Certified Information Security Manager® (CISM®) ISACA Exam Voucher

Original price: $1,250.00 USD. Current price: $599.00 USD.

Included in Purchase:

  • ISACA Certified Information Security Manager Exam voucher with 12 months of validity.

Availability: 7 in stock


The Certified Information Security Manager® (CISM®) exam consists of 150 questions covering four job practice domains. The questions test both your knowledge of, and your ability to apply, the real-life job practices carried out by experienced information security managers.

Below are the four job practice domains, followed by the supporting tasks candidates will be tested on:

  • Domain 1: Information Security Governance
  • Domain 2: Information Security Risk Management
  • Domain 3: Information Security Program
  • Domain 4: Incident Management

SUPPORTING TASKS

  • Identify internal and external influences on the organization that impact the information security strategy.
  • Establish and/or maintain an information security strategy in alignment with organizational goals and objectives.
  • Establish and/or maintain an information security governance framework.
  • Integrate information security governance into corporate governance.
  • Establish and maintain information security policies to guide the development of standards, procedures and guidelines.
  • Develop business cases to support investments in information security.
  • Gain ongoing commitment from senior leadership and other stakeholders to support the successful implementation of the information security strategy.
  • Define, communicate and monitor information security responsibilities throughout the organization and lines of authority.
  • Compile and present reports to key stakeholders on the activities, trends and overall effectiveness of the information security program.
  • Evaluate and report information security metrics to key stakeholders.
  • Establish and/or maintain the information security program in alignment with the information security strategy.
  • Align the information security program with the operational objectives of other business functions.
  • Establish and maintain information security processes and resources to execute the information security program.
  • Establish, communicate and maintain organizational information security policies, standards, guidelines, procedures and other documentation.
  • Establish, promote and maintain a program for information security awareness and training.
  • Integrate information security requirements into organizational processes to maintain the organization’s security strategy.
  • Integrate information security requirements into contracts and activities of external parties.
  • Monitor external parties’ adherence to established security requirements.
  • Define and monitor management and operational metrics for the information security program.
  • Establish and/or maintain a process for information asset identification and classification.
  • Identify legal, regulatory, organizational and other applicable compliance requirements.
  • Participate in and/or oversee the risk identification, risk assessment and risk treatment process.
  • Participate in and/or oversee the vulnerability assessment and threat analysis process.
  • Identify, recommend or implement appropriate risk treatment and response options to manage risk to acceptable levels based on organizational risk appetite.
  • Determine whether information security controls are appropriate and effectively manage risk to an acceptable level.
  • Facilitate the integration of information risk management into business and IT processes.
  • Monitor for internal and external factors that may require reassessment of risk.
  • Report on information security risk, including noncompliance and changes in information risk, to key stakeholders to facilitate the risk management decision-making process.
  • Establish and maintain an incident response plan, in alignment with the business continuity plan and disaster recovery plan.
  • Establish and maintain an information security incident classification and categorization process.
  • Develop and implement processes to ensure the timely identification of information security incidents.
  • Establish and maintain processes to investigate and document information security incidents in accordance with legal and regulatory requirements.
  • Establish and maintain an incident handling process, including containment, notification, escalation, eradication and recovery.
  • Organize, train, equip and assign responsibilities to incident response teams.
  • Establish and maintain incident communication plans and processes for internal and external parties.
  • Evaluate incident management plans through testing and review, including table-top exercises, checklist review and simulation testing at planned intervals.
  • Conduct post-incident reviews to facilitate continuous improvement, including root-cause analysis, lessons learned, corrective actions and reassessment of risk.