CISM® Preparation Course

CISM Preparation Course Modules

Module 1: Information Security Governance

‘Establish and maintain an information security governance framework and supporting processes to ensure that the information security strategy is aligned with organizational goals and objectives.’

This module covers the organization and management of the information security function within an organization. This includes describing information security goals (in measurable terms), determining roles and responsibilities, describing the current and desired situation, performing a gap analysis, translating your findings to a plan of action… and getting to work!

Topics covered:

• Develop an information security strategy aligned with business goals and objectives.
• Align information security strategy with corporate governance.
• Develop business cases justifying investment in information security.
• Identify current and potential legal and regulatory requirements affecting information security.
• Identify drivers affecting the organization and their impact on information security.
• Obtain senior management commitment to information security.
• Define roles and responsibilities for information security throughout the organization.
• Establish internal and external reporting and communication channels that support information security.

Module 2: Information Risk Management and Compliance

‘Manage information risk to an acceptable level based on risk appetite to meet organizational goals and objectives.’

This module provides insights into formulating a risk management strategy, identifying associated roles and responsibilities, determining the risk management framework, performing risk gap analysis, assessing and treatingrisks, integrating risk management with life cycle processes and working with baseline measures, as well as risk monitoring and communication.

Topics covered:

• Establish a process for information asset classification and ownership
• Implement a systematic and structured information risk assessment process.
• Ensure that business impact assessments are conducted periodically.
• Ensure that threat and vulnerability evaluations are performed on an ongoing basis.
• Identify and periodically evaluate information security controls and countermeasures to mitigate risk to acceptable levels.
• Integrate risk, threat and vulnerability identification and management into life cycle processes (e.g., project management, development, procurement and employment life cycles).
• Report significant changes in information risk to appropriate levels of management for acceptance on both a periodic and event-driven basis.

Module 3: Information Security Program Development

‘Develop an information security program that identifies, manages and protects the organization’s assets while aligning to information security strategy and business goals, thereby supporting an effective security posture.’

In this module, you will start translating the action plan made in Module 1 into an information security program. You will determine program objectives and program scope, perform a gap analysis, and outline the current and desired situation. Based on this, you will develop an information security program, paying attention to information security architectures, management tasks, operational aspects of program implementation, third party influences, and the types of measures that can be implemented. You will also grasp how to establish metrics to evaluate the effectiveness of an information security program.

Topics covered:

• Develop and maintain plans to implement the information security strategy.
• Specify the activities to be performed within the information security program.
• Ensure alignment between the information security program and other assurance functions (e.g., physical, HR, quality, IT).
• Identify internal and external resources (e.g., finances, people, equipment, systems) required to execute the information security program.
• Ensure the development of information security architectures (e.g., people, processes, technology).
• Establish, communicate and maintain information security policies that support the security strategy.
• Design and develop a program for information security awareness, training and education.
• Ensure the development, communication, and maintenance of standards, procedures and other documentation (e.g., guidelines, baselines, codes of conduct) that support information security policies.
• Integrate information security requirements into the organization’s processes (e.g., change control, mergers and acquisitions) and life cycle activities (e.g., development, employment, procurement).
• Develop a process to integrate information security controls into contracts (e.g., with joint ventures, outsourced providers, business partners, customers, third parties).
• Establish metrics to evaluate the effectiveness of the information security program.

Module 4: Managing an Information Security Program

‘In Module 3 you covered Information Security Program Development. In this module you will learn how to manage the security program you just developed.’

Topics covered:

• Manage internal and external resources (e.g., finances, people, equipment, systems) required to execute the information security program.
• Ensure that processes and procedures are performed in compliance with the organization’s information security policies and standards.
• Ensure the performance of contractually agreed (e.g., with joint ventures, outsourced providers, business partners, customers, third parties) information security controls.
• Ensure that information security is an integral part of the systems development process and acquisition processes.Ensure that information security is maintained throughout the organization’s processes (e.g., change control, mergers and acquisitions) and life cycle activities (e.g., development, employment, procurement).
• Provide information security advice and guidance (e.g., risk analysis, control selection) in the organization.
• Provide information security awareness, training and education to stakeholders (e.g., business process owners, users, information technology).
• Monitor, measure, test and report on the effectiveness and efficiency of information security controls and compliance with information security policies.
• Ensure that noncompliance issues and other variances are resolved in a timely manner.

Module 5: Incident Management and Response

‘Plan, establish and manage the capability to detect, investigate, respond to and recover from information security incidents to minimize business impact.’

And what if the unexpected happens? What if an incident turns into a disaster?  In this module, you will learn how to develop incident response goals and procedures and how to establish a competent and trained incident response team. You will explore how to develop and implement incident response plans, disaster recovery plans and procedures. Plans need to be extensively tested and integrated with the organization’s disaster recovery (DR) and business continuity plan, so you will also get a good grounding in this area. Finally, you will learn what to do after an incident: how to conduct reviews to identify the causes, how to define corrective actions, and how to re-assess relevant risks.

Topics covered:

• Develop and implement processes for detecting, identifying, analyzing and responding to information security incidents.
• Establish escalation and communication processes and lines of authority.
• Develop plans to respond to, and document, information security incidents.
• Establish the capability to investigate information security incidents (e.g. forensics, evidence collection and preservation, log analysis, interviewing).
• Develop a process to communicate with internal parties and external organizations (e.g., media, law enforcement, customers).
• Integrate information security incident response plans with the organization’s disaster recovery (DR) and business continuity plan.
• Organize, train, and equip teams to respond to information security incidents.
• Periodically test and refine information security incident response plans.
• Manage the response to information security incidents.
• Conduct reviews to identify causes of information security incidents, develop corrective actions and reassess risk.

Practice Exam

On your last course day, you will take an extensive CISM practice exam, so that you can judge for yourself to what extent you are ready for the official ISACA CISM certification exam and to which domains you should pay more attention. After taking the practice exam, you will have the opportunity to discuss answers or potential issues with your trainer and the group. 

ISACA CISM® Certification Exam

Because we are an Accredited Training Partner, you can purchase an ISACA® exam voucher from us for €595 ex VAT. Would you rather arrange this yourself through ISACA®? You can do so via the ISACA® website. In this case the exam fee is $575 for ISACA® members and $760 for non-ISACA® members.

When you register for an exam, you are given one year to successfully complete the exam. Any possible retakes have to be done during this year as well. The time between two consecutive exam attempts is set at a minimum of 48 hours.

Upon successful completion of the CISM exam, you can apply for your ISACA CISMcertification title. Note that in addition to passing the exam, you need to have at least five years of experience in information security management to earn your ISACA CISM certificate (experience waivers are available for a maximum of two years).

The CISM exam requires in-depth theoretical knowledge. As an information security manager, you must understand all the domains covered – not just to pass your exam, but also to bring value to your organisation’s information security. In addition to attending this (or any other) CISM exam training, you will need to invest a good portion of your time in self-study to excel at your exam and your career in information security management. The recommended self-study time is a minimum. You may need significantly more self-study time depending on your personal situation.