Course Outline
Domain 1—Information Security Governance (24%)
Establish and maintain an information security governance framework and supporting processes to ensure that the information security strategy is aligned with organizational goals and objectives, information risk is managed appropriately and program resources are managed responsibly.
- 1.1 Establish and maintain an information security strategy in alignment with organizational goals and objectives to guide the establishment and ongoing management of the information security program.
- 1.2 Establish and maintain an information security governance framework to guide activities that support the information security strategy.
- 1.3 Integrate information security governance into corporate governance to ensure that organizational goals and objectives are supported by the information security program.
- 1.4 Establish and maintain information security policies to communicate management’s directives and guide the development of standards, procedures and guidelines.
- 1.5 Develop business cases to support investments in information security.
- 1.6 Identify internal and external influences to the organization (for example, technology, business environment, risk tolerance, geographic location, legal and regulatory requirements) to ensure that these factors are addressed by the information security strategy.
- 1.7 Obtain commitment from senior management and support from other stakeholders to maximize the probability of successful implementation of the information security strategy.
- 1.8 Define and communicate the roles and responsibilities of information security throughout the organization to establish clear accountabilities and lines of authority.
- 1.9 Establish, monitor, evaluate, and report metrics (for example, key goal indicators [KGIs], key performance indicators [KPIs], key risk indicators [KRIs]) to provide management with accurate information regarding the effectiveness of the information security strategy.
Domain 2—Information Risk Management and Compliance (33%)
Manage information risk to an acceptable level to meet the business and compliance requirements of the organization.
- 2.1 Establish and maintain a process for information asset identification and classification to ensure that measures taken to protect assets are proportional to their business value.
- 2.2 Identify legal, regulatory, organizational and other applicable requirements to manage the risk of noncompliance to acceptable levels.
- 2.3 Ensure that risk assessments, vulnerability assessments and threat analyses are conducted periodically and consistently to identify risk to the organization’s information.
- 2.4 Determine and implement appropriate risk treatment options to manage risk to acceptable levels.
- 2.5 Evaluate information security controls to determine whether they are appropriate and effectively mitigate risk to an acceptable level.
- 2.6 Integrate information risk management into business and IT processes (for example, development, procurement, project management, mergers and acquisitions) to promote a consistent and comprehensive information risk management process across the organization.
- 2.7 Monitor existing risk to ensure that changes are identified and managed appropriately.
- 2.8 Report noncompliance and other changes in information risk to appropriate management to assist in the risk management decision-making process.
Domain 3—Information Security Program Development and Management (25%)
Establish and manage the information security program in alignment with the information security strategy.
- 3.1 Establish and maintain the information security program in alignment with the information security strategy.
- 3.2 Ensure alignment between the information security program and other business functions (for example, human resources [HR], accounting, procurement and IT) to support integration with business processes.
- 3.3 Identify, acquire, manage, and define requirements for internal and external resources to execute the information security program.
- 3.4 Establish and maintain information security architectures (people, process, technology) to execute the information security program.
- 3.5 Establish, communicate, and maintain organizational information security standards, procedures, guidelines and other documentation to support and guide compliance with information security policies.
- 3.6 Establish and maintain a program for information security awareness and training to promote a secure environment and an effective security culture.
- 3.7 Integrate information security requirements into organizational processes (for example, change control, mergers and acquisitions, development, business continuity, disaster recovery) to maintain the organization’s security baseline.
- 3.8 Integrate information security requirements into contracts and activities of third parties (for example, joint ventures, outsourced providers, business partners, customers) to maintain the organization’s security baseline.
- 3.9 Establish, monitor, and periodically report program management and operational metrics to evaluate the effectiveness and efficiency of the information security program.
Domain 4—Information Security Incident Management (18%)
Plan, establish and manage the capability to detect, investigate, respond to and recover from information security incidents to minimize business impact.
- 4.1 Establish and maintain an information security incident classification and categorization process to allow accurate identification of and response to incidents.
- 4.2 Establish and maintain an incident response plan, aligned with the business continuity plan and disaster recovery plan, to ensure an effective and timely response to information security incidents.
- 4.3 Develop and implement processes to ensure the timely identification of information security incidents.
- 4.4 Establish and maintain processes to investigate and document information security incidents to be able to respond appropriately and determine their causes while adhering to legal, regulatory and organizational requirements.
