CISM Overview of Domains - Infosec Resources
Although CISM certification is multi-faceted and requires knowledge of a number of academic, technical, and
career-based subjects, the core of the exam is to understand the four primary domains that make up the CISM
certification. Future articles will drill deeper into each of these domains, but this article should provide you with a
high-altitude look at the domains and what knowledge they represent.
1 de 10 13/05/2023, 02:38 p. m.
CISM: Overview of domains - Infosec Resources http://web.archive.org/web/20220815192710/https://resources.infosecinstitute.com/certification/cis...
To remain relevant, the CISM domains are updated frequently; however, major changes that would result in a
significant impact on the examination are seldom made. As of this writing, ISACA has not made any significant
changes to the domains themselves.
Information Security Incident Management domain covers 19% of the entire examination
ISACA has reorganized the CISM manual, categorizing each of the chapters into two main sections. In Section
One, the manual covers the corresponding knowledge and task statements that are tested within the
examination. In Section Two, the manual contains reference material and content that supports knowledge
statements. These two sections are important in preparing for the examination.
Among the concepts that are considered important for candidates is Security Metrics, which involves the
description of how a quantitative and periodic assessment of security performance is to be effectively measured.
The domain also features a way of measuring the effectiveness of its outcomes. For example, if we are to
consider Value Delivery as an outcome, effectiveness can be measured by considering the following:
Is the cost of security proportional to the value of the asset? We would not be delivering value if the cost of
Is periodic testing done on the controls? Here, we would not be delivering value if the controls we put in
In COBIT, candidates will need to understand the concept of the Capability Maturity Model, particularly Levels
3, 4 and 5.
Within Strategy Resources, candidates will need to know the two security frameworks of Zachman and SABSA.
Also, ISACA includes a few questions from EA2F. Candidates will also need to understand "Defense in Depth," which
is tested through the actions that should be taken during prevention, containment, detection, evidence collection,
and recovery or restoration of business processes.
Candidates will need to finally understand metrics. This often will involve knowing how to define metrics and
produce them for upper management.
ISG as of 2018 has nine task statements and 20 knowledge statements. The task statements are:
Establish and/or maintain an information security strategy in alignment with organizational goals and
objectives to guide the establishment and/or ongoing management of the information security program.
Establish and/or maintain an information security governance framework to guide activities that support the
Integrate information security governance into corporate governance to ensure that organizational goals
Establish and maintain information security policies to guide the development of standards, procedures and
Identify internal and external influences to the organization (e.g., emerging technologies, social media,
business environment, risk tolerance, regulatory requirements, third-party considerations, threat landscape)
to ensure that these factors are continually addressed by the information security strategy.
Gain ongoing commitment from senior leadership and other stakeholders to support the successful
Define, communicate, and monitor information security responsibilities throughout the organization (e.g.,
data owners, data custodians, end users, privileged or high-risk users) and lines of authority.
Establish, monitor, evaluate and report key information security metrics to provide management with
accurate and meaningful information regarding the effectiveness of the information security strategy.
Various concepts will be important for candidates to memorize. These concepts include threats, vulnerabilities,
exposures, impact, recovery time objective (RTO), recovery point objective (RPO), service delivery objectives
(SDOs) and acceptable interruption window (AIW). All of these topics are found in the 2018 CISM review manual.
A few basic steps should be observed while implementing IRM. Normally, the scope and boundaries need to be
determined, followed by a risk assessment. Once this is done, a risk treatment plan is designed to reduce risk to
an acceptable level. The residual risk is then accepted and communicated, while watching to see whether the
controls that are in place actually work.
Candidates should bear in mind that there is actually no qualitatively right or wrong way to select a methodology
and conduct a risk assessment. It is mostly a progressive exercise that begins with asset valuation and then
moves on to vulnerability and threat assessment. The risk is then assessed and the right controls to be enforced
determined. The residual risk is discussed and communicated to management.
After the risk assessment is complete, candidates have the option of avoiding, mitigating, transferring or
accepting the risk. The value placed on information resources determines how much you will be willing to spend
on that resource.
CISMs can set control baselines that allow them to measure how effective their IRM programs are.
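To make the IRM steps above concrete, here is an added illustrative risk register in Python; it is a constructed example, not code from the CISM manual or the article. The asset figures, the decision rule in treatment() (accept, mitigate, or escalate to transfer/avoid), the value-delivery test comparing control cost with prevented loss, and the RTO-versus-AIW check are all assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass
class RiskEntry:
    asset: str
    asset_value: float        # valuation of the asset (constructed figure)
    likelihood: float         # annual probability the threat is realised (0..1)
    impact: float             # fraction of asset value lost if it is realised (0..1)
    control_cost: float       # annual cost of the proposed control
    control_reduction: float  # fraction of expected loss the control removes (0..1)
    appetite: float           # highest residual expected annual loss management accepts
    rto_hours: float          # recovery time objective
    aiw_hours: float          # acceptable interruption window

    def inherent_loss(self) -> float:
        return self.asset_value * self.likelihood * self.impact

    def residual_loss(self) -> float:
        return self.inherent_loss() * (1.0 - self.control_reduction)

    def control_delivers_value(self) -> bool:
        # Value-delivery check: a control costing more than the loss it prevents
        # is not proportional to the asset's value.
        return self.control_cost <= self.inherent_loss() - self.residual_loss()

    def recovery_consistent(self) -> bool:
        # The RTO must fit inside the AIW or the recovery plan misses business tolerance.
        return self.rto_hours <= self.aiw_hours

    def treatment(self) -> str:
        # Assumed decision rule: accept, mitigate, or escalate to transfer/avoid.
        if self.inherent_loss() <= self.appetite:
            return "accept"
        if self.control_delivers_value() and self.residual_loss() <= self.appetite:
            return "mitigate"
        return "transfer or avoid"

def review(register):
    """Summarise the register for the annual risk statement to management."""
    return [{"asset": r.asset, "inherent": round(r.inherent_loss(), 2),
             "residual": round(r.residual_loss(), 2), "treatment": r.treatment(),
             "rto_within_aiw": r.recovery_consistent()} for r in register]

# Constructed sample entries; all values are invented for illustration.
REGISTER = [
    RiskEntry("customer database", 1_000_000, 0.20, 0.50, 30_000, 0.80, 50_000, 4, 8),
    RiskEntry("marketing site", 50_000, 0.30, 0.40, 25_000, 0.90, 10_000, 24, 12),
    RiskEntry("legacy file server", 200_000, 0.50, 0.60, 90_000, 0.50, 20_000, 48, 72),
]
```

Running review(REGISTER) shows the marketing site is accepted on expected loss but flagged because its RTO exceeds its AIW, and the file server is escalated because the control costs more than the loss it prevents.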
Regarding the topics, IRM has nine task statements and 19 knowledge statements. The task statements are:
Establish and/or maintain a process for information asset classification to ensure that measures taken to
Identify legal, regulatory, organizational and other applicable requirements to manage the risk of
Ensure that risk assessments, vulnerability assessments and threat analyses are conducted consistently, at
appropriate times, and to identify and assess risk to the organization’s information.
Determine whether information security controls are appropriate and effectively manage risk to an
acceptable level.
Facilitate the integration of information risk management into business and IT processes (e.g., systems
Monitor for internal and external factors (e.g., key risk indicators [KRIs], threat landscape, and geopolitical,
regulatory change) that may require reassessment of risk to ensure that changes to existing, or new, risk
scenarios are identified and managed appropriately.
Report noncompliance and other changes in information risk to facilitate the risk management decision-
making process.
Ensure that information security risk is reported to senior management to support an understanding of
Candidates should also note that everything that is performed on IRM must be documented. Small things come in
handy, such as keeping a risk registry or a controls registry, as well as records of an annual statement given to
management detailing the current state of risk at the organization.
Information Security Program Development and Management (ISPDM)
Candidates should note that, for an information security program to be effective, it must mitigate information
and information technology risk, with the cost of controls balanced against the magnitude and frequency of the
potential loss.
Candidates should be aware that the challenges that are most often met by CISMs in organizations are people,
processes, and policy issues that conflict with program objectives.
The CISM manual outlines the constraints on developing an InfoSec roadmap. The most important of these are
legal and regulatory requirements, ethics, and personnel. For example, some personnel challenges might be that
HR is doing sporadic background checks while untrained staff members are doing the screenings.
ISACA pays a lot of attention to the SABSA methodology, so candidates should prepare for that. Candidates
should also note that the objective of ISPDM is to implement the strategy in the most cost-effective manner,
while at the same time minimizing the impact to business functions. Candidates will need to know how to define
the goal or desired outcome, define the objectives that should be met, define the residual risk, and define the
desired state.
ISPDM has 10 task statements and 16 knowledge statements. The task statements:
Establish and/or maintain the information security program in alignment with the information security
strategy.
Align the information security program with the operational objectives of other business functions (e.g.,
human resources [HR], accounting, procurement and IT) to ensure that the information security program
adds value to and protects the business.
Identify, acquire and manage requirements for internal and external resources to execute the information
security program.
Establish and maintain information security processes and resources (including people and technologies) to
execute the information security program in alignment with the organization’s business goals.
Establish, communicate and maintain organizational information security standards, guidelines, procedures
and other documentation to guide and enforce compliance with information security policies.
Establish, promote and maintain a program for information security awareness and training to foster an
Integrate information security requirements into organizational processes (e.g., change control, mergers and
acquisitions, system development, business continuity, disaster recovery) to maintain the organization’s
security strategy.
Integrate information security requirements into contracts and activities of third parties (e.g., joint ventures,
outsourced providers, business partners, customers) and monitor adherence to established requirements in
order to maintain the organization’s security strategy.
Establish, monitor and analyze program management and operational metrics to evaluate the effectiveness
Compile and present reports to key stakeholders on the activities, trends and overall effectiveness of the IS
program and the underlying business processes in order to communicate security performance.
One of the outcomes of ISIM is that, with adequate training, planning and testing, candidates will ensure that
incidents are identified and contained, and the root cause is addressed. This will allow for recovery within an
acceptable interruption window (AIW).
There are three technologies that candidates should associate with ISIM. These are network intrusion detection
systems (NIDSs), host intrusion detection systems (HIDSs), and logs (these can be for a system, database,
operating system or application). Note that SIEM (security information and event management) is a way of
managing the output of HIDSs, NIDSs, and logs.
Candidates should be familiar with the advantages and disadvantages as well as the contents of the six types of
recovery sites (hot, cold, warm, mobile, mirror and duplicate information processing facilities). Familiarity with
the concepts of network recovery, such as redundancy, alternative routing, diverse routing, long-haul network
diversity, and voice recovery, is also encouraged.
ISIM has 10 task statements and 18 knowledge statements. The task statements are:
Establish and maintain an organizational definition of, and severity hierarchy for, information security
Establish and maintain an incident response plan to ensure an effective and timely response to information
security incidents.
Develop and implement processes to ensure the timely identification of information security incidents that
Establish and maintain processes to investigate and document information security incidents in order to
determine the appropriate response and cause while adhering to legal, regulatory and organizational
requirements.
Establish and maintain incident notification and escalation processes to ensure that the appropriate
Organize, train and equip incident response teams to respond to information security incidents in an
Test, review and revise (as applicable) the incident response plan periodically to ensure an effective
Establish and maintain communication plans and processes to manage communication with internal and
external entities.
Conduct post-incident reviews to determine the root cause of information security incidents, develop
corrective actions, reassess risk, evaluate response effectiveness and take appropriate remedial actions.
Establish and maintain integration among the incident response plan, business continuity plan and disaster
recovery plan.
Candidates need to note that, in some cases within this domain, the availability of evidence will be a
requirement, especially in cases where the incident is malicious and may possibly go to trial. As a result, in the
ISIM plan, evidence needs to be accounted for, it needs to be protected, and a chain of custody maintained, in
preparation for going to court.
Conclusion
This overview creates an expectation of what candidates should cover and what they need to know before taking
the CISM exam. It has discussed the topics that are to be covered in the examination, the percentage weight of
each domain covered, and the important concepts in each that should be emphasized. We hope that this
overview will prove to be a valuable time-saver for candidates who see the benefit of strategizing their study for
the examination.
Author
Lester Obbayi is a Cyber Security Consultant with one of the largest Cyber Security Companies in East and Central Africa. He has a deep interest
in Cyber Security and spends most of his free time doing freelance Penetration Tests and Vulnerability Assessments for numerous organizations.