Describe the four domains of the CISM exam: Information Security Governance, Information Risk Management, Information Security Program Development and Management, and Information Security Incident Management.
Information Security Governance:
Definition: Information Security Governance refers to the framework, policies, processes, and controls an organization uses to manage and oversee its information security program.
Key Components:
Establishing and maintaining an information security framework aligned with organizational goals and objectives.
Defining roles and responsibilities for information security throughout the organization.
Ensuring compliance with laws, regulations, and industry standards related to information security.
Managing risks associated with information security and ensuring that appropriate controls are in place.
Providing oversight and monitoring of the information security program to ensure its effectiveness.
Examples of Exam Topics:
Corporate governance and its relation to information security.
Development and maintenance of information security policies, standards, and procedures.
Risk management frameworks and methodologies.
Compliance requirements and regulatory frameworks.
Information Risk Management:
Definition: Information Risk Management involves identifying, assessing, and mitigating risks to the confidentiality, integrity, and availability of an organization's information assets.
Key Components:
Identifying and classifying information assets and the risks associated with them.
Conducting risk assessments to determine the likelihood and impact of potential threats and vulnerabilities.
Developing risk mitigation strategies and controls to reduce the impact of identified risks.
Monitoring and reviewing risks on an ongoing basis to ensure that mitigation measures are effective.
Examples of Exam Topics:
Risk assessment methodologies and techniques.
Business impact analysis (BIA) and risk appetite.
Threat modeling and vulnerability assessment.
Risk treatment options and cost-benefit analysis.
Information Security Program Development and Management:
Definition: Information Security Program Development and Management involves the planning, implementation, and maintenance of an organization's information security program to protect its information assets.
Key Components:
Developing and implementing information security strategies, policies, and procedures.
Establishing security awareness and training programs for employees.
Managing the deployment and maintenance of security technologies and controls.
Conducting regular security assessments and audits to ensure compliance and effectiveness.
Continuously improving the information security program based on lessons learned and emerging threats.
Examples of Exam Topics:
Security program governance and organizational structure.
Security architecture and design principles.
Security controls and technologies.
Security awareness and training programs.
Security metrics and performance measurement.
Information Security Incident Management:
Definition: Information Security Incident Management involves preparing for, detecting, responding to, and recovering from security incidents to minimize their impact on the organization.
Key Components:
Developing an incident response plan that outlines roles, responsibilities, and procedures for responding to security incidents.
Establishing mechanisms for detecting and reporting security incidents in a timely manner.
Implementing procedures for containing, eradicating, and recovering from security incidents.
Conducting post-incident reviews to identify lessons learned and improve incident response processes.