- 4.5 Establish and maintain incident handling processes to ensure that the appropriate stakeholders are involved in incident response management.
- 4.6 Organize, train and equip teams to effectively respond to information security incidents in a timely manner.
- 4.7 Test and review the incident management plans periodically to ensure an effective response to information security incidents and to improve response capabilities.
- 4.8 Establish and maintain communication plans and processes to manage communication with internal and external entities.
- 4.9 Conduct post-incident reviews to determine the root cause of information security incidents, develop corrective actions, reassess risk, evaluate response effectiveness and take appropriate remedial actions.
- 4.10 Establish and maintain integration among the incident response plan, disaster recovery plan and business continuity plan.
Requirements
There is no set prerequisite for this course. ISACA does require a minimum of five years' professional information security work experience to qualify for full certification. You can take the CISM exam before meeting ISACA's experience requirements, but the CISM qualification is awarded only after you meet them. There is, however, no restriction on taking the course early in your career and starting to apply globally accepted information security management practices.
Testimonials
I genuinely benefited from the communication skills of the trainer.
Flavio Guerrieri
Related Courses
BCS Foundation Certificate in Information Security Management Principles (CISMP)
21 hours. Who is it for: Anyone with an interest in information security, whether as a career or for general business knowledge. This certificate is relevant to anyone requiring an understanding of Information Security Management Principles as well
BCS Foundation Certificate in Information Security Management Principles (CISMP) 4 day
28 hours. Who is it for: Anyone with an interest in information security, whether as a career or for general business knowledge. This certificate is relevant to anyone requiring an understanding of Information Security Management Principles as well
BCS Practitioner Certificate in Information Risk Management (CIRM)
35 hours. Who is it for: Anyone who is involved in the areas of information security and information assurance. What will I learn: Candidates should be able to demonstrate: How the management of information risk will bring about significant
CISA - Certified Information Systems Auditor
28 hours. Description: CISA® is the world-renowned and most popular certification for professionals working in the field of IS audit and IT risk consulting. Our CISA course is an intense, very competitive and exam-focused training course. With
Building up information security according to ISO 27005
21 hours. This course will give you the skills to build up information security according to ISO 27005, which is dedicated to information security risk management based on ISO 27001.
Open Data Risk Analysis and Management
21 hours. Open Data is a concept of making data available to everyone for use without restrictions. This instructor-led, live training (online or onsite) focuses on analyzing the risks of Open Data while reducing vulnerability to disaster or data
CISMP - Certificate in Information Security Management Principles
21 hours. A thorough, practical, 3-day course designed to provide the knowledge and skills required to manage information security, information assurance or information risk based processes. The CISMP course is aligned with the latest national
Computer Room Security and Maintenance
14 hours. Network security begins at the physical level. In this instructor-led, live training, participants will learn the security risks related to computer server rooms and how to tighten security through smart practices, planning and technology
Cybersecurity Fundamentals
28 hours. Description: Cybersecurity skills are in high demand, as threats continue to plague enterprises around the world. An overwhelming majority of professionals surveyed by ISACA recognise this and plan to work in a position that requires
Network Penetration Testing
35 hours. This class will help attendees scan, test, hack and secure their own systems, and gain in-depth knowledge of and practical experience with the current essential security systems. The attendees will get to know how perimeter defences
Open Authentication (OAuth)
7 hours. OAuth is an open standard for delegated authorization, commonly used by websites and APIs. It describes how unrelated servers and services can safely grant access to assets on a user's behalf without sharing that user's credentials. This instructor-led, live
Public Key Infrastructure
21 hours. The training is directed at operating system administrators who plan to implement a public key infrastructure based on MS Windows Server 2012 R2 and to use qualified electronic signature certificates. The participants will learn
Security Policy Management
35 hours. Security policy management is the process of assessing, designing, and implementing rules and procedures at all levels of the organization to protect IT assets and resources. This instructor-led, live training (online or onsite) is aimed at IT
DevOps Security: Creating a DevOps Security Strategy
7 hours. DevOps is a software development approach that aligns application development with IT operations. Some of the tools that have emerged to support DevOps include automation tools, containerization and orchestration platforms. Security has not kept up
NB-IoT for Developers
7 hours. NB-IoT allows IoT devices to operate over carrier networks such as GSM and "guard bands" between LTE channels. NB-IoT needs only 200 kHz of bandwidth and can efficiently connect large numbers of endpoint devices (up to 50,000 per