ISACA Certification Training

Get Certified. Get Ahead.

CISM

Formats: Asynchronous, Blended, Online, Onsite, Part-time
Level: Intermediate
Prerequisites (Recommended Knowledge): Basic Knowledge of Information Security; Work Experience

Formats: We offer our training content in a flexible format to suit your needs. Contact us to find out whether we can accommodate your unique requirements.

Level: We are happy to customise course content to suit your skill level and learning goals. Contact us for a customised learning path.

Certified Information Security Manager (CISM)

The Certified Information Security Manager (CISM) certification from ISACA is a globally recognized credential for professionals who manage, design, oversee, and assess enterprise information security. CISM validates expertise in information security governance, risk management, program development and management, and incident management. It demonstrates a deep understanding of the link between information security and business objectives, enabling organizations to achieve their goals while effectively managing their risk profile.

Prerequisites

  • Basic Knowledge of Information Security: While you don’t need to be an expert, having a foundational understanding of information security principles and practices is helpful. It’s ideal to have some experience in IT, cybersecurity, or related fields.
  • Work Experience: While there’s no strict requirement to attend the training, to later earn the CISM certification, you will need to demonstrate at least five years of work experience in information security management. Some substitutions and waivers for up to two years of the required work experience can apply (e.g., having a degree in information security or a related field), but it’s best to check ISACA’s guidelines for the most current requirements.

Target Audience

This course is ideal for:

  • Information Security Managers
  • IT Managers
  • Security Consultants
  • Auditors
  • Individuals aspiring to leadership roles in information security

Career Opportunities and Benefits

Earning the CISM certification can significantly enhance career prospects and offer numerous benefits:

  • Increased earning potential
  • Enhanced credibility and recognition within the industry
  • Demonstrated expertise in information security management
  • Improved career advancement opportunities
  • Access to a global network of CISM professionals
  • Greater understanding of the link between information security and business goals

Course Content

This course covers the four CISM domains as defined by ISACA:

Domain 1: Information Security Governance (17%)

  • Establishing and maintaining an information security strategy aligned with organizational goals.
  • Developing and implementing an information security governance framework.
  • Integrating information security governance into corporate governance.
  • Establishing and maintaining information security policies, standards, procedures, and guidelines.
  • Developing business cases for information security investments.
  • Identifying and addressing internal and external influences on the organization's information security.
  • Gaining and maintaining senior leadership commitment.
  • Defining, communicating, and monitoring information security responsibilities.
  • Establishing, monitoring, evaluating, and reporting key information security metrics.

Domain 2: Information Risk Management (20%)

  • Establishing and maintaining a process for information asset classification.
  • Identifying legal, regulatory, organizational, and other applicable requirements.
  • Conducting risk assessments, vulnerability assessments, and threat analyses.
  • Identifying, recommending, and implementing risk treatment/response options.
  • Determining the appropriateness and effectiveness of information security controls.
  • Facilitating the integration of information risk management into business and IT processes.
  • Monitoring internal and external factors that may require risk reassessment.
  • Reporting noncompliance and changes in information risk.
  • Ensuring information security risk is reported to senior management.

Domain 3: Information Security Program Development and Management (33%)

  • Establishing and maintaining the information security program.
  • Aligning the information security program with other business functions.
  • Identifying, acquiring, and managing resources for the information security program.
  • Establishing and maintaining information security processes and resources.
  • Establishing, communicating, and maintaining organizational information security documentation.
  • Establishing and maintaining an information security awareness and training program.
  • Integrating information security requirements into organizational processes.
  • Integrating information security requirements into third-party contracts and activities.
  • Establishing, monitoring, and analyzing program management and operational metrics.
  • Compiling and presenting reports on the information security program.

Domain 4: Information Security Incident Management (30%)

  • Establishing and maintaining an organizational definition of information security incidents.
  • Establishing and maintaining an incident response plan.
  • Developing and implementing processes for timely incident identification.
  • Establishing and maintaining processes for incident investigation and documentation.
  • Establishing and maintaining incident notification and escalation processes.
  • Organizing, training, and equipping incident response teams.
  • Testing, reviewing, and revising the incident response plan.
  • Establishing and maintaining communication plans and processes.
  • Conducting post-incident reviews.
  • Establishing and maintaining integration among incident response, business continuity, and disaster recovery plans.

Contact Us

Please contact us for any queries via phone or our contact form. We will be happy to answer your questions.

3 Appian Place, 373 Kent Ave
Ferndale, 2194
South Africa
Tel: +2711-781 8014 (Johannesburg)
  +2721-020-0111 (Cape Town)
