Certified Information Security Manager (CISM) Training Outline
This CISM training course covers the following areas:
Domain 1: Information Security Governance
Module 1: Organisational Culture
- About Information Security Governance
- Reason for Security Governance
- Security Governance Activities and Results
- Risk Appetite
Module 2: Legal, Regulatory, and Contractual Requirements
- Introduction
- Requirements for Content and Retention of Business Records
Module 3: Organisational Structures, Roles and Responsibilities
- Roles and Responsibilities
- Monitoring Responsibilities
Module 4: Information Security Strategy Development
- Introduction
- Business Goals and Objectives
- Information Security Strategy Objectives
- Ensuring Objective and Business Integration
- Avoiding Common Pitfalls and Bias
- Desired State
- Elements of a Strategy
Module 5: Information Governance Frameworks and Standards
- Security Balanced Scorecard
- Architectural Approaches
- Enterprise Risk Management Framework
- Information Security Management Frameworks and Models
Module 6: Strategic Planning
- Workforce Composition and Skills
- Assurance Provisions
- Risk Assessment and Management
- Action Plan to Implement Strategy
- Information Security Program Objectives
Domain 2: Information Security Risk Management
Module 7: Emerging Risk and Threat Landscape
- Risk Identification
- Threats
- Defining a Risk Management Framework
- Emerging Threats
- Risk, Likelihood and Impact
- Risk Register
Module 8: Vulnerability and Control Deficiency Analysis
- Introduction
- Security Control Baselines
- Events Affecting Security Baselines
Module 9: Risk Assessment and Analysis
- Introduction to Risk Assessment and Analysis
- Determining the Risk Management Context
- Operational Risk Management
- Risk Management Integration with IT Life Cycle Management Processes
- Risk Scenarios
- Risk Assessment Process
- Risk Assessment and Analysis Methodologies
- Other Risk Assessment Approaches
- Risk Analysis
- Risk Evaluation
- Risk Ranking
Module 10: Risk Treatment / Risk Response Options
- Introduction to Risk Treatment / Risk Response Options
- Determining Risk Capacity and Acceptable Risk (Risk Appetite)
- Risk Response Options
- Risk Acceptance Framework
- Inherent and Residual Risk
- Impact
- Controls
- Legal and Regulatory Requirements
- Costs and Benefits
Module 11: Risk and Control Ownership
- Risk Ownership and Accountability
- Risk Owner
- Control Owner
Module 12: Risk Monitoring and Reporting
- Risk Monitoring
- Key Risk Indicators
- Reporting Changes in Risk
- Risk Communication, Awareness and Consulting
- Documentation
Domain 3: Information Security Program Development and Management
Module 13: Information Security Program Resources
- Introduction to Security Program Development and Management
- Information Security Program Objectives
- Information Security Program Concepts
- Common Information Security Program Challenges
- Common Information Security Program Constraints
Module 14: Information Asset Identification and Classification
- Information Asset Identification and Valuation
- Information Asset Valuation Strategies
- Information Asset Classification
- Methods to Determine Criticality of Assets and Impact of Adverse Events
Module 15: Industry Standards and Frameworks for Information Security
- Enterprise Information Security Architectures
- Information Security Management Frameworks
- Information Security Frameworks Components
Module 16: Information Security Policies, Procedures, and Guidelines
- Policies
- Standards
- Procedures
- Guidelines
Module 17: Information Security Program Metrics
- Introduction to Information Security Program Metrics
- Effective Security Metrics
- Security Program Metrics and Monitoring
- Metrics Tailored to Enterprise Needs
Module 18: Information Security Control Design and Selection
- Introduction
- Managing Risk Through Controls
- Controls and Countermeasures
- Control Categories
- Control Design Considerations
- Control Methods
Module 19: Information Security Control Implementation, Integration, Testing, and Evaluation
- Introduction
- Baseline Controls
- Control Strength
- Control Recommendations
Module 20: Information Security Awareness and Training
- Security Awareness Training and Education
- Developing an Information Security Awareness Program
- Role-Based Training
Module 21: Management of External Services
- Governance of Third-Party Relationships
- Third-Party Service Providers
- Outsourcing Challenges
- Third-Party Access
Module 22: Information Security Program Communications and Reporting
- Program Management Evaluation
- Plan-Do-Check-Act Cycle
- Security Reviews and Audits
- Compliance Monitoring and Enforcement
- Monitoring Approaches
- Measuring Information Security Management Performance
- Ongoing Monitoring and Communication
Domain 4: Incident Management
Module 23: Incident Response Plan
- Introduction to Incident Response Plan
- Relationship Between Incident Management and Incident Response
- Goals of Incident Management and Incident Response
- Incident Handling and Management Life Cycle
- Incident Management and Incident Response Plans
- Importance of Incident Management
- Outcomes of Incident Management
- Incident Management Resources
- Policies and Standards
- Incident Management Objectives
- Strategic Alignment
- Response and Recovery Plan
- Role of Information Security Manager in Incident Management
- Risk Management
- Assurance Process Integration
- Value Delivery
- Resource Management
- Defining Incident Management Procedures
- Detailed Plan of Action for Incident Management
- Current State of Incident Response Capability
- Developing an Incident Response Plan
- Incident Management Response Teams
- Organising, Training and Equipping the Resource Staff
- Incident Notification Process
- Challenges in Developing an Incident Management Plan
Module 24: Business Impact Analysis
- Introduction to Business Impact Analysis
- Elements of Business Impact Analysis
- Benefits of Conducting a Business Impact Analysis
Module 25: Business Continuity Plan
- Integrating Incident Response with Business Continuity
- Methods for Providing Continuity of Network Services
- High-Availability Considerations
- Insurance
Module 26: Disaster Recovery Plan
- Introduction to Disaster
- Business Continuity and Disaster Recovery Procedures
- Recovery Operations
- Evaluating Recovery Strategies
- Addressing Threats
- Recovery Sites
- Basis for Recovery Site Selection
- Response and Recovery Strategy Implementation
Module 27: Incident Classification/Categorisation
- Introduction to Incident Classification/Categorisation
- Escalation Process for Effective Incident Management
- Help/Service Desk Processes for Identifying Security Incidents
Module 28: Incident Management Training, Testing and Evaluation
- Incident Management Roles and Responsibilities
- Incident Management Metrics and Indicators
- Performance Measurement
- Updating Recovery Plans
- Testing Incident Response and Business Continuity/Disaster Recovery Plans
- Periodic Testing of the Response and Recovery Plans
- Testing for Infrastructure and Critical Business Applications
- Types of Tests
- Test Results
- Recovery Test Metrics
Module 29: Incident Management Tools and Technologies
- Incident Management Systems
- Incident Response Technology Foundations
- Personnel
- Skills
- Awareness and Education
- Audits
- Outsourced Security Providers
Module 30: Incident Investigation, Evaluation, and Containment Methods
- Introduction
- Executing Response and Recovery Plans
- Introduction to Incident Containment Methods
Module 31: Incident Response Communication, Eradication, and Recovery
- Introduction to Incident Response Communication
- Notification Requirements
- Communication Networks
- Eradication Activities
- Recovery
Module 32: Post-Incident Review Practices
- Introduction to Post-Incident Review Practices
- Identifying Causes and Corrective Actions
- Documenting Events
- Establishing Legal Procedures to Assist Post-Incident Activities
- Requirements for Evidence
- Legal Aspects of Forensic Evidence