.
• Establish and maintain an incident response plan to ensure an effective and timely response to information security incidents.
• Develop and implement processes to ensure the timely identification of information security incidents that could impact the business.